dhclient and custom Linux routing tables (VRF)

Hello all,

I am trying to use the ISC dhclient with Linux VRFs, where each VRF is
assigned a custom Linux routing table. Typically, like this:

# ip link add vrf1 type vrf table 10
# ip link set eth0 master vrf1
# ip link set vrf1 up
# dhclient eth0

Unfortunately, dhclient populates the default Linux routing table with
the default gateway it receives, instead of adding it to the VRF's
routing table:

# ip route show
default via 10.0.2.2 dev eth0

# ip route show table 10
10.0.2.0/24 dev eth0 proto kernel scope link src 10.0.2.15
local 10.0.2.15 dev eth0 proto kernel scope host src 10.0.2.15

I have read dhclient's documentation, and did not find any mention of
either VRFs or custom routing tables... Have I missed some obvious trick
here?

Mateusz
_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

Configuring interfaces and routing tables and what not are extremely OS
implementation dependent and as such dhclient itself has never directly
changed any of these things.  Operations like this are actually carried
out by a helper shell script which dhclient invokes at various stages of
operation and through out the life cycle of asking for, obtaining, and
releases leases. Prior to each invocation it sets numerous environment
variables with pertinent values like the old ip address, new ip address
etc.  The script is expected to configure interfaces and other OS/site
specific operations, but is generally free to do whatever it wishes, so
long as it returns the appropriate exit statuses.

Refer to  man 8 dhclient-script for details.  You can specify a
customized script via command line, or more properly, you can supply
enter and exit "hook" scripts as described in the man-page.


On 6/7/19 7:23 AM, Mateusz Viste wrote:
_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

Mateusz Viste <[hidden email]> wrote:
>
> I have read dhclient's documentation, and did not find any mention of either
> VRFs or custom routing tables... Have I missed some obvious trick here?

Network configuration changes from DHCP are handled by the
dhclient-script, which is probably supplied by your Linux distribution.

You might find you have to re-do most of the dhclient-script logic to
support VRFs, so you might be better off providing a complete replacement
script rather than using the hooks.

[ One awkward thing I have noticed is that Debian's dhclient-script always
continues after running the enter hooks, whereas the ISC versions exit
early if the enter hooks exit with a non-zero ststus, so the enter hooks
might or might not allow you to completely override parts of the
dhclient-script. ]

Tony.
--
f.anthony.n.finch  <[hidden email]>  http://dotat.at/
Whitby to Gibraltar Point: East or southeast 4 or 5, increasing 6 or 7 for a
time, veering southwest later. Slight becoming moderate. Rain for a time then
showers. Good, occasionally poor later.
_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

Hello Tony & Thomas,

Thank you both for your kind replies. It makes perfect sense for
dhclient not to fiddle with OS-dependent configurations, this is the
major thing I missed. And indeed, I do see now that there is a bash
/sbin/dhclient-script file on my distro. I will have to hack it, or
replace it entirely so it matches my exact need.

Thanks for the pointers!

Mateusz





On 07/06/2019 13:48, Tony Finch wrote: _______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

One thing that bugs me about Debian's dhclient (might be an Ubuntu thing) is that
if the server sends both option router (3) and option static-routes (33), the script
implements the static-routes but ignores router. 

/sbin/dhclient-script:
            # if we have $new_rfc3442_classless_static_routes then we have to
            # ignore $new_routers entirely
 
Bill

Mateusz Viste [hidden email] wrote:

I have read dhclient's documentation, and did not find any mention of either
VRFs or custom routing tables... Have I missed some obvious trick here?

Network configuration changes from DHCP are handled by the
dhclient-script, which is probably supplied by your Linux distribution.

You might find you have to re-do most of the dhclient-script logic to
support VRFs, so you might be better off providing a complete replacement
script rather than using the hooks.

[ One awkward thing I have noticed is that Debian's dhclient-script always
continues after running the enter hooks, whereas the ISC versions exit
early if the enter hooks exit with a non-zero ststus, so the enter hooks
might or might not allow you to completely override parts of the
dhclient-script. ]

Tony.

_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

Bill Shirley <[hidden email]> wrote:

> One thing that bugs me about Debian's dhclient (might be an Ubuntu thing) is that
> if the server sends both option router (3) and option static-routes (33), the script
> implements the static-routes but ignores router.  
>
> /sbin/dhclient-script:
>             # if we have $new_rfc3442_classless_static_routes then we have to
>             # ignore $new_routers entirely

It's called "standards compliancy" !
The comment conveniently references the RFC where this behaviour is mandated - ie if the classless static routes option is supplied (and used by the client) then the client MUST ignore both the default router and static routes options.
That does make sense - otherwise there could be all sorts of complications.

You can, if you wish, ignore (or just not ask for) the classless static routes option and just install the default router - but then you'd be throwing away useful configuration information.

_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

# dhclient eth0

I've done this without problem - recently tested in ubuntu 18.04. You need to create a namespace for the network.

example:

# create namespace

ip netns add client1

 

# create logical interface with vlan tag

ip link add link enp2s0 name enp2s0.212 type vlan id 212

 

# move interface into namespace

ip link set enp2s0.212 netns client1

 

# start bash in namespace

ip netns exec client bash

# Request an IP address

dhclient

-- 
MVH
Anders Löwinger, Abundo AB, 072-206 0322

_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

On 08/06/2019 23:43, Anders Löwinger wrote:
> I've done this without problem - recently tested in ubuntu 18.04. You
> need to create a namespace for the network.

Hello Anders,

Thank you for your answer, but a netns is different from a VRF. The
namespace is a total isolation container, unsuitable for my needs.
AFAIK, a single process cannot have sockets in different namespaces,
while this is totally possible with a VRF.

That being said, there is a similar 'ip vrf exec' command in the latest
(5.x) branch of iproute2, unfortunately it doesn't run properly on my
default Debian 9.9 kernel - seems it needs some CGROUP extensions that
are not part of the default build. Will have to experiment some more.

Mateusz
_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users