* veth pair ping fail if one of them enslaved into a VRF
@ 2019-07-02 18:42 Zoltán Elek
2019-07-02 19:21 ` Ido Schimmel
0 siblings, 1 reply; 3+ messages in thread
From: Zoltán Elek @ 2019-07-02 18:42 UTC (permalink / raw)
To: netdev, dsa
Hi!

I have a simple scenario, with a veth pair, IP addresses assigned from
the same subnet. They can ping each other. But when I put one of them
into a VRF (in the example below, I put veth in-vrf into the test-vrf
VRF) the ping fails. My first question: is that the expected behavior?
And my second question: is there any way to overcome this?

Here are my test commands:
ip link add out-of-vrf type veth peer name in-vrf
ip link set dev out-of-vrf up
ip link set dev in-vrf up
ip link add test-vrf type vrf table 10
ip link set dev test-vrf up
ip -4 addr add 100.127.253.2/24 dev in-vrf
ip -4 addr add 100.127.253.1/24 dev out-of-vrf

Then ping works as expected:
ping -c1 -I 100.127.253.1 100.127.253.2

After I put the in-vrf into test-vrf, ping fails:
ip link set in-vrf vrf test-vrf up

Thanks,
Zoltan Elek,
VI1
* Re: veth pair ping fail if one of them enslaved into a VRF
2019-07-02 18:42 veth pair ping fail if one of them enslaved into a VRF Zoltán Elek
@ 2019-07-02 19:21 ` Ido Schimmel
2019-07-02 19:36 ` Zoltán Elek
0 siblings, 1 reply; 3+ messages in thread
From: Ido Schimmel @ 2019-07-02 19:21 UTC (permalink / raw)
To: Zoltán Elek; +Cc: netdev, dsa
On Tue, Jul 02, 2019 at 08:42:15PM +0200, Zoltán Elek wrote:
> Hi!
>
> I have a simple scenario, with a veth pair, IP addresses assigned from
> the same subnet. They can ping each other. But when I put one of them
> into a VRF (in the example below, I put veth in-vrf into the test-vrf
> VRF) the ping fails. My first question: is that the expected behavior?
> And my second question: is there any way to overcome this?
>
> Here are my test commands:
> ip link add out-of-vrf type veth peer name in-vrf
> ip link set dev out-of-vrf up
> ip link set dev in-vrf up
> ip link add test-vrf type vrf table 10
> ip link set dev test-vrf up
> ip -4 addr add 100.127.253.2/24 dev in-vrf
> ip -4 addr add 100.127.253.1/24 dev out-of-vrf
>
> Then ping works as expected:
> ping -c1 -I 100.127.253.1 100.127.253.2
>
> After I put the in-vrf into test-vrf, ping fails:
> ip link set in-vrf vrf test-vrf up

You need to re-order the FIB rules so that lookup for 100.127.253.1
happens in table 10 and not in the local table:

# ip -4 rule add pref 32765 table local
# ip -4 rule del pref 0
# ip -4 rule show
1000: from all lookup [l3mdev-table]
32765: from all lookup local
32766: from all lookup main
32767: from all lookup default

Bad:

ping 16735 [001] 13726.398115: fib:fib_table_lookup: table 255 oif 0 iif
9 proto 0 100.127.253.2/0 -> 100.127.253.1/0 tos 0 scope 0 flags 4 ==>
dev out-of-vrf gw 0.0.0.0 src 100.127.253.1 err 0

Good:

ping 16665 [001] 13500.937145: fib:fib_table_lookup: table 10 oif 0 iif
9 proto 0 100.127.253.2/0 -> 100.127.253.1/0 tos 0 scope 0 flags 4 ==>
dev in-vrf gw 0.0.0.0 src 100.127.253.2 err 0

>
> Thanks,
> Zoltan Elek,
> VI1
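
A check for the rule ordering described in the reply above, as an added example that is not part of the original thread: it classifies `ip -4 rule show` output by whether the l3mdev (VRF) rule is consulted before the local table. The function and sample names are hypothetical, and the "before" listing is constructed (local table at pref 0, as the `ip -4 rule del pref 0` step implies); the "after" listing is the one shown in the reply.

```shell
#!/bin/sh
# Added example (not from the thread): classify `ip -4 rule show` output by
# whether the VRF (l3mdev) rule is consulted before the local table.

# Reads a rule listing on stdin and prints one of:
#   vrf-first    the l3mdev rule has a lower pref than the local-table rule
#   local-first  the local table is looked up before the VRF table
#   no-l3mdev    no l3mdev rule present
#   no-local     no unconditional rule points at the local table
# Only unconditional "from all lookup <table>" rules are considered.
check_rule_order() {
    awk '
        NF == 5 && $2 == "from" && $3 == "all" && $4 == "lookup" {
            pref = $1; sub(/:$/, "", pref); pref += 0
            if ($5 == "[l3mdev-table]" && (!have_l3 || pref < l3)) { l3 = pref; have_l3 = 1 }
            if ($5 == "local" && (!have_loc || pref < loc)) { loc = pref; have_loc = 1 }
        }
        END {
            if (!have_l3)       print "no-l3mdev"
            else if (!have_loc) print "no-local"
            else if (l3 < loc)  print "vrf-first"
            else                print "local-first"
        }'
}

# Constructed sample: rule order before the fix (local table still at pref 0).
rules_before() {
    printf '%s\n' \
        "0: from all lookup local" \
        "1000: from all lookup [l3mdev-table]" \
        "32766: from all lookup main" \
        "32767: from all lookup default"
}

# Rule order after the fix, as listed in the reply.
rules_after() {
    printf '%s\n' \
        "1000: from all lookup [l3mdev-table]" \
        "32765: from all lookup local" \
        "32766: from all lookup main" \
        "32767: from all lookup default"
}

echo "before: $(rules_before | check_rule_order)"
echo "after:  $(rules_after | check_rule_order)"
```

On a live host the same function can be fed directly: `ip -4 rule show | check_rule_order`.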
* Re: veth pair ping fail if one of them enslaved into a VRF
2019-07-02 19:21 ` Ido Schimmel
@ 2019-07-02 19:36 ` Zoltán Elek
0 siblings, 0 replies; 3+ messages in thread
From: Zoltán Elek @ 2019-07-02 19:36 UTC (permalink / raw)
To: Ido Schimmel; +Cc: netdev, dsa
Thank you for the detailed answer, I tried your solution and it works
as expected.
Ido Schimmel <idosch@idosch.org> wrote (on Tue, Jul 2, 2019, 21:21):
>
> On Tue, Jul 02, 2019 at 08:42:15PM +0200, Zoltán Elek wrote:
> > Hi!
> >
> > I have a simple scenario, with a veth pair, IP addresses assigned from
> > the same subnet. They can ping each other. But when I put one of them
> > into a VRF (in the example below, I put veth in-vrf into the test-vrf
> > VRF) the ping fails. My first question: is that the expected behavior?
> > And my second question: is there any way to overcome this?
> >
> > Here are my test commands:
> > ip link add out-of-vrf type veth peer name in-vrf
> > ip link set dev out-of-vrf up
> > ip link set dev in-vrf up
> > ip link add test-vrf type vrf table 10
> > ip link set dev test-vrf up
> > ip -4 addr add 100.127.253.2/24 dev in-vrf
> > ip -4 addr add 100.127.253.1/24 dev out-of-vrf
> >
> > Then ping works as expected:
> > ping -c1 -I 100.127.253.1 100.127.253.2
> >
> > After I put the in-vrf into test-vrf, ping fails:
> > ip link set in-vrf vrf test-vrf up
>
> You need to re-order the FIB rules so that lookup for 100.127.253.1
> happens in table 10 and not in the local table:
>
> # ip -4 rule add pref 32765 table local
> # ip -4 rule del pref 0
> # ip -4 rule show
> 1000: from all lookup [l3mdev-table]
> 32765: from all lookup local
> 32766: from all lookup main
> 32767: from all lookup default
>
> Bad:
>
> ping 16735 [001] 13726.398115: fib:fib_table_lookup: table 255 oif 0 iif
> 9 proto 0 100.127.253.2/0 -> 100.127.253.1/0 tos 0 scope 0 flags 4 ==>
> dev out-of-vrf gw 0.0.0.0 src 100.127.253.1 err 0
>
> Good:
>
> ping 16665 [001] 13500.937145: fib:fib_table_lookup: table 10 oif 0 iif
> 9 proto 0 100.127.253.2/0 -> 100.127.253.1/0 tos 0 scope 0 flags 4 ==>
> dev in-vrf gw 0.0.0.0 src 100.127.253.2 err 0
>
> >
> > Thanks,
> > Zoltan Elek,
> > VI1