[Bug 2784] Add native support for routing domains / VRF

[bugzilla-daemon]

https://bugzilla.mindrot.org/show_bug.cgi?id=2784

Celeste Liu  changed:

   What|Removed |Added

 CC||coelacanthus...@gmail.com

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs

[Bug 2784] Add native support for routing domains / VRF

[bugzilla-daemon]

https://bugzilla.mindrot.org/show_bug.cgi?id=2784

Ben Greear  changed:

   What|Removed |Added

 CC||gree...@candelatech.com

--- Comment #39 from Ben Greear  ---
It would be nice to have this feature added.  There is no way to tunnel
across VRF since vrf exec would bind to a single vrf.

I'm hoping for this to work:

ssh -L :172.16.0.2:22:vrf-blue  192.168.1.1

In other words, on 192.168.1.1, there is a virtual router vrf-blue that
holds the 172.16.0.0/24 network, and I want to tunnel onto that network
from a non-vrf port (192.168.1.1).

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs

[Bug 2784] Add native support for routing domains / VRF

[bugzilla-daemon]

https://bugzilla.mindrot.org/show_bug.cgi?id=2784

--- Comment #38 from Luca Boccassi  ---
>  once cgroups v2 is stable and full-featured.

I admire your optimism! :-D

Yes I agree that it's a bit invasive as there are multiple sockets and
features to account for, and for the normal use case ip exec will
suffice when cgoups2 is complete (hope to see that before I retire :-P
).

There are other corner cases where, unless I'm mistaken, I think that
won't be enough though - for example, doing forwarding over a vrf and
connecting via another, eg:

ssh -r vrf-blue -L 192.168.122.1:9001:localhost:6 192.168.122.1

or

ssh -L 192.168.122.1:9001:vrf-blue:localhost:6 192.168.122.1

Since ip exec is an "all or nothing" deal (I'm not sure if there is a
BSD equivalent). Do you know of a way to achieve the same functionality
without changing the client?

Now strictly speaking I don't need these cases at $work so I'm not too
fussed about it, but some other users might want that at some point so
I thought it would be worth at least mentioning.

Thanks!

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs

[Bug 2784] Add native support for routing domains / VRF

[bugzilla-daemon]

https://bugzilla.mindrot.org/show_bug.cgi?id=2784

--- Comment #37 from Damien Miller  ---
Hi Luca, IMO those client-side patches are a bit too intrusive given
that "ip vrf exec" will make them unnecessary in the future once
cgroups v2 is stable and full-featured.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs

[Bug 2784] Add native support for routing domains / VRF

[bugzilla-daemon]

https://bugzilla.mindrot.org/show_bug.cgi?id=2784

--- Comment #36 from Luca Boccassi  ---
Hi Damien - did you have any chance to have a look at the client
patches?
Thanks!

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs

[Bug 2784] Add native support for routing domains / VRF

[bugzilla-daemon]

https://bugzilla.mindrot.org/show_bug.cgi?id=2784

--- Comment #35 from Luca Boccassi  ---
Hi Damien,

First of all, thank you very much for taking care of the sshd support
upstream. I've tested it on Linux, and I can confirm it works
perfectly.

And thanks for the feedback as well - it's true that I didn't touch the
other sockets. I've now attached 3 proposed patches for the ssh client,
that add support for the forwarding sockets as well.

Among other things, this allows for example to listen for traffic on RD
foo and forward it on RD bar.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs

[Bug 2784] Add native support for routing domains / VRF

[bugzilla-daemon]

https://bugzilla.mindrot.org/show_bug.cgi?id=2784

--- Comment #34 from Luca Boccassi  ---
Created attachment 3082
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3082=edit
rdomain support for ssh client remote-forward socket

Add support for connecting to the local application port SSH is
forwarding traffic to via a Routing Domain. Like for the LocalForward,
a 5th parameter is added to the tuple.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs

[Bug 2784] Add native support for routing domains / VRF

[bugzilla-daemon]

https://bugzilla.mindrot.org/show_bug.cgi?id=2784

--- Comment #33 from Luca Boccassi  ---
Created attachment 3081
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3081=edit
rdomain support for ssh client local-forward sockets

Add support for binding the local forwarding socket to a routing
domain.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs

[Bug 2784] Add native support for routing domains / VRF

[bugzilla-daemon]

https://bugzilla.mindrot.org/show_bug.cgi?id=2784

Luca Boccassi  changed:

   What|Removed |Added

   Attachment #3078|0   |1
is obsolete||
   Attachment #3079|0   |1
is obsolete||

--- Comment #32 from Luca Boccassi  ---
Created attachment 3080
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3080=edit
rdomain support for ssh client connect socket

This new patch builds on top of the changes recently committed in
master, to add RDomain support to the ssh client connecting socket
(forwarding sockets are dealt with in the following patches).

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs

[Bug 2784] Add native support for routing domains / VRF

[bugzilla-daemon]

https://bugzilla.mindrot.org/show_bug.cgi?id=2784

--- Comment #31 from Damien Miller  ---
That looks more fiddly than I have time for this week, so I've added a
minimal valid_rdomain() implemention that just tries to SO_BINDTOADDR
the supplied name. This will likely accept some non-VRF interface
names, but will do as a first approximation until someone writes the
rtnetlink glue to do it properly.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs

[Bug 2784] Add native support for routing domains / VRF

[bugzilla-daemon]

https://bugzilla.mindrot.org/show_bug.cgi?id=2784

--- Comment #30 from David Ahern  ---
I believe the only way to verify the device kind is an rtnetlink
message, RTM_GETLINK. In the response look for the IFLA_INFO_KIND
attribute.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs

[Bug 2784] Add native support for routing domains / VRF

[bugzilla-daemon]

https://bugzilla.mindrot.org/show_bug.cgi?id=2784

--- Comment #29 from Damien Miller  ---
the get/set_rdomain functions seem pretty easy to write, they are just
SO_BINDTODEVICE, but I'm not sure how to write valid_rdomain() - is
there an easy way to determine whether an interface name exists and
represents a VRF under Linux?

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs

[Bug 2784] Add native support for routing domains / VRF

[bugzilla-daemon]

https://bugzilla.mindrot.org/show_bug.cgi?id=2784

--- Comment #28 from Damien Miller  ---
I'm reluctant to add rdomain support to the client because, to do it
properly, it involves touching every socket() call that it makes. Your
patch just binds the connection socket, but all subsequent forwarding
sockets will be in the default vrf.

BTW, the upstream patches are committed and I've placed stubs in
openbsd-compat/port-net.[ch] for the functions that need replacing.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs

[Bug 2784] Add native support for routing domains / VRF

[bugzilla-daemon]

https://bugzilla.mindrot.org/show_bug.cgi?id=2784

--- Comment #27 from Luca Boccassi  ---
On Linux "ip vrf exec" unfortunately requires using cgroups V2 on the
system, which as of today latest RC candidates is still missing
important features, so not everyone can use it.

For example it does not implement a CPU controller, which is necessary
to effectively partition the CPUs on a system.
This is a real use case we have in production with the Vyatta vRouter
at AT - unfortunately we cannot use cgroups v2 and thus we cannot use
"ip vrf exec". Like our case, there will be many more out there.

Another example are the Long Term Support kernels like 4.4 that are
going to be maintained for 6 years - they either lack the command
altogether or cgroups v2 is even more limited.

For these reasons IMHO it would be worth to add client-side support in
openssh-portable for the Linux case. I'm happy to rework the 2 patches
and test them again if you like.

Thanks!

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs

[Bug 2784] Add native support for routing domains / VRF

[bugzilla-daemon]

https://bugzilla.mindrot.org/show_bug.cgi?id=2784

--- Comment #26 from Damien Miller  ---
I don't think there is any need for rdomain support in the client.
"route exec" exists on OpenBSD and "ip vrf exec" on Linux that achieve
exactly the same result. We actually had similar support in ssh
previously and removed it for this reason.

Rdomain/VRF support in the server is different, because there we are
adding capabilities that can't be replicated using other tools
(listening in arbitrary domains, placing user sessions in a domain,
using domain on which a connection was received as a Match criteria)

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs

[Bug 2784] Add native support for routing domains / VRF

[bugzilla-daemon]

https://bugzilla.mindrot.org/show_bug.cgi?id=2784

--- Comment #25 from Luca Boccassi  ---
Thanks Damien.

I've added support for RD and VRF to the ssh client as well in 2
separate patches, tested on Linux, in case it can be useful.

w.r.t. the support for forking processes IMHO it can wait a bit and
doesn't need to block the rest as long as what works is well documented
- as far as I know the main use cases we need for our customers are
covered by support for the listen socket in sshd and the connecting
socket in ssh. I imagine the same is true for David at Cumulus.

Thanks!

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs

[Bug 2784] Add native support for routing domains / VRF

[bugzilla-daemon]

https://bugzilla.mindrot.org/show_bug.cgi?id=2784

--- Comment #24 from Luca Boccassi  ---
Created attachment 3079
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3079=edit
linux vrf support for ssh client

This patch builds on top of the changes to support routing domain in
the ssh client, and adds the required ifdef'd branches to apply the
same config file/command line option as a Linux vrf.
Tested with Linux/iproute2 4.9.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs

[Bug 2784] Add native support for routing domains / VRF

[bugzilla-daemon]

https://bugzilla.mindrot.org/show_bug.cgi?id=2784

--- Comment #23 from Luca Boccassi  ---
Created attachment 3078
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3078=edit
rdomain support for ssh client

This patch applies similar changes to the ssh client as the previous
patches to sshd, and adds support for BSD routing domain via a RDomain
ssh_config option and a new -r command line option. The changes are
documented in the respective manpages.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs

[Bug 2784] Add native support for routing domains / VRF

[bugzilla-daemon]

https://bugzilla.mindrot.org/show_bug.cgi?id=2784

--- Comment #22 from David Ahern  ---
Damien: It is a supported interface. In fact someone else is looking at
adding the capability to systemd. My point is that 'ip vrf exec' and
process tree style control does not seem appropriate for sshd. If there
is a use case for it then it can be added. The key is a v2 cgroup and
applying a BPF filter. Also, you need a v4.10 and higher kernel.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs

[Bug 2784] Add native support for routing domains / VRF

[bugzilla-daemon]

https://bugzilla.mindrot.org/show_bug.cgi?id=2784

--- Comment #21 from Damien Miller  ---
The patches are against OpenBSD. Once I've got them committed upstream
I was planning on starting implementing the Linux bits - probably by
extending openbsd-compat/port-tun.[ch] to contain VRF stuff too and
renaming it it to port-net.[ch] in the process.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs

[Bug 2784] Add native support for routing domains / VRF

[bugzilla-daemon]

https://bugzilla.mindrot.org/show_bug.cgi?id=2784

--- Comment #20 from Luca Boccassi  ---
Hi Damien,

On what git tree are the 3 patches to be applied on? git am fails on
the current openssh-portable master branch, and on the latest tag as
well.
I wanted to add the Linux-specific bits and test them.

Thanks!

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs

[Bug 2784] Add native support for routing domains / VRF

[bugzilla-daemon]

https://bugzilla.mindrot.org/show_bug.cgi?id=2784

--- Comment #19 from Damien Miller  ---
Are you saying that it's an unsupported interface or that we should
otherwise avoid using it?

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs

[Bug 2784] Add native support for routing domains / VRF

[bugzilla-daemon]

https://bugzilla.mindrot.org/show_bug.cgi?id=2784

--- Comment #18 from David Ahern  ---
Ok, I see. I wrote 'ip vrf exec' and its kernel side implementation
using cgroups for case 2. This is not something we intended to be done
from sshd.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs

[Bug 2784] Add native support for routing domains / VRF

[bugzilla-daemon]

https://bugzilla.mindrot.org/show_bug.cgi?id=2784

--- Comment #17 from Damien Miller  ---
Right now there are no use cases, these patches add them for the first
time.

The functionality in question here is:

1. Being able to tell sshd to listen in an explicit rdomain/VRF. This
is the first patch, implementing

ListenAddress addr[:port] [rdomain domain]

This seems like SO_BINDTODEVICE will work fine.

2. Being able to set the rdomain/VRF for sshd, so the user session as
well as any sockets created for forwardings end up in an rdomain. This
is the second patch, implementing

RDomain domain

I can't see how SO_BINDTODEVICE will work here, because it won't affect
sshd's child processes (e.g. the user's shell).

OpenBSD provides a setrtable(2) syscall to do this that has sensible
semantics: https://man.openbsd.org/setrtable.2

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs

[Bug 2784] Add native support for routing domains / VRF

[bugzilla-daemon]

https://bugzilla.mindrot.org/show_bug.cgi?id=2784

--- Comment #16 from David Ahern  ---
I am thinking about this in terms of sshd and a listen socket bound to
a VRF or an ssh client opening a socket contained in a VRF. I am not
familiar with openssh and process tree use cases.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs

[Bug 2784] Add native support for routing domains / VRF

[bugzilla-daemon]

https://bugzilla.mindrot.org/show_bug.cgi?id=2784

--- Comment #15 from Damien Miller  ---
I think one of us is misunderstanding; how does one bind a process tree
to a VRF using SO_BINDTODEVICE? That's what the RDomain keyword does...

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs

[Bug 2784] Add native support for routing domains / VRF

[bugzilla-daemon]

https://bugzilla.mindrot.org/show_bug.cgi?id=2784

--- Comment #14 from David Ahern  ---
The API for Linux is SO_BINDTODEVICE. 'ip vrf exec' is a helper for
applications that do not natively support SO_BINDTODEVICE (or similar
APIs). The helper is not applicable for sshd; the intent is to support
the API directly. VRF support was added in v4.3, so any attempts to use
SO_BINDTODEVICE for VRF will be running a newer kernel.

Finally, should any code be needed from Linux I wrote both the Linux
kernel implementation and the vrf support in iproute2.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs

[Bug 2784] Add native support for routing domains / VRF

[bugzilla-daemon]

https://bugzilla.mindrot.org/show_bug.cgi?id=2784

--- Comment #13 from Damien Miller  ---
get/set_rdomain can be implemented on Linux using SO_BINDTODEVICE, but
note the caveat that applies to get_rdomain:

> Before Linux 3.8, this socket option could be set, but could not 
> retrieved with getsockopt(2). Since Linux 3.8, it is readable.

(from https://linux.die.net/man/7/socket)

Implementing set_process_rdomain() on Linux seems a little convoluted,
but "ip vrf exec" shows the procedure (NB. we can't copy the code
because of licensing)

https://git.kernel.org/pub/scm/linux/kernel/git/shemminger/iproute2.git/tree/ip/ipvrf.c?id=4b73d52f8a81919f511cd47d39251f74f6a37c7d#n353

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs

[Bug 2784] Add native support for routing domains / VRF

[bugzilla-daemon]

https://bugzilla.mindrot.org/show_bug.cgi?id=2784

Damien Miller  changed:

   What|Removed |Added

   Attachment #3072|0   |1
is obsolete||

--- Comment #12 from Damien Miller  ---
Created attachment 3077
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3077=edit
rdomain Match criteria

Revised rdomain sshd_config match criteria. With documentation

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs

[Bug 2784] Add native support for routing domains / VRF

[bugzilla-daemon]

https://bugzilla.mindrot.org/show_bug.cgi?id=2784

Damien Miller  changed:

   What|Removed |Added

   Attachment #3071|0   |1
is obsolete||

--- Comment #11 from Damien Miller  ---
Created attachment 3076
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3076=edit
add RDomain option

Revised RDomain (was RoutingDomain) option for sshd_config; with more
documentation

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs

[Bug 2784] Add native support for routing domains / VRF

[bugzilla-daemon]

https://bugzilla.mindrot.org/show_bug.cgi?id=2784

Damien Miller  changed:

   What|Removed |Added

   Attachment #3070|0   |1
is obsolete||

--- Comment #10 from Damien Miller  ---
Created attachment 3075
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3075=edit
ListenAddress rdomain qualifier

Revised ListenAddress rdomain qualifier, with fewer bugs and more
documentation.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs

[Bug 2784] Add native support for routing domains / VRF

[bugzilla-daemon]

https://bugzilla.mindrot.org/show_bug.cgi?id=2784

Damien Miller  changed:

   What|Removed |Added

Summary|Add native support routing  |Add native support for
   |domains / VRF   |routing domains / VRF

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs