search

siderolabs / talos

Talos Linux is a modern Linux distribution built for Kubernetes.
https://www.talos.dev
Mozilla Public License 2.0
6.45k stars 514 forks source link

Allow management of VLANs on bridge controlled interfaces #9117

Open e3b0c442 opened 1 month ago

e3b0c442 commented 1 month ago

Feature Request

Allow management of VLANs on bridge controlled interfaces.

Description

8941 was recently completed which allows for enabling the VLAN filtering feature on Linux bridges. However, this feature cannot be fully utilized without the ability to also control the VLANs allowed on interfaces controlled by the bridge.

References:

The command-line process for a hypothetical br0 with a hypothetical eth0 interface attached would be as follows:

# create the bridge
ip link add br0 type bridge

# enable the bridge
ip link set br0 up

# enable VLAN filtering on the bridge -- accomplished in #8950
ip link set br0 type bridge vlan_filtering 1

# add a controlled interface to the bridge
ip link set eth0 master br0

# add allowed VLANs to the controlled port
bridge vlan add dev eth0 vid 2 master
bridge vlan add dev eth0 vid 3 master

# set a different VLAN on the bridge as the PVID (untagged traffic)
bridge vlan add dev eth0 vid 4 pvid untagged master

The end result of the above is a bridge which accepts traffic on VLANs 2, 3, and 4, with untagged traffic being assigned VLAN 4 on ingress via eth0 (and likewise VLAN 4 traffic being untagged on egress via eth0)

This is enough to enable appropriate usage with multus and NetworkAttachmentDefinitions, which will manage the pod network interfaces including adding the correct VLANs to the bridge port.

cc @camrossi FYI and for sanity check.

camrossi commented 1 month ago

That seems correct to me and @smira I am happy to test any alpha/beta code that you might have to ensure it works fine For now I will just create a daemon set to add the VLANs on the trunk.

camrossi commented 1 month ago

@e3b0c442 I have been reading this: https://www.cni.dev/plugins/current/main/bridge/#example-l2-only-disabled-interface-configuration

Note: The VLAN parameter configures the VLAN tag on the host end of the veth and also enables the vlan_filtering feature on the bridge interface. are you 100% sure vlan_filtering was disabled when you tested? Wondering why bridge CNI was failing here.

Now I only have a 1.8 alpha cluster running and if I don't set the vlan_filtering to true is always disabled but I am not sure if is disabled because now talos has its own config overriding things.

Do you have a 1.7 or earlier cluster to test?

ip -details  link show type bridge
    bridge forward_delay 1500 hello_time 200 max_age 2000 ageing_time 30000 stp_state 0 priority 32768 **vlan_filtering 0**