From: Alexandre Bruyelles Date: Thu, 8 Apr 2021 08:45:13 +0000 (+0200) Subject: zones: evpn: add a default unreachable, to prevent vrf leak X-Git-Url: https://git.puffer.fish/?a=commitdiff_plain;h=d9ee954447c0ea7ab99f68e42d5281282a38c588;p=matthieu%2Fpve-network.git zones: evpn: add a default unreachable, to prevent vrf leak On Linux, when no route is found in a vrf, it somehow fallback to the default routing table. In our case, that means a leak from the overlay to the underlay. Adding a low priority unreachable catch-all route is the way to go, as per the doc: https://www.kernel.org/doc/Documentation/networking/vrf.txt Signed-off-by: Alexandre Bruyelles --- diff --git a/PVE/Network/SDN/Zones/EvpnPlugin.pm b/PVE/Network/SDN/Zones/EvpnPlugin.pm index e6ee839..ca000cf 100644 --- a/PVE/Network/SDN/Zones/EvpnPlugin.pm +++ b/PVE/Network/SDN/Zones/EvpnPlugin.pm @@ -134,6 +134,7 @@ sub generate_sdn_config { #vrf interface @iface_config = (); push @iface_config, "vrf-table auto"; + push @iface_config, "post-up ip route add vrf $vrf_iface unreachable default metric 4278198272"; push(@{$config->{$vrf_iface}}, @iface_config) if !$config->{$vrf_iface}; if ($vrfvxlan) {
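Review bot: The new `post-up` line in the `@@ -134,6 +134,7 @@` hunk only covers IPv4; `ip route add vrf $vrf_iface unreachable default metric 4278198272` installs a v4 catch-all, so IPv6 lookups in the VRF can still fall through to the default table, which is the leak the commit message describes. Consider adding the matching `post-up ip -6 route add vrf $vrf_iface unreachable default metric 4278198272` next to it. Also, `ip route add` is not idempotent: if the VRF interface is brought up again while the route is still present, the command fails with "File exists" and ifupdown reports the interface as failed. `ip route replace` (or a paired `post-down ip route del ...`) avoids that. The metric value matches the one given in the vrf.txt document the commit message links to, so a short comment above the `push` citing that would help future readers understand the magic number.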