man/man4/bridge.4

.\"
.\" $FreeBSD$
.\"
.Dd February 15, 2002
.Dt BRIDGE 4
.Os
.Sh NAME
.Nm bridge
.Nd bridging support
.Sh SYNOPSIS
.Cd "options BRIDGE"
.Cd kldload /modules/bridge.ko
.Sh DESCRIPTION
.Fx
supports bridging on Ethernet-type interfaces, including VLANs.
Bridging support can be either compiled into the kernel, or loaded
at runtime as a kernel module.
.Pp
A single
.Fx
host can do bridging on independent sets of interfaces,
which are called
.Ar clusters .
Each cluster connects a set of interfaces, and is
identified by a "cluster-id" which is a number in the range 1..65535.
A cluster in fact is very similar to what commercial switches call
a "VLAN". Note however that there is no relation whatsoever
between the cluster-id and the IEEE 802.1q VLAN-id which appears
in the header of packets transmitted on the wire.
In fact, in most cases there is no relation between the
so-called "VLAN identifier" used in most commercial switches, and
the IEEE 802.1q VLAN-id.
.Pp
By putting both physical and logical (vlanX) interfaces
in the same cluster, a FreeBSD box can also implement what in
commercial terms is called a "trunk" interface. This means packets
coming from one of the interfaces in the cluster,
will appear
on the wire on the "parent" interfaces of any vlan
interface belonging to the cluster, with the
proper VLAN tag. Similarly, packets coming from a
parent interface, will have the VLAN tag stripped and
will be forwarded to other interfaces on the same cluster.
See the
.Sx EXAMPLES
section for more details.
.Pp
Runtime operation of the
.Nm
is controlled by several
.Xr sysctl 8
variables, as follows.
.Pp
.Bl -tag -width indent
.It Va net.link.ether.bridge
set to
.Li 1
to enable bridging, set to
.Li 0
to disable it.
.Pp
.It Va net.link.ether.bridge_ipfw
set to
.Li 1
to enable
.Xr ipfw 8
filtering on bridged packets.
Note that
.Xr ipfw 8
rules only apply
to IP packets.
Non-IP packets are accepted by default.
See the
.Sx BUGS
section and the
.Xr ipfw 8
manpage for more details on the interaction of bridging
and the firewall.
.Pp
.It Va net.link.ether.bridge_cfg
contains a list of interfaces on which bridging is to be performed.
Interfaces are separated by spaces, commas or tabs. Each interface
can be optionally followed by a colon and an integer indicating the
cluster it belongs to (defaults to 1 if the cluster-id is missing), e.g.
.Pp
.Ar dc0:1,dc1,vlan0:3 dc2:3
.Pp
will put dc0 and dc1 in cluster number 1, and vlan0 and dc2 in cluster
number 3.
See the
.Sx EXAMPLES
section for more examples.
.Pp
The list of interfaces is rescanned every time the list is
modified, bridging is enabled, or new interfaces are created or
destroyed. Interfaces that are in the list but cannot be used
for bridging (because they are non-existing, or not Ethernet or VLAN)
are not used and a warning message is generated.
.Pp
.El
.Pp
Bridging requires interfaces to be put in promiscuous mode,
and transmit packets with Ethernet source addresses.
Some interfaces (e.g.
.Xr wi 4 )
do not support this functionality.
Also, bridging is not compatible with interfaces which
use hardware loopback, because there is no way to tell locally
generated packets from externally generated ones.
.Pp
.Sh EXAMPLES
A simple bridge configuration with three interfaces in the same
cluster can be set as follows. No cluster-id is specified here, which
will cause the interfaces to appear as part of cluster #1.
.Pp
.Dl sysctl net.link.ether.bridge_cfg=dc0,dc1,fxp1
.Pp
If you do not know what actual interfaces will be present on
your system, you can just put all existing interfaces in the
configuration, as follows:
.Pp
.Dl sysctl net.link.ether.bridge_cfg="`ifconfig -l`"
.Pp
This will result in a space-separated list of interfaces.
Out of the list, only Ethernet or VLAN interfaces will be
used for bridging, whereas for others the kernel will produce
a warning message.
.Pp
More complex configurations can be used to create multiple
clusters, e.g.
.Pp
.Dl sysctl net.link.ether.bridge_cfg=dc0:3,dc1:3,fxp0:4,fxp1:4
.Pp
will create two completely independent clusters.
.Pp
Finally, interesting configurations involve vlans and parent interfaces.
As an example, the following configuration will use interface dc0
as a "trunk" interface, and pass packets
for 802.1q vlans 10 and 20 to physical interfaces dc1 and dc2:
.Pp
.Dl sysctl net.link.ether.bridge_cfg=vlan0:34,dc1:34,vlan1:56,dc2:56
.Dl ifconfig vlan0 vlan 10 vlandev dc0
.Dl ifconfig vlan1 vlan 20 vlandev dc0
.Pp
Note how there is no relation between the 802.1q vlan identifiers
(10 and 20) and the cluster-id's (34 and 56) used in
the bridge_cfg variable.
.Pp
Note also that the trunk interface
does not even appear in the bridge_cfg, as vlan tag insertion/removal
is performed by the
.Xr vlan 4
devices.
When using vlan devices, care must be taken by not creating loops
between these devices and their parent interfaces.
.Pp
.Sh BUGS
Care must be taken not to construct loops in the
.Nm
topology.
The kernel supports only a primitive form of loop detection, by disabling
some interfaces when a loop is detected.
No support for a daemon running the
spanning tree algorithm is currently provided.
.Pp
With bridging active, interfaces are in promiscuous mode,
thus causing some load on the system to receive and filter
out undesired traffic.
.Pp
When passing bridged packets to
.Xr ipfw 8 ,
remember that only IP packets are passed to the firewall, while
other packets are silently accepted.
Also remember that bridged packets are accepted after the
first pass through the firewall irrespective of the setting
of the sysctl variable
.Nm net.inet.ip.fw.one_pass ,
and that some
.Nm ipfw
actions such as
.Nm divert
do not apply to bridged packets.
It might be useful to have a rule of the form
.Pp
.Dl skipto 20000 ip from any to any bridged
.Pp
near the beginning of your ruleset to implement specific rulesets
for bridged packets.
.Sh SEE ALSO
.Xr ip 4 ,
.Xr ng_bridge 4 ,
.Xr vlan 4 ,
.Xr ipfw 8 ,
.Xr sysctl 8
.Sh HISTORY
Bridging was introduced in
.Fx 2.2.8
by
.An Luigi Rizzo Aq luigi@iet.unipi.it .