Difference between revisions of "VRF"

From Alpine Linux
(fix vrf-mgmt still in state down and switch to $IFACE)
(fix route, gateway can not be used as the route ends up in the wrong table)
Line 23: Line 23:
 
     address 1.2.3.4
 
     address 1.2.3.4
 
     netmask 255.255.255.0
 
     netmask 255.255.255.0
    gateway 1.2.3.1
 
 
     pre-up ip link set $IFACE master vrf-mgmt
 
     pre-up ip link set $IFACE master vrf-mgmt
 +
    up ip route add default table 42 via 1.2.3.1
 
</pre>
 
</pre>
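Review bot: the added `up ip route add default table 42 via 1.2.3.1` line repeats the table number 42 as a bare literal, so the default route lands in the wrong table again if the table id assigned to vrf-mgmt is ever changed. Consider `up ip route add default via 1.2.3.1 vrf vrf-mgmt`, which takes the table from the VRF device already named in the `pre-up` line, or add a comment stating that 42 must match the VRF definition.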
  

Revision as of 13:33, 6 November 2020

VRF, or Virtual Routing and Forwarding (or perhaps Virtual Routing Functions), provides virtualization of the routing table. VRFs are useful for isolating services and entire networks from each other while avoiding the complexity of network namespaces.

Prerequisites

To make use of VRFs, you will need `iproute2` installed and a kernel that is capable of using eBPF. Kernels 5.4.19-r1 and later are capable of using eBPF.

VRF creation

The easiest way to define VRFs is to add them to /etc/network/interfaces:

auto vrf-mgmt
iface vrf-mgmt inet manual
    pre-up ip link add $IFACE type vrf table 42
    up ip link set dev $IFACE up

You can then associate specific interfaces with VRFs using pre-up commands:

auto eth0
iface eth0 inet static
    address 1.2.3.4
    netmask 255.255.255.0
    pre-up ip link set $IFACE master vrf-mgmt
    up ip route add default table 42 via 1.2.3.1
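
A lint for the two stanzas above, as an added example (not part of the wiki page or of Alpine's tooling): it flags an interface enslaved to a VRF that still uses `gateway`, or whose default route does not name the VRF's table. The names `parse_stanzas`, `lint_vrf` and `BEFORE_FIX` are hypothetical, and the parser handles only the `iface` syntax shown here.

```python
import re

# Constructed input: the eth0 stanza as it read before the fix (still using `gateway`).
BEFORE_FIX = """\
iface vrf-mgmt inet manual
    pre-up ip link add $IFACE type vrf table 42
iface eth0 inet static
    gateway 1.2.3.1
    pre-up ip link set $IFACE master vrf-mgmt
"""

def parse_stanzas(text):
    """Map each iface name to its option lines, with $IFACE expanded."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("iface "):
            current = line.split()[1]
            stanzas[current] = []
        elif line and current and not line.startswith("auto "):
            stanzas[current].append(line.replace("$IFACE", current))
    return stanzas

def lint_vrf(text):
    """Report VRF member interfaces whose default route would miss the VRF table."""
    stanzas = parse_stanzas(text)
    vrf_table = {}  # VRF device name -> routing table id
    for opt in (o for opts in stanzas.values() for o in opts):
        if m := re.search(r"ip link add (\S+) type vrf table (\d+)", opt):
            vrf_table[m.group(1)] = m.group(2)
    findings = []
    for name, opts in stanzas.items():
        joined = "\n".join(opts)
        m = re.search(r"ip link set (?:dev )?\S+ master (\S+)", joined)
        if not m:
            continue  # interface is not enslaved to anything
        master, table = m.group(1), vrf_table.get(m.group(1))
        if table is None:
            findings.append(f"{name}: master {master} is not a VRF defined in this file")
            continue
        if re.search(r"^gateway\s", joined, re.M):
            findings.append(f"{name}: gateway route would not land in table {table}")
        want = rf"ip route add default\b.*\b(table {table}|vrf {re.escape(master)})\b"
        if not re.search(want, joined):
            findings.append(f"{name}: no default route for table {table}")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_vrf(BEFORE_FIX)))
```
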

VRF-based Service Isolation

Services can be isolated to specific VRFs when running OpenRC 0.42.1-r4 or newer. In most cases, you can isolate a service by setting the $vrf variable in its /etc/conf.d file.

For example, with sshd:

# echo 'vrf="vrf-mgmt"' >> /etc/conf.d/sshd
# rc-service sshd restart