vrf: fix route filter to use output iface

[sockmister]

Summary

The route filter currently filters based on the LinkIndex and Scope. The corresponding filter flag for LinkIndex should be netlink.RT_FILTER_OIF, and not netlink.RT_FILTER_IIF. This renders the filter ineffective, causing the wrong routes to be copied into the new VRF.

The netlink code here tells us which filter flags corresponds to which field.

Example

I have a k8s cluster that's using Multus to have multiple interfaces. Here's a concrete example demonstrating this issue:

1. create a pod with 2 interfaces, the default pod CNI and an additional one, say, the bridge CNI

# ip -4 -br a
lo               UNKNOWN        127.0.0.1/8
eth0@if398       UP             10.244.2.151/24
net1@if399       UP             10.8.1.1/24

2. on the second CNI, we also chain the VRF plugin

# ip vrf
Name              Table
-----------------------
gateway              1

3. we see that the routes that are being added into the new VRF also has the routes that's being used for pod networking

# ip route
default via 10.244.2.1 dev eth0
10.244.0.0/16 via 10.244.2.1 dev eth0
10.244.2.0/24 dev eth0 proto kernel scope link src 10.244.2.151

# ip route list vrf gateway
default via 10.244.2.1 dev eth0
10.8.1.0/24 dev net1 proto kernel scope link src 10.8.1.1
10.244.0.0/16 via 10.244.2.1 dev eth0

4. what we want to see instead:

# ip route list vrf gateway
default via 10.8.1.1 dev net1
10.8.1.0/24 dev net1 proto kernel scope link src 10.8.1.1

PR notes

• I've added a test scenario roughly equivalent to the above description
• I've changed checkRoutesOnVRF to filter only based on the table ID so we can check the LinkIndex of the routes that were copied to the new VRF

[squeed]

very good catch!

[squeed]

@sockmister can you please rebase to pick up a CI fix? Thanks!

[sockmister]

done!