From: Norman Gray
To: Kristof Provost
Cc: FreeBSD Questions
Subject: Re: Why can't I add a loopback interface to a bridge?
Date: Thu, 14 Jul 2022 17:54:43 +0100
List-Archive: https://lists.freebsd.org/archives/freebsd-questions

Kristof, hello.

On 13 Jul 2022, at 22:09, Kristof Provost wrote:

> On 13 Jul 2022, at 22:43, Norman Gray wrote:
>> Why can't I add a loopback interface to a bridge?
>>
> The short answer is: because it's not an Ethernet interface.
>
> From the man page:
>
>     The if_bridge driver creates a logical link between two or more IEEE 802
>     networks that use the same (or "similar enough") framing format.

Aha -- this is key. I'm pretty sure I've 'read' that manpage before, but not, I suspect, when I was in a position to make sufficiently full sense of it.

'Similar enough' is a worryingly vague term, but I suspect it's not one I'm likely to fall foul of in any practical sense.

>> What I'm aiming to do is to set up a bridge to VNET-isolated jails, so I can subsequently selectively route and NAT packets from those jails to the rest of the network.
>>
>> My mental model here is that I create an interface lo1 and then 'plug it in to the bridge', so that I can subsequently forward packets from lo1 to the real network interface. This mental model is clearly defective, but I can't see where.
>>
> Your model is indeed incorrect. An if_bridge is not just a switch, but also a NIC that's plugged into that switch.
> So to do what you're trying to do you'd add an epair interface for each jail, put one end in the bridge and the other in the jail.
> You'd assign the subnet(s) you want the jails to use to the bridge interface, and to the jailed interfaces.

So it's a switch that already has one port plugged in to the host (ish?)

This is implied by the mention of assigning an address to the bridge, in Sect. 32.6.1 of the handbook, but the change in mental model makes that section a lot more readily parseable.

Incidentally, I tried the specific jails configuration from the MWL Jails book, both in 13.1 and 12.3, and it produces the same BRDGADD error in both cases, meaning (gasp!) MWL may possibly be fallible!

As ever, the working understood configuration is startlingly simpler than the monstrosities one tries along the way.

Thanks for the pointers.

Best wishes,

Norman

-- 
Norman Gray : https://nxg.me.uk
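The layout Kristof describes in the message above (the host address on the bridge itself, one epair per jail with the "a" end as a bridge port and the "b" end inside the jail's VNET, and NAT on the way out), written down as a script. This is an added example, not code from the thread, the Handbook or the MWL book; it assumes FreeBSD 13.x run as root, the names bridge0, epair0/epair1, jails "web" and "db" under /usr/local/jails, the subnet 10.0.1.0/24 with the host at .1, and em0 as the outward interface. All of those are assumptions, not values from the original. Setting DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the thread): bridge + epair networking for VNET
# jails. Assumed names: bridge0, epair<N>, jails web/db under /usr/local/jails,
# subnet 10.0.1.0/24 (host at .1), external interface em0. Needs FreeBSD 13.x
# and root to apply; DRY_RUN=1 only prints the commands.
set -eu

BRIDGE=${BRIDGE:-bridge0}
EXT_IF=${EXT_IF:-em0}
NET=${NET:-10.0.1}                  # the /24 shared by the bridge and the jails
JAIL_ROOT=${JAIL_ROOT:-/usr/local/jails}

# Execute a command, or echo it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The bridge is both the switch and the host's own port on that switch, so the
# host's address for the jail subnet goes on the bridge, not on a loopback
# (a loopback is not an Ethernet-framed interface and cannot be a member).
setup_bridge() {
    run ifconfig "$BRIDGE" create
    run ifconfig "$BRIDGE" inet "${NET}.1/24" up
    # Let the host route between the jail subnet and the real network.
    run sysctl net.inet.ip.forwarding=1
}

# One epair per jail: epair<N>a becomes a bridge port, epair<N>b is handed to
# the jail's VNET and carries the jail's address on the same subnet.
attach_jail() {
    name=$1
    idx=$2
    run ifconfig "epair${idx}" create            # creates epair<idx>a and epair<idx>b
    run ifconfig "$BRIDGE" addm "epair${idx}a"
    run ifconfig "epair${idx}a" up
    run jail -c "name=${name}" "path=${JAIL_ROOT}/${name}" vnet \
        "vnet.interface=epair${idx}b" persist
    run jexec "$name" ifconfig "epair${idx}b" inet "${NET}.$((idx + 10))/24" up
    run jexec "$name" route add default "${NET}.1"
}

# pf rule that NATs the jail subnet out through the external interface; append
# it to /etc/pf.conf and reload with pfctl -f /etc/pf.conf.
pf_nat_rule() {
    printf 'nat on %s from %s.0/24 to any -> (%s)\n' "$EXT_IF" "$NET" "$EXT_IF"
}

main() {
    setup_bridge
    attach_jail web 0
    attach_jail db 1
    pf_nat_rule
}

# Only apply when asked to, e.g.  sh jailnet.sh apply  (or DRY_RUN=1 to preview).
if [ "${1:-}" = apply ]; then main; fi
```

Preview with `DRY_RUN=1 sh jailnet.sh apply` before running it for real; the pf line it prints is the only step that is not applied by the script itself. Trying the rejected configuration against the same bridge (`ifconfig bridge0 addm lo1`) is the quickest way to see the BRDGADD failure the thread is about, since lo1 is not an Ethernet-framed interface.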