author | Ondrej Zajicek (work) <santiago@crfreenet.org> | 2019-07-30 19:21:06 +0200 |
---|---|---|
committer | Ondrej Zajicek (work) <santiago@crfreenet.org> | 2019-07-30 19:21:06 +0200 |
commit | 8c703ecf73d7ccbd5e767858ba47a5f3ad0bc439 (patch) | |
tree | 7f073b69a8b5a6a5f77a9ee9c0fa22d29f7305f5 /doc/bird.sgml | |
parent | 2de1e2062eba66893a36f5a84f922c880ab6c351 (diff) |
Doc: Update documentation about VRFs and BFD
Diffstat (limited to 'doc/bird.sgml')
-rw-r--r-- | doc/bird.sgml | 33 |
1 files changed, 25 insertions, 8 deletions
diff --git a/doc/bird.sgml b/doc/bird.sgml index c69ab87f..e15e3dd1 100644 --- a/doc/bird.sgml +++ b/doc/bird.sgml @@ -671,14 +671,24 @@ agreement"). This is an optional description of the protocol. It is displayed as a part of the output of 'show protocols all' command. - <tag><label id="proto-vrf">vrf "<m/text/"</tag> + <tag><label id="proto-vrf">vrf "<m/text/"|default</tag> Associate the protocol with specific VRF. The protocol will be restricted to interfaces assigned to the VRF and will use sockets bound - to the VRF. Appropriate VRF interface must exist on OS level. For kernel - protocol, an appropriate table still must be explicitly selected by - <cf/table/ option. Note that for proper VRF support it is necessary to - use Linux kernel version at least 4.14, older versions have limited VRF - implementation. + to the VRF. A corresponding VRF interface must exist on OS level. For + kernel protocol, an appropriate table still must be explicitly selected + by <cf/table/ option. + + By selecting <cf/default/, the protocol is associated with the default + VRF; i.e., it will be restricted to interfaces not assigned to any + regular VRF. That is different from not specifying <cf/vrf/ at all, in + which case the protocol may use any interface regardless of its VRF + status. + + Note that for proper VRF support it is necessary to use Linux kernel + version at least 4.14, older versions have limited VRF implementation. + Before Linux kernel 5.0, a socket bound to a port in default VRF collide + with others in regular VRFs. In BGP, this can be avoided by using + <ref id="bgp-strict-bind" name="strict bind"> option. <tag><label id="proto-channel"><m/channel name/ [{<m/channel config/}]</tag> Every channel must be explicitly stated. See the protocol-specific 
@@ -1896,12 +1906,11 @@ the BFD session went down). advanced features like the echo mode or authentication are not implemented), IP transport for BFD as defined in <rfc id="5881"> and <rfc id="5883"> and interaction with client protocols as defined in <rfc id="5882">. -We currently support at most one protocol instance. <p>BFD packets are sent with a dynamic source port number. Linux systems use by default a bit different dynamic port range than the IANA approved one (49152-65535). If you experience problems with compatibility, please adjust -<cf>/proc/sys/net/ipv4/ip_local_port_range</cf> +<cf>/proc/sys/net/ipv4/ip_local_port_range</cf>. <sect1>Configuration <label id="bfd-config"> @@ -1918,6 +1927,14 @@ configuration is often sufficient. <p>Note that to use BFD for other protocols like OSPF or BGP, these protocols also have to be configured to request BFD sessions, usually by <cf/bfd/ option. +<p>A BFD instance not associated with any VRF handles session requests from all +other protocols, even ones associated with a VRF. Such setup would work for +single-hop BFD sessions if <cf/net.ipv4.udp_l3mdev_accept/ sysctl is enabled, +but does not currently work for multihop sessions. Another approach is to +configure multiple BFD instances, one for each VRF (including the default VRF). +Each BFD instance associated with a VRF (regular or default) only handles +session requests from protocols in the same VRF. + <p>Some of BFD session options require <m/time/ value, which has to be specified with the appropriate unit: <m/num/ <cf/s/|<cf/ms/|<cf/us/. Although microseconds are allowed as units, practical minimum values are usually in order of tens of |
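Review bot: In the first hunk (the vrf option, @@ -671), the added sentence "Before Linux kernel 5.0, a socket bound to a port in default VRF collide with others in regular VRFs" has a subject-verb mismatch and should read "collides". It also offers a workaround only for BGP (strict bind), so the text should say whether other protocols that bind a port in the default VRF have any remedy on kernels before 5.0. The kept sentence "version at least 4.14, older versions have limited VRF implementation" is a comma splice; a semicolon or a separate sentence would fix it.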
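Review bot: In the third hunk (BFD configuration, @@ -1918), the new paragraph does not say what happens when a BFD instance without a VRF and per-VRF BFD instances are configured together. It states that the former "handles session requests from all other protocols, even ones associated with a VRF" and that the latter "only handles session requests from protocols in the same VRF", so a reader cannot tell which instance serves a request from a protocol inside a VRF when both exist. Suggest stating the precedence, or that the two approaches should not be mixed, adding a reference to the proto-vrf label where "associated with a VRF" is first used, and changing "Such setup" to "Such a setup".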