[pve-devel] [PATCH common/manager/network 0/3] bookworm: fix VLAN handling on vlan-unaware bridges with pinned NIC names

[pve-devel] [PATCH common/manager/network 0/3] bookworm: fix VLAN handling on vlan-unaware bridges with pinned NIC names

[Stefan Hanreich]

There were mainly two issues related to this:
* generating SDN configuration for VLAN and QinQ zones that use vlan-unaware
  bridges
* tagging network devices of VMs on vlan-unaware bridges

In both cases the detection of the underlying physical ports relied on a regex,
that doesn't work with pinned names at all. Switch over to using `ip link` for
the detection of physical ports, since network interfaces can now have names
that do not need to have a specific prefix at all. For SDN, we add a new change
detection mechanism to `pve-sdn-commit`, that reloads the SDN configuration if
there is a vlan-unaware bridge used as the underlying bridge of a VLAN / QinQ
zone. This ensures that the network configuration gets regenerated properly
if pinning takes place, after a VLAN or QinQ zone have been created.

Since bookworm doesn't have the IPRoute2 helper yet, it has one commit less than
the trixie one, because the helper is added directly to pve-sdn-commit.

Dependencies:

pve-network depends on pve-common

pve-common:

Stefan Hanreich (1):
  fix #7118: fix bridge port detection when plugging netdev with vlan

 src/PVE/Network.pm | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)


pve-manager:

Stefan Hanreich (1):
  pve-sdn-commit: run for vlan/qinq zones on non-vlan-aware bridges

 bin/pve-sdn-commit | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)


pve-network:

Stefan Hanreich (1):
  fix #6806: vlan: qinq: fix bridge port detection

 src/PVE/Network/SDN/Zones/Plugin.pm | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)


Summary over all repositories:
  3 files changed, 46 insertions(+), 17 deletions(-)

-- 
Generated by git-murpp 0.8.0

_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

[pve-devel] [PATCH pve-common 1/1] fix #7118: fix bridge port detection when plugging netdev with vlan

[Stefan Hanreich]

When tagging a network device with a VLAN tag, tap_plug checks if the
bridge is vlan-aware and, if it isn't, creates a VLAN subinterface and
a respective bridge for that VLAN for the physical interfaces that are
enslaved on the bridge. The detection of physical interfaces relied on
a regex that only allowed certain prefixes. Since the introduction of
network-interface-pinning, the rules for network interface naming have
been changed, and physical network interfaces are not restricted to
certain prefixes anymore. Therefore, use the newly provided helper
from IPRoute2 that uses `ip link` to obtain the physical bridge ports,
instead of a regex.

Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
---
 src/PVE/Network.pm | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)

diff --git a/src/PVE/Network.pm b/src/PVE/Network.pm
index 67c9601..9a8449a 100644
--- a/src/PVE/Network.pm
+++ b/src/PVE/Network.pm
@@ -683,16 +683,7 @@ sub activate_bridge_vlan {
 
     my $bridgevlan = "${bridge}v$tag";
 
-    my @ifaces = ();
-    my $dir = "/sys/class/net/$bridge/brif";
-    PVE::Tools::dir_glob_foreach(
-        $dir,
-        '(((eth|bond)\d+|en[^.]+)(\.\d+)?)',
-        sub {
-            push @ifaces, $_[0];
-        },
-    );
-
+    my @ifaces = get_physical_bridge_ports($bridge);
     die "no physical interface on bridge '$bridge'\n" if scalar(@ifaces) == 0;
 
     lock_network(sub {
@@ -973,6 +964,16 @@ sub is_ovs_bridge {
     die "failed to query OVS to determine type of '$bridge': $res\n";
 }
 
+sub get_physical_bridge_ports {
+    my ($bridge, $ip_links) = @_;
+
+    $ip_links = ip_link_details() if !defined($ip_links);
+
+    return grep {
+        ip_link_is_physical($ip_links->{$_}) && $ip_links->{$_}->{master} eq $bridge
+    } keys $ip_links->%*;
+}
+
 sub ip_link_details {
     my $link_json = '';
 
-- 
2.47.3


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

[pve-devel] [PATCH pve-manager 1/1] pve-sdn-commit: run for vlan/qinq zones on non-vlan-aware bridges

[Stefan Hanreich]

When using non-vlan-aware bridges for the VLAN or QinQ zones, the
generated SDN ifupdown2 configuration uses the physical NIC as port on
the generate vnet bridge, since it is not possible to create a VLAN
subinterface directly on the bridge.

This causes issues when pinning NIC names, after a VLAN or QinQ zone
has already been created on a non-vlan-aware zone. The name of the
physical interface changes after a reboot, but the generated SDN
configuration doesn't. Avoid this by detecting any VLAN / QinQ zone
that uses a non-vlan-aware bridge and regenerate the SDN configuration
in that case. This should also fix cases where the network interface
gets renamed for other reasons (e.g. not pinned network interfaces and
updates to the kernel).

Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
---
 bin/pve-sdn-commit | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/bin/pve-sdn-commit b/bin/pve-sdn-commit
index 525ba3b32..e322235f1 100644
--- a/bin/pve-sdn-commit
+++ b/bin/pve-sdn-commit
@@ -6,6 +6,7 @@ use warnings;
 use Time::HiRes qw(usleep);
 
 use PVE::Cluster;
+use PVE::Network;
 use PVE::Network::SDN;
 use PVE::Network::SDN::Zones;
 use PVE::Network::SDN::Vnets;
@@ -30,6 +31,29 @@ sub has_pending_changes {
     return 0;
 }
 
+sub ip_link_is_non_vlan_aware_bridge {
+    my ($ip_link) = @_;
+
+    return
+        defined($ip_link->{linkinfo})
+        && defined($ip_link->{linkinfo}->{info_kind})
+        && $ip_link->{linkinfo}->{info_kind} eq 'bridge'
+        && defined($ip_link->{linkinfo}->{info_data})
+        && defined($ip_link->{linkinfo}->{info_data}->{vlan_filtering})
+        && $ip_link->{linkinfo}->{info_data}->{vlan_filtering} == 0;
+}
+
+sub zone_uses_non_vlan_aware_bridge {
+    my ($zone, $ip_links) = @_;
+
+    return 0 if ($zone->{type} ne 'vlan' && $zone->{type} ne 'qinq');
+
+    my $ip_link = $ip_links->{ $zone->{bridge} };
+    return 0 if !defined($ip_link);
+
+    return ip_link_is_non_vlan_aware_bridge($ip_link);
+}
+
 sub sdn_changed {
     my $running_config = PVE::Network::SDN::running_config();
 
@@ -48,6 +72,16 @@ sub sdn_changed {
         return 1 if has_pending_changes($pending_config);
     }
 
+    my $ip_links = PVE::Network::ip_link_details();
+
+    for my $zone (values $configs->{zones}->{ids}->%*) {
+        return 1 if zone_uses_non_vlan_aware_bridge($zone, $ip_links);
+    }
+
+    for my $running_zone (values $running_config->{zones}->{ids}->%*) {
+        return 1 if zone_uses_non_vlan_aware_bridge($running_zone, $ip_links);
+    }
+
     return 0;
 }
 
-- 
2.47.3


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

[pve-devel] [PATCH pve-network 1/1] fix #6806: vlan: qinq: fix bridge port detection

[Stefan Hanreich]

When creating a vlan zone and vnet, pve-network looks at all the
physical bridge ports (slaves) and adds them to the generated vlan
bridge. The zone plugin gets all the bridge interfaces using
`/sys/class/net` and then filters them using a regex. With the
introduction of network interface pinning, the restrictions on network
interface names have gotten more liberal - they're not required to
have specific prefixes anymore. The check for physical interfaces in
the zones plugin needs to be adjusted to reflect those changes,
otherwise the generated SDN configuration does not contain any pinned
physical ports and therefore doesn't work.

Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
---
 src/PVE/Network/SDN/Zones/Plugin.pm | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/src/PVE/Network/SDN/Zones/Plugin.pm b/src/PVE/Network/SDN/Zones/Plugin.pm
index a860168..05af47f 100644
--- a/src/PVE/Network/SDN/Zones/Plugin.pm
+++ b/src/PVE/Network/SDN/Zones/Plugin.pm
@@ -349,13 +349,7 @@ sub is_ovs {
 sub get_bridge_ifaces {
     my ($bridge) = @_;
 
-    my @bridge_ifaces = ();
-    my $dir = "/sys/class/net/$bridge/brif";
-    PVE::Tools::dir_glob_foreach($dir, '(((eth|bond)\d+|en[^.]+)(\.\d+)?)', sub {
-	push @bridge_ifaces, $_[0];
-    });
-
-    return @bridge_ifaces;
+    return PVE::Network::get_physical_bridge_ports($bridge);
 }
 
 sub datacenter_config {
-- 
2.47.3


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

[pve-devel] applied: [PATCH pve-common 1/1] fix #7118: fix bridge port detection when plugging netdev with vlan

[Thomas Lamprecht]

On Wed, 10 Dec 2025 19:42:43 +0100, Stefan Hanreich wrote:
> When tagging a network device with a VLAN tag, tap_plug checks if the
> bridge is vlan-aware and, if it isn't, creates a VLAN subinterface and
> a respective bridge for that VLAN for the physical interfaces that are
> enslaved on the bridge. The detection of physical interfaces relied on
> a regex that only allowed certain prefixes. Since the introduction of
> network-interface-pinning, the rules for network interface naming have
> been changed, and physical network interfaces are not restricted to
> certain prefixes anymore. Therefore, use the newly provided helper
> from IPRoute2 that uses `ip link` to obtain the physical bridge ports,
> instead of a regex.
> 
> [...]

Applied, thanks!

[1/1] fix #7118: fix bridge port detection when plugging netdev with vlan
      commit: c255d4685369ade4a969aabad26af009fcbe6698


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

[pve-devel] applied: [PATCH pve-network 1/1] fix #6806: vlan: qinq: fix bridge port detection

[Thomas Lamprecht]

On Wed, 10 Dec 2025 19:42:45 +0100, Stefan Hanreich wrote:
> When creating a vlan zone and vnet, pve-network looks at all the
> physical bridge ports (slaves) and adds them to the generated vlan
> bridge. The zone plugin gets all the bridge interfaces using
> `/sys/class/net` and then filters them using a regex. With the
> introduction of network interface pinning, the restrictions on network
> interface names have gotten more liberal - they're not required to
> have specific prefixes anymore. The check for physical interfaces in
> the zones plugin needs to be adjusted to reflect those changes,
> otherwise the generated SDN configuration does not contain any pinned
> physical ports and therefore doesn't work.
> 
> [...]

Applied, but resolved conflict with selecting a branch point after the perl
tidy commit, as that makes future backports much easier, thanks!

[1/1] fix #6806: vlan: qinq: fix bridge port detection
      commit: bb7142117c72214ed4b7e4c99ce30ab837333558


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

[pve-devel] applied: [PATCH pve-network 1/1] fix #6806: vlan: qinq: fix bridge port detection

[Thomas Lamprecht]

Am 10.12.25 um 19:43 schrieb Stefan Hanreich:
> When creating a vlan zone and vnet, pve-network looks at all the
> physical bridge ports (slaves) and adds them to the generated vlan
> bridge. The zone plugin gets all the bridge interfaces using
> `/sys/class/net` and then filters them using a regex. With the
> introduction of network interface pinning, the restrictions on network
> interface names have gotten more liberal - they're not required to
> have specific prefixes anymore. The check for physical interfaces in
> the zones plugin needs to be adjusted to reflect those changes,
> otherwise the generated SDN configuration does not contain any pinned
> physical ports and therefore doesn't work. Use the provided helper
> from PVE::IPRoute2 instead, that adheres to the new naming policy and
> uses `ip link` to determine the physical ports of the bridge, instead
> of relying on a regex.
> 
> This improves the previous commit 4f19480b - which only allowed the
> nic / if prefixes, which solved the issue when using the default
> prefix, but not when using a custom prefix.
> 
> Fixes: 4f19480b04315afb5dc23e0130463acaea35db18
> Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
> ---
>  src/PVE/Network/SDN/Zones/Plugin.pm | 14 ++------------
>  1 file changed, 2 insertions(+), 12 deletions(-)
> 
>

applied, thanks!


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel