
Bug#992811: marked as done (linux-image-5.10.0-8-amd64 routing is leaking from vrf)



Your message dated Thu, 20 Feb 2025 13:50:40 +0100 (CET)
with message-id <20250220125040.BEB71BE2EE7@eldamar.lan>
and subject line Closing this bug (BTS maintenance for src:linux bugs)
has caused the Debian Bug report #992811,
regarding linux-image-5.10.0-8-amd64 routing is leaking from vrf
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
992811: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992811
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: linux-image-5.10.0-8-amd64
Version: 5.10.46-4

I have a host device which is directly connected to a Debian router. On both sides there are interfaces named enp0s9.
The host device has a default route; the next hop is the router.

The router has three network interfaces:
enp0s3 - connected to WAN, no VRF (default)
enp0s9 - connected to end host, assigned to VRF vrf-routing
dummy0 - assigned to vrf-routing

When I ping from the end host to the dummy0 interface, everything works well.

The issue is when I ping, from the end host, a network which is not in the vrf-routing table on the router, for example 8.8.8.8. Then routing is leaked from the vrf-routing table and jumps to the default table. The packet is then routed to the WAN via the default table on the router.

root@host:~# ip -4 a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
4: enp0s9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    inet 192.168.10.2/24 brd 192.168.10.255 scope global enp0s9
       valid_lft forever preferred_lft forever
root@host:~# ip -4 r
default via 192.168.10.1 dev enp0s9
192.168.10.0/24 dev enp0s9 proto kernel scope link src 192.168.10.2
root@host:~# ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
4: enp0s9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 08:00:27:b1:8f:b6 brd ff:ff:ff:ff:ff:ff


root@router:~# ip -4 a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    inet 10.0.2.15/24 brd 10.0.2.255 scope global dynamic enp0s3
       valid_lft 85358sec preferred_lft 85358sec
4: enp0s9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vrf-routing state UP group default qlen 1000
    inet 192.168.10.1/24 brd 192.168.10.255 scope global enp0s9
       valid_lft forever preferred_lft forever
6: dummy0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue master vrf-routing state UNKNOWN group default qlen 1000
    inet 192.168.255.255/32 scope global dummy0
       valid_lft forever preferred_lft forever
root@router:~# ip -4 r
default via 10.0.2.2 dev enp0s3
10.0.2.0/24 dev enp0s3 proto kernel scope link src 10.0.2.15
root@router:~# ip vrf
Name              Table
-----------------------
vrf-routing         10

VRF routing works well:
root@host:~# ping 192.168.255.255
PING 192.168.255.255 (192.168.255.255) 56(84) bytes of data.
64 bytes from 192.168.255.255: icmp_seq=1 ttl=64 time=0.438 ms
64 bytes from 192.168.255.255: icmp_seq=2 ttl=64 time=0.537 ms
^C
--- 192.168.255.255 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1038ms
rtt min/avg/max/mdev = 0.438/0.487/0.537/0.049 ms

If I start a ping on the host to 8.8.8.8, then I see this packet leak from VRF vrf-routing and jump into the default routing table:
root@router:~# tcpdump  -i enp0s3
...
19:17:28.104547 IP 192.168.10.2 > dns.google: ICMP echo request, id 23874, seq 5, length 64
...
19:17:29.123176 IP 192.168.10.2 > dns.google: ICMP echo request, id 23874, seq 6, length 64
...

A hotfix for this issue is to add an unreachable route with the highest metric:
ip -4 route add vrf vrf-routing unreachable default metric 4278198272

Attachment: Untitled Diagram.png
Description: PNG image


--- End Message ---
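
An added example, not part of the bug report or of any Debian or kernel code: a check for the condition the report describes, a VRF table with no default entry, which the reporter's unreachable route closes by ending the lookup inside the VRF table. The function names (vrf_names, has_default, audit_live) and the two sample tables are assumptions constructed for illustration; only IPv4 is checked, as in the report.

```shell
#!/bin/sh
# Added example. Flags VRFs whose table has no terminating default route, so
# an unmatched lookup can continue past the VRF table to the main table.

# Read `ip vrf show` output on stdin; print one VRF name per line.
vrf_names() {
    awk 'NF == 2 && $2 ~ /^[0-9]+$/ { print $1 }'
}

# Read `ip -4 route show vrf NAME` output on stdin. Succeed if the table has a
# default route that ends the lookup there. "throw default" does not count:
# a throw route sends the lookup on to the next rule.
has_default() {
    awk '
        $1 == "default" { found = 1 }
        $2 == "default" &&
            ($1 == "unreachable" || $1 == "blackhole" || $1 == "prohibit") { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Constructed sample tables (not captured from the reporter's router).
sample_before() {
    echo '192.168.10.0/24 dev enp0s9 proto kernel scope link src 192.168.10.1'
}
sample_after() {
    sample_before
    echo 'unreachable default metric 4278198272'
}

# Audit the running system; needs iproute2 and at least one VRF.
audit_live() {
    rc=0
    for vrf in $(ip vrf show | vrf_names); do
        if ip -4 route show vrf "$vrf" | has_default; then
            echo "ok    $vrf"
        else
            echo "LEAK  $vrf: no default route in the VRF table"
            rc=1
        fi
    done
    return "$rc"
}

if [ "${1:-}" = live ]; then
    audit_live
else
    sample_before | has_default || echo "before hotfix: lookup can fall through"
    sample_after | has_default && echo "after hotfix: lookup ends in the VRF table"
fi
```

Run with the argument "live" on a router to audit its real VRFs; without it, the script only evaluates the two constructed tables.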
--- Begin Message ---
Hi

This bug was filed for a very old kernel or the bug is old itself
without resolution.

If you can reproduce it with

- the current version in unstable/testing
- the latest kernel from backports

please reopen the bug, see https://www.debian.org/Bugs/server-control
for details.

Regards,
Salvatore

--- End Message ---
