Date: Thu, 14 Jul 2022 17:54:43 +0100
From: Norman Gray <gray@nxg.name>
To: Kristof Provost <kp@FreeBSD.org>
Cc: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: Why can't I add a loopback interface to a bridge?
Message-ID: <E3BC2970-D68C-48AC-84DA-5DC82460C6E4@nxg.name>
In-Reply-To: <D122341F-37FC-48A4-BD1F-D26773A26BCD@FreeBSD.org>
References: <988896FB-9986-4955-A3B7-9CEC810D8E6E@nxg.name> <D122341F-37FC-48A4-BD1F-D26773A26BCD@FreeBSD.org>
Kristof, hello.

On 13 Jul 2022, at 22:09, Kristof Provost wrote:

> On 13 Jul 2022, at 22:43, Norman Gray wrote:
>> Why can't I add a loopback interface to a bridge?
>>
> The short answer is: because it's not an Ethernet interface.
>
> From the man page:
>
> The if_bridge driver creates a logical link between two or more IEEE 802
> networks that use the same (or "similar enough") framing format. For

Aha -- this is key. I'm pretty sure I've 'read' that manpage before, but not, I suspect, when I was in a position to make sufficiently full sense of it.

'Similar enough' is a worryingly vague term, but I suspect it's not one I'm likely to fall foul of in any practical sense.

>> What I'm aiming to do is to set up a bridge to VNET-isolated jails, so I can subsequently selectively route and NAT packets from those jails to the rest of the network.
>>
>> My mental model here is that I create an interface lo1 and then 'plug it in to the bridge', so that I can subsequently forward packets from lo1 to the real network interface. This mental model is clearly defective, but I can't see where.
>>
> Your model is indeed incorrect. An if_bridge is not just a switch, but also a NIC that's plugged into that switch.
> So to do what you're trying to do you'd add an epair interface for each jail, put one end in the bridge and the other in the jail.
> You'd assign the subnet(s) you want the jails to use to the bridge interface, and to the jailed interfaces.

So it's a switch that already has one port plugged in to the host (ish?)

This is implied by the mention of assigning an address to the bridge, in Sect. 32.6.1 of the handbook, but the change in mental model makes that section a lot more readily parseable.

Incidentally, I tried the specific jails configuration from the MWL Jails book, both in 13.1 and 12.3, and it produces the same BRDGADD error in both cases, meaning (gasp!) MWL may possibly be fallible!

As ever, the working understood configuration is startlingly simpler than the monstrosities one tries along the way.

Thanks for the pointers.

Best wishes,

Norman

-- 
Norman Gray : https://nxg.me.uk
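As an added illustration, not from either poster, here is the layout Kristof describes (bridge holds the subnet's address, one epair per jail, "a" end on the bridge, "b" end inside the jail's VNET) written out as rc.conf and jail.conf fragments. The uplink NIC em0, the jail path, the jail name j1 and the 192.0.2.0/24 addresses are assumptions chosen for the example.

```conf
# --- /etc/rc.conf (host side) ---
# bridge0 is both the switch and the host's own port on that switch, so the
# jails' gateway address lives on bridge0 itself.  No lo1 is involved.
cloned_interfaces="bridge0"
ifconfig_bridge0="inet 192.0.2.1/24 up"      # assumed subnet (documentation range)
gateway_enable="YES"                         # forward between bridge0 and the uplink
pf_enable="YES"                              # NAT lives in pf, not in the bridge

# --- /etc/pf.conf (the NAT part of the original question; em0 is assumed) ---
# nat on em0 from 192.0.2.0/24 to any -> (em0)

# --- /etc/jail.conf ---
# One epair per jail.  epair0a is a port on bridge0; epair0b is moved into the
# jail's VNET and gets an address from the same subnet as bridge0.
j1 {
    path = "/usr/jail/$name";                # assumed jail root
    host.hostname = "$name";
    vnet;
    vnet.interface = "epair0b";              # this end is placed inside the jail

    # Host side, before the jail exists: create the pair and plug the a end in.
    exec.prestart  = "ifconfig epair0 create";
    exec.prestart += "ifconfig epair0a up";
    exec.prestart += "ifconfig bridge0 addm epair0a";

    # Jail side: address the b end from the bridge subnet, default route via bridge0.
    exec.start  = "ifconfig epair0b inet 192.0.2.11/24 up";
    exec.start += "route add default 192.0.2.1";
    exec.start += "/bin/sh /etc/rc";

    exec.stop      = "/bin/sh /etc/rc.shutdown";
    exec.poststop  = "ifconfig epair0a destroy";   # destroying one end removes both
    mount.devfs;
}
```

Note that epair0b is a distinct interface that is never addm'd to the bridge; it reaches the bridge only through its a-end peer, which is why a loopback interface with no peer has nothing to plug in.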