185 lines
4.8 KiB
HTML
185 lines
4.8 KiB
HTML
|
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
|
<HTML><HEAD><TITLE>Man page of IP-VRF</TITLE>
|
|
</HEAD><BODY>
|
|
<H1>IP-VRF</H1>
|
|
Section: Linux (8)<BR>Updated: 7 Dec 2016<BR><A HREF="#index">Index</A>
|
|
<A HREF="/cgi-bin/man/man2html">Return to Main Contents</A><HR>
|
|
|
|
<A NAME="lbAB"> </A>
|
|
<H2>NAME</H2>
|
|
|
|
ip-vrf - run a command against a vrf
|
|
<A NAME="lbAC"> </A>
|
|
<H2>SYNOPSIS</H2>
|
|
|
|
<P>
|
|
|
|
|
|
<BR>
|
|
|
|
<B>ip</B>
|
|
|
|
<B>vrf</B>
|
|
|
|
{ <I>COMMAND</I> |
|
|
|
|
<B>help</B> }
|
|
|
|
<P>
|
|
<P>
|
|
<BR>
|
|
|
|
<B>ip vrf show</B>
|
|
|
|
[ <I>NAME</I> ]
|
|
|
|
<P>
|
|
<BR>
|
|
|
|
<B>ip vrf identify</B>
|
|
|
|
[ <I>PID</I> ]
|
|
|
|
<P>
|
|
<BR>
|
|
|
|
<B>ip vrf pids</B>
|
|
|
|
<I>NAME</I>
|
|
|
|
<P>
|
|
<BR>
|
|
|
|
<B>ip vrf exec </B>
|
|
|
|
[ <I>NAME</I> ] <I>command</I>...
|
|
|
|
<P>
|
|
<A NAME="lbAD"> </A>
|
|
<H2>DESCRIPTION</H2>
|
|
|
|
A VRF provides traffic isolation at layer 3 for routing, similar to how a
|
|
VLAN is used to isolate traffic at layer 2. Fundamentally, a VRF is a separate
|
|
routing table. Network devices are associated with a VRF by enslaving the
|
|
device to the VRF. At that point network addresses assigned to the device are
|
|
local to the VRF with host and connected routes moved to the table associated
|
|
with the VRF.
|
|
<P>
|
|
A process can specify a VRF using several APIs -- binding the socket to the
|
|
VRF device using SO_BINDTODEVICE, setting the VRF association using
|
|
IP_UNICAST_IF or IPV6_UNICAST_IF, or specifying the VRF for a specific message
|
|
using IP_PKTINFO or IPV6_PKTINFO.
|
|
<P>
|
|
By default a process is not bound to any VRF. An association can be set
|
|
explicitly by making the program use one of the APIs mentioned above or
|
|
implicitly using a helper to set SO_BINDTODEVICE for all IPv4 and IPv6
|
|
sockets (AF_INET and AF_INET6) when the socket is created. This ip-vrf command
|
|
is a helper to run a command against a specific VRF with the VRF association
|
|
inherited parent to child.
|
|
<P>
|
|
<DL COMPACT>
|
|
<DT id="1"><B>ip vrf show [ NAME ] - Show all configured VRF</B>
|
|
|
|
<DD>
|
|
<P>
|
|
This command lists all VRF and their corresponding table ids. If NAME is
|
|
given, then only that VRF and table id is shown. The latter command is
|
|
useful for scripting where the table id for a VRF is needed.
|
|
<P>
|
|
<DT id="2"><B>ip vrf exec [ NAME ] cmd ... - Run cmd against the named VRF</B>
|
|
|
|
<DD>
|
|
<P>
|
|
This command allows applications that are VRF unaware to be run against
|
|
a VRF other than the default VRF (main table). A command can be run against
|
|
the default VRF by passing the "default" as the VRF name. This is useful if
|
|
the current shell is associated with another VRF (e.g, Management VRF).
|
|
<P>
|
|
This command requires the system to be booted with cgroup v2 (e.g. with systemd,
|
|
add systemd.unified_cgroup_hierarchy=1 to the kernel command line).
|
|
<P>
|
|
This command also requires to be ran as root or with the CAP_SYS_ADMIN,
|
|
CAP_NET_ADMIN and CAP_DAC_OVERRIDE capabilities. If built with libcap and if
|
|
capabilities are added to the ip binary program via setcap, the program will
|
|
drop them as the first thing when invoked, unless the command is vrf exec.
|
|
<BR>
|
|
|
|
NOTE: capabilities will NOT be dropped if CAP_NET_ADMIN is set to INHERITABLE
|
|
to avoid breaking programs with ambient capabilities that call ip.
|
|
Do not set the INHERITABLE flag on the ip binary itself.
|
|
<P>
|
|
<DT id="3"><B>ip vrf identify [PID] - Report VRF association for process</B>
|
|
|
|
<DD>
|
|
<P>
|
|
This command shows the VRF association of the specified process. If PID is
|
|
not specified then the id of the current process is used.
|
|
<P>
|
|
<DT id="4"><B>ip vrf pids NAME - Report processes associated with the named VRF</B>
|
|
|
|
<DD>
|
|
<P>
|
|
This command shows all process ids that are associated with the given
|
|
VRF.
|
|
<P>
|
|
</DL>
|
|
<A NAME="lbAE"> </A>
|
|
<H2>CAVEATS</H2>
|
|
|
|
This command requires a kernel compiled with CGROUPS and CGROUP_BPF enabled.
|
|
<P>
|
|
The VRF helper *only* affects network layer sockets.
|
|
<P>
|
|
<A NAME="lbAF"> </A>
|
|
<H2>EXAMPLES</H2>
|
|
|
|
<P>
|
|
|
|
ip vrf exec red ssh 10.100.1.254
|
|
<DL COMPACT><DT id="5"><DD>
|
|
Executes ssh to 10.100.1.254 against the VRF red table.
|
|
</DL>
|
|
|
|
<P>
|
|
<A NAME="lbAG"> </A>
|
|
<H2>SEE ALSO</H2>
|
|
|
|
<BR>
|
|
|
|
<B><A HREF="/cgi-bin/man/man2html?8+ip">ip</A></B>(8),
|
|
|
|
<B><A HREF="/cgi-bin/man/man2html?8+ip-link">ip-link</A></B>(8),
|
|
|
|
<B><A HREF="/cgi-bin/man/man2html?8+ip-address">ip-address</A></B>(8),
|
|
|
|
<B><A HREF="/cgi-bin/man/man2html?8+ip-route">ip-route</A></B>(8),
|
|
|
|
<B><A HREF="/cgi-bin/man/man2html?8+ip-neighbor">ip-neighbor</A></B>(8)
|
|
|
|
<P>
|
|
<A NAME="lbAH"> </A>
|
|
<H2>AUTHOR</H2>
|
|
|
|
Original Manpage by David Ahern
|
|
<P>
|
|
|
|
<HR>
|
|
<A NAME="index"> </A><H2>Index</H2>
|
|
<DL>
|
|
<DT id="6"><A HREF="#lbAB">NAME</A><DD>
|
|
<DT id="7"><A HREF="#lbAC">SYNOPSIS</A><DD>
|
|
<DT id="8"><A HREF="#lbAD">DESCRIPTION</A><DD>
|
|
<DT id="9"><A HREF="#lbAE">CAVEATS</A><DD>
|
|
<DT id="10"><A HREF="#lbAF">EXAMPLES</A><DD>
|
|
<DT id="11"><A HREF="#lbAG">SEE ALSO</A><DD>
|
|
<DT id="12"><A HREF="#lbAH">AUTHOR</A><DD>
|
|
</DL>
|
|
<HR>
|
|
This document was created by
|
|
<A HREF="/cgi-bin/man/man2html">man2html</A>,
|
|
using the manual pages.<BR>
|
|
Time: 00:06:13 GMT, March 31, 2021
|
|
</BODY>
|
|
</HTML>
|