[pve-devel] [PATCH common] fix #7193: allow vlan-interfaces as physical bridge ports

Stoiko Ivanov s.ivanov at proxmox.com
Tue Dec 30 17:06:58 CET 2025 

as described in the bug-report having a vlan-interface on a physical
NIC (eno1.1234) as bridge port - allowed users until
057f62f ("fix #7118: fix bridge port detection when plugging netdev with vlan")

to stack 2 802.1q tags on a packet leaving a VM (not quite QinQ, as
both packets have the TPID of a plain 802.1q tag [0].

the fix in the patch 057f62f allowed for nics to have arbitrary names,
so I went ahead and only check if this is a VLAN-interface, without
matching the name for the <iface>.<VLAN> pattern (that is quite common
in debian-based systems but not the only way to configure a
vlan-interface).

Not sure if this is the cleanest way forward, but it fixes the
regression in #7193 for me in a test-setup.

[0] see: https://en.wikipedia.org/wiki/IEEE_802.1ad - the spec says
the outer layer should have TPID (Tag protocol identifier ~ type)
of 0x88A8 and the inner keep the regular 0x8100 from 802.1Q - but it
seems this is not enforced by quite a number of switches in reality.

Signed-off-by: Stoiko Ivanov <s.ivanov at proxmox.com>
---
will send a backport for stable-8 right away.
 src/PVE/IPRoute2.pm | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/src/PVE/IPRoute2.pm b/src/PVE/IPRoute2.pm
index 5c312d9..0480871 100644
--- a/src/PVE/IPRoute2.pm
+++ b/src/PVE/IPRoute2.pm
@@ -32,6 +32,14 @@ sub ip_link_is_physical($ip_link) {
         && (!defined($ip_link->{linkinfo}) || !defined($ip_link->{linkinfo}->{info_kind}));
 }
 
+sub ip_link_is_vlan($ip_link) {
+    return
+        $ip_link->{link_type} eq 'ether'
+        && defined($ip_link->{linkinfo})
+        && defined($ip_link->{linkinfo}->{info_kind})
+        && $ip_link->{linkinfo}->{info_kind} eq "vlan";
+}
+
 sub ip_link_is_bond($ip_link) {
     return
         $ip_link->{link_type} eq 'ether'
@@ -75,7 +83,9 @@ sub get_physical_bridge_ports($bridge, $ip_links = undef) {
     }
 
     return grep {
-        (ip_link_is_physical($ip_links->{$_}) || ip_link_is_bond($ip_links->{$_}))
+        (ip_link_is_physical($ip_links->{$_})
+                || ip_link_is_bond($ip_links->{$_})
+                || ip_link_is_vlan($ip_links->{$_}))
             && defined($ip_links->{$_}->{master})
             && $ip_links->{$_}->{master} eq $bridge
     } keys $ip_links->%*;
-- 
2.47.3

More information about the pve-devel mailing list