.TH IP\-VRF 8 "7 Dec 2016" "iproute2" "Linux"
.SH NAME
ip-vrf \- run a command against a vrf
.SH SYNOPSIS
.sp
.ad l
.in +8
.ti -8
.B ip
.B vrf
.RI " { " COMMAND " | "
.BR help " }"
.sp

.ti -8
.BR "ip vrf show"
.RI "[ " NAME " ]"

.ti -8
.BR "ip vrf identify"
.RI "[ " PID " ]"

.ti -8
.BR "ip vrf pids"
.I NAME

.ti -8
.BR "ip vrf exec "
.RI "[ " NAME " ] " command ...

.SH DESCRIPTION
A VRF provides traffic isolation at layer 3 for routing, similar to how a
VLAN is used to isolate traffic at layer 2. Fundamentally, a VRF is a separate
routing table. Network devices are associated with a VRF by enslaving the
device to the VRF. At that point network addresses assigned to the device are
local to the VRF with host and connected routes moved to the table associated
with the VRF.

A process can specify a VRF using several APIs -- binding the socket to the
VRF device using SO_BINDTODEVICE, setting the VRF association using
IP_UNICAST_IF or IPV6_UNICAST_IF, or specifying the VRF for a specific message
using IP_PKTINFO or IPV6_PKTINFO.

By default a process is not bound to any VRF. An association can be set
explicitly by making the program use one of the APIs mentioned above or
implicitly using a helper to set SO_BINDTODEVICE for all IPv4 and IPv6
sockets (AF_INET and AF_INET6) when the socket is created. This ip-vrf command
is a helper to run a command against a specific VRF with the VRF association
inherited from parent to child.

.TP
.B ip vrf show [ NAME ] - Show all configured VRFs
.sp
This command lists all VRFs and their corresponding table ids. If NAME is
given, then only that VRF and its table id are shown. The latter form is
useful for scripting where the table id for a VRF is needed.

.TP
.B ip vrf exec [ NAME ] cmd ... - Run cmd against the named VRF
.sp
This command allows applications that are VRF unaware to be run against
a VRF other than the default VRF (main table). A command can be run against
the default VRF by passing "default" as the VRF name. This is useful if
the current shell is associated with another VRF (e.g., a Management VRF).

This command requires the system to be booted with cgroup v2 (e.g. with systemd,
add systemd.unified_cgroup_hierarchy=1 to the kernel command line).

This command must also be run as root or with the CAP_SYS_ADMIN,
CAP_NET_ADMIN and CAP_DAC_OVERRIDE capabilities. If ip is built with libcap and
capabilities are added to the ip binary via setcap, the program drops them
as the first thing it does when invoked, unless the command is vrf exec.
.br
NOTE: capabilities will NOT be dropped if CAP_NET_ADMIN is set to INHERITABLE,
to avoid breaking programs with ambient capabilities that call ip.
Do not set the INHERITABLE flag on the ip binary itself.

.TP
.B ip vrf identify [PID] - Report VRF association for process
.sp
This command shows the VRF association of the specified process. If PID is
not specified then the id of the current process is used.
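As an added example (not part of the iproute2 man page or its source), the following Python helper covers the scripting use described under ip vrf show and ip vrf identify: it parses the text output of ip vrf show into a name-to-table map and re-implements the identify lookup over the contents of /proc/PID/cgroup. The two-column Name/Table output layout and the cgroup layout (a controller-less cgroup v2 line whose path contains a /vrf/NAME component) are assumptions about iproute2's behaviour, and all sample inputs are constructed.

```python
import re
from typing import Dict, Optional

# Constructed sample of `ip vrf show` text output (two-column layout assumed).
SAMPLE_VRF_SHOW = """\
Name              Table
-----------------------
mgmt              1001
red               1002
"""

# Constructed /proc/PID/cgroup contents. Only the controller-less cgroup v2
# line ("0::/path") matters; `ip vrf exec red ...` is assumed to put the
# process under a ".../vrf/red" cgroup. The v1-style line is ignored.
SAMPLE_CGROUP_IN_RED = "1:cpu:/user.slice\n0::/user.slice/vrf/red\n"
SAMPLE_CGROUP_DEFAULT = "0::/user.slice/session-1.scope\n"

def parse_vrf_show(text: str) -> Dict[str, int]:
    """Map VRF name -> table id from `ip vrf show` output; skip the header
    and separator lines, reject anything that is not a 'name integer' pair."""
    tables: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Name") or set(line) == {"-"}:
            continue
        m = re.fullmatch(r"(\S+)\s+(\d+)", line)
        if not m:
            raise ValueError(f"unexpected ip vrf show line: {line!r}")
        tables[m.group(1)] = int(m.group(2))
    return tables

def vrf_from_cgroup(cgroup_text: str) -> Optional[str]:
    """Return the VRF a process runs in, or None for the default VRF.
    Mirrors what `ip vrf identify` is assumed to do: take the cgroup v2
    line (the one with "::/") and read the name that follows "/vrf/"."""
    for line in cgroup_text.splitlines():
        if "::/" not in line:
            continue
        m = re.search(r"/vrf/([^/\s]+)", line.split("::", 1)[1])
        if m:
            return m.group(1)
    return None

def table_for_process(cgroup_text: str, show_text: str) -> Optional[int]:
    """Routing table id the process's sockets use; None means main table."""
    name = vrf_from_cgroup(cgroup_text)
    return None if name is None else parse_vrf_show(show_text).get(name)
```

On a live system the inputs come from `ip vrf show` and `/proc/<pid>/cgroup`; a process reported as None is still in the default VRF, which is what an isolation check (e.g. for a Management VRF) needs to flag.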

.TP
.B ip vrf pids NAME - Report processes associated with the named VRF
.sp
This command shows all process ids that are associated with the given
VRF.

.SH CAVEATS
This command requires a kernel compiled with CGROUPS and CGROUP_BPF enabled.

The VRF helper *only* affects network layer sockets.

.SH EXAMPLES
.PP
ip vrf exec red ssh 10.100.1.254
.RS
Executes ssh to 10.100.1.254 against the VRF red table.
.RE

.SH SEE ALSO
.br
.BR ip (8),
.BR ip-link (8),
.BR ip-address (8),
.BR ip-route (8),
.BR ip-neighbor (8)

.SH AUTHOR
Original Manpage by David Ahern