bridge: add vlan trunk support #829
Conversation
|
hey @SchSeba would you mind taking a quick look? |
|
I found the test failed in "portmap" plugin. |
|
I will take a look on this one. |
tjjh89017
force-pushed
the
bridge_vlan_trunk
branch
8 times, most recently
from
5f9df94
to
43a475f
Compare
|
@mlguerrero12, who agreed to review this. |
tjjh89017
force-pushed
the
bridge_vlan_trunk
branch
3 times, most recently
from
c85b58a
to
534f610
Compare
tjjh89017
force-pushed
the
bridge_vlan_trunk
branch
2 times, most recently
from
40f87d8
to
5f9ae6e
Compare
|
I see a conflict with PVID here that has not been addressed. When a port has PVID set (regular vlan id here), this becomes an access port. On the other hand, a trunk port has no PVID. Only tagged VIDs and no VID (default vlan). That's a check we need to add on this pr. So, a use case for vlan trunk is a container with a trunk port on the bridge. This container can use multus for example to create additional vlan subinterfaces. Let's say two for vlan 100 and 200. Then, 3 containers can be created, one with vlan 100, the other one with 200 and the last one with no vlan. The subinterfaces on the first container should be able to talk to the containers with the specific vlan and untagged traffic should be forwarded thanks to the default vlan. Now, regarding the default vlan, with the new parameter preserveDefaultVlan, it is possible to remove it. For instance, if a user only wants tagged traffic to go through the trunk port. Hope this makes sense. |
In most of current switches, they could accept hybrid mode port which allow PVID and trunk at the same time.
That is the reason I didn't check the vlan value before we configure vlanTrunk. But it seems I need to check if pvid is in vlanTrunks list, and skip it.
|
|
Exactly, the pvid here is the native vlan, not the one coming from the parameter vlan. From you message, I think you believe the native vlan is configured with this parameter and it is not. We currently don't have a param to modify the native vlan of the bridge. When we add the pvid (vlan param equal 100), the port has: Now, if you add trunk port. This will become. 1 Egress untagged Native vlan is still 1 (this a configuration of the bridge itself, not the ports of the bridge). With the above config, untagged ingress traffic will have tag 100 (clearly not the native vlan) and on egress, vid 100 and untagged traffic will output untagged. I'm familiar with cisco switches as well and I don't remember a config to do this. |
So did it mean that we need to always remove the vid 1 when vlan is presented? In this config, vid 1 didn't take any effect and it might have some issue on this port.
In this bridge cni, I think we never modify the bridge's vlan config.
I'm not really confident that I understand this part. traffic from eth0 to eth1 will be captured with vid 1 tagged in eth1 egress direction. The only config with problem will be like this traffic from eth0 to eth1 will be captured with untagged in eth1 egress direction.
This is my config of my switch. c2960s So from my side, I will suggest to remove default vlan always when vlanID is presented. Stay away from the config as this |
|
If we took this cisco config as example to impelment. In Linux Bridge, we should get something like this below. without I want to ensure that we have the same config translation in this Cisco config. |
|
If you want to achieve veth0 101 PVID Egress Untagged you need to create a bridge with a default vlan equal to 101 and then add tags 100 and 999 with this pr. In my view, you want to achieve the same with a hack. You want to add a vlan with PVID (access port) 101 and then delete the default vlan (with preserveDefaultVlan equal to false) and add tags 100 and 999. Conceptually, this is not correct. |
|
All the issues come from not having removed the default vlan of the bridge from the ports since day 1. If we allow users this kind of flexibility, there will be confusion. They can set a different default vlan by setting a PVID and having preserveDefaultVlan equal to false. But this is contradicting, they will have a default vlan but they are explicitly saying that they don't want to preserve the default vlan. It works, but it's not semantically correct. Another issue, if they leave the default vlan of the bridge and set a PVID. They will have on port: Untagged ingress traffic is fine, it will be tagged with 101, but egress traffic with tag 101 and 1 will be untagged. In a cisco switch, if the default vlan is set to 101, the trunk will not modify any other traffic. Traffic with vlan 1 will have tag 1. This will not be the case here. In my opinion, we should stick to basic concepts, at least for now to avoid these issues. A trunk port should only allow tagged vids and the native vlan, the one configured on the bridge. @maiqueb @squeed, what do you think? See my comment above also. |
As discussion with @mlguerrero12, I think we could make this PR with some limitation and leave something to the future version. For now, I will modify the PR to support access port (untagged only) and trunk port (tagged only). by the way, I will suggest not to use the "default" vlan term. [1]: |
|
cool, thanks @tjjh89017 |
I agree w/ @mlguerrero12 - having a single, crystal clear flow regarding VLANs is preferable. |
|
From my side,
I didn't agree with this one in the future. |
tjjh89017
force-pushed
the
bridge_vlan_trunk
branch
from
e185d05
to
d869ebd
Compare
|
@maiqueb I think this version of unit test should work. |
There was a problem hiding this comment.
Nice, I'm just missing a few tests.
Also missing tests for the vlanTrunk.ID attribute; I would say:
- positive tests: a vlan trunk w/ just the ID
- positive tests: a vlan trunk w/ a range + ID
- negative test: a a vlan trunk where the ID has a negative value
- negative test: a a vlan trunk where the ID == 10000
There was a problem hiding this comment.
Thank you.
Please squash all commits into one once the PR is ready.
@mlguerrero12 can you take another look ?
I will squash commit in the last moment. |
|
thank you @tjjh89017 |
add vlan trunk support for veth vlan trunk only support L2 only mode without any IPAM refer ovs-cni design https://github.com/k8snetworkplumbingwg/ovs-cni/blob/main/pkg/plugin/plugin.go design: origin "vlan" option will be PVID or untagged vlan for the network. "vlanTrunk" will setup tagged vlan for veth. entry type: `{ "id": 100 }` will specify only tagged vlan 100 `{ "minID": 100, "maxID": 120 }` will specify tagged vlan from 100 to 120 (include 100 and 120) vlanTrunk is a list of above entry type, so you can use this to add tagged vlan `[ { "id": 100 }, { "minID": 1000, "maxID": 2000 } ]` complete config will be like this { "cniVersion": "0.3.1", "name": "mynet", "type": "bridge", "bridge": "mynet0", "vlan": 100, "vlanTrunk": [ { "id": 101 }, { "minID": 1000, "maxID": 2000 }, { "minID": 3000, "maxID": 4000 } ], "ipam": {} } Signed-off-by: Date Huang <date.huang@suse.com>
tjjh89017
force-pushed
the
bridge_vlan_trunk
branch
from
beae87d
to
090af7d
Compare
|
Ok thanks all of you guys! |
|
please don't forget to update the docs, the example sets both vlan and vlantrunk |
Sure, I will! |
add vlan trunk support for veth
vlan trunk only support L2 only mode without any IPAM
refer ovs-cni design
https://github.com/k8snetworkplumbingwg/ovs-cni/blob/main/pkg/plugin/plugin.go
design:
origin "vlan" option will be PVID or untagged vlan for the network.
"vlanTrunk" will setup tagged vlan for veth.
entry type:
{ "id": 100 }will specify only tagged vlan 100{ "minID": 100, "maxID": 120 }will specify tagged vlan from 100 to120 (include 100 and 120)
vlanTrunk is a list of above entry type, so you can use this to add
tagged vlan
[ { "id": 100 }, { "minID": 1000, "maxID": 2000 } ]complete config will be like this
{ "cniVersion": "0.3.1", "name": "mynet", "type": "bridge", "bridge": "mynet0", "vlan": 100, "vlanTrunk": [ { "id": 101 }, { "minID": 1000, "maxID": 2000 }, { "minID": 3000, "maxID": 4000 } ], "ipam": {} }Original PR: #689
Signed-off-by: Date Huang date.huang@suse.com