
oasis-root

Compiled tree of Oasis Linux based on own branch at <https://hacktivis.me/git/oasis/>

git clone https://anongit.hacktivis.me/git/oasis-root.git

ip-vrf.8 (3734B)


.TH IP\-VRF 8 "7 Dec 2016" "iproute2" "Linux"
.SH NAME
ip-vrf \- run a command against a vrf
.SH SYNOPSIS
.sp
.ad l
.in +8
.ti -8
.B ip
.B vrf
.RI " { " COMMAND " | "
.BR help " }"
.sp
.ti -8
.BR "ip vrf show"
.RI "[ " NAME " ]"
.ti -8
.BR "ip vrf identify"
.RI "[ " PID " ]"
.ti -8
.BR "ip vrf pids"
.I NAME
.ti -8
.BR "ip vrf exec "
.RI "[ " NAME " ] " command ...
.SH DESCRIPTION
A VRF provides traffic isolation at layer 3 for routing, similar to how a
VLAN is used to isolate traffic at layer 2. Fundamentally, a VRF is a separate
routing table. Network devices are associated with a VRF by enslaving the
device to the VRF. At that point network addresses assigned to the device are
local to the VRF with host and connected routes moved to the table associated
with the VRF.
.PP
A process can specify a VRF using several APIs -- binding the socket to the
VRF device using SO_BINDTODEVICE, setting the VRF association using
IP_UNICAST_IF or IPV6_UNICAST_IF, or specifying the VRF for a specific message
using IP_PKTINFO or IPV6_PKTINFO.
.PP
By default a process is not bound to any VRF. An association can be set
explicitly by making the program use one of the APIs mentioned above or
implicitly using a helper to set SO_BINDTODEVICE for all IPv4 and IPv6
sockets (AF_INET and AF_INET6) when the socket is created. This ip-vrf command
is a helper to run a command against a specific VRF with the VRF association
inherited from parent to child.
.TP
.B ip vrf show [ NAME ] - Show all configured VRF
.sp
This command lists all VRFs and their corresponding table ids. If NAME is
given, then only that VRF and its table id are shown. The latter form is
useful for scripting where the table id for a VRF is needed.
.TP
.B ip vrf exec [ NAME ] cmd ... - Run cmd against the named VRF
.sp
This command allows applications that are VRF unaware to be run against
a VRF other than the default VRF (main table). A command can be run against
the default VRF by passing "default" as the VRF name. This is useful if
the current shell is associated with another VRF (e.g., Management VRF).
.sp
This command requires the system to be booted with cgroup v2 (e.g. with systemd,
add systemd.unified_cgroup_hierarchy=1 to the kernel command line).
.sp
This command also needs to be run as root. Alternatively it
can be run by an unprivileged user if the following
.BR capabilities (7)
are given:
.RS
.IP \fBCAP_BPF\fP
To load the BPF program.
.IP \fBCAP_NET_ADMIN\fP
To set the socket into the cgroup.
.IP \fBCAP_DAC_OVERRIDE\fP
To create the cgroup subdir in /sys.
.RE
.IP
If these capabilities are added and if
.BR ip (8)
is built with
.BR libcap (3)
then these capabilities will be dropped before
.BR cmd
is executed by
.B ip vrf exec.
For every other unprivileged invocation of
.BR ip (8)
all capabilities will be dropped.
.br
.B NOTE:
capabilities will
.B NOT
be dropped if
.B CAP_NET_ADMIN
is set to
.B INHERITABLE
to avoid breaking programs with ambient capabilities that call ip.
.TP
.B ip vrf identify [PID] - Report VRF association for process
.sp
This command shows the VRF association of the specified process. If PID is
not specified then the id of the current process is used.
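The association that `ip vrf identify` reports is the cgroup v2 membership that `ip vrf exec` gave the process, which is why the page requires cgroup v2. The C program below is an added example (not iproute2's code) that recovers the same answer from `/proc/PID/cgroup`. It assumes that the VRF cgroup's v2 path contains `/vrf/NAME`; the function names `vrf_from_cgroup_text` and `vrf_of_pid`, and the sample cgroup file contents, are constructed for this example.

```c
/* Added example; not iproute2's code. It reproduces what `ip vrf identify`
 * reports by reading the target's cgroup membership. Assumption (consistent
 * with the cgroup v2 requirement stated above): `ip vrf exec NAME` runs the
 * command inside a cgroup whose v2 path contains "/vrf/NAME", so the
 * controller-less "0::" line of /proc/PID/cgroup reveals the VRF. A process
 * outside any such cgroup is in the default VRF. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Parse the text of a /proc/PID/cgroup file.
 * Returns 1 and copies the VRF name into `name` when found, 0 when the
 * process is in a cgroup v2 hierarchy but under no VRF cgroup (default VRF),
 * and -1 when the file has no cgroup v2 ("0::") entry at all. */
int vrf_from_cgroup_text(const char *text, char *name, size_t len)
{
    const char *line = text;
    int seen_v2 = 0;

    name[0] = '\0';
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t linelen = eol ? (size_t)(eol - line) : strlen(line);
        char path[4096];

        /* v1 lines look like "12:pids:/...", the single v2 line like "0::/...". */
        if (linelen > 3 && strncmp(line, "0::", 3) == 0) {
            size_t plen = linelen - 3;
            char *vrf;

            if (plen >= sizeof path)
                plen = sizeof path - 1;
            memcpy(path, line + 3, plen);
            path[plen] = '\0';
            seen_v2 = 1;

            vrf = strstr(path, "/vrf/");
            if (vrf) {
                char *end;

                vrf += strlen("/vrf/");
                end = strchr(vrf, '/');   /* ignore any cgroup nested below the VRF one */
                if (end)
                    *end = '\0';
                if (*vrf) {
                    snprintf(name, len, "%s", vrf);
                    return 1;
                }
            }
        }
        if (!eol)
            break;
        line = eol + 1;
    }
    return seen_v2 ? 0 : -1;
}

/* Same result for a live process, read from /proc/PID/cgroup. */
int vrf_of_pid(pid_t pid, char *name, size_t len)
{
    char procpath[64], text[8192];
    FILE *fp;
    size_t n;

    snprintf(procpath, sizeof procpath, "/proc/%ld/cgroup", (long)pid);
    fp = fopen(procpath, "r");
    if (!fp)
        return -1;
    n = fread(text, 1, sizeof text - 1, fp);
    fclose(fp);
    text[n] = '\0';
    return vrf_from_cgroup_text(text, name, len);
}

/* Constructed sample (not captured from a real host): a process that
 * `ip vrf exec red` placed in the VRF cgroup, alongside a v1 pids line. */
static const char SAMPLE_CGROUP[] =
    "12:pids:/user.slice\n"
    "0::/vrf/red\n";

int main(void)
{
    char name[64];
    int rc;

    rc = vrf_from_cgroup_text(SAMPLE_CGROUP, name, sizeof name);
    printf("sample: %s\n", rc == 1 ? name : rc == 0 ? "default" : "no cgroup v2");

    rc = vrf_of_pid(getpid(), name, sizeof name);
    printf("pid %ld: %s\n", (long)getpid(),
           rc == 1 ? name : rc == 0 ? "default" : "no cgroup v2 (or /proc unreadable)");
    return 0;
}
```

The distinction between return values 0 and -1 matters operationally: 0 means the process genuinely runs in the default VRF, while -1 means the host is not using cgroup v2 at all, the same condition that stops `ip vrf exec` from working.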
.TP
.B ip vrf pids NAME - Report processes associated with the named VRF
.sp
This command shows all process ids that are associated with the given
VRF.
.SH CAVEATS
This command requires a kernel compiled with CGROUPS and CGROUP_BPF enabled.
The VRF helper *only* affects network layer sockets.
.SH EXAMPLES
.PP
ip vrf exec red ssh 10.100.1.254
.RS
Executes ssh to 10.100.1.254 against the VRF red table.
.RE
.SH SEE ALSO
.br
.BR ip (8),
.BR ip-link (8),
.BR ip-address (8),
.BR ip-route (8),
.BR ip-neighbor (8)
.SH AUTHOR
Original Manpage by David Ahern