Lines Matching +full:group +full:- +full:default
1 .. SPDX-License-Identifier: GPL-2.0
11 routing and forwarding domains (aka VRFs, VRF-lite to be specific) in the
12 Linux network stack. One use case is the multi-tenancy problem where each
14 different default gateways.
30 ------
34 +-----------------------------+
35 | vrf-blue | ===> route table 10
36 +-----------------------------+
38 +------+ +------+ +-------------+
40 +------+ +------+ +-------------+
42 +------+ +------+
44 +------+ +------+
59 .. [2] Iptables on ingress supports PREROUTING with skb->dev set to the real
60 ingress device and both INPUT and PREROUTING rules with skb->dev set to
65 -----
69 ip link add vrf-blue type vrf table 10
70 ip link set dev vrf-blue up
75 default preference of 1000. Users may delete the rule if desired and add
76 with a different priority or install per-VRF rules.
80 ip ru add oif vrf-blue table 10
81 ip ru add iif vrf-blue table 10
83 3. Set the default route for the table (and hence default route for the VRF)::
85 ip route add table 10 unreachable default metric 4278198272
87 This high metric value ensures that the default unreachable route can
94 ip link set dev eth1 master vrf-blue
104 sysctl -w net.ipv6.conf.all.keep_addr_on_down=1
112 ------------
120 By default the scope of the port bindings for unbound sockets is
121 limited to the default VRF. That is, it will not be matched by packets
125 TCP & UDP services running in the default VRF context (i.e., not bound
129 sysctl -w net.ipv4.tcp_l3mdev_accept=1
130 sysctl -w net.ipv4.udp_l3mdev_accept=1
132 These options are disabled by default so that a socket in a VRF is only
134 sockets, which is enabled by default for reasons of backwards compatibility.
140 default VRF are only handled by a socket not bound to any VRF::
142 sysctl -w net.ipv4.raw_l3mdev_accept=0
145 running in the default VRF context as well.
147 Using VRF-aware applications (applications which simultaneously create sockets
160 --------------------------------------------------------------------------------
165 section lists both commands where appropriate -- with the vrf keyword and the
182 $ ip [-d] link show type vrf
183 NOTE: The -d option is needed to show the table id
187 $ ip -d link show type vrf
188 … <NOARP,MASTER,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
191 … <NOARP,MASTER,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
194 … <NOARP,MASTER,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
197 … <NOARP,MASTER,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
204 $ ip -br link show type vrf
237 …AST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master red state UP mode DEFAULT group default qlen 1000
239 …AST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master red state UP mode DEFAULT group default qlen 1000
241 …BROADCAST,MULTICAST> mtu 1500 qdisc noop master red state DOWN mode DEFAULT group default qlen 1000
247 $ ip -br link show vrf red
258 $ ip [-6] neigh show vrf NAME
259 $ ip [-6] neigh show master NAME
267 $ ip -6 neigh show vrf red
282 …ADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master red state UP group default qlen 1000
290 …ADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master red state UP group default qlen 1000
298 7: eth5: <BROADCAST,MULTICAST> mtu 1500 qdisc noop master red state DOWN group default qlen 1000
303 $ ip -br addr show vrf red
314 $ ip [-6] route show vrf NAME
315 $ ip [-6] route show table ID
320 unreachable default metric 4278198272
330 $ ip -6 route show vrf red
346 unreachable default dev lo metric 4278198272 error -101 pref medium
352 $ ip [-6] route get vrf NAME ADDRESS
353 $ ip [-6] route get oif NAME ADDRESS
361 $ ip -6 route get 2002:1::32 vrf red
372 Connected routes are moved back to the default table and local entries are
379 --------------------------------------------------------------------------------
399 ip route add table ${TBID} unreachable default metric 4278198272