Date:      Wed, 13 Jul 2022 23:09:33 +0200
From:      Kristof Provost <kp@FreeBSD.org>
To:        Norman Gray <gray@nxg.name>
Cc:        FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: Why can't I add a loopback interface to a bridge?
Message-ID:  <D122341F-37FC-48A4-BD1F-D26773A26BCD@FreeBSD.org>
In-Reply-To: <988896FB-9986-4955-A3B7-9CEC810D8E6E@nxg.name>
References:  <988896FB-9986-4955-A3B7-9CEC810D8E6E@nxg.name>



On 13 Jul 2022, at 22:43, Norman Gray wrote:
> Why can't I add a loopback interface to a bridge?
>
The short answer is: because it’s not an Ethernet interface.

From the man page:

     The if_bridge driver creates a logical link between two or more IEEE 802
     networks that use the same (or “similar enough”) framing format.  For

> I thought I should be able to do this, and the fact that I can't 
> suggests I'm misunderstanding something significant.
>
> If I do
>
>     # ifconfig bridge create
>     bridge0
>     # ifconfig lo create
>     lo1
>     # ifconfig bridge0 addm lo1
>     ifconfig: BRDGADD lo1: Invalid argument
>     #
>
That’s expected, yes.
That will happen whenever you try to add something that’s not Ethernet 
(or close enough) to a bridge.

> What I'm aiming to do is to set up a bridge to VNET-isolated jails, so 
> I can subsequently selectively route and NAT packets from those jails 
> to the rest of the network.
>
> My mental model here is that I create an interface lo1 and then 'plug 
> it in to the bridge', so that I can subsequently forward packets from 
> lo1 to the real network interface.  This mental model is clearly 
> defective, but I can't see where.
>
Your model is indeed incorrect. An if_bridge is not just a switch, but 
also a NIC that’s plugged into that switch.
So to do what you’re trying to do you’d add an epair interface for 
each jail, put one end in the bridge and the other in the jail.
You’d assign the subnet(s) you want the jails to use to the bridge 
interface, and to the jailed interfaces.

Kristof
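
The setup described in the reply above, sketched as an added example that is not part of the original message. The subnet 10.0.0.0/24, the jail names web and db, and the pre-existing VNET jails are assumptions; the default route inside each jail is an added step for the routing/NAT goal in the question.

```shell
#!/bin/sh
# Added example (not from the thread): bridge + epair wiring for VNET jails.
# Assumed: the 10.0.0.0/24 subnet, the jail names, and that each jail already
# exists with its own vnet, e.g. created with "jail -c name=web vnet persist".
# Commands are only printed by default; on a FreeBSD host, run as root with
# JAILNET_EXEC= (set but empty) in the environment to execute them.
DO=${JAILNET_EXEC-echo}

# The bridge is the switch *and* the host's NIC on that switch, so it carries
# the host-side (gateway) address of the jail subnet.
setup_bridge() {    # usage: setup_bridge <bridge> <gateway-cidr>
    $DO ifconfig "$1" create
    $DO ifconfig "$1" inet "$2" up
}

# One epair per jail: the "a" end becomes a bridge member, the "b" end is
# moved into the jail's vnet and gets an address from the same subnet.
attach_jail() {     # usage: attach_jail <bridge> <unit> <jail> <jail-cidr> <gateway-ip>
    a="epair${2}a"; b="epair${2}b"
    $DO ifconfig "epair$2" create
    $DO ifconfig "$a" up
    $DO ifconfig "$1" addm "$a"
    $DO ifconfig "$b" vnet "$3"
    $DO jexec "$3" ifconfig "$b" inet "$4" up
    # Default route via the bridge address (added step, so the host can
    # route/NAT jail traffic as the question intends).
    $DO jexec "$3" route add default "$5"
}

setup_bridge bridge0 10.0.0.1/24
attach_jail  bridge0 0 web 10.0.0.2/24 10.0.0.1
attach_jail  bridge0 1 db  10.0.0.3/24 10.0.0.1
```

Only Ethernet-like interfaces (here the epair "a" ends) are ever passed to addm, which avoids the BRDGADD "Invalid argument" error shown in the question.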



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?D122341F-37FC-48A4-BD1F-D26773A26BCD>