On Thu, May 30, 2019 at 03:50:09PM -0600, David Ahern wrote:
> On 5/30/19 2:52 PM, George Wilkie wrote:
> > This doesn't work for me (again, not using namespaces).
> > For traffic coming in on vrf-b to a destination on 10.200.2.0,
> > I see ARPs going out for the destination on xvrf2/in on xvrf1,
> > but nothing replies to it.
>
> Is rp_filter set?
>
No, but arp_filter and arp_ignore were. After setting net.ipv4.conf.all.arp_ignore=0 and net.ipv4.conf.xvrf1.arp_filter=0 I can get ARP replies to the local address but unsurprisingly not to the peer address. So would only be able to leak the local /32 in this way, and leak the /24 via the interface:

sysctl net.ipv4.conf.all.arp_ignore=0
ip li add xvrf1 type veth peer name xvrf2
ip li set xvrf1 up
ip li set xvrf2 master vrfA up
sysctl net.ipv4.conf.xvrf1.arp_filter=0
ip ro add vrf vrfA 10.10.3.0/24 dev enp1s3
ip ro add vrf vrfA 10.10.3.2/32 dev xvrf2
ip ro add 10.10.2.0/24 dev vrfA

It doesn't help for ipv6 though. No response to the neighbor solicitation.

What are your thoughts on creating a "vrfdefault" for the "local" table?

ip link add vrfdefault type vrf table local
ip link set dev vrfdefault up
ip ro add vrf vrfA 10.10.3.0/24 dev vrfdefault
ip ro add 10.10.2.0/24 dev vrfA
ip -6 ro add vrf vrfA 10:10:3::/64 dev vrfdefault
ip -6 ro add 10:10:2::/64 dev vrfA

I'm able to reach local and peer addresses for both v4 and v6 with this approach.
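The reply above had to clear both net.ipv4.conf.all.arp_ignore and net.ipv4.conf.xvrf1.arp_filter because the kernel applies the larger of the conf/all and conf/IFACE values for these knobs. The script below, an added example that is not part of the thread, reports the effective arp_ignore, arp_filter and rp_filter per interface so the blocking knob can be found before wiring a veth into a VRF; it reads the real /proc/sys layout, and the tree root is a parameter so a constructed tree can be used offline.

```shell
# Added example: report effective ARP/source-validation sysctls per interface.
# Values live at $ROOT/net/ipv4/conf/<iface>/<key>; the kernel uses
# max(conf/all/<key>, conf/<iface>/<key>) for arp_ignore, arp_filter, rp_filter.

# Read one sysctl value; a missing file reads as 0.
read_sysctl() {  # root iface key
    f="$1/net/ipv4/conf/$2/$3"
    if [ -r "$f" ]; then cat "$f"; else echo 0; fi
}

# Effective value as the kernel computes it: max(all, iface).
effective_sysctl() {  # root iface key
    a=$(read_sysctl "$1" all "$3")
    i=$(read_sysctl "$1" "$2" "$3")
    if [ "$a" -gt "$i" ]; then echo "$a"; else echo "$i"; fi
}

# Print "key=value" for every knob whose effective value is non-zero on the
# interface; these are the ones to clear before expecting ARP replies for a
# /32 leaked through a veth into a VRF, as in the thread.
arp_blockers() {  # root iface
    for key in arp_ignore arp_filter rp_filter; do
        v=$(effective_sysctl "$1" "$2" "$key")
        [ "$v" -ne 0 ] && echo "$key=$v"
    done
    return 0
}

# Walk every interface in the tree and print one summary line each.
report_all() {  # root
    for d in "$1"/net/ipv4/conf/*/; do
        iface=$(basename "$d")
        case "$iface" in all|default) continue ;; esac
        b=$(arp_blockers "$1" "$iface" | tr '\n' ' ')
        printf '%s: %s\n' "$iface" "${b:-ok}"
    done
}

# Stand-alone use: sh check_arp_sysctls.sh /proc/sys
if [ -n "${1:-}" ]; then
    report_all "$1"
fi
```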