On Linux, when no route is found in a VRF, it somehow falls back to the default routing table. In our case, that means a leak from the overlay to the underlay. Adding a low-priority unreachable catch-all route is the way to go, as per the doc: https://www.kernel.org/doc/Documentation/networking/vrf.txt
Signed-off-by: Alexandre Bruyelles <g...@jack.fr.eu.org> --- PVE/Network/SDN/Zones/EvpnPlugin.pm | 1 + 1 file changed, 1 insertion(+) diff --git a/PVE/Network/SDN/Zones/EvpnPlugin.pm b/PVE/Network/SDN/Zones/EvpnPlugin.pm index e6ee839..ca000cf 100644 --- a/PVE/Network/SDN/Zones/EvpnPlugin.pm +++ b/PVE/Network/SDN/Zones/EvpnPlugin.pm @@ -134,6 +134,7 @@ sub generate_sdn_config { #vrf interface @iface_config = (); push @iface_config, "vrf-table auto"; + push @iface_config, "post-up ip route add vrf $vrf_iface unreachable default metric 4278198272"; push(@{$config->{$vrf_iface}}, @iface_config) if !$config->{$vrf_iface}; if ($vrfvxlan) { -- 2.31.0 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
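Review bot: the added post-up only installs the IPv4 catch-all; `ip route add vrf $vrf_iface unreachable default metric 4278198272` leaves IPv6 lookups inside the VRF free to fall through to the main table, so a matching `ip -6 route add vrf $vrf_iface unreachable default metric 4278198272` line is needed next to it if the zone can carry IPv6 (vrf.txt recommends both). Also consider `ip route replace` rather than `ip route add`: when the hook runs with the route already present (an ifreload, or a second post-up run), `add` fails with EEXIST and the hook reports an error, while `replace` is idempotent. The metric itself matches the value recommended in vrf.txt.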
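The leak the commit message describes, and the effect of the catch-all route, can be reproduced in a throwaway network namespace. The script below is an added example and is not part of the patch or of pve-network: it builds an "underlay" link with a default route in the main table, a VRF with one member and no default route of its own, resolves an address from inside the VRF before and after installing the unreachable default, and prints both results. It needs root (CAP_NET_ADMIN), iproute2 with `ip route get ... vrf NAME`, and kernel vrf/dummy support; the namespace name, VRF name, table number and addresses are arbitrary choices for the demo, and `$VRF` stands in for the zone's `$vrf_iface`.

```shell
#!/bin/sh
# Added example, not part of the patch or of pve-network: reproduce the
# VRF-to-main-table leak inside a throwaway network namespace, then close
# it with the unreachable catch-all route recommended in vrf.txt.
# Needs root (CAP_NET_ADMIN), iproute2 and kernel vrf/dummy support.
set -e

NS=vrfleak          # assumed namespace name
VRF=overlay         # assumed VRF name (stands in for the zone's $vrf_iface)
TABLE=100           # assumed VRF routing table
METRIC=4278198272   # metric recommended in vrf.txt and used in the patch
PROBE=203.0.113.7   # TEST-NET-3 address known to neither VRF nor underlay

NSIP() { ip -n "$NS" "$@"; }

# Build the topology; returns nonzero on the first failing step so a host
# without netns/vrf/dummy support (or without root) is detected cleanly.
setup() {
    ip netns add "$NS" &&
    # underlay: a dummy link and a default route in the main table
    NSIP link add under0 type dummy &&
    NSIP link set under0 up &&
    NSIP addr add 192.0.2.1/24 dev under0 &&
    NSIP route add default via 192.0.2.254 dev under0 &&
    # overlay: a VRF with one member link and no default route of its own
    NSIP link add "$VRF" type vrf table "$TABLE" &&
    NSIP link set "$VRF" up &&
    NSIP link add over0 type dummy &&
    NSIP link set over0 master "$VRF" up &&
    NSIP addr add 198.51.100.1/24 dev over0
}

teardown() { ip netns del "$NS" 2>/dev/null || true; }

# Resolve PROBE from inside the VRF. Prints the egress device chosen by the
# kernel (under0 when the lookup leaks into the main table), or
# "unreachable" when the kernel refuses the lookup.
lookup_in_vrf() {
    out=$(NSIP route get "$PROBE" vrf "$VRF" 2>/dev/null) || { echo unreachable; return 0; }
    printf '%s\n' "$out" | sed -n '1s/.* dev \([^ ]*\).*/\1/p'
}

# The fix from the patch: a low-priority unreachable default inside the VRF.
add_catchall() {
    NSIP route add vrf "$VRF" unreachable default metric "$METRIC"
}

# Run the scenario and print "<before> <after>", e.g. "under0 unreachable".
# Prints "skipped" when the topology cannot be built on this host.
demo() {
    setup || { teardown; echo skipped; return 0; }
    before=$(lookup_in_vrf)
    add_catchall
    after=$(lookup_in_vrf)
    teardown
    echo "$before $after"
}

demo
```

Before the catch-all, `ip route get` inside the VRF answers with the underlay link: the l3mdev rule finds nothing in table 100 and the lookup continues through the main table, exactly the overlay-to-underlay leak. After `add_catchall` the same lookup fails with "No route to host", which is what the patch's post-up line achieves on a zone's VRF interface.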