xref: /dragonfly/share/man/man4/bridge.4 (revision 9bb2a92d)
1.\"
2.\" $FreeBSD: src/share/man/man4/bridge.4,v 1.6.2.11 2002/02/18 02:00:21 luigi Exp $
3.\" $DragonFly: src/share/man/man4/bridge.4,v 1.3 2004/03/11 12:28:55 hmp Exp $
4.\"
5.Dd February 15, 2002
6.Dt BRIDGE 4
7.Os
8.Sh NAME
9.Nm bridge
10.Nd bridging support
11.Sh SYNOPSIS
12.Cd "options BRIDGE"
13.Cd kldload /modules/bridge.ko
14.Sh DESCRIPTION
15.Dx
16supports bridging on Ethernet-type interfaces, including VLANs.
17Bridging support can be either compiled into the kernel, or loaded
18at runtime as a kernel module.
19.Pp
20A single
21.Dx
22host can do bridging on independent sets of interfaces,
23which are called
24.Ar clusters .
25Each cluster connects a set of interfaces, and is
26identified by a "cluster-id" which is a number in the range 1..65535.
27A cluster in fact is very similar to what commercial switches call
28a "VLAN". Note however that there is no relation whatsoever
29between the cluster-id and the IEEE 802.1q VLAN-id which appears
30in the header of packets transmitted on the wire.
31In fact, in most cases there is no relation between the
32so-called "VLAN identifier" used in most commercial switches, and
33the IEEE 802.1q VLAN-id.
34.Pp
35By putting both physical and logical (vlanX) interfaces
36in the same cluster, a
37.Dx
38box can also implement what in
39commercial terms is called a "trunk" interface. This means packets
40coming from one of the interfaces in the cluster,
41will appear
42on the wire on the "parent" interfaces of any vlan
43interface belonging to the cluster, with the
44proper VLAN tag. Similarly, packets coming from a
45parent interface, will have the VLAN tag stripped and
46will be forwarded to other interfaces on the same cluster.
47See the
48.Sx EXAMPLES
49section for more details.
50.Pp
51Runtime operation of the
52.Nm
53is controlled by several
54.Xr sysctl 8
55variables, as follows.
56.Pp
57.Bl -tag -width indent
58.It Va net.link.ether.bridge
59set to
60.Li 1
61to enable bridging, set to
62.Li 0
63to disable it.
64.Pp
65.It Va net.link.ether.bridge_ipfw
66set to
67.Li 1
68to enable
69.Xr ipfw 8
70filtering on bridged packets.
71Note that
72.Xr ipfw 8
73rules only apply
74to IP packets.
75Non-IP packets are accepted by default.
76See the
77.Sx BUGS
78section and the
79.Xr ipfw 8
80manpage for more details on the interaction of bridging
81and the firewall.
82.Pp
83.It Va net.link.ether.bridge_cfg
84contains a list of interfaces on which bridging is to be performed.
85Interfaces are separated by spaces, commas or tabs. Each interface
86can be optionally followed by a colon and an integer indicating the
87cluster it belongs to (defaults to 1 if the cluster-id is missing), e.g.
88.Pp
89.Ar dc0:1,dc1,vlan0:3 dc2:3
90.Pp
91will put dc0 and dc1 in cluster number 1, and vlan0 and dc2 in cluster
92number 3.
93See the
94.Sx EXAMPLES
95section for more examples.
96.Pp
97The list of interfaces is rescanned every time the list is
98modified, bridging is enabled, or new interfaces are created or
99destroyed. Interfaces that are in the list but cannot be used
100for bridging (because they are non-existing, or not Ethernet or VLAN)
101are not used and a warning message is generated.
102.Pp
103.El
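.Pp
The following is an added example, not DragonFly's kernel code: a user-space
parser for the
.Va net.link.ether.bridge_cfg
syntax described above (space, comma or tab separators, a missing cluster-id
defaulting to 1, and the 1..65535 range check). Interface names and
cluster numbers in it are sample values taken from this page.

```c
/* Added example (not DragonFly's kernel code): parser for the
 * net.link.ether.bridge_cfg syntax. Entries are separated by spaces,
 * commas or tabs; each is "ifname" or "ifname:cluster-id". */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IFNAME_MAX 16
#define MAX_ENTRIES 32

struct bridge_entry {
    char ifname[IFNAME_MAX];
    int cluster;                      /* valid range is 1..65535 */
};

/* Fills out[] and returns the entry count, or -1 if an entry is
 * malformed (empty name, non-numeric or out-of-range cluster-id). */
static int parse_bridge_cfg(const char *cfg, struct bridge_entry *out, int max)
{
    char buf[256], *tok, *colon, *end;
    int n = 0;
    if (strlen(cfg) >= sizeof buf) return -1;
    strcpy(buf, cfg);
    for (tok = strtok(buf, " ,\t"); tok != NULL; tok = strtok(NULL, " ,\t")) {
        long id = 1;                  /* default cluster when ":id" is absent */
        if (n == max) return -1;
        if ((colon = strchr(tok, ':')) != NULL) {
            *colon = '\0';
            id = strtol(colon + 1, &end, 10);
            /* reject "dc0:", "dc0:x", "dc0:0" and ids above 65535 */
            if (*end != '\0' || id < 1 || id > 65535) return -1;
        }
        if (*tok == '\0' || strlen(tok) >= IFNAME_MAX) return -1;
        strcpy(out[n].ifname, tok);
        out[n].cluster = (int)id;
        n++;
    }
    return n;
}

/* Cluster-id assigned to ifname in cfg, 0 if it is not listed,
 * or -1 if cfg itself is malformed. */
static int cluster_of(const char *cfg, const char *ifname)
{
    struct bridge_entry e[MAX_ENTRIES];
    int i, n = parse_bridge_cfg(cfg, e, MAX_ENTRIES);
    if (n < 0) return -1;
    for (i = 0; i < n; i++)
        if (strcmp(e[i].ifname, ifname) == 0) return e[i].cluster;
    return 0;
}
```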
.Pp
Bridging requires interfaces to be put in promiscuous mode,
and to transmit packets with Ethernet source addresses.
Some interfaces (e.g.
.Xr wi 4 )
do not support this functionality.
Also, bridging is not compatible with interfaces which
use hardware loopback, because there is no way to tell locally
generated packets from externally generated ones.
.Pp
.Sh EXAMPLES
A simple bridge configuration with three interfaces in the same
cluster can be set as follows. No cluster-id is specified here, which
will cause the interfaces to appear as part of cluster #1.
.Pp
.Dl sysctl net.link.ether.bridge_cfg=dc0,dc1,fxp1
.Pp
If you do not know what actual interfaces will be present on
your system, you can just put all existing interfaces in the
configuration, as follows:
.Pp
.Dl sysctl net.link.ether.bridge_cfg="`ifconfig -l`"
.Pp
This will result in a space-separated list of interfaces.
Out of the list, only Ethernet or VLAN interfaces will be
used for bridging, whereas for others the kernel will produce
a warning message.
.Pp
More complex configurations can be used to create multiple
clusters, e.g.
.Pp
.Dl sysctl net.link.ether.bridge_cfg=dc0:3,dc1:3,fxp0:4,fxp1:4
.Pp
will create two completely independent clusters.
.Pp
Finally, interesting configurations involve vlans and parent interfaces.
As an example, the following configuration will use interface dc0
as a "trunk" interface, and pass packets
for 802.1q vlans 10 and 20 to physical interfaces dc1 and dc2:
.Pp
.Dl sysctl net.link.ether.bridge_cfg=vlan0:34,dc1:34,vlan1:56,dc2:56
.Dl ifconfig vlan0 vlan 10 vlandev dc0
.Dl ifconfig vlan1 vlan 20 vlandev dc0
.Pp
Note how there is no relation between the 802.1q vlan identifiers
(10 and 20) and the cluster-ids (34 and 56) used in
the bridge_cfg variable.
.Pp
Note also that the trunk interface
does not even appear in the bridge_cfg, as vlan tag insertion/removal
is performed by the
.Xr vlan 4
devices.
When using vlan devices, care must be taken not to create loops
between these devices and their parent interfaces.
.Pp
.Sh BUGS
Care must be taken not to construct loops in the
.Nm
topology.
The kernel supports only a primitive form of loop detection, by disabling
some interfaces when a loop is detected.
No support for a daemon running the
spanning tree algorithm is currently provided.
.Pp
With bridging active, interfaces are in promiscuous mode,
thus causing some load on the system to receive and filter
out undesired traffic.
.Pp
When passing bridged packets to
.Xr ipfw 8 ,
remember that only IP packets are passed to the firewall, while
other packets are silently accepted.
Also remember that bridged packets are accepted after the
first pass through the firewall irrespective of the setting
of the sysctl variable
.Va net.inet.ip.fw.one_pass ,
and that some
.Xr ipfw 8
actions such as
.Cm divert
do not apply to bridged packets.
It might be useful to have a rule of the form
.Pp
.Dl skipto 20000 ip from any to any bridged
.Pp
near the beginning of your ruleset to implement specific rulesets
for bridged packets.
.Sh SEE ALSO
.Xr ip 4 ,
.Xr ng_bridge 4 ,
.Xr vlan 4 ,
.Xr ipfw 8 ,
.Xr sysctl 8
.Sh HISTORY
Bridging was introduced in
.Fx 2.2.8
by
.An Luigi Rizzo Aq luigi@iet.unipi.it .
