summaryrefslogtreecommitdiff
path: root/interface-definitions
diff options
context:
space:
mode:
authorzsdc <taras@vyos.io>2021-07-12 22:59:48 +0300
committerzsdc <taras@vyos.io>2021-07-17 22:36:39 +0300
commit22791e26f444766dc9f9e1729b72893208f58079 (patch)
treee412fd0e8247c3fc11b9f90d33646aafaf29247c /interface-definitions
parent83721c1ce672b76d40c710f38b0ab05c370a2191 (diff)
downloadvyos-1x-22791e26f444766dc9f9e1729b72893208f58079.tar.gz
vyos-1x-22791e26f444766dc9f9e1729b72893208f58079.zip
VRF: T3655: proper connection tracking for VRFs
Currently, all VRFs share the same connection tracking table, which can lead to problems: - traffic leaks to a wrong VRF - improper NAT rules handling when multiple VRFs contain the same IP networks - stateful firewall rules issues The commit implements connection tracking zones support. Each VRF utilizes its own zone, so connections will never mix up. It also adds some restrictions to VRF names and assigned table numbers, because of nftables and conntrack requirements: - VRF name should always start from a letter (interfaces that start from numbers are not supported in nftables rules) - table number must be in the 100-65535 range because conntrack supports only 65535 zones
Diffstat (limited to 'interface-definitions')
-rw-r--r--interface-definitions/vrf.xml.in8
1 files changed, 4 insertions, 4 deletions
diff --git a/interface-definitions/vrf.xml.in b/interface-definitions/vrf.xml.in
index 426884a11..9d513945c 100644
--- a/interface-definitions/vrf.xml.in
+++ b/interface-definitions/vrf.xml.in
@@ -19,7 +19,7 @@
<constraint>
<validator name="vrf-name"/>
</constraint>
- <constraintErrorMessage>VRF instance name must be 15 characters or less and can not\nbe named as regular network interfaces.\n</constraintErrorMessage>
+ <constraintErrorMessage>VRF instance name must be 15 characters or less and can not\nbe named as regular network interfaces.\nA name must starts from a letter.\n</constraintErrorMessage>
<valueHelp>
<format>txt</format>
<description>VRF instance name</description>
@@ -76,13 +76,13 @@
<properties>
<help>Routing table associated with this instance</help>
<valueHelp>
- <format>100-2147483647</format>
+ <format>100-65535</format>
<description>Routing table ID</description>
</valueHelp>
<constraint>
- <validator name="numeric" argument="--range 100-2147483647"/>
+ <validator name="numeric" argument="--range 100-65535"/>
</constraint>
- <constraintErrorMessage>VRF routing table must be in range from 100 to 2147483647</constraintErrorMessage>
+ <constraintErrorMessage>VRF routing table must be in range from 100 to 65535</constraintErrorMessage>
</properties>
</leafNode>
#include <include/vni.xml.i>