From d9ee954447c0ea7ab99f68e42d5281282a38c588 Mon Sep 17 00:00:00 2001
From: Alexandre Bruyelles
Date: Thu, 8 Apr 2021 10:45:13 +0200
Subject: [PATCH] zones: evpn: add a default unreachable, to prevent vrf leak

On Linux, when no route is found in a vrf, it somehow fallback to the default routing table. In our case, that means a leak from the overlay to the underlay.

Adding a low priority unreachable catch-all route is the way to go, as per the doc:
https://www.kernel.org/doc/Documentation/networking/vrf.txt

Signed-off-by: Alexandre Bruyelles
---
 PVE/Network/SDN/Zones/EvpnPlugin.pm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/PVE/Network/SDN/Zones/EvpnPlugin.pm b/PVE/Network/SDN/Zones/EvpnPlugin.pm
index e6ee839..ca000cf 100644
--- a/PVE/Network/SDN/Zones/EvpnPlugin.pm
+++ b/PVE/Network/SDN/Zones/EvpnPlugin.pm
@@ -134,6 +134,7 @@ sub generate_sdn_config {
 #vrf interface
 @iface_config = ();
 push @iface_config, "vrf-table auto";
+push @iface_config, "post-up ip route add vrf $vrf_iface unreachable default metric 4278198272";
 push(@{$config->{$vrf_iface}}, @iface_config) if !$config->{$vrf_iface};
 
 if ($vrfvxlan) {
-- 
2.39.5
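Review bot: The added post-up line only installs an IPv4 catch-all, so if the zone carries IPv6 prefixes, v6 lookups that miss in the VRF table still fall through to the main table and the overlay-to-underlay leak this commit sets out to close remains for that traffic; the kernel's vrf.txt that the message cites gives both the `ip route` and `ip -6 route` forms. Add the companion line `push @iface_config, "post-up ip -6 route add vrf $vrf_iface unreachable default metric 4278198272";` directly after the new one. Using `ip route replace` instead of `add` would also make the command idempotent, since re-running post-up while the route already exists fails with EEXIST and may abort the interface bring-up — presumably relevant on ifreload, verify against ifupdown2's behaviour. A short comment above the two lines explaining the magic number would help the next reader, e.g. `# 4278198272 (0xFF000000) is the lowest-priority metric: any real route wins, but a miss no longer falls through to the default table (see Documentation/networking/vrf.txt)`. generate_sdn_config starts and ends outside the hunk.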