VLAN membership should be explicit #198

Closed
jovatn opened this issue Nov 8, 2023 · 1 comment

jovatn commented Nov 8, 2023

We pass vlan_default_pvid 1 when creating a bridge. It should be '0'.

```
root@shelfy-82-00-00:~# cat /run/net/0/action/init/br0/50-init.ip
#!/sbin/ip -batch

link add dev br0 type bridge group_fwd_mask 0 vlan_filtering 1 mcast_snooping 0 vlan_protocol 802.1Q vlan_default_pvid 1
link set dev br0 down addrgenmode none
link set dev br0 up state up
root@shelfy-82-00-00:~#
```

The result is that VID 1 is lingering for ports and bridges in case I wish to configure a VLAN untagged for some other VID, here VLAN 10 untagged on ports eth1 and eth2 on bridge br0:

```
admin@shelfy-82-00-00:/> show running-config 
...
interfaces {
  interface br0 {
    type bridge;
    bridge vlans {
      pvid 10;
      vlan 10 {
        untagged eth1;
        untagged eth2;
        tagged br0;
      }
    }
  }
...
  interface eth1 {
    type ethernet;
    ipv6 enabled true;
    bridge-port {
      bridge br0;
      pvid 10;
    }
  }
  interface eth2 {
    type ethernet;
    ipv6 enabled true;
    bridge-port {
      bridge br0;
      pvid 10;
    }
  }
...
  interface vlan10 {
    type vlan;
    ipv4 {
      enabled true;
      address 10.0.1.1 prefix-length 24;
    }
    vlan {
      id 10;
      lower-layer-if br0;
    }
  }
}
```

The membership looks like this:

```
root@shelfy-82-00-00:~# bridge vlan show
port              vlan-id  
eth1              1 Egress Untagged
                  10 PVID Egress Untagged
eth2              1 Egress Untagged
                  10 PVID Egress Untagged
br0               1 PVID Egress Untagged
                  10
root@shelfy-82-00-00:~# 
```

Also, it does not seem to bite until after a reboot.

troglobit added a commit that referenced this issue Nov 8, 2023
Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
troglobit added a commit that referenced this issue Nov 8, 2023
 - drop bridge pvid setting in YANG model, we require bridge ports to
   have explicit VLAN assignment (security)
 - refactor bridge_vlan_settings(), do not enable vlan_filtering if
   there are no VLANs configured on the bridge

Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
wkz closed this as completed in 32c2319 Nov 8, 2023
@troglobit

Fixes merged to main in 32c2319. I verified also that adding ports to more VLANs, tagged and untagged, works without having to reboot. (configure + add + leave, configure + add + leave)
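
A check for the lingering membership shown in the issue, as an added example that is not part of the original thread or the project's code: it parses the plain-text `bridge vlan show` table and reports every port/VID pair that the explicit configuration does not ask for. `EXPECTED` is an assumption read from the `vlan 10` stanza and the port `pvid` settings in the issue, and the function names are hypothetical.

```python
# Output from the issue above (bridge created with vlan_default_pvid 1).
SAMPLE = """\
port              vlan-id
eth1              1 Egress Untagged
                  10 PVID Egress Untagged
eth2              1 Egress Untagged
                  10 PVID Egress Untagged
br0               1 PVID Egress Untagged
                  10
"""

# Assumed intent, read from the running-config above: {port: {vid: flags}}.
EXPECTED = {
    "eth1": {10: {"pvid", "untagged"}},
    "eth2": {10: {"pvid", "untagged"}},
    "br0": {10: set()},  # tagged member, no PVID
}

def parse_bridge_vlan(text):
    """Parse the plain-text `bridge vlan show` table into {port: {vid: flags}}."""
    table, port = {}, None
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[:2] == ["port", "vlan-id"]:
            continue  # blank line or column header
        if not line[0].isspace():  # a new port entry starts in column 0
            port = fields.pop(0)
            table.setdefault(port, {})
        if port is None or not fields or not fields[0].isdigit():
            continue  # port without VLANs, or a line this parser does not understand
        flags = {f.lower() for f in fields[1:] if f in ("PVID", "Untagged")}
        table[port][int(fields[0])] = flags
    return table

def audit(actual, expected):
    """List every (port, vid, reason) where kernel state differs from the config."""
    findings = []
    for port in sorted(set(actual) | set(expected)):
        have, want = actual.get(port, {}), expected.get(port, {})
        for vid in sorted(set(have) | set(want)):
            if vid not in want:
                findings.append((port, vid, "implicit membership"))
            elif vid not in have:
                findings.append((port, vid, "missing membership"))
            elif have[vid] != want[vid]:
                findings.append((port, vid, "flag mismatch"))
    return findings
```

Run against the output in the issue, `audit(parse_bridge_vlan(SAMPLE), EXPECTED)` flags VID 1 on br0, eth1 and eth2 as implicit membership.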
