Date: Thu, 14 Jul 2022 10:31:50 -0700
From: Kevin Oberman <rkoberman@gmail.com>
To: Norman Gray <gray@nxg.name>
Cc: Kristof Provost <kp@freebsd.org>, FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: Why can't I add a loopback interface to a bridge?
Message-ID: <CAN6yY1seXEHnk_NmJ+h0_YQb5YBAdKy7CUKB4w51nw-29i-WAQ@mail.gmail.com>
In-Reply-To: <E3BC2970-D68C-48AC-84DA-5DC82460C6E4@nxg.name>
References: <988896FB-9986-4955-A3B7-9CEC810D8E6E@nxg.name> <D122341F-37FC-48A4-BD1F-D26773A26BCD@FreeBSD.org> <E3BC2970-D68C-48AC-84DA-5DC82460C6E4@nxg.name>
On Thu, Jul 14, 2022 at 9:54 AM Norman Gray <gray@nxg.name> wrote:

>
> Kristof, hello.
>
> On 13 Jul 2022, at 22:09, Kristof Provost wrote:
>
> > On 13 Jul 2022, at 22:43, Norman Gray wrote:
> >> Why can't I add a loopback interface to a bridge?
> >>
> > The short answer is: because it's not an Ethernet interface.
> >
> > From the man page:
> >
> >      The if_bridge driver creates a logical link between two or more IEEE 802
> >      networks that use the same (or "similar enough") framing format.  For
>
> Aha -- this is key.  I'm pretty sure I've 'read' that manpage before, but
> not, I suspect, when I was in a position to make sufficiently full sense of
> it.
>
> 'Similar enough' is a worryingly vague term, but I suspect it's not one
> I'm likely to fall foul of in any practical sense.
>
> >> What I'm aiming to do is to set up a bridge to VNET-isolated jails, so
> >> I can subsequently selectively route and NAT packets from those jails to
> >> the rest of the network.
> >>
> >> My mental model here is that I create an interface lo1 and then 'plug
> >> it in to the bridge', so that I can subsequently forward packets from lo1
> >> to the real network interface.  This mental model is clearly defective, but
> >> I can't see where.
> >>
> > Your model is indeed incorrect. An if_bridge is not just a switch, but
> > also a NIC that's plugged into that switch.
> > So to do what you're trying to do you'd add an epair interface for each
> > jail, put one end in the bridge and the other in the jail.
> > You'd assign the subnet(s) you want the jails to use to the bridge
> > interface, and to the jailed interfaces.
>
> So it's a switch that already has one port plugged in to the host (ish?)
>
> This is implied by the mention of assigning an address to the bridge, in
> Sect. 32.6.1 of the handbook, but the change in mental model makes that
> section a lot more readily parseable.
>
> Incidentally, I tried the specific jails configuration from the MWL Jails
> book, both in 13.1 and 12.3, and it produces the same BRDGADD error in both
> cases, meaning (gasp!) MWL may possibly be fallible!
>
> As ever, the working understood configuration is startlingly simpler than
> the monstrosities one tries along the way.
>
> Thanks for the pointers.  Best wishes,
>
> Norman
>
>
> --
> Norman Gray  :  https://nxg.me.uk

What may be missing is the concept that a bridge is a layer 2 connection
between two or more 802-like devices. Such devices use MAC addresses, and an
IP address is a layer 3 entity. Trying to mix such on a bridge would imply a
routing capability (layer 3), which really does not make sense with a layer 2
device.
--
Kevin Oberman, Part time kid herder and retired Network Engineer
E-mail: rkoberman@gmail.com
PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683
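The working layout the thread arrives at (an if_bridge that is a switch plus a host-side NIC, one epair per VNET jail with the 'a' end in the bridge and the 'b' end inside the jail, addresses on the bridge and on the jailed end), scripted as an added sh example that is not from the thread or from FreeBSD's own tooling. bridge0, epair0, the jail name "web" and the 10.0.0.0/24 addresses are placeholder assumptions, and the jail is assumed to be already running with vnet enabled; the guard against non-Ethernet members is the script's own name check, not a kernel query.

```shell
#!/bin/sh
# Constructed example (not from the thread): bridge = switch + host-side NIC,
# one epair per VNET jail, 'a' end in the bridge, 'b' end inside the jail.
# bridge0, epair0, jail "web" and 10.0.0.0/24 are placeholder assumptions.
# DRY_RUN=1 (default) prints the plan; DRY_RUN=0 runs it as root on FreeBSD.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# if_bridge members must use IEEE 802 (Ethernet-style) framing; lo(4) does
# not, which is why 'addm lo1' fails with BRDGADD in the thread. This checks
# the names given to the script by driver prefix; it does not query the kernel.
bridge_member_ok() {
    case "$1" in
        lo[0-9]*|tun[0-9]*|gif[0-9]*|gre[0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

add_member() {          # $1 = bridge, $2 = interface to plug into it
    bridge_member_ok "$2" || { echo "refusing: $2 is not Ethernet-framed" >&2; return 1; }
    run ifconfig "$1" addm "$2"
}

# Host side: the bridge interface itself carries the subnet's gateway address.
setup_bridge() {        # $1 = bridge, $2 = host address/prefix
    run ifconfig "$1" create
    run ifconfig "$1" inet "$2" up
}

# Per jail: create the epair, plug the 'a' end into the bridge, hand the
# 'b' end to the (already running, vnet-enabled) jail and address it there.
attach_jail() {         # $1 = bridge, $2 = epair base, $3 = jail, $4 = jail address/prefix
    run ifconfig "$2" create
    add_member "$1" "${2}a"
    run ifconfig "${2}a" up
    run ifconfig "${2}b" vnet "$3"
    run jexec "$3" ifconfig "${2}b" inet "$4" up
}

# Print the plan for one jail: sh this-script.sh plan
if [ "${1:-}" = plan ]; then
    setup_bridge bridge0 10.0.0.1/24
    attach_jail bridge0 epair0 web 10.0.0.2/24
fi
```

Routing and NAT from the bridge subnet to the outside (the second half of Norman's goal) is then ordinary host-side pf/ipfw configuration on the bridge0 address, not part of the bridge itself.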
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAN6yY1seXEHnk_NmJ%2Bh0_YQb5YBAdKy7CUKB4w51nw-29i-WAQ>