From: Kristof Provost <kp@FreeBSD.org>
To: Norman Gray <gray@nxg.name>
Cc: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: Why can't I add a loopback interface to a bridge?
Date: Wed, 13 Jul 2022 23:09:33 +0200
Message-ID: <D122341F-37FC-48A4-BD1F-D26773A26BCD@FreeBSD.org>
In-Reply-To: <988896FB-9986-4955-A3B7-9CEC810D8E6E@nxg.name>
List-Archive: https://lists.freebsd.org/archives/freebsd-questions
On 13 Jul 2022, at 22:43, Norman Gray wrote:
> Why can't I add a loopback interface to a bridge?
>
The short answer is: because it’s not an Ethernet interface.

From the man page:

    The if_bridge driver creates a logical link between two or more IEEE 802
    networks that use the same (or “similar enough”) framing format. For

> I thought I should be able to do this, and the fact that I can't
> suggests I'm misunderstanding something significant.
>
> If I do
>
> # ifconfig bridge create
> bridge0
> # ifconfig lo create
> lo1
> # ifconfig bridge0 addm lo1
> ifconfig: BRDGADD lo1: Invalid argument
> #
>
That’s expected, yes.
That will happen whenever you try to add something that’s not Ethernet (or close enough) to a bridge.

> What I'm aiming to do is to set up a bridge to VNET-isolated jails, so
> I can subsequently selectively route and NAT packets from those jails
> to the rest of the network.
>
> My mental model here is that I create an interface lo1 and then 'plug
> it in to the bridge', so that I can subsequently forward packets from
> lo1 to the real network interface. This mental model is clearly
> defective, but I can't see where.
>
Your model is indeed incorrect. An if_bridge is not just a switch, but also a NIC that’s plugged into that switch.
So to do what you’re trying to do you’d add an epair interface for each jail, put one end in the bridge and the other in the jail.
You’d assign the subnet(s) you want the jails to use to the bridge interface, and to the jailed interfaces.

Kristof
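The epair-per-jail layout Kristof describes, written out as host and jail configuration. This is an added example, not part of the thread; the subnet 192.0.2.0/24, the jail names, ids and paths, and the em0 uplink name are assumed example values.

```conf
# /etc/rc.conf (host): bridge0 carries the constructed jail subnet 192.0.2.0/24
# and has no physical member, so the host routes/NATs for the jails instead of
# bridging them straight onto the LAN.
cloned_interfaces="bridge0"
ifconfig_bridge0="inet 192.0.2.1/24 up"
gateway_enable="YES"
pf_enable="YES"
jail_enable="YES"

# /etc/jail.conf: one epair per jail. The "a" end joins bridge0 on the host;
# vnet.interface moves the "b" end into the jail's VNET when the jail starts
# and hands it back when the jail stops. $id and $addr are per-jail values.
path = "/usr/local/jails/${name}";
host.hostname = "${name}.example.invalid";
mount.devfs;
exec.clean;
vnet;
vnet.interface = "epair${id}b";
exec.prestart  = "ifconfig epair${id} create up";
exec.prestart += "ifconfig bridge0 addm epair${id}a";
exec.start     = "ifconfig epair${id}b inet ${addr}/24 up";
exec.start    += "route add default 192.0.2.1";
exec.start    += "/bin/sh /etc/rc";
exec.stop      = "/bin/sh /etc/rc.shutdown";
# destroying one end of an epair removes both ends
exec.poststop  = "ifconfig epair${id}a destroy";

web { $id = 0; $addr = "192.0.2.10"; }
db  { $id = 1; $addr = "192.0.2.11"; }

# /etc/pf.conf (host): selective NAT. Only the web jail is translated; pf
# applies nat before the filter rules, so db's untranslated 192.0.2.11 traffic
# is what the block rule matches, and that jail stays reachable only locally.
ext_if   = "em0"
jail_net = "192.0.2.0/24"
nat on $ext_if inet from 192.0.2.10 to any -> ($ext_if)
block out quick on $ext_if inet from $jail_net to any
pass
```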