* [pve-devel] [PATCH common/manager/network 0/4] trixie: fix VLAN handling on vlan-unaware bridges with pinned NIC names
@ 2025-12-10 18:42 Stefan Hanreich
2025-12-10 18:42 ` [pve-devel] [PATCH pve-common 1/2] fix #7118: fix bridge port detection when plugging netdev with vlan Stefan Hanreich
` (3 more replies)
0 siblings, 4 replies; 8+ messages in thread
From: Stefan Hanreich @ 2025-12-10 18:42 UTC (permalink / raw)
To: pve-devel
There were mainly two issues related to this:
* generating SDN configuration for VLAN and QinQ zones that use vlan-unaware
bridges
* tagging network devices of VMs on vlan-unaware bridges
In both cases the detection of the underlying physical ports relied on a regex,
that doesn't work with pinned names at all. Switch over to using `ip link` for
the detection of physical ports, since network interfaces can now have names
that do not need to have a specific prefix at all. For SDN, we add a new change
detection mechanism to `pve-sdn-commit`, that reloads the SDN configuration if
there is a vlan-unaware bridge used as the underlying bridge of a VLAN / QinQ
zone. This ensures that the network configuration gets regenerated properly
if pinning takes place, after a VLAN or QinQ zone has been created.
Dependencies:
pve-manager depends on pve-common
pve-network depends on pve-common
pve-common:
Stefan Hanreich (2):
fix #7118: fix bridge port detection when plugging netdev with vlan
iproute2: add helpers for detecting vlan-aware bridges
src/PVE/IPRoute2.pm | 32 ++++++++++++++++++++++++++++++++
src/PVE/Network.pm | 12 ++----------
2 files changed, 34 insertions(+), 10 deletions(-)
pve-manager:
Stefan Hanreich (1):
pve-sdn-commit: run for vlan/qinq zones on non-vlan-aware bridges
bin/pve-sdn-commit | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
pve-network:
Stefan Hanreich (1):
fix #6806: vlan: qinq: fix bridge port detection
src/PVE/Network/SDN/Zones/Plugin.pm | 14 ++------------
1 file changed, 2 insertions(+), 12 deletions(-)
Summary over all repositories:
4 files changed, 58 insertions(+), 22 deletions(-)
--
Generated by git-murpp 0.8.0
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
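The two detection approaches described in this cover letter, side by side, as an added illustration that is not part of the patch series or of Proxmox code. The `ip` JSON sample and the interface names are constructed, the `link_type` check in `is_physical` is an assumption (only the `info_kind` condition is visible in the patches), and the regex is assumed to be applied anchored at both ends.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use JSON::PP qw(decode_json);

# Constructed sample in the shape of `ip -details -json link show` output,
# trimmed to the fields used here; not captured from a real host.
my $sample = <<'JSON';
[
 {"ifname":"vmbr0","link_type":"ether",
  "linkinfo":{"info_kind":"bridge","info_data":{"vlan_filtering":0}}},
 {"ifname":"eno1","link_type":"ether","master":"vmbr0",
  "linkinfo":{"info_slave_kind":"bridge"}},
 {"ifname":"nic0","link_type":"ether","master":"vmbr0",
  "linkinfo":{"info_slave_kind":"bridge"}},
 {"ifname":"uplink-a","link_type":"ether","master":"vmbr0",
  "linkinfo":{"info_slave_kind":"bridge"}},
 {"ifname":"tap100i0","link_type":"ether","master":"vmbr0",
  "linkinfo":{"info_kind":"tun","info_slave_kind":"bridge"}},
 {"ifname":"eno2","link_type":"ether"}
]
JSON

my %links = map { $_->{ifname} => $_ } @{ decode_json($sample) };

# Old approach: the name pattern removed from PVE::Network in patch 1/2
# (anchoring at both ends is an assumption about how it was applied).
my $old_re = qr/^(((eth|bond)\d+|en[^.]+)(\.\d+)?)$/;

sub ports_by_name {
    my ($bridge) = @_;
    return sort grep {
        defined($links{$_}{master}) && $links{$_}{master} eq $bridge && $_ =~ $old_re
    } keys %links;
}

# New approach: classify by link attributes, independent of the name.
# The link_type test is assumed; the info_kind test mirrors the patch context.
sub is_physical {
    my ($link) = @_;
    return $link->{link_type} eq 'ether'
        && !defined(($link->{linkinfo} // {})->{info_kind});
}

sub ports_by_attributes {
    my ($bridge) = @_;
    # Unenslaved NICs have no "master" key, so default it before comparing.
    return sort grep {
        is_physical($links{$_}) && ($links{$_}{master} // '') eq $bridge
    } keys %links;
}

printf "name regex : %s\n", join(', ', ports_by_name('vmbr0'));
printf "link attrs : %s\n", join(', ', ports_by_attributes('vmbr0'));
```

The pinned and custom-named ports only show up in the attribute-based list, while the tap device is excluded by both.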
* [pve-devel] [PATCH pve-common 1/2] fix #7118: fix bridge port detection when plugging netdev with vlan
2025-12-10 18:42 [pve-devel] [PATCH common/manager/network 0/4] trixie: fix VLAN handling on vlan-unaware bridges with pinned NIC names Stefan Hanreich
@ 2025-12-10 18:42 ` Stefan Hanreich
2025-12-10 18:42 ` [pve-devel] [PATCH pve-common 2/2] iproute2: add helpers for detecting vlan-aware bridges Stefan Hanreich
` (2 subsequent siblings)
3 siblings, 0 replies; 8+ messages in thread
From: Stefan Hanreich @ 2025-12-10 18:42 UTC (permalink / raw)
To: pve-devel
When tagging a network device with a VLAN tag, tap_plug checks if the
bridge is vlan-aware and, if it isn't, creates a VLAN subinterface and
a respective bridge for that VLAN for the physical interfaces that are
enslaved on the bridge. The detection of physical interfaces relied on
a regex that only allowed certain prefixes. Since the introduction of
network-interface-pinning, the rules for network interface naming have
been changed, and physical network interfaces are not restricted to
certain prefixes anymore. Therefore, use the newly provided helper
from IPRoute2 that uses `ip link` to obtain the physical bridge ports,
instead of a regex.
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
---
src/PVE/IPRoute2.pm | 13 +++++++++++++
src/PVE/Network.pm | 12 ++----------
2 files changed, 15 insertions(+), 10 deletions(-)
diff --git a/src/PVE/IPRoute2.pm b/src/PVE/IPRoute2.pm
index 128ad72..5f7b94c 100644
--- a/src/PVE/IPRoute2.pm
+++ b/src/PVE/IPRoute2.pm
@@ -39,6 +39,19 @@ sub ip_link_is_bridge_member($ip_link) {
&& $ip_link->{linkinfo}->{info_slave_kind} eq "bridge";
}
+sub get_physical_bridge_ports($bridge, $ip_links = undef) {
+ $ip_links = ip_link_details() if !defined($ip_links);
+
+ if (!ip_link_is_bridge($ip_links->{$bridge})) {
+ warn "passed link that isn't a bridge to get_physical_bridge_ports";
+ return ();
+ }
+
+ return grep {
+ ip_link_is_physical($ip_links->{$_}) && $ip_links->{$_}->{master} eq $bridge
+ } keys $ip_links->%*;
+}
+
sub altname_mapping($ip_links) {
$ip_links = ip_link_details() if !defined($ip_links);
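Review bot: in get_physical_bridge_ports the grep compares `$ip_links->{$_}->{master} eq $bridge` without a defined check, and it runs over every link, including physical NICs that are not enslaved and so carry no `master` key; with warnings enabled that emits an uninitialized-value warning for each such link. Guard it, e.g. `($ip_links->{$_}->{master} // '') eq $bridge`. Separately, this hunk calls ip_link_is_bridge, which is only added by patch 2/2, so 1/2 applied on its own calls an undefined sub; consider swapping the patch order or moving that helper into this commit.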
diff --git a/src/PVE/Network.pm b/src/PVE/Network.pm
index 5100833..573e34e 100644
--- a/src/PVE/Network.pm
+++ b/src/PVE/Network.pm
@@ -4,6 +4,7 @@ use strict;
use warnings;
use PVE::INotify;
+use PVE::IPRoute2;
use PVE::ProcFSTools;
use PVE::Tools qw(run_command lock_file);
@@ -684,16 +685,7 @@ sub activate_bridge_vlan {
my $bridgevlan = "${bridge}v$tag";
- my @ifaces = ();
- my $dir = "/sys/class/net/$bridge/brif";
- PVE::Tools::dir_glob_foreach(
- $dir,
- '(((eth|bond)\d+|en[^.]+)(\.\d+)?)',
- sub {
- push @ifaces, $_[0];
- },
- );
-
+ my @ifaces = PVE::IPRoute2::get_physical_bridge_ports($bridge);
die "no physical interface on bridge '$bridge'\n" if scalar(@ifaces) == 0;
lock_network(sub {
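Review bot: the pattern removed from activate_bridge_vlan accepted `bond\d+` ports and `.N` VLAN subinterfaces, but the replacement filters through ip_link_is_physical, whose visible tail in 2/2 rejects any link that has `linkinfo.info_kind` set. If bonds and VLAN subinterfaces report an info_kind, a vlan-unaware bridge whose only port is a bond would now reach `die "no physical interface on bridge '$bridge'\n"`. Please confirm whether those port types are still meant to be supported, and either widen the helper or state the behaviour change in the commit message.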
--
2.47.3
* [pve-devel] [PATCH pve-common 2/2] iproute2: add helpers for detecting vlan-aware bridges
2025-12-10 18:42 [pve-devel] [PATCH common/manager/network 0/4] trixie: fix VLAN handling on vlan-unaware bridges with pinned NIC names Stefan Hanreich
2025-12-10 18:42 ` [pve-devel] [PATCH pve-common 1/2] fix #7118: fix bridge port detection when plugging netdev with vlan Stefan Hanreich
@ 2025-12-10 18:42 ` Stefan Hanreich
2025-12-10 19:29 ` [pve-devel] applied: " Thomas Lamprecht
2025-12-10 18:42 ` [pve-devel] [PATCH pve-manager 1/1] pve-sdn-commit: run for vlan/qinq zones on non-vlan-aware bridges Stefan Hanreich
2025-12-10 18:42 ` [pve-devel] [PATCH pve-network 1/1] fix #6806: vlan: qinq: fix bridge port detection Stefan Hanreich
3 siblings, 1 reply; 8+ messages in thread
From: Stefan Hanreich @ 2025-12-10 18:42 UTC (permalink / raw)
To: pve-devel
These helpers will initially be used in pve-manager's pve-sdn-commit
service, that reloads the SDN configuration if uncommitted changes are
detected. For non-vlan aware bridges, the SDN configuration might need
to get updated if there were changes to the names of the physical
interfaces enslaved to that bridge. pve-sdn-commit uses the helpers
introduced in this commit for that.
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
---
src/PVE/IPRoute2.pm | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/src/PVE/IPRoute2.pm b/src/PVE/IPRoute2.pm
index 5f7b94c..5208d93 100644
--- a/src/PVE/IPRoute2.pm
+++ b/src/PVE/IPRoute2.pm
@@ -32,6 +32,25 @@ sub ip_link_is_physical($ip_link) {
&& (!defined($ip_link->{linkinfo}) || !defined($ip_link->{linkinfo}->{info_kind}));
}
+sub ip_link_is_bridge($ip_link) {
+ return
+ defined($ip_link->{linkinfo})
+ && defined($ip_link->{linkinfo}->{info_kind})
+ && $ip_link->{linkinfo}->{info_kind} eq 'bridge';
+}
+
+sub bridge_is_vlan_aware($ip_link) {
+ if (!ip_link_is_bridge($ip_link)) {
+ warn "passed link that isn't a bridge to bridge_is_vlan_aware";
+ return 0;
+ }
+
+ return
+ defined($ip_link->{linkinfo}->{info_data})
+ && defined($ip_link->{linkinfo}->{info_data}->{vlan_filtering})
+ && $ip_link->{linkinfo}->{info_data}->{vlan_filtering} == 1;
+}
+
sub ip_link_is_bridge_member($ip_link) {
return
defined($ip_link->{linkinfo})
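Review bot: bridge_is_vlan_aware returns 0 both for a vlan-unaware bridge and for a link that is not a bridge at all, so a caller that negates the result cannot tell the two cases apart. Returning undef for the non-bridge case, or documenting that callers must check ip_link_is_bridge first, would make the distinction explicit. The `warn` would also be easier to act on if it included the interface name.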
--
2.47.3
* [pve-devel] [PATCH pve-manager 1/1] pve-sdn-commit: run for vlan/qinq zones on non-vlan-aware bridges
2025-12-10 18:42 [pve-devel] [PATCH common/manager/network 0/4] trixie: fix VLAN handling on vlan-unaware bridges with pinned NIC names Stefan Hanreich
2025-12-10 18:42 ` [pve-devel] [PATCH pve-common 1/2] fix #7118: fix bridge port detection when plugging netdev with vlan Stefan Hanreich
2025-12-10 18:42 ` [pve-devel] [PATCH pve-common 2/2] iproute2: add helpers for detecting vlan-aware bridges Stefan Hanreich
@ 2025-12-10 18:42 ` Stefan Hanreich
2025-12-10 18:42 ` [pve-devel] [PATCH pve-network 1/1] fix #6806: vlan: qinq: fix bridge port detection Stefan Hanreich
3 siblings, 0 replies; 8+ messages in thread
From: Stefan Hanreich @ 2025-12-10 18:42 UTC (permalink / raw)
To: pve-devel
When using non-vlan-aware bridges for the VLAN or QinQ zones, the
generated SDN ifupdown2 configuration uses the physical NIC as port on
the generated vnet bridge, since it is not possible to create a VLAN
subinterface directly on the bridge.
This causes issues when pinning NIC names, after a VLAN or QinQ zone
has already been created on a non-vlan-aware zone. The name of the
physical interface changes after a reboot, but the generated SDN
configuration doesn't. Avoid this by detecting any VLAN / QinQ zone
that uses a non-vlan-aware bridge and regenerate the SDN configuration
in that case. This should also fix cases where the network interface
gets renamed for other reasons (e.g. not pinned network interfaces and
updates to the kernel).
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
---
bin/pve-sdn-commit | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/bin/pve-sdn-commit b/bin/pve-sdn-commit
index 6eeba301c..aa7e9b290 100644
--- a/bin/pve-sdn-commit
+++ b/bin/pve-sdn-commit
@@ -6,6 +6,7 @@ use warnings;
use Time::HiRes qw(usleep);
use PVE::Cluster;
+use PVE::IPRoute2;
use PVE::Network::SDN;
use PVE::Network::SDN::Zones;
use PVE::Network::SDN::Vnets;
@@ -53,6 +54,17 @@ sub fabrics_changed {
return has_pending_changes($pending_fabrics) || has_pending_changes($pending_nodes);
}
+sub zone_uses_non_vlan_aware_bridge {
+ my ($zone, $ip_links) = @_;
+
+ return 0 if ($zone->{type} ne 'vlan' && $zone->{type} ne 'qinq');
+
+ my $ip_link = $ip_links->{ $zone->{bridge} };
+ return 0 if !defined($ip_link);
+
+ return !PVE::IPRoute2::bridge_is_vlan_aware($ip_link);
+}
+
sub sdn_changed {
my $running_config = PVE::Network::SDN::running_config();
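Review bot: zone_uses_non_vlan_aware_bridge returns `!PVE::IPRoute2::bridge_is_vlan_aware($ip_link)`, and that helper returns 0 after a warn for links that are not bridges, so a vlan/qinq zone whose `bridge` names a non-bridge link is reported as using a non-vlan-aware bridge and logs a warning on every run. Check `PVE::IPRoute2::ip_link_is_bridge($ip_link)` first and return 0 when it fails. A short comment on why a missing link returns 0 would also help.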
@@ -71,6 +83,16 @@ sub sdn_changed {
return 1 if has_pending_changes($pending_config);
}
+ my $ip_links = PVE::IPRoute2::ip_link_details();
+
+ for my $zone (values $configs->{zones}->{ids}->%*) {
+ return 1 if zone_uses_non_vlan_aware_bridge($zone, $ip_links);
+ }
+
+ for my $running_zone (values $running_config->{zones}->{ids}->%*) {
+ return 1 if zone_uses_non_vlan_aware_bridge($running_zone, $ip_links);
+ }
+
return fabrics_changed();
}
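Review bot: the two new loops in sdn_changed return 1 whenever any vlan/qinq zone sits on a vlan-unaware bridge, whether or not a port name actually changed, so on such setups every invocation reports a change. If that unconditional reload is intended, say so in a comment above the loops; otherwise compare the current result of get_physical_bridge_ports with the ports in the generated configuration before returning 1.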
--
2.47.3
* [pve-devel] [PATCH pve-network 1/1] fix #6806: vlan: qinq: fix bridge port detection
2025-12-10 18:42 [pve-devel] [PATCH common/manager/network 0/4] trixie: fix VLAN handling on vlan-unaware bridges with pinned NIC names Stefan Hanreich
` (2 preceding siblings ...)
2025-12-10 18:42 ` [pve-devel] [PATCH pve-manager 1/1] pve-sdn-commit: run for vlan/qinq zones on non-vlan-aware bridges Stefan Hanreich
@ 2025-12-10 18:42 ` Stefan Hanreich
2025-12-10 19:32 ` [pve-devel] applied: " Thomas Lamprecht
3 siblings, 1 reply; 8+ messages in thread
From: Stefan Hanreich @ 2025-12-10 18:42 UTC (permalink / raw)
To: pve-devel
When creating a vlan zone and vnet, pve-network looks at all the
physical bridge ports (slaves) and adds them to the generated vlan
bridge. The zone plugin gets all the bridge interfaces using
`/sys/class/net` and then filters them using a regex. With the
introduction of network interface pinning, the restrictions on network
interface names have gotten more liberal - they're not required to
have specific prefixes anymore. The check for physical interfaces in
the zones plugin needs to be adjusted to reflect those changes,
otherwise the generated SDN configuration does not contain any pinned
physical ports and therefore doesn't work. Use the provided helper
from PVE::IPRoute2 instead, that adheres to the new naming policy and
uses `ip link` to determine the physical ports of the bridge, instead
of relying on a regex.
This improves the previous commit 4f19480b - which only allowed the
nic / if prefixes, which solved the issue when using the default
prefix, but not when using a custom prefix.
Fixes: 4f19480b04315afb5dc23e0130463acaea35db18
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
---
src/PVE/Network/SDN/Zones/Plugin.pm | 14 ++------------
1 file changed, 2 insertions(+), 12 deletions(-)
diff --git a/src/PVE/Network/SDN/Zones/Plugin.pm b/src/PVE/Network/SDN/Zones/Plugin.pm
index 6dc2f65..826ebdf 100644
--- a/src/PVE/Network/SDN/Zones/Plugin.pm
+++ b/src/PVE/Network/SDN/Zones/Plugin.pm
@@ -4,6 +4,7 @@ use strict;
use warnings;
use PVE::Tools qw(run_command);
+use PVE::IPRoute2;
use PVE::JSONSchema;
use PVE::Cluster;
use PVE::Network;
@@ -341,18 +342,7 @@ sub is_vlanaware {
sub get_bridge_ifaces {
my ($bridge) = @_;
-
- my @bridge_ifaces = ();
- my $dir = "/sys/class/net/$bridge/brif";
- PVE::Tools::dir_glob_foreach(
- $dir,
- '(((eth|bond|nic|if)\d+|en[^.]+)(\.\d+)?)',
- sub {
- push @bridge_ifaces, $_[0];
- },
- );
-
- return @bridge_ifaces;
+ return PVE::IPRoute2::get_physical_bridge_ports($bridge);
}
sub datacenter_config {
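Review bot: get_bridge_ifaces now calls `PVE::IPRoute2::get_physical_bridge_ports($bridge)` without the optional `$ip_links` argument, so every call fetches the link details again, and a `$bridge` that is not a bridge now triggers the helper's `warn`. Consider letting callers pass a cached `$ip_links`, and check that the warning is acceptable for all callers of this function. The removed pattern also allowed `bond` ports and `.N` subinterfaces, which deserves a line in the commit message if dropping them is deliberate.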
--
2.47.3
* [pve-devel] applied: [PATCH pve-common 2/2] iproute2: add helpers for detecting vlan-aware bridges
2025-12-10 18:42 ` [pve-devel] [PATCH pve-common 2/2] iproute2: add helpers for detecting vlan-aware bridges Stefan Hanreich
@ 2025-12-10 19:29 ` Thomas Lamprecht
0 siblings, 0 replies; 8+ messages in thread
From: Thomas Lamprecht @ 2025-12-10 19:29 UTC (permalink / raw)
To: pve-devel, Stefan Hanreich
On Wed, 10 Dec 2025 19:42:32 +0100, Stefan Hanreich wrote:
> These helpers will initially be used in pve-manager's pve-sdn-commit
> service, that reloads the SDN configuration if uncommitted changes are
> detected. For non-vlan aware bridges, the SDN configuration might need
> to get updated if there were changes to the names of the physical
> interfaces enslaved to that bridge. pve-sdn-commit uses the helpers
> introduced in this commit for that.
>
> [...]
Applied, thanks!
[1/2] fix #7118: fix bridge port detection when plugging netdev with vlan
commit: 057f62f73048bc1e73e45e9edf6e197f84de630a
[2/2] iproute2: add helpers for detecting vlan-aware bridges
commit: fcab7d34a0331cc6839b0d679733118098b5275a
* [pve-devel] applied: [PATCH pve-network 1/1] fix #6806: vlan: qinq: fix bridge port detection
2025-12-10 18:42 ` [pve-devel] [PATCH pve-network 1/1] fix #6806: vlan: qinq: fix bridge port detection Stefan Hanreich
@ 2025-12-10 19:32 ` Thomas Lamprecht
0 siblings, 0 replies; 8+ messages in thread
From: Thomas Lamprecht @ 2025-12-10 19:32 UTC (permalink / raw)
To: Proxmox VE development discussion, Stefan Hanreich
On 10.12.25 at 19:43, Stefan Hanreich wrote:
> When creating a vlan zone and vnet, pve-network looks at all the
> physical bridge ports (slaves) and adds them to the generated vlan
> bridge. The zone plugin gets all the bridge interfaces using
> `/sys/class/net` and then filters them using a regex. With the
> introduction of network interface pinning, the restrictions on network
> interface names have gotten more liberal - they're not required to
> have specific prefixes anymore. The check for physical interfaces in
> the zones plugin needs to be adjusted to reflect those changes,
> otherwise the generated SDN configuration does not contain any pinned
> physical ports and therefore doesn't work. Use the provided helper
> from PVE::IPRoute2 instead, that adheres to the new naming policy and
> uses `ip link` to determine the physical ports of the bridge, instead
> of relying on a regex.
>
> This improves the previous commit 4f19480b - which only allowed the
> nic / if prefixes, which solved the issue when using the default
> prefix, but not when using a custom prefix.
>
> Fixes: 4f19480b04315afb5dc23e0130463acaea35db18
> Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
> ---
> src/PVE/Network/SDN/Zones/Plugin.pm | 14 ++------------
> 1 file changed, 2 insertions(+), 12 deletions(-)
>
>
applied, thanks!
* [pve-devel] [PATCH pve-network 1/1] fix #6806: vlan: qinq: fix bridge port detection
2025-12-10 18:42 [pve-devel] [PATCH common/manager/network 0/3] bookworm: fix VLAN handling on vlan-unaware bridges with pinned NIC names Stefan Hanreich
@ 2025-12-10 18:42 ` Stefan Hanreich
0 siblings, 0 replies; 8+ messages in thread
From: Stefan Hanreich @ 2025-12-10 18:42 UTC (permalink / raw)
To: pve-devel
When creating a vlan zone and vnet, pve-network looks at all the
physical bridge ports (slaves) and adds them to the generated vlan
bridge. The zone plugin gets all the bridge interfaces using
`/sys/class/net` and then filters them using a regex. With the
introduction of network interface pinning, the restrictions on network
interface names have gotten more liberal - they're not required to
have specific prefixes anymore. The check for physical interfaces in
the zones plugin needs to be adjusted to reflect those changes,
otherwise the generated SDN configuration does not contain any pinned
physical ports and therefore doesn't work.
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
---
src/PVE/Network/SDN/Zones/Plugin.pm | 8 +-------
1 file changed, 1 insertion(+), 7 deletions(-)
diff --git a/src/PVE/Network/SDN/Zones/Plugin.pm b/src/PVE/Network/SDN/Zones/Plugin.pm
index a860168..05af47f 100644
--- a/src/PVE/Network/SDN/Zones/Plugin.pm
+++ b/src/PVE/Network/SDN/Zones/Plugin.pm
@@ -349,13 +349,7 @@ sub is_ovs {
sub get_bridge_ifaces {
my ($bridge) = @_;
- my @bridge_ifaces = ();
- my $dir = "/sys/class/net/$bridge/brif";
- PVE::Tools::dir_glob_foreach($dir, '(((eth|bond)\d+|en[^.]+)(\.\d+)?)', sub {
- push @bridge_ifaces, $_[0];
- });
-
- return @bridge_ifaces;
+ return PVE::Network::get_physical_bridge_ports($bridge);
}
sub datacenter_config {
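Review bot: this backport calls `PVE::Network::get_physical_bridge_ports($bridge)`, but none of the patches visible in this thread define a helper of that name in PVE::Network (the trixie series adds it to PVE::IPRoute2). The commit message should name the pve-common change that provides it and the minimum pve-common version that pve-network then depends on.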
--
2.47.3