if_bridge(4)
NAME
if_bridge - network bridge device
SYNOPSIS
device if_bridge
DESCRIPTION
The if_bridge driver creates a logical link between two or more IEEE 802
networks that use the same (or ``similar enough'') framing format. For
example, it is possible to bridge Ethernet and 802.11 networks together,
but it is not possible to bridge Ethernet and Token Ring together.

Each if_bridge interface is created at runtime using interface cloning.
This is most easily done with the ifconfig(8) create command or using the
cloned_interfaces variable in rc.conf(5).

A bridge can be used to provide several services, such as a simple
802.11-to-Ethernet bridge for wireless hosts, and traffic isolation.

A bridge works like a hub, forwarding traffic from one interface to
another. Multicast and broadcast packets are always forwarded to all
interfaces that are part of the bridge. For unicast traffic, the bridge
learns which MAC addresses are associated with which interfaces and will
forward the traffic selectively.

The if_bridge driver implements the IEEE 802.1D Spanning Tree protocol
(STP). Spanning Tree is used to detect and remove loops in a network
topology.

All the bridged member interfaces need to be up in order to pass network
traffic. These can be enabled using ifconfig(8) or
ifconfig_<interface>="up" in rc.conf(5).

The MTU of the first member interface to be added is used as the bridge
MTU. All additional members are required to have exactly the same value.

The TXCSUM capability is disabled for any interface added to the bridge,
and it is restored when the interface is removed again.
PACKET FILTERING
Packet filtering can be used with any firewall package that hooks in via
the pfil(9) framework. When filtering is enabled, bridged packets will
pass through the filter inbound on the originating interface, on the
bridge interface and outbound on the appropriate interfaces. Either
stage can be disabled. The filtering behaviour can be controlled using
sysctl(8):

net.link.bridge.pfil_onlyip
    Controls the handling of non-IP packets which are not passed to
    pfil(9). Set to 1 to only allow IP packets to pass (subject to
    firewall rules), set to 0 to unconditionally pass all non-IP
    Ethernet frames.

net.link.bridge.pfil_member
    Set to 1 to enable filtering on the incoming and outgoing member
    interfaces, set to 0 to disable it.

net.link.bridge.pfil_bridge
    Set to 1 to enable filtering on the bridge interface, set to 0 to
    disable it.

net.link.bridge.ipfw
    Set to 1 to enable layer2 filtering with ipfirewall(4), set to 0 to
    disable it. This needs to be enabled for dummynet(4) support. When
    ipfw is enabled, pfil_bridge and pfil_member will be disabled so
    that IPFW is not run twice; these can be re-enabled if desired.

ARP and REVARP packets are forwarded without being filtered and others
that are not IP nor IPv6 packets are not forwarded when pfil_onlyip is
enabled. IPFW can filter Ethernet types using mac-type so all packets
are passed to the filter for processing.

Note that packets to and from the bridging host will be seen by the
filter on the interface with the appropriate address configured as well
as on the interface on which the packet arrives or departs.
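
The four sysctls above decide whether bridged traffic is inspected at
all. The following sh function is an added example, not part of the
original manual page: it reads `sysctl net.link.bridge` output and flags
the combinations the text describes. The function name, the messages and
the sample values are constructed for illustration.

```sh
# Added example: audit the bridge filtering sysctls described above.
# stdin: `sysctl net.link.bridge` output ("name: value" per line).
# Returns 0 if clean, 1 if a WARN was printed, 2 if input is incomplete.
audit_bridge_filter() {
    onlyip='' member='' bridge='' ipfw='' rc=0
    while IFS=': ' read -r name value; do
        case "$name" in
            net.link.bridge.pfil_onlyip) onlyip=$value ;;
            net.link.bridge.pfil_member) member=$value ;;
            net.link.bridge.pfil_bridge) bridge=$value ;;
            net.link.bridge.ipfw)        ipfw=$value ;;
        esac
    done
    for v in "$onlyip" "$member" "$bridge" "$ipfw"; do
        case "$v" in
            0|1) ;;
            *) echo "ERROR: a required sysctl is missing or not 0/1"; return 2 ;;
        esac
    done
    # All three hooks off: nothing inspects frames crossing the bridge.
    if [ "$member" = 0 ] && [ "$bridge" = 0 ] && [ "$ipfw" = 0 ]; then
        echo "WARN: no filtering stage enabled; bridged packets bypass pfil(9) and ipfw"
        rc=1
    fi
    # pfil_onlyip=0 lets non-IP Ethernet frames through unconditionally.
    if [ "$onlyip" = 0 ] && [ "$ipfw" = 0 ]; then
        echo "WARN: pfil_onlyip=0; non-IP Ethernet frames pass unconditionally"
        rc=1
    fi
    # Enabling ipfw turns the pfil stages off; flag a manual re-enable.
    if [ "$ipfw" = 1 ] && { [ "$member" = 1 ] || [ "$bridge" = 1 ]; }; then
        echo "NOTE: ipfw=1 with a pfil stage re-enabled; check IPFW rules are not run twice"
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: no warnings"; fi
    return "$rc"
}

# Constructed samples (not captured from a real host).
SAMPLE_OPEN='net.link.bridge.ipfw: 0
net.link.bridge.pfil_member: 0
net.link.bridge.pfil_bridge: 0
net.link.bridge.pfil_onlyip: 0'
SAMPLE_FILTERED='net.link.bridge.ipfw: 0
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 1
net.link.bridge.pfil_onlyip: 1'

printf '%s\n' "$SAMPLE_OPEN" | audit_bridge_filter || true
printf '%s\n' "$SAMPLE_FILTERED" | audit_bridge_filter
```

On a bridging host the same check is run as
sysctl net.link.bridge | audit_bridge_filter; other net.link.bridge
values in the output are ignored.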
EXAMPLES
The following when placed in the file /etc/rc.conf will cause a bridge
called ``bridge0'' to be created, and will add the interfaces ``ath0''
and ``fxp0'' to the bridge, and then enable packet forwarding. Such a
configuration could be used to implement a simple 802.11-to-Ethernet
bridge (assuming the 802.11 interface is in ad-hoc mode).

    cloned_interfaces="bridge0"
    ifconfig_bridge0="addm ath0 addm fxp0 up"

For the bridge to forward packets all member interfaces and the bridge
need to be up. The above example would also require:

    ifconfig_ath0="up ssid my_ap mode 11g mediaopt hostap"
    ifconfig_fxp0="up"

Consider a system with two 4-port Ethernet boards. The following will
cause a bridge consisting of all 8 ports with Spanning Tree enabled to be
created:

    ifconfig bridge0 create
    ifconfig bridge0 \
        addm fxp0 stp fxp0 \
        addm fxp1 stp fxp1 \
        addm fxp2 stp fxp2 \
        addm fxp3 stp fxp3 \
        addm fxp4 stp fxp4 \
        addm fxp5 stp fxp5 \
        addm fxp6 stp fxp6 \
        addm fxp7 stp fxp7 \
        up

The bridge can tunnel Ethernet across an IP internet using the EtherIP
protocol. This can be combined with ipsec(4) to provide an encrypted
connection. Create a gif(4) interface and set the local and remote IP
addresses for the tunnel, these are reversed on the remote bridge.

    ifconfig gif0 create
    ifconfig gif0 tunnel 1.2.3.4 5.6.7.8 up
    ifconfig bridge0 create
    ifconfig bridge0 addm fxp0 addm gif0 up
SEE ALSO
gif(4), ipf(4), ipfw(4), pf(4), ifconfig(8)
HISTORY
The if_bridge driver first appeared in FreeBSD 6.0.
AUTHORS
The bridge driver was originally written by Jason L. Wright
<jason@thought.net> as part of an undergraduate independent study at the
University of North Carolina at Greensboro.

This version of the if_bridge driver has been heavily modified from the
original version by Jason R. Thorpe <thorpej@wasabisystems.com>.
BUGS
The if_bridge driver currently supports only Ethernet and Ethernet-like
(e.g., 802.11) network devices, with exactly the same interface MTU size
as the bridge device.

The bridge may not forward fragments that have been reassembled by a
packet filter. In pf(4) fragment reassembly can be disabled in the scrub
option.

BSD April 29, 2006