[pve-devel] [PATCH container 1/1] zones: evpn: add a default unreachable, to prevent vrf leak

aderumier at odiso.com
Thu Apr 8 14:02:32 CEST 2021


Good catch.

Thanks Jack!


On Thursday, 08 April 2021 at 10:32 +0200, Alexandre Bruyelles wrote:
> On Linux, when no route is found in a VRF, it somehow falls back
> to the default routing table. In our case, that means a leak
> from the overlay to the underlay.
> Adding a low-priority unreachable catch-all route is the way to go,
> as per the doc:
> https://www.kernel.org/doc/Documentation/networking/vrf.txt
> 
> Signed-off-by: Alexandre Bruyelles <git at jack.fr.eu.org>
> ---
>  PVE/Network/SDN/Zones/EvpnPlugin.pm | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/PVE/Network/SDN/Zones/EvpnPlugin.pm
> b/PVE/Network/SDN/Zones/EvpnPlugin.pm
> index e6ee839..ca000cf 100644
> --- a/PVE/Network/SDN/Zones/EvpnPlugin.pm
> +++ b/PVE/Network/SDN/Zones/EvpnPlugin.pm
> @@ -134,6 +134,7 @@ sub generate_sdn_config {
>         #vrf interface
>         @iface_config = ();
>         push @iface_config, "vrf-table auto";
> +       push @iface_config, "post-up ip route add vrf $vrf_iface
> unreachable default metric 4278198272";
>         push(@{$config->{$vrf_iface}}, @iface_config) if !$config-
> >{$vrf_iface};
>  
>         if ($vrfvxlan) {
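Review bot: the added `post-up ip route add vrf $vrf_iface unreachable default metric 4278198272` line only installs the catch-all in the VRF's IPv4 table, so IPv6 lookups inside the VRF can still fall through to the main table and leak any v6 prefixes the zone carries in exactly the way the commit message describes for v4. The linked vrf.txt installs the same route for both families, so a sibling `post-up ip -6 route add vrf $vrf_iface unreachable default metric 4278198272` pushed right after it would close the gap. The metric itself (4278198272, i.e. 0xFF000000) matches the value the kernel doc uses, so it correctly sits below any real default route learned into the VRF.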





