.\"
.\" $FreeBSD: src/share/man/man4/bridge.4,v 1.6.2.11 2002/02/18 02:00:21 luigi Exp $
.\" $DragonFly: src/share/man/man4/bridge.4,v 1.2 2003/06/17 04:36:58 dillon Exp $
.\"
.Dd February 15, 2002
.Dt BRIDGE 4
.Os
.Sh NAME
.Nm bridge
.Nd bridging support
.Sh SYNOPSIS
.Cd "options BRIDGE"
.Cd kldload /modules/bridge.ko
.Sh DESCRIPTION
.Fx
supports bridging on Ethernet-type interfaces, including VLANs.
Bridging support can be either compiled into the kernel, or loaded
at runtime as a kernel module.
.Pp
A single
.Fx
host can do bridging on independent sets of interfaces,
which are called
.Ar clusters .
Each cluster connects a set of interfaces, and is
identified by a "cluster-id", which is a number in the range 1..65535.
A cluster is in fact very similar to what commercial switches call
a "VLAN".
Note however that there is no relation whatsoever
between the cluster-id and the IEEE 802.1q VLAN-id which appears
in the header of packets transmitted on the wire.
In fact, in most cases there is no relation between the
so-called "VLAN identifier" used in most commercial switches and
the IEEE 802.1q VLAN-id.
.Pp
By putting both physical and logical (vlanX) interfaces
in the same cluster, a FreeBSD box can also implement what in
commercial terms is called a "trunk" interface.
This means that packets coming from one of the interfaces in the cluster
will appear on the wire on the "parent" interfaces of any vlan
interface belonging to the cluster, with the proper VLAN tag.
Similarly, packets coming from a parent interface will have the
VLAN tag stripped and will be forwarded to the other interfaces in the
same cluster.
See the
.Sx EXAMPLES
section for more details.
.Pp
Runtime operation of the
.Nm
is controlled by several
.Xr sysctl 8
variables, as follows.
.Pp
.Bl -tag -width indent
.It Va net.link.ether.bridge
Set to
.Li 1
to enable bridging, set to
.Li 0
to disable it.
.Pp
.It Va net.link.ether.bridge_ipfw
Set to
.Li 1
to enable
.Xr ipfw 8
filtering on bridged packets.
Note that
.Xr ipfw 8
rules only apply to IP packets.
Non-IP packets are accepted by default.
See the
.Sx BUGS
section and the
.Xr ipfw 8
manpage for more details on the interaction of bridging
and the firewall.
.Pp
.It Va net.link.ether.bridge_cfg
Contains a list of interfaces on which bridging is to be performed.
Interfaces are separated by spaces, commas or tabs.
Each interface can optionally be followed by a colon and an integer
indicating the cluster it belongs to (defaults to 1 if the cluster-id
is missing), e.g.
.Pp
.Ar dc0:1,dc1,vlan0:3 dc2:3
.Pp
will put dc0 and dc1 in cluster number 1, and vlan0 and dc2 in cluster
number 3.
See the
.Sx EXAMPLES
section for more examples.
.Pp
The list of interfaces is rescanned every time the list is
modified, bridging is enabled, or new interfaces are created or
destroyed.
Interfaces that are in the list but cannot be used for bridging
(because they do not exist, or are neither Ethernet nor VLAN
interfaces) are not used, and a warning message is generated.
.Pp
.El
.Pp
Bridging requires interfaces to be put in promiscuous mode,
and to transmit packets whose Ethernet source address is not their own.
Some interfaces (e.g.
.Xr wi 4 )
do not support this functionality.
Also, bridging is not compatible with interfaces which
use hardware loopback, because there is no way to tell locally
generated packets from externally generated ones.
.Pp
.Sh EXAMPLES
A simple bridge configuration with three interfaces in the same
cluster can be set as follows.
No cluster-id is specified here, which
will cause the interfaces to appear as part of cluster #1.
.Pp
.Dl sysctl net.link.ether.bridge_cfg=dc0,dc1,fxp1
.Pp
If you do not know what actual interfaces will be present on
your system, you can just put all existing interfaces in the
configuration, as follows:
.Pp
.Dl sysctl net.link.ether.bridge_cfg="`ifconfig -l`"
.Pp
This will result in a space-separated list of interfaces.
Out of the list, only Ethernet or VLAN interfaces will be
used for bridging, whereas for the others the kernel will produce
a warning message.
.Pp
More complex configurations can be used to create multiple
clusters, e.g.
.Pp
.Dl sysctl net.link.ether.bridge_cfg=dc0:3,dc1:3,fxp0:4,fxp1:4
.Pp
will create two completely independent clusters.
.Pp
Finally, interesting configurations involve vlans and parent interfaces.
As an example, the following configuration will use interface dc0
as a "trunk" interface, and pass packets
for 802.1q vlans 10 and 20 to physical interfaces dc1 and dc2:
.Pp
.Dl sysctl net.link.ether.bridge_cfg=vlan0:34,dc1:34,vlan1:56,dc2:56
.Dl ifconfig vlan0 vlan 10 vlandev dc0
.Dl ifconfig vlan1 vlan 20 vlandev dc0
.Pp
Note how there is no relation between the 802.1q vlan identifiers
(10 and 20) and the cluster-ids (34 and 56) used in
the bridge_cfg variable.
.Pp
Note also that the trunk interface
does not even appear in the bridge_cfg, as vlan tag insertion/removal
is performed by the
.Xr vlan 4
devices.
When using vlan devices, care must be taken not to create loops
between these devices and their parent interfaces.
.Pp
.Sh BUGS
Care must be taken not to construct loops in the
.Nm
topology.
The kernel supports only a primitive form of loop detection, by disabling
some interfaces when a loop is detected.
No support for a daemon running the
spanning tree algorithm is currently provided.
.Pp
With bridging active, interfaces are in promiscuous mode,
thus causing some load on the system to receive and filter
out undesired traffic.
.Pp
When passing bridged packets to
.Xr ipfw 8 ,
remember that only IP packets are passed to the firewall, while
other packets are silently accepted.
Also remember that bridged packets are accepted after the
first pass through the firewall irrespective of the setting
of the sysctl variable
.Nm net.inet.ip.fw.one_pass ,
and that some
.Nm ipfw
actions such as
.Nm divert
do not apply to bridged packets.
It might be useful to have a rule of the form
.Pp
.Dl skipto 20000 ip from any to any bridged
.Pp
near the beginning of your ruleset to implement specific rulesets
for bridged packets.
.Sh SEE ALSO
.Xr ip 4 ,
.Xr ng_bridge 4 ,
.Xr vlan 4 ,
.Xr ipfw 8 ,
.Xr sysctl 8
.Sh HISTORY
Bridging was introduced in
.Fx 2.2.8
by
.An Luigi Rizzo Aq luigi@iet.unipi.it .
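The net.link.ether.bridge_cfg syntax described in DESCRIPTION and EXAMPLES (space, comma or tab separators; an optional ":cluster-id" suffix defaulting to 1; ids in 1..65535; no interface in two clusters) as a small user-space C parser, useful for validating a value before handing it to sysctl. This is an added example, not the kernel's own parsing code; MAX_ENTRIES, IFNAMSZ and the function names are assumptions.

```c
#include <stdlib.h>
#include <string.h>

#define MAX_ENTRIES 32
#define IFNAMSZ 16          /* assumed name limit, like IFNAMSIZ in <net/if.h> */

struct bridge_entry {
    char ifname[IFNAMSZ];
    unsigned cluster;       /* 1..65535; 1 when the ":id" suffix is omitted */
};

/* Split cfg on spaces, commas and tabs. Returns the entry count, or -1 on an
 * empty name, a bad or out-of-range cluster-id, or a repeated interface. */
int parse_bridge_cfg(const char *cfg, struct bridge_entry *out, int max)
{
    char buf[512], *tok, *colon, *end;
    int n = 0;
    if (strlen(cfg) >= sizeof buf)
        return -1;
    strcpy(buf, cfg);
    for (tok = strtok(buf, " ,\t"); tok; tok = strtok(NULL, " ,\t")) {
        unsigned long id = 1;
        if ((colon = strchr(tok, ':')) != NULL) {
            *colon = '\0';
            id = strtoul(colon + 1, &end, 10);
            if (end == colon + 1 || *end || id < 1 || id > 65535)
                return -1;  /* missing, non-numeric or out-of-range cluster-id */
        }
        if (n >= max || *tok == '\0' || strlen(tok) >= IFNAMSZ)
            return -1;
        for (int i = 0; i < n; i++)
            if (strcmp(out[i].ifname, tok) == 0)
                return -1;  /* one interface cannot sit in two clusters */
        strcpy(out[n].ifname, tok);
        out[n++].cluster = (unsigned)id;
    }
    return n;
}

/* Cluster-id of ifname within cfg: 0 if it is absent, -1 if cfg is invalid. */
int cluster_of(const char *cfg, const char *ifname)
{
    struct bridge_entry e[MAX_ENTRIES];
    int n = parse_bridge_cfg(cfg, e, MAX_ENTRIES);
    for (int i = 0; i < n; i++)
        if (strcmp(e[i].ifname, ifname) == 0)
            return (int)e[i].cluster;
    return n < 0 ? -1 : 0;
}
```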