[PATCH 0/4] Fix a few vlan-related issues
The main fix here is Patch 1, which adds the code necessary to support live update of the vlan tag for a direct (macvtap) passthrough interface, thus resolving two separate issues. The other three are just small annoyances that I found while testing. Laine Stump (4): qemu: update vlan tag of macvtap (direct) passthrough devices during update-device qemu: use actual/effective vlan when updating OVS-based interface vlan tag conf: validate that specified interface type supports vlan tags conf: simplify check for vlan tagging support in virDomainActualNetDefValidate() src/conf/domain_validate.c | 52 +++++++++++++++++++++++++++++++++----- src/qemu/qemu_hotplug.c | 14 ++++++++-- 2 files changed, 57 insertions(+), 9 deletions(-) -- 2.52.0
From: Laine Stump <laine@redhat.com> We already update the vlan tag of interfaces that are attached to an OVS bridge or Linux host bridge. This patch adds the bit of code necessary to update the vlan tag of a macvtap passthrough interface (the only other type of interface that supports vlan tagging). Resolves: https://issues.redhat.com/browse/RHEL-74487 Resolves: https://issues.redhat.com/browse/RHEL-7300 Signed-off-by: Laine Stump <laine@redhat.com> --- src/qemu/qemu_hotplug.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c index fccbef5d0c..6d20e3a850 100644 --- a/src/qemu/qemu_hotplug.c +++ b/src/qemu/qemu_hotplug.c @@ -4265,11 +4265,21 @@ qemuDomainChangeNet(virQEMUDriver *driver, */ if (virNetDevOpenvswitchUpdateVlan(newdev->ifname, &newdev->vlan) < 0) goto cleanup; - } else { + } else if (newType == VIR_DOMAIN_NET_TYPE_DIRECT && + virDomainNetGetActualDirectMode(newdev) == VIR_NETDEV_MACVLAN_MODE_PASSTHRU) { + if (virNetDevSetNetConfig(virDomainNetGetActualDirectDev(newdev), + -1, NULL, virDomainNetGetActualVlan(newdev), NULL, true) < 0) { + goto cleanup; + } + } else if (newBridgeName) { /* vlan setup is done as a part of reconnecting the tap * device to a new bridge (either OVS or Linux host bridge). */ needBridgeChange = true; + } else { + virReportError(VIR_ERR_OPERATION_UNSUPPORTED, + _("unable to change vlan on '%1$s' network type"), + virDomainNetTypeToString(newType)); } needReplaceDevDef = true; } -- 2.52.0
From: Laine Stump <laine@redhat.com> Using &newdev->vlan when updating the vlan tag causes problems if the interface is using a libvirt virtual network to get its vlan tag info - in this case the info won't be properly pulled from the virtual network config, but instead it will just use the (empty) vlan object from the netdef. The proper thing to do is to use virDomainNetGetActualVlan(), which will pull the vlan tag from the network definition, if applicable. Signed-off-by: Laine Stunp <laine@redhat.com> Signed-off-by: Laine Stump <laine@redhat.com> --- src/qemu/qemu_hotplug.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c index 6d20e3a850..c5905dba23 100644 --- a/src/qemu/qemu_hotplug.c +++ b/src/qemu/qemu_hotplug.c @@ -4263,7 +4263,7 @@ qemuDomainChangeNet(virQEMUDriver *driver, * will redo vlan setup without needing to re-attach the * tap device to the bridge */ - if (virNetDevOpenvswitchUpdateVlan(newdev->ifname, &newdev->vlan) < 0) + if (virNetDevOpenvswitchUpdateVlan(newdev->ifname, virDomainNetGetActualVlan(newdev)) < 0) goto cleanup; } else if (newType == VIR_DOMAIN_NET_TYPE_DIRECT && virDomainNetGetActualDirectMode(newdev) == VIR_NETDEV_MACVLAN_MODE_PASSTHRU) { -- 2.52.0
On a Thursday in 2026, Laine Stump via Devel wrote:
From: Laine Stump <laine@redhat.com>
Using &newdev->vlan when updating the vlan tag causes problems if the interface is using a libvirt virtual network to get its vlan tag info - in this case the info won't be properly pulled from the virtual network config, but instead it will just use the (empty) vlan object from the netdef.
The proper thing to do is to use virDomainNetGetActualVlan(), which will pull the vlan tag from the network definition, if applicable.
Signed-off-by: Laine Stunp <laine@redhat.com> Signed-off-by: Laine Stump <laine@redhat.com>
How did you manage to sign off twice? Usually `git commit -s` avoids this. Jano
--- src/qemu/qemu_hotplug.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
On 1/16/26 11:16 AM, Ján Tomko via Devel wrote:
On a Thursday in 2026, Laine Stump via Devel wrote:
From: Laine Stump <laine@redhat.com>
Using &newdev->vlan when updating the vlan tag causes problems if the interface is using a libvirt virtual network to get its vlan tag info - in this case the info won't be properly pulled from the virtual network config, but instead it will just use the (empty) vlan object from the netdef.
The proper thing to do is to use virDomainNetGetActualVlan(), which will pull the vlan tag from the network definition, if applicable.
Signed-off-by: Laine Stunp <laine@redhat.com> Signed-off-by: Laine Stump <laine@redhat.com>
How did you manage to sign off twice? Usually `git commit -s` avoids this.
That's odd - the duplicate isn't there in my local directory, and I certainly would have noticed an existing SOB on the adjancent line if I manually added it in.
From: Laine Stump <laine@redhat.com> Somehow this was never done in virDomainNetDefValidate() (which is run immediately post-parse) - it was only in virDomainActualNetDefValidate() (which isn't done until the interface is actually attached to the domain). While it is true that we *might* not know if vlan tagging is supported for the interface if the interface type == 'network', we otherwise will always know right away, so we may as well check sooner than later. Signed-off-by: Laine Stump <laine@redhat.com> --- src/conf/domain_validate.c | 41 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/src/conf/domain_validate.c b/src/conf/domain_validate.c index 7346a61731..4589965923 100644 --- a/src/conf/domain_validate.c +++ b/src/conf/domain_validate.c @@ -2377,6 +2377,47 @@ virDomainNetDefValidate(const virDomainNetDef *net) return -1; } + if (net->vlan.nTags > 0) { + /* vlan configuration via libvirt is only supported for PCI + * Passthrough SR-IOV devices (hostdev or macvtap passthru + * mode) and openvswitch/linux host bridges. (Also allow it in + * the case where we don't yet know what the exact connection + * type will be, i.e. NET_TYPE_NETWORK). + */ + bool vlanAllowed = false; + + switch (net->type) { + case VIR_DOMAIN_NET_TYPE_HOSTDEV: + case VIR_DOMAIN_NET_TYPE_NETWORK: + case VIR_DOMAIN_NET_TYPE_BRIDGE: + vlanAllowed = true; + break; + case VIR_DOMAIN_NET_TYPE_DIRECT: + if (net->data.direct.mode == VIR_NETDEV_MACVLAN_MODE_PASSTHRU) + vlanAllowed = true; + break; + case VIR_DOMAIN_NET_TYPE_ETHERNET: + case VIR_DOMAIN_NET_TYPE_USER: + case VIR_DOMAIN_NET_TYPE_VHOSTUSER: + case VIR_DOMAIN_NET_TYPE_SERVER: + case VIR_DOMAIN_NET_TYPE_CLIENT: + case VIR_DOMAIN_NET_TYPE_MCAST: + case VIR_DOMAIN_NET_TYPE_INTERNAL: + case VIR_DOMAIN_NET_TYPE_UDP: + case VIR_DOMAIN_NET_TYPE_VDPA: + case VIR_DOMAIN_NET_TYPE_NULL: + case VIR_DOMAIN_NET_TYPE_VDS: + case VIR_DOMAIN_NET_TYPE_LAST: + break; + } + if (!vlanAllowed) { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, + _("interface %1$s - vlan tag not supported for this connection type"), + macstr); + return -1; + } + } + return 0; } -- 2.52.0
From: Laine Stump <laine@redhat.com> Since the only two types of bridges we support are OVS bridges and Linux host bridges, and since both of those now support vlan tagging, we don't need to check the virtualport type etc - if there is a bridge specified then we know the interface will support vlan tagging. Signed-off-by: Laine Stump <laine@redhat.com> --- src/conf/domain_validate.c | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/src/conf/domain_validate.c b/src/conf/domain_validate.c index 4589965923..4482203087 100644 --- a/src/conf/domain_validate.c +++ b/src/conf/domain_validate.c @@ -2229,15 +2229,12 @@ virDomainActualNetDefValidate(const virDomainNetDef *net) if (virDomainNetGetActualVlan(net)) { /* vlan configuration via libvirt is only supported for PCI * Passthrough SR-IOV devices (hostdev or macvtap passthru - * mode) and openvswitch bridges. Otherwise log an error and - * fail + * mode) and openvswitch/linux host bridges. */ - if (!(actualType == VIR_DOMAIN_NET_TYPE_HOSTDEV || + if (!(virDomainNetGetActualBridgeName(net) || + actualType == VIR_DOMAIN_NET_TYPE_HOSTDEV || (actualType == VIR_DOMAIN_NET_TYPE_DIRECT && - virDomainNetGetActualDirectMode(net) == VIR_NETDEV_MACVLAN_MODE_PASSTHRU) || - (actualType == VIR_DOMAIN_NET_TYPE_BRIDGE && - vport && vport->virtPortType == VIR_NETDEV_VPORT_PROFILE_OPENVSWITCH) || - (actualType == VIR_DOMAIN_NET_TYPE_BRIDGE && !vport))) { + virDomainNetGetActualDirectMode(net) == VIR_NETDEV_MACVLAN_MODE_PASSTHRU))) { virReportError(VIR_ERR_CONFIG_UNSUPPORTED, _("interface %1$s - vlan tag not supported for this connection type"), macstr); -- 2.52.0
On a Thursday in 2026, Laine Stump via Devel wrote:
The main fix here is Patch 1, which adds the code necessary to support live update of the vlan tag for a direct (macvtap) passthrough interface, thus resolving two separate issues. The other three are just small annoyances that I found while testing.
Laine Stump (4): qemu: update vlan tag of macvtap (direct) passthrough devices during update-device qemu: use actual/effective vlan when updating OVS-based interface vlan tag conf: validate that specified interface type supports vlan tags conf: simplify check for vlan tagging support in virDomainActualNetDefValidate()
src/conf/domain_validate.c | 52 +++++++++++++++++++++++++++++++++----- src/qemu/qemu_hotplug.c | 14 ++++++++-- 2 files changed, 57 insertions(+), 9 deletions(-)
Reviewed-by: Ján Tomko <jtomko@redhat.com> Jano
participants (2)
-
Ján Tomko -
Laine Stump