[pve-devel] [PATCH common] fix #7193: allow vlan-interfaces as physical bridge ports

[pve-devel] [PATCH common] fix #7193: allow vlan-interfaces as physical bridge ports

[Stoiko Ivanov]

as described in the bug-report having a vlan-interface on a physical
NIC (eno1.1234) as bridge port - allowed users until
057f62f ("fix #7118: fix bridge port detection when plugging netdev with vlan")

to stack 2 802.1q tags on a packet leaving a VM (not quite QinQ, as
both packets have the TPID of a plain 802.1q tag [0].

the fix in the patch 057f62f allowed for nics to have arbitrary names,
so I went ahead and only check if this is a VLAN-interface, without
matching the name for the <iface>.<VLAN> pattern (that is quite common
in debian-based systems but not the only way to configure a
vlan-interface).

Not sure if this is the cleanest way forward, but it fixes the
regression in #7193 for me in a test-setup.

[0] see: https://en.wikipedia.org/wiki/IEEE_802.1ad - the spec says
the outer layer should have TPID (Tag protocol identifier ~ type)
of 0x88A8 and the inner keep the regular 0x8100 from 802.1Q - but it
seems this is not enforced by quite a number of switches in reality.

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
will send a backport for stable-8 right away.
 src/PVE/IPRoute2.pm | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/src/PVE/IPRoute2.pm b/src/PVE/IPRoute2.pm
index 5c312d9..0480871 100644
--- a/src/PVE/IPRoute2.pm
+++ b/src/PVE/IPRoute2.pm
@@ -32,6 +32,14 @@ sub ip_link_is_physical($ip_link) {
         && (!defined($ip_link->{linkinfo}) || !defined($ip_link->{linkinfo}->{info_kind}));
 }
 
+sub ip_link_is_vlan($ip_link) {
+    return
+        $ip_link->{link_type} eq 'ether'
+        && defined($ip_link->{linkinfo})
+        && defined($ip_link->{linkinfo}->{info_kind})
+        && $ip_link->{linkinfo}->{info_kind} eq "vlan";
+}
+
 sub ip_link_is_bond($ip_link) {
     return
         $ip_link->{link_type} eq 'ether'
@@ -75,7 +83,9 @@ sub get_physical_bridge_ports($bridge, $ip_links = undef) {
     }
 
     return grep {
-        (ip_link_is_physical($ip_links->{$_}) || ip_link_is_bond($ip_links->{$_}))
+        (ip_link_is_physical($ip_links->{$_})
+                || ip_link_is_bond($ip_links->{$_})
+                || ip_link_is_vlan($ip_links->{$_}))
             && defined($ip_links->{$_}->{master})
             && $ip_links->{$_}->{master} eq $bridge
     } keys $ip_links->%*;
-- 
2.47.3



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

[pve-devel] applied: [PATCH common] fix #7193: allow vlan-interfaces as physical bridge ports

[Thomas Lamprecht]

On Tue, 30 Dec 2025 17:06:58 +0100, Stoiko Ivanov wrote:
> as described in the bug-report having a vlan-interface on a physical
> NIC (eno1.1234) as bridge port - allowed users until
> 057f62f ("fix #7118: fix bridge port detection when plugging netdev with vlan")
> 
> to stack 2 802.1q tags on a packet leaving a VM (not quite QinQ, as
> both packets have the TPID of a plain 802.1q tag [0].
> 
> [...]

Applied, thanks!

btw. I think the notion of physical bridge ports turned out to be not such a
great representation of what we actually want here, it mnight make sense to
rename this method–at least on the master branch. An option might be e.g.,
"get_upstream_bridge_ports".

[1/1] fix #7193: allow vlan-interfaces as physical bridge ports
      commit: ca27acb6d430bdd9b2f8b5e854c00e582a13a563


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel