To reproduce, configure a vyos router as a dhcp server with classless static routes:
set interfaces ethernet eth0 address '192.168.1.1/24'
set service dhcp-server shared-network TEST subnet 192.168.1.0/24 default-router '192.168.1.1'
set service dhcp-server shared-network TEST subnet 192.168.1.0/24 lease '300'
set service dhcp-server shared-network TEST subnet 192.168.1.0/24 range 0 start '192.168.1.64'
set service dhcp-server shared-network TEST subnet 192.168.1.0/24 range 0 stop '192.168.1.250'
set service dhcp-server shared-network TEST subnet 192.168.1.0/24 subnet-parameters 'option rfc3442-static-route 0, 192, 168, 1, 1, 24, 192, 168, 116, 192, 168, 20, 1;'
Connect a vyos router as a dhcp client with vrfs:
set interfaces ethernet eth0 address 'dhcp'
set interfaces ethernet eth0 vrf vrf_eth0
set vrf name vrf_eth0 table 200
Running show ip route vrf vrf_eth0 shows the routes installed as expected:
vyos@vyos:~$ show ip route vrf vrf_eth0
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

VRF vrf_eth0:
S>* 0.0.0.0/0 [210/0] via 192.168.1.1, eth0, weight 1, 00:02:57
C>* 192.168.1.0/24 is directly connected, eth0, 00:03:06
S   192.168.116.0/24 [210/0] via 192.168.20.1, eth0 inactive, weight 1, 00:02:57
If we disconnect and reconnect the link, wiping the vrf table, the default route and static routes are not added back:
vyos@vyos:~$ show ip route vrf vrf_eth0
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

VRF vrf_eth0:
C>* 192.168.1.0/24 is directly connected, eth0, 00:03:06
The culprit appears to be exit calls in 99-ipsec-dhclient-hook exiting on BOUND before the unnumbered rfc3442-classless-routes hook can be executed.
I've tested two ways of fixing the bug:
- Remove exit statements from 99-ipsec-dhclient-hook (could still prematurely exit with bug described in https://vyos.dev/T4856).
- Rename 99-ipsec-dhclient-hook to zz-ipsec-dhclient-hook so it runs after the default unnumbered hooks.
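
The ordering problem described above can be reproduced in isolation. This is an added example, not part of the original report and not VyOS code: it assumes hooks are sourced in lexical order inside one shell, and the hook bodies, `run_hooks`, `make_hooks` and `hooks_run_with` are constructed stand-ins.

```sh
#!/bin/sh
# Constructed model, not VyOS code: source every hook in a directory in
# lexical order inside one shell, the behaviour the report describes.
run_hooks() {
    (   # subshell stands in for the dhclient script process
        LC_ALL=C
        reason=BOUND
        for hook in "$1"/*; do
            . "$hook"          # sourced, so `exit` ends the whole run
        done
    )
}

# Build a hook directory; $2 is the file name given to the ipsec hook.
make_hooks() {
    cat > "$1/$2" <<'EOF'
# constructed stand-in for the ipsec hook body
echo ipsec
if [ "$reason" = "BOUND" ]; then exit 0; fi
EOF
    cat > "$1/rfc3442-classless-routes" <<'EOF'
# constructed stand-in for the classless-routes hook body
echo rfc3442
EOF
}

# Print, in order, the hooks that actually ran for a given ipsec hook name.
hooks_run_with() {
    dir=$(mktemp -d)
    make_hooks "$dir" "$1"
    ran=$(run_hooks "$dir")
    rm -rf "$dir"
    echo $ran                  # unquoted on purpose: join lines with spaces
}

echo "99-ipsec-dhclient-hook: $(hooks_run_with 99-ipsec-dhclient-hook)"
echo "zz-ipsec-dhclient-hook: $(hooks_run_with zz-ipsec-dhclient-hook)"
```

With the `99-` name only the ipsec stand-in runs; with the `zz-` name the classless-routes stand-in runs first, which matches the second fix listed above.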