1.\" 2.\" SPDX-License-Identifier: BSD-4-Clause 3.\" 4.\" $NetBSD: bridge.4,v 1.5 2004/01/31 20:14:11 jdc Exp $ 5.\" 6.\" Copyright 2001 Wasabi Systems, Inc. 7.\" All rights reserved. 8.\" 9.\" Written by Jason R. Thorpe for Wasabi Systems, Inc. 10.\" 11.\" Redistribution and use in source and binary forms, with or without 12.\" modification, are permitted provided that the following conditions 13.\" are met: 14.\" 1. Redistributions of source code must retain the above copyright 15.\" notice, this list of conditions and the following disclaimer. 16.\" 2. Redistributions in binary form must reproduce the above copyright 17.\" notice, this list of conditions and the following disclaimer in the 18.\" documentation and/or other materials provided with the distribution. 19.\" 3. All advertising materials mentioning features or use of this software 20.\" must display the following acknowledgement: 21.\" This product includes software developed for the NetBSD Project by 22.\" Wasabi Systems, Inc. 23.\" 4. The name of Wasabi Systems, Inc. may not be used to endorse 24.\" or promote products derived from this software without specific prior 25.\" written permission. 26.\" 27.\" THIS SOFTWARE IS PROVIDED BY WASABI SYSTEMS, INC. ``AS IS'' AND 28.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 29.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 30.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL WASABI SYSTEMS, INC 31.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 32.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 33.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 34.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 35.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 36.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 37.\" POSSIBILITY OF SUCH DAMAGE. 38.\" 39.Dd April 10, 2024 40.Dt IF_BRIDGE 4 41.Os 42.Sh NAME 43.Nm if_bridge 44.Nd network bridge device 45.Sh SYNOPSIS 46To compile this driver into the kernel, 47place the following line in your 48kernel configuration file: 49.Bd -ragged -offset indent 50.Cd "device if_bridge" 51.Ed 52.Pp 53Alternatively, to load the driver as a 54module at boot time, place the following lines in 55.Xr loader.conf 5 : 56.Bd -literal -offset indent 57if_bridge_load="YES" 58bridgestp_load="YES" 59.Ed 60.Sh DESCRIPTION 61The 62.Nm 63driver creates a logical link between two or more IEEE 802 networks 64that use the same (or 65.Dq "similar enough" ) 66framing format. 67For example, it is possible to bridge Ethernet and 802.11 networks together, 68but it is not possible to bridge Ethernet and Token Ring together. 69.Pp 70Each 71.Nm 72interface is created at runtime using interface cloning. 73This is 74most easily done with the 75.Xr ifconfig 8 76.Cm create 77command or using the 78.Va cloned_interfaces 79variable in 80.Xr rc.conf 5 . 81.Pp 82The 83.Nm 84interface randomly chooses a link (MAC) address in the range reserved for 85locally administered addresses when it is created. 86This address is guaranteed to be unique 87.Em only 88across all 89.Nm 90interfaces on the local machine. 91Thus you can theoretically have two bridges on different machines with 92the same link addresses. 93The address can be changed by assigning the desired link address using 94.Xr ifconfig 8 . 95.Pp 96If 97.Xr sysctl 8 98node 99.Va net.link.bridge.inherit_mac 100has a non-zero value, the newly created bridge will inherit the MAC 101address from its first member instead of choosing a random link-level 102address. 103This will provide more predictable bridge MAC addresses without any 104additional configuration, but currently this feature is known to break 105some L2 protocols, for example PPPoE that is provided by 106.Xr ng_pppoe 4 107and 108.Xr ppp 8 . 109Currently this feature is considered as experimental and is turned off 110by default. 111.Pp 112A bridge can be used to provide several services, such as a simple 113802.11-to-Ethernet bridge for wireless hosts, or traffic isolation. 114.Pp 115A bridge works like a switch, forwarding traffic from one interface 116to another. 117Multicast and broadcast packets are always forwarded to all 118interfaces that are part of the bridge. 119For unicast traffic, the bridge learns which MAC addresses are associated 120with which interfaces and will forward the traffic selectively. 121.Pp 122By default the bridge logs MAC address port flapping to 123.Xr syslog 3 . 124This behavior can be disabled by setting the 125.Xr sysctl 8 126variable 127.Va net.link.bridge.log_mac_flap 128to 129.Li 0 . 130.Pp 131All the bridged member interfaces need to be up 132in order to pass network traffic. 133These can be enabled using 134.Xr ifconfig 8 135or 136.Va ifconfig_ Ns Ao Ar interface Ac Ns Li ="up" 137in 138.Xr rc.conf 5 . 139.Pp 140The MTU of the first member interface to be added is used as the bridge MTU. 141All additional members will have their MTU changed to match. 142If the MTU of a bridge is changed after its creation, the MTU of all member 143interfaces is also changed to match. 144.Pp 145The TOE, TSO, TXCSUM and TXCSUM6 capabilities on all interfaces added to the 146bridge are disabled if any of the interfaces do not support/enable them. 147The LRO capability is always disabled. 148All the capabilities are restored when the interface is removed from the bridge. 149Changing capabilities at run-time may cause NIC reinit and a link flap. 150.Pp 151The bridge supports 152.Dq monitor mode , 153where the packets are discarded after 154.Xr bpf 4 155processing, and are not processed or forwarded further. 156This can be used to multiplex the input of two or more interfaces into a single 157.Xr bpf 4 158stream. 159This is useful for reconstructing the traffic for network taps 160that transmit the RX/TX signals out through two separate interfaces. 161.Sh IPV6 SUPPORT 162.Nm 163supports the 164.Li AF_INET6 165address family on bridge interfaces. 166The following 167.Xr rc.conf 5 168variable configures an IPv6 link-local address on 169.Li bridge0 170interface: 171.Bd -literal -offset indent 172ifconfig_bridge0_ipv6="inet6 auto_linklocal" 173.Ed 174.Pp 175However, the 176.Li AF_INET6 177address family has a concept of scope zone. 178Bridging multiple interfaces changes the zone configuration because 179multiple links are merged to each other and form a new single link 180while the member interfaces still work individually. 181This means each member interface still has a separate link-local scope 182zone and the 183.Nm 184interface has another single, 185aggregated link-local scope zone at the same time. 186This situation is clearly against the description 187.Qq zones of the same scope cannot overlap 188in Section 5, 189RFC 4007. 190Although it works in most cases, 191it can cause some counterintuitive or undesirable behavior in some 192edge cases when both, the 193.Nm 194interface and one of the member interfaces, have an IPv6 address 195and applications use both of them. 196.Pp 197To prevent this situation, 198.Nm 199checks whether a link-local scoped IPv6 address is configured on 200a member interface to be added and the 201.Nm 202interface. 203When the 204.Nm 205interface has IPv6 addresses, 206IPv6 addresses on the member interface will be automatically removed 207before the interface is added. 208.Pp 209This behavior can be disabled by setting 210.Xr sysctl 8 211variable 212.Va net.link.bridge.allow_llz_overlap 213to 214.Li 1 . 215.Pp 216Note that 217.Li ACCEPT_RTADV 218and 219.Li AUTO_LINKLOCAL 220interface flags are not enabled by default on 221.Nm 222interfaces even when 223.Va net.inet6.ip6.accept_rtadv 224and/or 225.Va net.inet6.ip6.auto_linklocal 226is set to 227.Li 1 . 228.Sh SPANNING TREE 229The 230.Nm 231driver implements the Rapid Spanning Tree Protocol (RSTP or 802.1w) with 232backwards compatibility with the legacy Spanning Tree Protocol (STP). 233Spanning Tree is used to detect and remove loops in a network topology. 234.Pp 235RSTP provides faster spanning tree convergence than legacy STP, the protocol 236will exchange information with neighbouring switches to quickly transition to 237forwarding without creating loops. 238.Pp 239The code will default to RSTP mode but will downgrade any port connected to a 240legacy STP network so is fully backward compatible. 241A bridge can be forced to operate in STP mode without rapid state transitions 242via the 243.Va proto 244command in 245.Xr ifconfig 8 . 246.Pp 247The bridge can log STP port changes to 248.Xr syslog 3 249by setting the 250.Va net.link.bridge.log_stp 251node using 252.Xr sysctl 8 . 253.Sh PACKET FILTERING 254Packet filtering can be used with any firewall package that hooks in via the 255.Xr pfil 9 256framework. 257When filtering is enabled, bridged packets will pass through the filter 258inbound on the originating interface, on the bridge interface and outbound on 259the appropriate interfaces. 260Either stage can be disabled. 261The filtering behavior can be controlled using 262.Xr sysctl 8 : 263.Bl -tag -width indent 264.It Va net.link.bridge.pfil_onlyip 265Controls the handling of non-IP packets which are not passed to 266.Xr pfil 9 . 267Set to 268.Li 1 269to only allow IP packets to pass (subject to firewall rules), set to 270.Li 0 271to unconditionally pass all non-IP Ethernet frames. 272.It Va net.link.bridge.pfil_member 273Set to 274.Li 1 275to enable filtering on the incoming and outgoing member interfaces, set 276to 277.Li 0 278to disable it. 279.It Va net.link.bridge.pfil_bridge 280Set to 281.Li 1 282to enable filtering on the bridge interface, set 283to 284.Li 0 285to disable it. 286.It Va net.link.bridge.pfil_local_phys 287Set to 288.Li 1 289to additionally filter on the physical interface for locally destined packets. 290Set to 291.Li 0 292to disable this feature. 293.It Va net.link.bridge.ipfw 294Set to 295.Li 1 296to enable layer2 filtering with 297.Xr ipfirewall 4 , 298set to 299.Li 0 300to disable it. 301This needs to be enabled for 302.Xr dummynet 4 303support. 304When 305.Va ipfw 306is enabled, 307.Va pfil_bridge 308and 309.Va pfil_member 310will be disabled so that IPFW 311is not run twice; these can be re-enabled if desired. 312.It Va net.link.bridge.ipfw_arp 313Set to 314.Li 1 315to enable layer2 ARP filtering with 316.Xr ipfirewall 4 , 317set to 318.Li 0 319to disable it. 320Requires 321.Va ipfw 322to be enabled. 323.El 324.Pp 325ARP and REVARP packets are forwarded without being filtered and others 326that are not IP nor IPv6 packets are not forwarded when 327.Va pfil_onlyip 328is enabled. 329IPFW can filter Ethernet types using 330.Cm mac-type 331so all packets are passed to 332the filter for processing. 333.Pp 334The packets originating from the bridging host will be seen by 335the filter on the interface that is looked up in the routing 336table. 337.Pp 338The packets destined to the bridging host will be seen by the filter 339on the interface with the MAC address equal to the packet's destination 340MAC. 341There are situations when some of the bridge members are sharing 342the same MAC address (for example the 343.Xr vlan 4 344interfaces: they are currently sharing the 345MAC address of the parent physical interface). 346It is not possible to distinguish between these interfaces using 347their MAC address, excluding the case when the packet's destination 348MAC address is equal to the MAC address of the interface on which 349the packet was entered to the system. 350In this case the filter will see the incoming packet on this 351interface. 352In all other cases the interface seen by the packet filter is chosen 353from the list of bridge members with the same MAC address and the 354result strongly depends on the member addition sequence and the 355actual implementation of 356.Nm . 357It is not recommended to rely on the order chosen by the current 358.Nm 359implementation since it may change in the future. 360.Pp 361The previous paragraph is best illustrated with the following 362pictures. 363Let 364.Bl -bullet 365.It 366the MAC address of the incoming packet's destination is 367.Nm nn:nn:nn:nn:nn:nn , 368.It 369the interface on which packet entered the system is 370.Nm ifX , 371.It 372.Nm ifX 373MAC address is 374.Nm xx:xx:xx:xx:xx:xx , 375.It 376there are possibly other bridge members with the same MAC address 377.Nm xx:xx:xx:xx:xx:xx , 378.It 379the bridge has more than one interface that are sharing the 380same MAC address 381.Nm yy:yy:yy:yy:yy:yy ; 382we will call them 383.Nm vlanY1 , 384.Nm vlanY2 , 385etc. 386.El 387.Pp 388If the MAC address 389.Nm nn:nn:nn:nn:nn:nn 390is equal to 391.Nm xx:xx:xx:xx:xx:xx 392the filter will see the packet on interface 393.Nm ifX 394no matter if there are any other bridge members carrying the same 395MAC address. 396But if the MAC address 397.Nm nn:nn:nn:nn:nn:nn 398is equal to 399.Nm yy:yy:yy:yy:yy:yy 400then the interface that will be seen by the filter is one of the 401.Nm vlanYn . 402It is not possible to predict the name of the actual interface 403without the knowledge of the system state and the 404.Nm 405implementation details. 406.Pp 407This problem arises for any bridge members that are sharing the same 408MAC address, not only to the 409.Xr vlan 4 410ones: they were taken just as an example of such a situation. 411So if one wants to filter the locally destined packets based on 412their interface name, one should be aware of this implication. 413The described situation will appear at least on the filtering bridges 414that are doing IP-forwarding; in some of such cases it is better 415to assign the IP address only to the 416.Nm 417interface and not to the bridge members. 418Enabling 419.Va net.link.bridge.pfil_local_phys 420will let you do the additional filtering on the physical interface. 421.Sh NETMAP 422.Xr netmap 4 423applications may open a bridge interface in emulated mode. 424The netmap application will receive all packets which arrive from member 425interfaces. 426In particular, packets which would otherwise be forwarded to another 427member interface will be received by the netmap application. 428.Pp 429When the 430.Xr netmap 4 431application transmits a packet to the host stack via the bridge interface, 432.Nm 433receive it and attempts to determine its 434.Ql source 435interface by looking up the source MAC address in the interface's learning 436tables. 437Packets for which no matching source interface is found are dropped and the 438input error counter is incremented. 439If a matching source interface is found, 440.Nm 441treats the packet as though it was received from the corresponding interface 442and handles it normally without passing the packet back to 443.Xr netmap 4 . 444.Sh EXAMPLES 445The following when placed in the file 446.Pa /etc/rc.conf 447will cause a bridge called 448.Dq Li bridge0 449to be created, and will add the interfaces 450.Dq Li wlan0 451and 452.Dq Li fxp0 453to the bridge, and then enable packet forwarding. 454Such a configuration could be used to implement a simple 455802.11-to-Ethernet bridge (assuming the 802.11 interface is 456in ad-hoc mode). 457.Bd -literal -offset indent 458cloned_interfaces="bridge0" 459ifconfig_bridge0="addm wlan0 addm fxp0 up" 460.Ed 461.Pp 462For the bridge to forward packets, 463all member interfaces and the bridge need to be up. 464The above example would also require: 465.Bd -literal -offset indent 466create_args_wlan0="wlanmode hostap" 467ifconfig_wlan0="up ssid my_ap mode 11g" 468ifconfig_fxp0="up" 469.Ed 470.Pp 471Consider a system with two 4-port Ethernet boards. 472The following will cause a bridge consisting of all 8 ports with 473Rapid Spanning Tree enabled to be created: 474.Bd -literal -offset indent 475ifconfig bridge0 create 476ifconfig bridge0 \e 477 addm fxp0 stp fxp0 \e 478 addm fxp1 stp fxp1 \e 479 addm fxp2 stp fxp2 \e 480 addm fxp3 stp fxp3 \e 481 addm fxp4 stp fxp4 \e 482 addm fxp5 stp fxp5 \e 483 addm fxp6 stp fxp6 \e 484 addm fxp7 stp fxp7 \e 485 up 486.Ed 487.Pp 488The bridge can be used as a regular host interface at the same time as bridging 489between its member ports. 490In this example, the bridge connects em0 and em1, and will receive its IP 491address through DHCP: 492.Bd -literal -offset indent 493cloned_interfaces="bridge0" 494ifconfig_bridge0="addm em0 addm em1 DHCP" 495ifconfig_em0="up" 496ifconfig_em1="up" 497.Ed 498.Pp 499The bridge can tunnel Ethernet across an IP internet using the EtherIP 500protocol. 501This can be combined with 502.Xr ipsec 4 503to provide an encrypted connection. 504Create a 505.Xr gif 4 506interface and set the local and remote IP addresses for the 507tunnel, these are reversed on the remote bridge. 508.Bd -literal -offset indent 509ifconfig gif0 create 510ifconfig gif0 tunnel 1.2.3.4 5.6.7.8 up 511ifconfig bridge0 create 512ifconfig bridge0 addm fxp0 addm gif0 up 513.Ed 514.Sh SEE ALSO 515.Xr gif 4 , 516.Xr ipf 4 , 517.Xr ipfw 4 , 518.Xr netmap 4 , 519.Xr pf 4 , 520.Xr ifconfig 8 521.Sh HISTORY 522The 523.Nm 524driver first appeared in 525.Fx 6.0 . 526.Sh AUTHORS 527.An -nosplit 528The 529.Nm bridge 530driver was originally written by 531.An Jason L. Wright Aq Mt jason@thought.net 532as part of an undergraduate independent study at the University of 533North Carolina at Greensboro. 534.Pp 535This version of the 536.Nm 537driver has been heavily modified from the original version by 538.An Jason R. Thorpe Aq Mt thorpej@wasabisystems.com . 539.Pp 540Rapid Spanning Tree Protocol (RSTP) support was added by 541.An Andrew Thompson Aq Mt thompsa@FreeBSD.org . 542.Sh BUGS 543The 544.Nm 545driver currently supports only Ethernet and Ethernet-like (e.g., 802.11) 546network devices, which can be configured with the same MTU size as the bridge 547device. 548