VRF
Revision as of 14:06, 6 November 2020
VRF, Virtual Routing and Forwarding (sometimes expanded as Virtual Routing Functions), provides virtualization of the routing table. VRFs are useful for isolating services and entire networks from each other without the complexity of network namespaces.
Prerequisites
To make use of VRFs, you will need `iproute2` installed and a kernel that is capable of using eBPF. Kernel 5.4.19-r1 and later are capable of using eBPF.
VRF creation
The easiest way to define VRFs is to add them to /etc/network/interfaces:

auto vrf-mgmt
iface vrf-mgmt inet manual
    pre-up ip link add $IFACE type vrf table 42
    up ip link set dev $IFACE up
You can then associate specific interfaces with VRFs using pre-up commands:

auto eth0
iface eth0 inet static
    address 1.2.3.4
    netmask 255.255.255.0
    pre-up ip link set $IFACE master vrf-mgmt
    up ip route add default table 42 via 1.2.3.1
VRF-based Service Isolation
Services can be isolated to specific VRFs when running OpenRC 0.42.1-r4 or newer. You can set the $vrf variable in an /etc/conf.d file for a service to isolate it in most cases.
For example, with sshd:

# echo 'vrf="vrf-mgmt"' >> /etc/conf.d/sshd
# rc-service sshd restart
Named route tables
Routing tables can be named (i.e. table 42 can be named mgmt) by editing /etc/iproute2/rt_tables or by creating a separate config file (e.g. /etc/iproute2/rt_tables.d/vrf.conf).
Example vrf.conf:

42 mgmt
43 int
44 ext
Then, instead of having to remember that 42 is the table used for mgmt, the name can be used directly with ip route. Example:
# ip route add default table mgmt via 1.2.3.1
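The stanzas above only isolate a service if every route an enslaved interface adds lands in the VRF's own table; a route added to a different table, or to main because `table` was omitted, is silently ignored for VRF lookups. As an added check that is not part of the wiki page, this small shell lint reads an /etc/network/interfaces file together with an rt_tables-style file and flags such mismatches; the function names vrf_lint and vrf_lint_demo, the exact stanza forms it recognises and the sample input are assumptions made for this example.

```shell
# Lint /etc/network/interfaces for VRF/table mismatches. Assumes the pre-up/up
# forms shown above; a route added without "table" is taken to land in "main".
vrf_lint() {  # $1 = interfaces file, $2 = rt_tables-style file ("id name" lines)
    awk '
    function id(t) { return (t in tid) ? tid[t] : t }   # table name -> number
    FNR == NR { if ($1 !~ /^#/ && NF >= 2) tid[$2] = $1; next }
    $1 == "iface" { cur = $2; next }
    # "pre-up ip link add $IFACE type vrf table N" defines a VRF on table N
    $1 == "pre-up" && $3 == "link" && $4 == "add" && $7 == "vrf" { vrf[cur] = id($9); next }
    # "pre-up ip link set $IFACE master NAME" enslaves the interface to a VRF
    $1 == "pre-up" && $3 == "link" && $4 == "set" && $6 == "master" { master[cur] = $7; next }
    # "up ip route add ... [table T] ...": record the table each route lands in
    $1 == "up" && $3 == "route" && $4 == "add" {
        t = "main"
        for (i = 5; i < NF; i++) if ($i == "table") t = $(i + 1)
        routes[cur] = routes[cur] " " id(t)
    }
    END {
        for (ifc in master) {
            v = master[ifc]
            if (!(v in vrf)) { printf "%s: master %s is not a VRF in this file\n", ifc, v; bad = 1; continue }
            n = split(routes[ifc], tbl, " ")
            for (j = 1; j <= n; j++) if (tbl[j] != vrf[v]) {
                printf "%s: route table %s but VRF %s uses table %s\n", ifc, tbl[j], v, vrf[v]; bad = 1
            }
        }
        exit bad
    }' "$2" "$1"
}
# Constructed sample (not a real host): eth0 is consistent, eth1 forgot "table 42",
# so its default route lands in main, where lookups for the VRF never see it.
vrf_lint_demo() {
    d=$(mktemp -d) || return 2
    printf '42 mgmt\n43 int\n' > "$d/vrf.conf"
    cat > "$d/interfaces" <<'EOF'
auto vrf-mgmt
iface vrf-mgmt inet manual
    pre-up ip link add $IFACE type vrf table 42
iface eth0 inet static
    pre-up ip link set $IFACE master vrf-mgmt
    up ip route add default table mgmt via 1.2.3.1
iface eth1 inet static
    pre-up ip link set $IFACE master vrf-mgmt
    up ip route add default via 10.0.0.1
EOF
    vrf_lint "$d/interfaces" "$d/vrf.conf" && rc=0 || rc=$?
    rm -rf "$d"; return "$rc"
}
```

Run `vrf_lint /etc/network/interfaces /etc/iproute2/rt_tables.d/vrf.conf` on a host; it exits 1 and prints one line per problem, or exits 0 silently.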
Running network clients in a specific VRF
For ping, it is as simple as specifying a local interface that is already bound to a specific VRF.
Example:

# ping -I eth0 <ip to ping>
For other processes, such as apk, use the ip vrf exec command:

# ip vrf exec vrf-mgmt apk update