1 |
27 |
unneback |
|
2 |
|
|
NAME
|
3 |
|
|
bridge - Ethernet bridge interface
|
4 |
|
|
|
5 |
|
|
SYNOPSIS
|
6 |
|
|
pseudo-device bridge 2
|
7 |
|
|
|
8 |
|
|
DESCRIPTION
|
9 |
|
|
The bridge device creates a logical link between two or more Ethernet in
|
10 |
|
|
terfaces. This link between the interfaces selectively forwards frames
|
11 |
|
|
from each interface on the bridge to every other interface on the bridge.
|
12 |
|
|
A bridge can serve several services, including, isolation of traffic be
|
13 |
|
|
tween sets of machines so that traffic local to one set of machines is
|
14 |
|
|
not available on the wire of another set of machines, and it can act as a
|
15 |
|
|
transparent filter for ip(4) datagrams.
|
16 |
|
|
|
17 |
|
|
The bridges provided by this interface are learning bridges with IP fil
|
18 |
|
|
tering, see ipf(4). In general a bridge works like a hub, forwarding
|
19 |
|
|
traffic from one interface to another. It differs from a hub in that it
|
20 |
|
|
will "learn" which machines are on each of its attached segments by ac
|
21 |
|
|
tively listening to incoming traffic and examining the headers of each
|
22 |
|
|
frame. A table is built containing the MAC address and segment to which
|
23 |
|
|
the MAC address is attached. This allows a bridge to be more selective
|
24 |
|
|
about what it forwards, which can be used to reduce traffic on a set of
|
25 |
|
|
segments and also to provide an IP firewall without changing the topology
|
26 |
|
|
of the network.
|
27 |
|
|
|
28 |
|
|
The algorithm works as follows by default, but can be modified via
|
29 |
|
|
ioctl(2) or the utility brconfig(8). When a frame comes in, the origin
|
30 |
|
|
segment and the source address are recorded. If the bridge has no knowl
|
31 |
|
|
edge about where the destination is to be found, the bridge will forward
|
32 |
|
|
the frame to all attached segments. If the destination is known to be on
|
33 |
|
|
a different segment from its origin, the bridge will forward the packet
|
34 |
|
|
only to the destination segment. If the destination is on the same seg
|
35 |
|
|
ment as the origin segment, the bridge will drop the packet because the
|
36 |
|
|
receiver has already had a chance to see the frame. Before forwarding a
|
37 |
|
|
frame, the bridge will check to see if the packet contains an ip(4) data
|
38 |
|
|
gram; if so, the datagram is run through the ipf(4) interface so that it
|
39 |
|
|
can be filtered. Only the ipf(4) input rules for the source interface
|
40 |
|
|
are checked with the datagram; output rules have no effect.
|
41 |
|
|
|
42 |
|
|
IOCTLS
|
43 |
|
|
A bridge interface responds to all of the ioctl(2) calls specific to oth
|
44 |
|
|
er interfaces listed in netintro(4). The following ioctl(2) calls are
|
45 |
|
|
specific to bridge devices. They are defined in <sys/sockio.h>.
|
46 |
|
|
|
47 |
|
|
SIOCBRDGIFS (struct ifbifconf) Retrieve member interface list from a
|
48 |
|
|
bridge. This request takes an ifbifconf structure (see
|
49 |
|
|
below) as a value-result parameter. The ifbic_len field
|
50 |
|
|
should be initially set to the size of the buffer point
|
51 |
|
|
ed to by ifbic_buf. On return it will contain the
|
52 |
|
|
length, in bytes, of the configuration list. Alterna
|
53 |
|
|
tively, if the ifbic_len passed in is set to 0,
|
54 |
|
|
SIOCBRDGIFS will set ifbic_len to the size that
|
55 |
|
|
ifbic_buf needs to be to fit the entire configuration
|
56 |
|
|
list, and will not fill in the other parameters. This
|
57 |
|
|
is useful for determining the exact size that ifbic_buf
|
58 |
|
|
needs to be in advance.
|
59 |
|
|
|
60 |
|
|
The argument structure is defined as follows:
|
61 |
|
|
|
62 |
|
|
struct ifbreq {
|
63 |
|
|
char ifbr_name[IFNAMSIZ]; /* brdg nam */
|
64 |
|
|
char ifbr_ifsname[IFNAMSIZ]; /* if name */
|
65 |
|
|
u_int32_t ifbr_ifsflags; /* if flags */
|
66 |
|
|
};
|
67 |
|
|
|
68 |
|
|
#define IFBIF_LEARNING 0x1 /* learns addrs */
|
69 |
|
|
#define IFBIF_DISCOVER 0x2 /* gets fwd'd pkts */
|
70 |
|
|
|
71 |
|
|
struct ifbifconf {
|
72 |
|
|
char ifbic_name[IFNAMSIZ]; /* brdg name */
|
73 |
|
|
u_int32_t ifbic_len; /* buf size */
|
74 |
|
|
union {
|
75 |
|
|
caddr_t ifbicu_buf; /* buffer */
|
76 |
|
|
struct ifbreq *ifbicu_req;
|
77 |
|
|
} ifbic_ifbicu;
|
78 |
|
|
#define ifbic_buf ifbic_ifbicu.ifbicu_buf
|
79 |
|
|
#define ifbic_req ifbic_ifbicu.ifbicu_req
|
80 |
|
|
};
|
81 |
|
|
|
82 |
|
|
SIOCBRDGADD (struct ifbreq) Add the interface named in ifbr_ifsname
|
83 |
|
|
to the bridge named in ifbr_name.
|
84 |
|
|
|
85 |
|
|
SIOCBRDGDEL (struct ifbreq) Delete the interface named in
|
86 |
|
|
ifbr_ifsname from the bridge named in ifbr_name.
|
87 |
|
|
|
88 |
|
|
SIOCBRDGSIFFLGS (struct ifbreq) Set the bridge member interface flags
|
89 |
|
|
for the interface named in ifbr_ifsname attached to the
|
90 |
|
|
bridge ifbr_name. If the flag IFBIF_LEARNING is set on
|
91 |
|
|
an interface, source addresses from frames received on
|
92 |
|
|
the interface are recorded in the address cache. If the
|
93 |
|
|
flag IFBIF_DISCOVER is set, the interface will receive
|
94 |
|
|
packets destined for unknown destinations, otherwise a
|
95 |
|
|
frame that has a destination not found in the address
|
96 |
|
|
cache is not forwarded to this interface. The default
|
97 |
|
|
for newly added interfaces has both flags set. If the
|
98 |
|
|
flag IFBIF_BLOCKNONIP is set, packets that are one of
|
99 |
|
|
ip(4), ip6(4), arp(4), or Reverse ARP, will not be
|
100 |
|
|
bridged from and to the interface.
|
101 |
|
|
|
102 |
|
|
SIOCBRDGGIFFLGS Retrieve the bridge member interface flags for the in
|
103 |
|
|
terface named in ifbr_ifsname attached to the bridge
|
104 |
|
|
ifbr_name.
|
105 |
|
|
|
106 |
|
|
SIOCBRDGRTS (struct ifbaconf) Retrieve the address cache of the
|
107 |
|
|
bridge named in ifbac_name. This request takes an
|
108 |
|
|
ifbaconf structure (see below) as a value result parame
|
109 |
|
|
ter. The ifbac_len field should be initially set to the
|
110 |
|
|
size of the buffer pointed to by ifbac_buf. On return,
|
111 |
|
|
it will contain the length, in bytes, of the configura
|
112 |
|
|
tion list. Alternatively, if the ifbac_len passed in is
|
113 |
|
|
set to 0, SIOCBRDGRTS will set it to the size that
|
114 |
|
|
ifbac_buf needs to be to fit the entire configuration
|
115 |
|
|
list and not fill in the other parameters. As with
|
116 |
|
|
SIOCBRDGIFS, this is useful for determining the exact
|
117 |
|
|
size that ifbac_buf needs to be in advance.
|
118 |
|
|
|
119 |
|
|
The argument structure is defined as follows:
|
120 |
|
|
|
121 |
|
|
struct ifbareq {
|
122 |
|
|
char ifba_name[IFNAMSIZ]; /* brdg nam */
|
123 |
|
|
char ifba_ifsname[IFNAMSIZ];/* dest ifs */
|
124 |
|
|
u_int8_t ifba_age; /* addr age */
|
125 |
|
|
u_int8_t ifba_flags; /* addr flag */
|
126 |
|
|
struct ether_addr ifba_dst; /* dst addr */
|
127 |
|
|
};
|
128 |
|
|
|
129 |
|
|
#define IFBAF_TYPEMASK 0x03 /* addr type mask */
|
130 |
|
|
#define IFBAF_DYNAMIC 0x00 /* dynamic addr */
|
131 |
|
|
#define IFBAF_STATIC 0x01 /* static address */
|
132 |
|
|
|
133 |
|
|
struct ifbaconf {
|
134 |
|
|
char ifbac_name[IFNAMSIZ]; /* brdg name */
|
135 |
|
|
u_int32_t ifbac_len; /* buf size */
|
136 |
|
|
union {
|
137 |
|
|
caddr_t ifbacu_buf; /* buf */
|
138 |
|
|
struct ifbareq *ifbacu_req;
|
139 |
|
|
} ifbac_ifbacu;
|
140 |
|
|
#define ifbac_buf ifbac_ifbacu.ifbacu_buf
|
141 |
|
|
#define ifbac_req ifbac_ifbacu.ifbacu_req
|
142 |
|
|
};
|
143 |
|
|
Address cache entries with the type set to IFBAF_DYNAMIC
|
144 |
|
|
in ifba_flags are entries learned by the bridge. En
|
145 |
|
|
tries with the type set to IFBAF_STATIC are manually
|
146 |
|
|
added entries.
|
147 |
|
|
|
148 |
|
|
SIOCBRDGSADDR (struct ifbareq) Add an entry, manually, to the address
|
149 |
|
|
cache for the bridge named in ifba_name. The address and
|
150 |
|
|
its associated interface and flags are set in the
|
151 |
|
|
ifba_dst, ifba_ifsname, ifba_flags fields, respectively.
|
152 |
|
|
|
153 |
|
|
SIOCBRDGDADDR (struct ifbareq) Delete an entry from the address cache
|
154 |
|
|
of the bridge named in ifba_name. Entries are deleted
|
155 |
|
|
strictly based on the address field ifba_dst.
|
156 |
|
|
|
157 |
|
|
SIOCBRDGSCACHE (struct ifbcachereq) Set the maximum address cache size
|
158 |
|
|
for the bridge named in ifbc_name to ifbc_size entries.
|
159 |
|
|
|
160 |
|
|
The argument structure is as follows:
|
161 |
|
|
|
162 |
|
|
struct ifbcachereq {
|
163 |
|
|
char ifbc_name[IFNAMSIZ]; /* bridge */
|
164 |
|
|
u_int32_t ifbc_size; /* size */
|
165 |
|
|
};
|
166 |
|
|
|
167 |
|
|
SIOCBRDGGCACHE (struct ifbcachereq) Retrieve the maximum size of the
|
168 |
|
|
address cache for the bridge ifbc_name.
|
169 |
|
|
|
170 |
|
|
SIOCBRDGSTO (struct ifbcachetoreq) Set the time, in seconds, that
|
171 |
|
|
addresses which have not been seen on the network
|
172 |
|
|
(transmitted a packet) remain in the cache. If the time
|
173 |
|
|
is set to zero, no aging is performed on the address
|
174 |
|
|
cache. The argument structure is as follows:
|
175 |
|
|
|
176 |
|
|
struct ifbcachetoreq {
|
177 |
|
|
char ifbct_name[IFNAMSIZ]; /* bridge */
|
178 |
|
|
u_int32_t ifbct_time; /* time */
|
179 |
|
|
};
|
180 |
|
|
|
181 |
|
|
SIOCBRDGGTO (struct ifbcachetoreq) Retrieve the address cache expi
|
182 |
|
|
ration time (see above).
|
183 |
|
|
|
184 |
|
|
SIOCBRDGFLUSH (struct ifbreq) Flush addresses from the cache.
|
185 |
|
|
ifbr_name contains the name of the bridge device, and
|
186 |
|
|
ifbr_ifsflags should be set to IFBF_FLUSHALL to flush
|
187 |
|
|
all addresses from the cache or IFBF_FLUSHDYN to flush
|
188 |
|
|
only the dynamically learned addresses from the cache.
|
189 |
|
|
|
190 |
|
|
SIOCBRDGARL (struct ifbrlreq) Add a filtering rule to the bridge
|
191 |
|
|
named in ifbr_name on the interface named in
|
192 |
|
|
ifbr_ifsname. The argument structure is as follows:
|
193 |
|
|
|
194 |
|
|
struct ifbrlreq {
|
195 |
|
|
char ifbr_name[IFNAMSIZ]; /* bridge */
|
196 |
|
|
char ifbr_ifsname[IFNAMSIZ]; /* ifs */
|
197 |
|
|
u_int8_t ifbr_action; /* handling */
|
198 |
|
|
u_int8_t ifbr_flags; /* flags */
|
199 |
|
|
struct ether_addr ifbr_src; /* src mac */
|
200 |
|
|
struct ether_addr ifbr_dst; /* dst mac */
|
201 |
|
|
};
|
202 |
|
|
#define BRL_ACTION_BLOCK 0x01
|
203 |
|
|
#define BRL_ACTION_PASS 0x02
|
204 |
|
|
#define BRL_FLAG_IN 0x08
|
205 |
|
|
#define BRL_FLAG_OUT 0x04
|
206 |
|
|
#define BRL_FLAG_SRCVALID 0x02
|
207 |
|
|
#define BRL_FLAG_DSTVALID 0x01
|
208 |
|
|
|
209 |
|
|
Rules are applied in the order in which they were added
|
210 |
|
|
to the bridge, and the first matching rule's action pa
|
211 |
|
|
rameter determines the fate of the packet. The
|
212 |
|
|
ifbr_action parameter specifies whether a frame matching
|
213 |
|
|
the rule is to be blocked or passed.
|
214 |
|
|
|
215 |
|
|
If the BRL_FLAG_IN bit is set in ifbr_flags, then the
|
216 |
|
|
rule applies to frames received by the interface. If
|
217 |
|
|
the BRL_FLAG_OUT bit is set, then the rule applies to
|
218 |
|
|
frame transmitted by the interface. At least one of
|
219 |
|
|
BRL_FLAG_IN or BRL_FLAG_OUT must be set.
|
220 |
|
|
|
221 |
|
|
The source ethernet address in ifbr_src is checked if
|
222 |
|
|
the BRL_FLAG_SRCVALID bit is set in ifbr_flags. The des
|
223 |
|
|
tination address in ifbr_dst is check if the
|
224 |
|
|
BRL_FLAG_DSTVALID bit is set. If neither bit is set,
|
225 |
|
|
the rule is matches all frames.
|
226 |
|
|
|
227 |
|
|
SIOCBRDGFRL (struct ifbrlreq) Remove all filtering rules from a
|
228 |
|
|
bridge interface member. ifbr_name contains the name of
|
229 |
|
|
the bridge device, and ifbr_ifsname contains the name of
|
230 |
|
|
the bridge member interface.
|
231 |
|
|
|
232 |
|
|
SIOCBRDGGRL (struct ifbrlconf) Retrieve all of the rules from the
|
233 |
|
|
bridge, ifbrl_name, for the member interface,
|
234 |
|
|
ifbrl_ifsname.
|
235 |
|
|
|
236 |
|
|
This request takes an ifbrlconf structure (see below) as
|
237 |
|
|
a value result parameter. The ifbrl_len field should be
|
238 |
|
|
initially set to the size of the buffer pointed to by
|
239 |
|
|
ifbrl_buf. On return, it will contain the length, in
|
240 |
|
|
bytes, of the configuration list. Alternatively, if the
|
241 |
|
|
ifbrl_len passed in is set to 0, SIOCBRDGGRL will set it
|
242 |
|
|
to the size that ifbrl_buf needs to be to fit the entire
|
243 |
|
|
configuration list and not fill in the other parameters.
|
244 |
|
|
As with SIOCBRDGIFS, this is useful for determining the
|
245 |
|
|
exact size that ifbrl_buf needs to be in advance.
|
246 |
|
|
|
247 |
|
|
The argument structure is defined as follows:
|
248 |
|
|
|
249 |
|
|
struct ifbrlconf {
|
250 |
|
|
char ifbrl_name[IFNAMSIZ]; /* brdg nam */
|
251 |
|
|
char ifbrl_ifsname[IFNAMSIZ];/* ifs name */
|
252 |
|
|
u_int32_t ifbr_len; /* buf len */
|
253 |
|
|
union {
|
254 |
|
|
caddr_t ifbrlu_buf;
|
255 |
|
|
struct ifbrlreq *ifbrlu_req;
|
256 |
|
|
} ifrl_ifbrlu;
|
257 |
|
|
#define ifbrl_buf ifbrl_ifbrlu.ifbrlu_buf
|
258 |
|
|
#define ifbrl_req ifbrl_ifbrlu.ifbrlu_req
|
259 |
|
|
};
|
260 |
|
|
|
261 |
|
|
|
262 |
|
|
ERRORS
|
263 |
|
|
If the ioctl(2) call fails, errno(2) is set to one of the following val
|
264 |
|
|
ues:
|
265 |
|
|
|
266 |
|
|
[ENOENT] For an add request, this means that the named interface is
|
267 |
|
|
not configured into the system. For delete operation, it
|
268 |
|
|
means that the named interface is not a member of the
|
269 |
|
|
bridge. For a address cache deletion, the address was not
|
270 |
|
|
found in the table.
|
271 |
|
|
|
272 |
|
|
[ENOMEM] Memory could not be allocated for an interface or cache en
|
273 |
|
|
try to be added to the bridge.
|
274 |
|
|
|
275 |
|
|
[EEXIST] The named interface is already a member of the bridge.
|
276 |
|
|
|
277 |
|
|
[EBUSY] The named interface is already a member of another bridge.
|
278 |
|
|
|
279 |
|
|
[EINVAL] The named interface is not an Ethernet interface or an in
|
280 |
|
|
valid ioctl was performed on the bridge.
|
281 |
|
|
|
282 |
|
|
[ENETDOWN] Address cache operation (flush, add, delete) on a bridge
|
283 |
|
|
that is in the down state.
|
284 |
|
|
|
285 |
|
|
[EPERM] Super-user privilege is required to add and delete inter
|
286 |
|
|
faces to and from bridges and to set the bridge interface
|
287 |
|
|
flags.
|
288 |
|
|
|
289 |
|
|
[EFAULT] The buffer used in a SIOCBRDGIFS or SIOCBRDGRTS request
|
290 |
|
|
|
291 |
|
|
points outside of the process's allocated address space.
|
292 |
|
|
|
293 |
|
|
[ESRCH] No such member interface in the bridge.
|
294 |
|
|
|
295 |
|
|
SEE ALSO
|
296 |
|
|
errno(2), ioctl(2), ip(4), ipf(4), netintro(4), bridgename.if(5),
|
297 |
|
|
brconfig(8)
|
298 |
|
|
|
299 |
|
|
HISTORY
|
300 |
|
|
The brconfig(8) command and the bridge(4) kernel interface first appeared
|
301 |
|
|
in
|
302 |
|
|
|
303 |
|
|
AUTHOR
|
304 |
|
|
The brconfig(8) command and the bridge(4) kernel interface were written
|
305 |
|
|
by Jason L. Wright <jason@thought.net> as part of an undergraduate inde
|
306 |
|
|
pendent study at the University of North Carolina at Greensboro.
|
307 |
|
|
|
308 |
|
|
BUGS
|
309 |
|
|
There is currently no loop detection. Care must be taken to make sure
|
310 |
|
|
that loops are not created when a bridge is brought up.
|
311 |
|
|
|
312 |
|
|
Only ipf(4) input rules are checked with incoming packet; there is no
|
313 |
|
|
easy way to handle output rules.
|
314 |
|
|
|