Good catch. Thanks, Jack!
On Thursday, 08 April 2021 at 10:32 +0200, Alexandre Bruyelles wrote: > On Linux, when no route is found in a vrf, it somehow falls back > to the default routing table. In our case, that means a leak > from the overlay to the underlay. > Adding a low priority unreachable catch-all route is the way to go, > as > per the doc: > https://www.kernel.org/doc/Documentation/networking/vrf.txt > > Signed-off-by: Alexandre Bruyelles <g...@jack.fr.eu.org> > --- > PVE/Network/SDN/Zones/EvpnPlugin.pm | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/PVE/Network/SDN/Zones/EvpnPlugin.pm > b/PVE/Network/SDN/Zones/EvpnPlugin.pm > index e6ee839..ca000cf 100644 > --- a/PVE/Network/SDN/Zones/EvpnPlugin.pm > +++ b/PVE/Network/SDN/Zones/EvpnPlugin.pm > @@ -134,6 +134,7 @@ sub generate_sdn_config { > #vrf interface > @iface_config = (); > push @iface_config, "vrf-table auto"; > + push @iface_config, "post-up ip route add vrf $vrf_iface > unreachable default metric 4278198272"; > push(@{$config->{$vrf_iface}}, @iface_config) if !$config- > >{$vrf_iface}; > > if ($vrfvxlan) { _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
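Review bot: the added post-up line in generate_sdn_config installs only an IPv4 catch-all, because `ip route add vrf $vrf_iface unreachable default ...` without `-6` does not touch the IPv6 table, so IPv6 traffic with no matching route in the VRF can still fall through to the default table and leak from the overlay to the underlay. Consider pushing a second entry next to it, `post-up ip -6 route add vrf $vrf_iface unreachable default metric 4278198272`. A short code comment saying that the 4278198272 metric is the low-priority value taken from the kernel vrf.txt linked in the commit message would also keep the constant from looking arbitrary.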