if_bridge(4)

NAME

if_bridge - network bridge device

SYNOPSIS

device if_bridge

DESCRIPTION

The if_bridge driver creates a logical link between two or
more IEEE 802 networks that use the same (or ``similar enough'') framing
format. For example, it is possible to bridge Ethernet and 802.11 net
works together, but it is not possible to bridge Ethernet and Token Ring to
gether.
Each if_bridge interface is created at runtime using inter
face cloning.
This is most easily done with the ifconfig(8) create command
or using the
cloned_interfaces variable in rc.conf(5).
A bridge can be used to provide several services, such as a
simple 802.11-to-Ethernet bridge for wireless hosts, and traffic
isolation.
A bridge works like a hub, forwarding traffic from one in
terface to another. Multicast and broadcast packets are always for
warded to all interfaces that are part of the bridge. For unicast traf
fic, the bridge learns which MAC addresses are associated with which inter
faces and will forward the traffic selectively.
The if_bridge driver implements the IEEE 802.1D Spanning
Tree protocol (STP). Spanning Tree is used to detect and remove loops in
a network topology.
All the bridged member interfaces need to be up in order to
pass network
traffic. These can be enabled using ifconfig(8) or
ifconfig_<interface>="up" in rc.conf(5).
The MTU of the first member interface to be added is used as
the bridge MTU. All additional members are required to have exactly
the same value.
The TXCSUM capability is disabled for any interface added to
the bridge, and it is restored when the interface is removed again.

PACKET FILTERING

Packet filtering can be used with any firewall package that
hooks in via the pfil(9) framework. When filtering is enabled, bridged
packets will pass through the filter inbound on the originating inter
face, on the bridge interface and outbound on the appropriate interfaces.
Either stage can be disabled. The filtering behaviour can be con
trolled using sysctl(8):
net.link.bridge.pfil_onlyip Controls the handling of
non-IP packets: which are not passed to; pfil(9). Set to
1 to only allow IP packets; to pass (subject to firewall rules),; set to 0 to
unconditionally pass all; non-IP Ethernet
frames.
net.link.bridge.pfil_member Set to 1 to enable filter
ing on the: incoming and outgoing mem; ber interfaces,
set to 0 to disable it.
net.link.bridge.pfil_bridge Set to 1 to enable filter
ing on the: bridge interface, set to 0; to disable
it.
net.link.bridge.ipfw Set to 1 to enable layer2
filtering with: ipfirewall(4), set to 0 to; disable it.
This needs to be enabled; for dummynet(4)
support. When ipfw is en; abled,
pfil_bridge and pfil_member; will be disabled so that IPFW is not; run twice;
these can be re-enabled if; desired.
ARP and REVARP packets are forwarded without being filtered
and others that are not IP nor IPv6 packets are not forwarded when
pfil_onlyip is
enabled. IPFW can filter Ethernet types using mac-type so
all packets are passed to the filter for processing.
Note that packets to and from the bridging host will be seen
by the filter on the interface with the appropriate address configured
as well as on the interface on which the packet arrives or departs.

EXAMPLES

The following when placed in the file /etc/rc.conf will

cause a bridge called ``bridge0'' to be created, and will add the inter

faces ``ath0'' and ``fxp0'' to the bridge, and then enable packet forward

ing. Such a configuration could be used to implement a simple 802.11-to

Ethernet bridge (assuming the 802.11 interface is in ad-hoc mode).

cloned_interfaces="bridge0"

ifconfig_bridge0="addm ath0 addm fxp0 up"

For the bridge to forward packets all member interfaces and

the bridge need to be up. The above example would also require:

ifconfig_ath0="up ssid my_ap mode 11g mediaopt hostap"

ifconfig_fxp0="up"

Consider a system with two 4-port Ethernet boards. The fol

lowing will cause a bridge consisting of all 8 ports with Spanning Tree

enabled to be created:

ifconfig bridge0 create

ifconfig bridge0 addm fxp0 stp fxp0

addm fxp1 stp fxp1 addm fxp2 stp fxp2

addm fxp3 stp fxp3 addm fxp4 stp fxp4

addm fxp5 stp fxp5 addm fxp6 stp fxp6

addm fxp7 stp fxp7 up

The bridge can tunnel Ethernet across an IP internet using

the EtherIP protocol. This can be combined with ipsec(4) to provide an

encrypted connection. Create a gif(4) interface and set the local and

remote IP addresses for the tunnel, these are reversed on the remote

bridge.

ifconfig gif0 create

ifconfig gif0 tunnel 1.2.3.4 5.6.7.8 up

ifconfig bridge0 create

ifconfig bridge0 addm fxp0 addm gif0 up

HISTORY

The if_bridge driver first appeared in FreeBSD 6.0.

AUTHORS

The bridge driver was originally written by Jason L. Wright

<jason@thought.net> as part of an undergraduate independent

study at the University of North Carolina at Greensboro.

This version of the if_bridge driver has been heavily modi

fied from the original version by Jason R. Thorpe <thorpej@wasabisystems.com>.

BUGS

The if_bridge driver currently supports only Ethernet and
Ethernet-like (e.g., 802.11) network devices, with exactly the same inter
face MTU size as the bridge device.
The bridge may not forward fragments that have been reassem
bled by a packet filter. In pf(4) fragment reassembly can be disabled
in the scrub option.
BSD April 29, 2006

docs.sk

comprehensive documentation repository

See also