Add documentation for vlan bpf bypass.

Follow-up for PR: #16772 Signed-off-by: Viktor Kuzmin <kvaster@gmail.com>
cilium · Oct 13, 2021 · 05a3daf · 05a3daf
1 parent c5f5de8
commit 05a3daf
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 0 deletions.
diff --git a/Documentation/configuration/index.rst b/Documentation/configuration/index.rst
@@ -16,3 +16,4 @@ Core Agent
    :glob:
 
    api-rate-limiting
+   vlan-802.1q
diff --git a/Documentation/configuration/vlan-802.1q.rst b/Documentation/configuration/vlan-802.1q.rst
@@ -0,0 +1,25 @@
+.. only:: not (epub or latex or html)
+
+    WARNING: You are looking at unreleased Cilium documentation.
+    Please use the official rendered version released here:
+    https://docs.cilium.io
+
+.. _vlan_802.1q:
+
+*******************
+VLAN 802.1q support
+*******************
+
+Cilium enables firewalling on native devices in use and will filter all unknown traffic. VLAN 802.1q packets
+will always be passed through their main device with associated tag (e.g. VLAN device is ``eth0.4000`` and its main interface is ``eth0``).
+By default, Cilium will allow all tags from the native devices (i.e. if ``eth0.4000`` is controlled by Cilium and has
+an eBPF program attached, then VLAN tag ``4000`` will be allowed on device ``eth0``). Additional VLAN tags may be allowed
+with the cilium-agent flag ``--vlan-bpf-bypass=4001,4002`` (or Helm variable ``--set bpf.vlan-bpf-bypass=4001,4002``).
+
+The list of allowed VLAN tags cannot be too big in order to keep eBPF program of predictable size. Currently this list
+should contain no more than 5 entries. If you need more, then there is only one way for now: you need to allow
+all tags with cilium-agent flag ``--vlan-bpf-bypass=0``.
+
+.. note::
+
+    Currently, the cilium-agent will scan for available VLAN devices and tags only on startup.