xref: /freebsd/share/man/man4/bridge.4 (revision ee2ea5ceafed78a5bd9810beb9e3ca927180c226)
.\"
.\" $FreeBSD$
.\"
.Dd February 15, 2002
.Dt BRIDGE 4
.Os
.Sh NAME
.Nm bridge
.Nd bridging support
.Sh SYNOPSIS
.Cd "options BRIDGE"
.Sh DESCRIPTION
.Fx
supports bridging on Ethernet-type interfaces, including VLANs.
Bridging support can be either compiled into the kernel, or loaded
at runtime as a kernel module.
.Pp
A single
.Fx
host can do bridging on independent sets of interfaces,
which are called
.Dq clusters .
Each cluster connects a set of interfaces, and is
identified by a
.Dq cluster-ID
which is a number in the range 1..65535.
A cluster is in fact very similar to what commercial switches call
a
.Dq VLAN .
Note however that there is no relation whatsoever
between the cluster-ID and the IEEE 802.1q VLAN-ID which appears
in the header of packets transmitted on the wire.
In fact, in most cases there is no relation between the
so-called
.Dq "VLAN identifier"
used in most commercial switches, and
the IEEE 802.1q VLAN-ID.
.Pp
By putting both physical and logical
.Pq Xr vlan 4
interfaces in the same cluster, a
.Fx
box can also implement what in commercial terms is called a
.Dq trunk
interface.
This means that packets
coming from one of the interfaces in a cluster
will appear on the wire of the
.Dq parent
interface of any VLAN interface in the same cluster,
with the proper VLAN tag.
Similarly, packets
coming from the parent interface of any VLAN interface in a cluster
will have the VLAN tag stripped,
and will be forwarded to the other interfaces in that cluster.
See the
.Sx EXAMPLES
section for more details.
.Pp
Runtime operation of the
.Nm
is controlled by several
.Xr sysctl 8
variables, as follows.
.Bl -tag -width indent
.It Va net.link.ether.bridge
Set to
.Li 1
to enable bridging, set to
.Li 0
to disable it.
.It Va net.link.ether.bridge_ipfw
Set to
.Li 1
to enable
.Xr ipfw 8
filtering on bridged packets.
Note that
.Xr ipfw 8
rules only apply
to IP packets.
Non-IP packets are accepted by default.
See the
.Sx BUGS
section and the
.Xr ipfw 8
manpage for more details on the interaction of bridging
and the firewall.
.It Va net.link.ether.bridge_cfg
Contains a list of interfaces on which bridging is to be performed.
Interfaces are separated by spaces, commas or tabs.
Each interface
can be optionally followed by a colon and an integer indicating the
cluster it belongs to (defaults to 1 if the cluster-ID is missing), e.g.\&
.Dq Li "dc0:1,dc1,vlan0:3 dc2:3"
will put
.Li dc0
and
.Li dc1
in cluster number 1, and
.Li vlan0
and
.Li dc2
in cluster
number 3.
See the
.Sx EXAMPLES
section for more examples.
.Pp
The list of interfaces is rescanned every time the list is
modified, bridging is enabled, or new interfaces are created or
destroyed.
Interfaces that are in the list but cannot be used
for bridging (because they do not exist, or are not Ethernet or VLAN
interfaces) are not used, and a warning message is generated.
.El
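.Pp
The following Python script is an added example and is not part of
.Fx
or of this manual page.
It parses a
.Va bridge_cfg
string using the rules stated above (entries separated by spaces, commas
or tabs; a missing cluster-ID defaults to 1; cluster-IDs are limited to
1..65535) and reproduces, in user space, the kernel's behaviour of dropping
with a warning any listed interface that does not exist or is not an
Ethernet or VLAN interface.
The interface inventory and its type labels are constructed for the
example; on a real host they would come from
.Xr ifconfig 8 .

```python
"""Added example (not FreeBSD code): check a net.link.ether.bridge_cfg string
against the rules documented in bridge(4) before handing it to sysctl(8)."""
import re
from typing import Dict, List, Tuple

# Constructed sample inventory (assumption for this example): interface name
# -> link type.  A real tool would derive this from ifconfig(8) output.
SAMPLE_IFACES: Dict[str, str] = {
    "dc0": "ether", "dc1": "ether", "dc2": "ether", "fxp1": "ether",
    "vlan0": "vlan", "vlan1": "vlan",
    "lo0": "loopback", "gif0": "tunnel",
}

# Documented cluster-ID range.
CLUSTER_MIN, CLUSTER_MAX = 1, 65535

# Link types the page says can be bridged.
BRIDGEABLE = ("ether", "vlan")


def parse_bridge_cfg(cfg: str) -> Dict[str, int]:
    """Map each listed interface name to its cluster-ID.

    Entries are separated by spaces, commas or tabs and have the form
    'ifname' or 'ifname:cluster'.  A missing cluster-ID defaults to 1.
    Raises ValueError for a malformed entry or a cluster-ID outside 1..65535.
    """
    mapping: Dict[str, int] = {}
    for entry in re.split(r"[ ,\t]+", cfg.strip()):
        if not entry:
            continue  # empty string from splitting an empty/blank cfg
        name, sep, cluster = entry.partition(":")
        if not name:
            raise ValueError(f"malformed entry {entry!r}: missing interface name")
        if sep:
            if not cluster.isdigit():
                raise ValueError(f"malformed entry {entry!r}: cluster-ID must be an integer")
            cid = int(cluster)
        else:
            cid = 1  # documented default when no cluster-ID is given
        if not CLUSTER_MIN <= cid <= CLUSTER_MAX:
            raise ValueError(f"{entry!r}: cluster-ID {cid} outside {CLUSTER_MIN}..{CLUSTER_MAX}")
        mapping[name] = cid
    return mapping


def check_bridge_cfg(cfg: str, ifaces: Dict[str, str]) -> Tuple[Dict[int, List[str]], List[str]]:
    """Group usable interfaces by cluster-ID and collect warnings.

    Mirrors the page: an interface that does not exist, or is not Ethernet
    or VLAN, is left out of the bridge and a warning is produced instead.
    Returns ({cluster_id: [ifname, ...]}, [warning, ...]).
    """
    clusters: Dict[int, List[str]] = {}
    warnings: List[str] = []
    for name, cid in parse_bridge_cfg(cfg).items():
        kind = ifaces.get(name)
        if kind is None:
            warnings.append(f"{name}: no such interface, not bridged")
            continue
        if kind not in BRIDGEABLE:
            warnings.append(f"{name}: {kind} interface is not Ethernet or VLAN, not bridged")
            continue
        clusters.setdefault(cid, []).append(name)
    return clusters, warnings


if __name__ == "__main__":
    # The strings below are the ones shown on this page; the last one mimics
    # "`ifconfig -l`" output, which includes non-bridgeable interfaces.
    for cfg in ("dc0:1,dc1,vlan0:3 dc2:3",
                "vlan0:34,dc1:34,vlan1:56,dc2:56",
                "dc0 dc1 dc2 fxp1 vlan0 vlan1 lo0 gif0"):
        clusters, warnings = check_bridge_cfg(cfg, SAMPLE_IFACES)
        print(f"{cfg!r}:")
        for cid in sorted(clusters):
            print(f"  cluster {cid}: {' '.join(clusters[cid])}")
        for w in warnings:
            print(f"  warning: {w}")
```

Running the script prints, for each of the page's example strings, the
resulting clusters and one warning per interface the kernel would refuse,
so a misconfiguration is visible before the sysctl is set.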
.Pp
Bridging requires interfaces to be put in promiscuous mode,
and to transmit packets with Ethernet source addresses other than their own.
Some interfaces (e.g.\&
.Xr wi 4 )
do not support this functionality.
Also, bridging is not compatible with interfaces which
use hardware loopback, because there is no way to tell locally
generated packets from externally generated ones.
.Sh EXAMPLES
A simple bridge configuration with three interfaces in the same
cluster can be set up as follows.
No cluster-ID is specified here, which
will cause the interfaces to appear as part of cluster #1.
.Pp
.Dl "sysctl net.link.ether.bridge_cfg=dc0,dc1,fxp1"
.Pp
If you do not know what actual interfaces will be present on
your system, you can just put all existing interfaces in the
configuration, as follows:
.Pp
.Dl sysctl net.link.ether.bridge_cfg="`ifconfig -l`"
.Pp
This will result in a space-separated list of interfaces.
Out of the list, only Ethernet and VLAN interfaces will be
used for bridging, whereas for the others the kernel will produce
a warning message.
.Pp
More complex configurations can be used to create multiple
clusters, e.g.\&
.Pp
.Dl "sysctl net.link.ether.bridge_cfg=dc0:3,dc1:3,fxp0:4,fxp1:4"
.Pp
will create two completely independent clusters.
.Pp
Finally, interesting configurations involve VLANs and parent interfaces.
As an example, the following configuration will use interface
.Li dc0
as a
.Dq trunk
interface, and pass packets
for 802.1q VLANs 10 and 20 to physical interfaces
.Li dc1
and
.Li dc2 ,
respectively:
.Bd -literal -offset indent
sysctl net.link.ether.bridge_cfg=vlan0:34,dc1:34,vlan1:56,dc2:56
ifconfig vlan0 vlan 10 vlandev dc0
ifconfig vlan1 vlan 20 vlandev dc0
.Ed
.Pp
Note how there is no relation between the 802.1q VLAN identifiers
(10 and 20) and the cluster-IDs (34 and 56) used in
the
.Va bridge_cfg
variable.
.Pp
Note also that the trunk interface
does not even appear in the
.Va bridge_cfg ,
as VLAN tag insertion/removal
is performed by the
.Xr vlan 4
devices.
When using VLAN devices, care must be taken not to create loops
between these devices and their parent interfaces.
.Sh BUGS
Care must be taken not to construct loops in the
.Nm
topology.
The kernel supports only a primitive form of loop detection, by disabling
some interfaces when a loop is detected.
No support for a daemon running the
spanning tree algorithm is currently provided.
.Pp
With bridging active, interfaces are in promiscuous mode,
thus causing some load on the system to receive and filter
out undesired traffic.
.Pp
When passing bridged packets to
.Xr ipfw 8 ,
remember that only IP packets are passed to the firewall, while
other packets are silently accepted.
Also remember that bridged packets are accepted after the
first pass through the firewall irrespective of the setting
of the sysctl variable
.Va net.inet.ip.fw.one_pass ,
and that some
.Xr ipfw 8
actions such as
.Cm divert
do not apply to bridged packets.
It might be useful to have a rule of the form
.Pp
.Dl "skipto 20000 ip from any to any bridged"
.Pp
near the beginning of your ruleset to implement specific rulesets
for bridged packets.
.Sh FILES
.Bl -tag -width ".Pa /boot/kernel/bridge.ko" -compact
.It Pa /boot/kernel/bridge.ko
.Nm
loadable module.
.El
.Sh SEE ALSO
.Xr ip 4 ,
.Xr ng_bridge 4 ,
.Xr vlan 4 ,
.Xr ipfw 8 ,
.Xr sysctl 8
.Sh HISTORY
Bridging was introduced in
.Fx 2.2.8
by
.An Luigi Rizzo Aq luigi@iet.unipi.it .