From: Hannes Laimer <h.laimer@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [PATCH pve-network 10/16] evpn: disable vxlan-learning on create if GBP is enabled
Date: Tue, 9 Jun 2026 15:25:16 +0200
Message-ID: <20260609132522.235917-11-h.laimer@proxmox.com>
In-Reply-To: <20260609132522.235917-1-h.laimer@proxmox.com>

The kernel recomputes a vxlan interface's reserved_bits on every
changelink. When GBP is enabled, those bits must leave the group
policy id and GBP flag unreserved, otherwise vxlan_rcv classifies
incoming GBP frames as malformed and drops them.

When bridge-learning is off, ifupdown2 syncs vxlan-learning to match
by issuing a separate changelink after create. That changelink omits
vxlan-gbp, so the kernel resets reserved_bits to the default and GBP
frames start getting dropped.

Set vxlan-learning off already at create when GBP is enabled, so the
interface matches the desired state up front and ifupdown2's later
learning sync has nothing to change. This avoids the gbp-less
changelink that would reset reserved_bits.

Signed-off-by: Hannes Laimer <h.laimer@proxmox.com>
---
src/PVE/Network/SDN/Zones/EvpnPlugin.pm | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/src/PVE/Network/SDN/Zones/EvpnPlugin.pm b/src/PVE/Network/SDN/Zones/EvpnPlugin.pm
index d8ce733..7f10c8a 100644
--- a/src/PVE/Network/SDN/Zones/EvpnPlugin.pm
+++ b/src/PVE/Network/SDN/Zones/EvpnPlugin.pm
@@ -225,6 +225,10 @@ sub generate_sdn_config {
push @iface_config, "vxlan-local-tunnelip $ifaceip" if $ifaceip;
push @iface_config, "vxlan-port $vxlanport" if $vxlanport;
push @iface_config, "vxlan-gbp on" if $plugin_config->{'vxlan-gbp'};
+ # keep vxlan-learning off already at create, matching bridge-learning, otherwise
+ # ifupdown2's later learning sync sends a gbp-less changelink and the kernel resets
+ # reserved_bits to the default, which makes it drop GBP frames
+ push @iface_config, "vxlan-learning off" if $plugin_config->{'vxlan-gbp'};
push @iface_config, "bridge-learning off";
push @iface_config, "bridge-arp-nd-suppress on"
if !$plugin_config->{'disable-arp-nd-suppression'};
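Review bot: the added `push @iface_config, "vxlan-learning off" if $plugin_config->{'vxlan-gbp'};` is gated on vxlan-gbp, yet its comment justifies it as "matching bridge-learning", and `bridge-learning off` on the following line is emitted unconditionally. Either emit "vxlan-learning off" unconditionally, so the create-time state always matches and the follow-up learning changelink is never needed, or state in the comment why the non-GBP case is deliberately left unchanged. The comment should also say that this covers only the learning sync: per the commit message, any later changelink that omits vxlan-gbp resets reserved_bits, so the fix depends on nothing else being changed on the interface after create.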
@@ -322,6 +326,10 @@ sub generate_sdn_config {
push @iface_config, "vxlan-local-tunnelip $ifaceip" if $ifaceip;
push @iface_config, "vxlan-port $vxlanport" if $vxlanport;
push @iface_config, "vxlan-gbp on" if $plugin_config->{'vxlan-gbp'};
+ # keep vxlan-learning off already at create, matching bridge-learning, otherwise
+ # ifupdown2's later learning sync sends a gbp-less changelink and the kernel resets
+ # reserved_bits to the default, which makes it drop GBP frames
+ push @iface_config, "vxlan-learning off" if $plugin_config->{'vxlan-gbp'};
push @iface_config, "bridge-learning off";
push @iface_config, "bridge-arp-nd-suppress on"
if !$plugin_config->{'disable-arp-nd-suppression'};
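Review bot: the four added lines here, comment included, are a verbatim copy of the ones added in the first hunk of the same sub, generate_sdn_config. Consider building the GBP-related options once (for example a small helper that returns the "vxlan-gbp on" and "vxlan-learning off" lines) and using it at both sites, or at least shortening this second comment to point at the first, so the two copies cannot drift apart if the workaround is later changed or dropped.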
--
2.47.3
2026-06-09 13:25 [RFC cluster/docs/ifupdown2/manager/network/proxmox{-ebpf,-ve-rs,-perl-rs} 00/16] sdn: add microsegmentation support Hannes Laimer
2026-06-09 13:25 ` [PATCH proxmox-ebpf 01/16] agent: add userspace coordinator and stateless policy subsystem Hannes Laimer
2026-06-09 13:25 ` [PATCH proxmox-ebpf 02/16] bpf: add bridge subsystem Hannes Laimer
2026-06-09 13:25 ` [PATCH proxmox-ebpf 03/16] debian: add packaging and boot-time oneshot unit Hannes Laimer
2026-06-09 13:25 ` [PATCH proxmox-ve-rs 04/16] ve-config: sdn: add microseg config types Hannes Laimer
2026-06-09 13:25 ` [PATCH proxmox-perl-rs 05/16] sdn: add microseg config binding Hannes Laimer
2026-06-09 13:25 ` [PATCH pve-cluster 06/16] cfs: add 'sdn/microseg.cfg' to observed files Hannes Laimer
2026-06-09 13:25 ` [PATCH pve-network 07/16] sdn: microseg: add config and API Hannes Laimer
2026-06-09 13:25 ` [PATCH pve-network 08/16] sdn: zones: trigger microseg apply on tap_plug Hannes Laimer
2026-06-09 13:25 ` [PATCH pve-network 09/16] sdn: zones: add vxlan-gbp option to vxlan and evpn zones Hannes Laimer
2026-06-09 13:25 ` Hannes Laimer [this message]
2026-06-09 13:25 ` [PATCH pve-manager 11/16] ui: sdn: add microsegmentation Hannes Laimer
2026-06-09 13:25 ` [PATCH pve-manager 12/16] network: apply microseg state on reload Hannes Laimer
2026-06-09 13:25 ` [PATCH pve-manager 13/16] ui: sdn: zones: add vxlan-gbp checkbox to vxlan and evpn Hannes Laimer
2026-06-09 13:25 ` [PATCH pve-docs 14/16] sdn: add microsegmentation section Hannes Laimer
2026-06-09 13:25 ` [PATCH pve-docs 15/16] sdn: add VXLAN-GBP flag to evpn/vxlan zone sections Hannes Laimer
2026-06-09 13:25 ` [PATCH ifupdown2 16/16] d/patches: add support for VXLAN-GBP flag Hannes Laimer