Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add documentation for vlan bpf bypass.
Follow-up for PR: #16772

Signed-off-by: Viktor Kuzmin <kvaster@gmail.com>
Showing 2 changed files with 26 additions and 0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -16,3 +16,4 @@ Core Agent | |
:glob: | ||
|
||
api-rate-limiting | ||
vlan-802.1q |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,25 @@ | ||
.. only:: not (epub or latex or html) | ||
|
||
WARNING: You are looking at unreleased Cilium documentation. | ||
Please use the official rendered version released here: | ||
https://docs.cilium.io | ||
|
||
.. _vlan_802.1q: | ||
|
||
******************* | ||
VLAN 802.1q support | ||
******************* | ||
|
||
Cilium enables firewalling on native devices in use and will filter all unknown traffic. VLAN 802.1q packets | ||
will always be passed through their main device with associated tag (e.g. VLAN device is ``eth0.4000`` and its main interface is ``eth0``). | ||
By default, Cilium will allow all tags from the native devices (i.e. if ``eth0.4000`` is controlled by Cilium and has | ||
an eBPF program attached, then VLAN tag ``4000`` will be allowed on device ``eth0``). Additional VLAN tags may be allowed | ||
with the cilium-agent flag ``--vlan-bpf-bypass=4001,4002`` (or Helm variable ``--set bpf.vlan-bpf-bypass=4001,4002``). | ||
|
||
The list of allowed VLAN tags cannot be too big in order to keep eBPF program of predictable size. Currently this list | ||
should contain no more than 5 entries. If you need more, then there is only one way for now: you need to allow | ||
all tags with cilium-agent flag ``--vlan-bpf-bypass=0``. | ||
|
||
.. note:: | ||
|
||
Currently, the cilium-agent will scan for available VLAN devices and tags only on startup. |
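
Review bot: The paragraph on the 5-entry limit presents ``--vlan-bpf-bypass=0`` only as a workaround for long lists, but it allows every VLAN tag on the native device, which removes the filtering of unknown tagged traffic described in the first paragraph. State that consequence next to the flag, and say what the agent does when more than 5 tags are listed (refuse to start, or ignore the extra entries), since "should contain no more than 5 entries" leaves that open. In the Helm example, ``--set bpf.vlan-bpf-bypass=4001,4002`` will not pass both tags as written, because Helm splits ``--set`` arguments on commas; show the escaped or list form (``\,`` or ``{4001,4002}``) instead. The closing note would also be more useful if it said that a VLAN device added after startup needs an agent restart before its tag is allowed.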