From: Hannes Laimer
To: pve-devel@lists.proxmox.com
Subject: [PATCH pve-network 10/16] evpn: disable vxlan-learning on create if GBP is enabled
Date: Tue, 9 Jun 2026 15:25:16 +0200

The kernel recomputes a vxlan interface's reserved_bits on every changelink. When GBP is enabled, those bits must leave the group policy id and GBP flag unreserved, otherwise vxlan_rcv classifies incoming GBP frames as malformed and drops them.

When bridge-learning is off, ifupdown2 syncs vxlan-learning to match by issuing a separate changelink after create. That changelink omits vxlan-gbp, so the kernel resets reserved_bits to the default and GBP frames start getting dropped.

Set vxlan-learning off already at create when GBP is enabled, so the interface matches the desired state up front and ifupdown2's later learning sync has nothing to change. This avoids the gbp-less changelink that would reset reserved_bits.

Signed-off-by: Hannes Laimer
---
 src/PVE/Network/SDN/Zones/EvpnPlugin.pm | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/PVE/Network/SDN/Zones/EvpnPlugin.pm b/src/PVE/Network/SDN/Zones/EvpnPlugin.pm index d8ce733..7f10c8a 100644 --- a/src/PVE/Network/SDN/Zones/EvpnPlugin.pm +++ b/src/PVE/Network/SDN/Zones/EvpnPlugin.pm
@@ -225,6 +225,10 @@ sub generate_sdn_config { push @iface_config, "vxlan-local-tunnelip $ifaceip" if $ifaceip; push @iface_config, "vxlan-port $vxlanport" if $vxlanport; push @iface_config, "vxlan-gbp on" if $plugin_config->{'vxlan-gbp'}; + # keep vxlan-learning off already at create, matching bridge-learning, otherwise + # ifupdown2's later learning sync sends a gbp-less changelink and the kernel resets + # reserved_bits to the default, which makes it drop GBP frames + push @iface_config, "vxlan-learning off" if $plugin_config->{'vxlan-gbp'}; push @iface_config, "bridge-learning off"; push @iface_config, "bridge-arp-nd-suppress on" if !$plugin_config->{'disable-arp-nd-suppression'}; @@ -322,6 +326,10 @@ sub generate_sdn_config { push @iface_config, "vxlan-local-tunnelip $ifaceip" if $ifaceip; push @iface_config, "vxlan-port $vxlanport" if $vxlanport; push @iface_config, "vxlan-gbp on" if $plugin_config->{'vxlan-gbp'}; + # keep vxlan-learning off already at create, matching bridge-learning, otherwise + # ifupdown2's later learning sync sends a gbp-less changelink and the kernel resets + # reserved_bits to the default, which makes it drop GBP frames + push @iface_config, "vxlan-learning off" if $plugin_config->{'vxlan-gbp'}; push @iface_config, "bridge-learning off"; push @iface_config, "bridge-arp-nd-suppress on" if !$plugin_config->{'disable-arp-nd-suppression'}; -- 2.47.3
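
Review bot: In the hunk at -225, "vxlan-learning off" is gated on $plugin_config->{'vxlan-gbp'} while the very next line pushes "bridge-learning off" unconditionally, and the new comment says the setting is there to match bridge-learning. Either emit "vxlan-learning off" unconditionally so the create-time state always matches, or extend the comment to say why non-GBP zones are deliberately left to ifupdown2's later sync. The comment could also state that this only avoids the one learning-sync changelink: since reserved_bits is recomputed on every changelink, any other later changelink that omits vxlan-gbp would reset it the same way.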
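
Review bot: The hunk at -322 repeats the three comment lines and the push of "vxlan-learning off" verbatim from the hunk at -225, next to context lines that are already duplicated between the two places. Consider moving the GBP-related pushes ("vxlan-gbp on" and "vxlan-learning off") into one small helper called from both vxlan stanzas, so the workaround and its explanation live in one spot and the two copies cannot drift apart.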