
Allow management of VLANs on bridge controlled interfaces

Open e3b0c442 opened this issue 1 year ago • 3 comments

Feature Request

Allow management of VLANs on bridge controlled interfaces.

Description

#8941 was recently completed which allows for enabling the VLAN filtering feature on Linux bridges. However, this feature cannot be fully utilized without the ability to also control the VLANs allowed on interfaces controlled by the bridge.

References:

  • https://developers.redhat.com/blog/2017/09/14/vlan-filter-support-on-bridge#with_vlan_filtering
  • https://developers.redhat.com/articles/2022/04/06/introduction-linux-bridging-commands-and-features#vlan_filter

The command-line process for a hypothetical br0 with a hypothetical eth0 interface attached would be as follows:

# create the bridge
ip link add br0 type bridge

# enable the bridge
ip link set br0 up

# enable VLAN filtering on the bridge -- accomplished in #8950
ip link set br0 type bridge vlan_filtering 1

# add a controlled interface to the bridge
ip link set eth0 master br0

# add allowed VLANs to the controlled port
bridge vlan add dev eth0 vid 2 master
bridge vlan add dev eth0 vid 3 master

# set a different VLAN on the bridge as the PVID (untagged traffic)
bridge vlan add dev eth0 vid 4 pvid untagged master 

The end result of the above is a bridge which accepts traffic on VLANs 2, 3, and 4, with untagged traffic being assigned VLAN 4 on ingress via eth0 (and likewise VLAN 4 traffic being untagged on egress via eth0).

This is enough to enable appropriate usage with multus and NetworkAttachmentDefinitions, which will manage the pod network interfaces including adding the correct VLANs to the bridge port.

cc @camrossi FYI and for sanity check.

e3b0c442 avatar Aug 06 '24 12:08 e3b0c442

That seems correct to me, and @smira I am happy to test any alpha/beta code that you might have to ensure it works fine. For now I will just create a daemon set to add the VLANs on the trunk.

camrossi avatar Aug 07 '24 03:08 camrossi

@e3b0c442 I have been reading this: https://www.cni.dev/plugins/current/main/bridge/#example-l2-only-disabled-interface-configuration

Note: The VLAN parameter configures the VLAN tag on the host end of the veth and also enables the vlan_filtering feature on the bridge interface. Are you 100% sure vlan_filtering was disabled when you tested? Wondering why bridge CNI was failing here.

Now I only have a 1.8 alpha cluster running, and if I don't set vlan_filtering to true it is always disabled, but I am not sure if it is disabled because now Talos has its own config overriding things.

Do you have a 1.7 or earlier cluster to test?

ip -details  link show type bridge
    bridge forward_delay 1500 hello_time 200 max_age 2000 ageing_time 30000 stp_state 0 priority 32768 **vlan_filtering 0**

camrossi avatar Aug 08 '24 02:08 camrossi

I started work today on adding bridge port vlan filter settings to the machine config and other APIs. There is not yet much to look at but I will publish a draft PR when I have made some progress.

jnohlgard avatar Oct 14 '24 20:10 jnohlgard

We just spent quite a lot of time trying to figure out why the bridge CNI wasn't working with VLANs, and it wasn't until I found this issue that I understood the problem. The Talos Multus documentation should link here, since it's very likely that people will be using the bridge plugin with VLANs, at least on bare metal.

Also, it's worth noting that, in my testing, at least, you must disable the VLAN filtering feature implemented in https://github.com/siderolabs/talos/issues/8941 when creating static VLANs in the Talos machine config, or else pods won't be able to communicate on the VLAN at all. This is especially unintuitive.

dhess avatar Mar 25 '25 20:03 dhess

@jnohlgard did you ever end up coding something? @dhess for me it works perfectly fine with the VLAN filter enabled, but I do not have VLANs configured in the machine config. I just have a bridge and then I manually add the missing VLAN with bridge vlan add dev eth0 vid 2 master. This for now happens with a silly daemonset.

camrossi avatar Apr 30 '25 04:04 camrossi

I started working on it but various things came up so there is this WIP branch with my work. I think it is mostly working but there were some things that I wanted to implement before posting a PR, but I can't remember exactly what right now :shrug:. https://github.com/jnohlgard/talos/tree/bridge-port-vlan

jnohlgard avatar Apr 30 '25 06:04 jnohlgard

@jnohlgard oh cool, looking at the code the only thing I would suggest is to support VLAN ranges, as many times we need to add a few hundred VLANs. NMState does it like this:

  vlan:
    mode: trunk
    trunk-tags:
      - id: 315
      - id: 316
      - id: 3456
      - id-range:
          max: 3799
          min: 3700

camrossi avatar Apr 30 '25 07:04 camrossi
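The per-port bridge vlan add sequence from the opening post and the nmstate-style id/id-range list suggested above, as an added example that is neither Talos code nor any commenter's: it expands the tag list into a validated, de-duplicated VID set (rejecting VIDs outside 1..4094 and inverted ranges) and renders the commands a port would need, marking the PVID as untagged. TrunkTag, ExpandTrunkTags and BridgeVlanCommands are hypothetical names.

```go
package main

import (
	"fmt"
	"sort"
)

// TrunkTag mirrors one nmstate-style trunk-tags entry: a single id, or an
// inclusive id-range when Min/Max are set. Hypothetical type, not the Talos API.
type TrunkTag struct {
	ID       int
	Min, Max int
}

// ExpandTrunkTags expands the list into sorted, de-duplicated VIDs, rejecting
// anything outside the 802.1Q range 1..4094 and ranges with min > max.
func ExpandTrunkTags(tags []TrunkTag) ([]int, error) {
	seen := map[int]bool{}
	for _, t := range tags {
		lo, hi := t.ID, t.ID
		if t.Min != 0 || t.Max != 0 {
			lo, hi = t.Min, t.Max
		}
		if lo < 1 || hi > 4094 || lo > hi {
			return nil, fmt.Errorf("invalid VLAN spec %+v (want 1..4094, min <= max)", t)
		}
		for v := lo; v <= hi; v++ {
			seen[v] = true
		}
	}
	vids := make([]int, 0, len(seen))
	for v := range seen {
		vids = append(vids, v)
	}
	sort.Ints(vids)
	return vids, nil
}

// BridgeVlanCommands renders the `bridge vlan add` lines for one bridge port;
// pvid gets "pvid untagged" so untagged frames land on that VLAN, as in the issue.
func BridgeVlanCommands(dev string, vids []int, pvid int) []string {
	cmds := make([]string, 0, len(vids))
	for _, v := range vids {
		flags := "master"
		if v == pvid {
			flags = "pvid untagged master"
		}
		cmds = append(cmds, fmt.Sprintf("bridge vlan add dev %s vid %d %s", dev, v, flags))
	}
	return cmds
}
```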

Agree with mirroring nmstate syntax wherever possible.

Thanks for digging into this, I also had intended to but was able to work around the issue and couldn't prioritize it.

e3b0c442 avatar Apr 30 '25 11:04 e3b0c442

Hey, any traction on this? It would be suuuper useful :)

codingJWilliams avatar Nov 28 '25 23:11 codingJWilliams