VRF SSH problem


Hi, I am testing VRF on Ubuntu and I have a problem. I created a VRF, but the ssh client and telnet are not working. Where is the problem? Any idea? Thanks.

[~]$ ip -V
ip utility, iproute2-ss151103
[~]$ uname -a
Linux master 4.4.0-22-generic #40-Ubuntu SMP Thu May 12 22:03:46 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
[~]$
[~]$ ip link show type vrf
12: test10: mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 9e:64:a7:19:32:ad brd ff:ff:ff:ff:ff:ff
[~]$ ip link show master test10
5: vboxnet0: mtu 1500 qdisc pfifo_fast master test10 state DOWN mode DEFAULT group default qlen 1000
    link/ether 0a:00:27:00:00:00 brd ff:ff:ff:ff:ff:ff
6: vboxnet1: mtu 1500 qdisc pfifo_fast master test10 state UP mode DEFAULT group default qlen 1000
    link/ether 0a:00:27:00:00:01 brd ff:ff:ff:ff:ff:ff
7: tun0: mtu 1500 qdisc pfifo_fast master test10 state UNKNOWN mode DEFAULT group default qlen 100
    link/none
[~]$ ip addr show master test10
5: vboxnet0: mtu 1500 qdisc pfifo_fast master test10 state DOWN group default qlen 1000
    link/ether 0a:00:27:00:00:00 brd ff:ff:ff:ff:ff:ff
    inet 169.254.1.2/16 brd 169.254.255.255 scope global vboxnet0
       valid_lft forever preferred_lft forever
    inet6 fe80::800:27ff:fe00:0/64 scope link
       valid_lft forever preferred_lft forever
6: vboxnet1: mtu 1500 qdisc pfifo_fast master test10 state UP group default qlen 1000
    link/ether 0a:00:27:00:00:01 brd ff:ff:ff:ff:ff:ff
    inet 10.1.1.10/24 brd 10.1.1.255 scope global vboxnet1
       valid_lft forever preferred_lft forever
    inet6 fe80::800:27ff:fe00:1/64 scope link
       valid_lft forever preferred_lft forever
7: tun0: mtu 1500 qdisc pfifo_fast master test10 state UNKNOWN group default qlen 100
    link/none
    inet 10.8.3.3/24 brd 10.8.3.255 scope global tun0
       valid_lft forever preferred_lft forever
[~]$ ping -I test10 10.1.1.100
ping: Warning: source address might be selected on device other than test10.
PING 10.1.1.100 (10.1.1.100) from 10.1.1.10 test10: 56(84) bytes of data.
64 bytes from 10.1.1.100: icmp_seq=1 ttl=64 time=0.249 ms
64 bytes from 10.1.1.100: icmp_seq=2 ttl=64 time=0.235 ms
64 bytes from 10.1.1.100: icmp_seq=3 ttl=64 time=0.221 ms
64 bytes from 10.1.1.100: icmp_seq=4 ttl=64 time=0.245 ms
^C
--- 10.1.1.100 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3000ms
rtt min/avg/max/mdev = 0.221/0.237/0.249/0.018 ms
[~]$ ssh -b 10.1.1.10 10.1.1.100
bind: 10.1.1.10: Cannot assign requested address
ssh: connect to host 10.1.1.100 port 22: Cannot assign requested address
[~]$

6 replies

Userlevel 5
So this is an untested use case. What are you attempting to accomplish with this setup and perhaps I can point the correct person to this?
I'm just testing. I did not have access to a server via SSH in the VRF region.
The integration can be done with a lot of services or servers (NTP, DNS, RADIUS, LDAP, etc.).
One of these services cannot be accessed at all.
Maybe that assessment of VRF-lite is wrong, but it is seen as such a need.
Maybe this can be solved with kernel namespaces. Is it possible to make such a setting?
Sorry for my English. 😞
Userlevel 1
'ssh -b' binds to an address, but with VRFs, addresses are relative to a VRF context. The OpenSSH suite does not support bind-to-device (bind to VRF is needed), so client mode currently does not work with VRFs. I have proposed a cgroup patch to handle this use case, but it has not been accepted upstream yet. SSH into the node via a VRF should work if 'net.ipv4.tcp_l3mdev_accept' is set to 1.

OK, I understood. Is the 'net.ipv4.tcp_l3mdev_accept' parameter in kernel 4.4.x? Is this function in a newer version? I tested it, but it failed.

[vrf]$ grep CONFIG_NET_L3_MASTER_DEV /boot/config-4.4.0-22-generic
CONFIG_NET_L3_MASTER_DEV=y
[vrf]$ sysctl -w net.ipv4.tcp_l3mdev_accept=1
sysctl: cannot stat /proc/sys/net/ipv4/tcp_l3mdev_accept: No such file or directory
Userlevel 1
You are right. I added that option in v4.5, not v4.4. The VRF feature is new to the Linux kernel, starting with v4.3 (basic routing support for IPv4). Each kernel version since has gained important capabilities; v4.4 has basic routing support for IPv6.
Thanks, David Ahern. I will test when I have compiled kernel 4.5. I will share the result in this post.
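As an added example covering the two points made in the replies above (the client-side bind problem, and the sysctl that only exists from v4.5), not code from the thread, the kernel or iproute2: a POSIX shell checklist that gates each expectation on the running kernel instead of guessing. It assumes the VRF is named test10 as in the thread, the function names are mine, and it relies on one fact that post-dates the thread: the cgroup-based approach David Ahern mentions shipped as 'ip vrf exec' in kernel v4.10 (CONFIG_CGROUP_BPF) and iproute2 v4.10, which is how an unmodified ssh client is run inside a VRF today.

```shell
#!/bin/sh
# Added example, not code from the thread. Version gates used here:
#   VRF routing (CONFIG_NET_L3_MASTER_DEV)  : v4.3 (IPv4), v4.4 (IPv6)
#   net.ipv4.tcp_l3mdev_accept              : v4.5
#   'ip vrf exec' (cgroup/BPF socket hook)  : kernel v4.10 + iproute2 v4.10
# The VRF name "test10" is the thread's; the helper names are mine.

# version_ge "<uname -r output>" MAJOR MINOR -> true if release >= MAJOR.MINOR
# Only the leading "X.Y" is compared, so "4.4.0-22-generic" counts as 4.4.
version_ge() {
    rel=$1; want_major=$2; want_minor=$3
    have_major=${rel%%.*}
    case $rel in
        *.*) rest=${rel#*.}; have_minor=${rest%%[!0-9]*} ;;
        *)   have_minor=0 ;;
    esac
    have_minor=${have_minor:-0}
    case $have_major in ''|*[!0-9]*) return 1 ;; esac   # unparsable release string
    if [ "$have_major" -gt "$want_major" ]; then return 0; fi
    if [ "$have_major" -eq "$want_major" ] && [ "$have_minor" -ge "$want_minor" ]; then
        return 0
    fi
    return 1
}

# l3mdev_accept_state -> prints the sysctl value, or "missing" when the kernel
# predates it (the "cannot stat ... No such file or directory" seen on 4.4.0-22).
l3mdev_accept_state() {
    f=/proc/sys/net/ipv4/tcp_l3mdev_accept
    if [ -r "$f" ]; then cat "$f"; else echo missing; fi
}

# vrf_checklist VRF -> prints what is and is not expected to work on this host.
vrf_checklist() {
    vrf=$1
    krel=$(uname -r)
    echo "kernel: $krel"
    # A VRF device owns a routing table; traffic on its enslaved interfaces
    # (vboxnet1 and tun0 in the thread) is looked up in that table.
    ip -d link show dev "$vrf" 2>/dev/null | grep -o 'vrf table [0-9]*' \
        || echo "$vrf: not a VRF device on this host (or iproute2 too old to show VRF details)"
    if version_ge "$krel" 4 5; then
        echo "inbound ssh via $vrf: tcp_l3mdev_accept=$(l3mdev_accept_state) (set it to 1 so a default-VRF sshd accepts connections arriving through the VRF)"
    else
        echo "inbound ssh via $vrf: needs net.ipv4.tcp_l3mdev_accept, which exists only from v4.5"
    fi
    if version_ge "$krel" 4 10; then
        echo "outbound ssh from $vrf: use 'ip vrf exec $vrf ssh ...' (root, CONFIG_CGROUP_BPF, iproute2 >= 4.10)"
    else
        echo "outbound ssh from $vrf: 'ssh -b ADDR' cannot work (it binds an address, not the device); 'ip vrf exec' needs v4.10+"
    fi
}

# vrf_ssh VRF [ssh args...] -> run the unmodified ssh client inside VRF.
vrf_ssh() {
    vrf=$1; shift
    if ! version_ge "$(uname -r)" 4 10; then
        echo "vrf_ssh: kernel $(uname -r) lacks cgroup/BPF VRF support (>= 4.10 needed)" >&2
        return 2
    fi
    if ! ip vrf exec "$vrf" true 2>/dev/null; then
        echo "vrf_ssh: 'ip vrf exec $vrf' failed: old iproute2, no such VRF, or not root" >&2
        return 2
    fi
    ip vrf exec "$vrf" ssh "$@"
}

# Usage: sh vrf-ssh-check.sh test10               (checklist only)
#        sh vrf-ssh-check.sh test10 10.1.1.100    (checklist, then ssh inside the VRF)
if [ "$#" -ge 1 ]; then
    vrf_checklist "$1"
    if [ "$#" -ge 2 ]; then v=$1; shift; vrf_ssh "$v" "$@"; fi
fi
```

The version gate is deliberately conservative: on the poster's 4.4.0-22 kernel it reports that both directions are unavailable rather than attempting a sysctl write that cannot succeed, and on 4.5 through 4.9 it enables the inbound check only.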
