NAME
brconfig - manipulate bridge interfaces

SYNOPSIS
brconfig -a
brconfig bridge-name [parameters]
brconfig bridge-name rule { block | pass } { in | out | in/out } on interface-name [src address] [dst address] [tag tagname]
DESCRIPTION
The brconfig utility retrieves kernel state of bridge interfaces and allows user control of these bridges. Bridge devices create a logical link between two or more Ethernet interfaces or encapsulation interfaces (see gif(4)), which will selectively forward frames from each interface on the bridge to every other interface on the bridge. This can be used to isolate traffic between sets of machines on the same segment and to provide a transparent filter for ip(4) datagrams.

In the first synopsis, the -a flag will cause brconfig to list the status of all bridges in the system. In the second, its command line consists of the name of a bridge and a set of operations to be performed on that bridge. The commands are executed in the order they were specified. If no command is specified in the second synopsis, brconfig will display status information about the bridge. With the third synopsis, rules for filtering Ethernet MAC addresses can be added to a bridge.
The following parameters may be set with brconfig:

up
    Start the bridge forwarding packets.

down
    Stop the bridge from forwarding packets.

addr
    Display the addresses that have been learned by the bridge.

add interface-name
    Add the interface named by interface-name as a member of the bridge. The interface is put into promiscuous mode so that it can receive every packet sent on the network. An interface can be a member of at most one bridge.

delete interface-name
    Remove the interface named by interface-name from the bridge. Promiscuous mode is turned off for the interface when it is removed from the bridge.

del interface-name
    Alias for delete.

addspan interface-name
    Add the interface named by interface-name as a span port on the bridge. See the SPAN PORTS section for more details.

delspan interface-name
    Delete the interface named by interface-name from the list of span ports of the bridge.

maxaddr size
    Set the address cache size to size. The default is 100 entries.

timeout time
    Set the timeout, in seconds, for addresses in the cache to time. The default is 240 seconds. If time is set to zero, then entries will not be expired.

static interface-name address
    Add a static entry into the address cache pointing to interface-name. Static entries are never aged out of the cache or replaced, even if the address is seen on a different interface.

deladdr address
    Delete an address from the cache.

flush
    Remove all dynamically learned addresses from the cache.

flushall
    Remove all addresses from the cache, including static addresses.
blocknonip interface
    Mark an interface so that only IPv4, IPv6, ARP and Reverse ARP packets are accepted from it or forwarded to it from other bridge member interfaces; frames of any other Ethernet type are dropped.

-blocknonip interface
    Allow packets other than IPv4, IPv6, ARP and Reverse ARP through the interface (the default).

discover interface
    Mark an interface so that packets are sent out of the interface if the destination port of the packet is unknown. If the bridge has no address cache entry for the destination of a packet, meaning that there is no static entry and no dynamically learned entry for the destination, the bridge will forward the packet to all member interfaces that have this flag set. This is the default for interfaces added to the bridge.

-discover interface
    Mark an interface so that packets are not sent out of the interface if the destination port of the packet is unknown. Turning this flag off means that the bridge will not send packets out of this interface unless the packet is a broadcast packet, a multicast packet, or a packet with a destination address found on the interface's segment. This, in combination with static address cache entries, prevents potentially sensitive packets from being sent on segments that have no need to see the packet.

learn interface
    Mark an interface so that the source address of packets received from interface is entered into the address cache. This is the default for interfaces added to the bridge.

-learn interface
    Mark an interface so that the source address of packets received from interface is not entered into the address cache.

flushrule interface
    Remove all Ethernet MAC filtering rules from interface.
link0
    Setting this flag stops all non-IP multicast packets from being forwarded by the bridge.

-link0
    Clear the link0 flag on the bridge interface.

link1
    Setting this flag stops all IP multicast packets from being forwarded by the bridge.

-link1
    Clear the link1 flag on the bridge interface.

link2
    Setting this flag causes all packets to be passed on to ipsec(4) for processing, based on the policies established by the administrator using the ipsecadm(8) command. If appropriate security associations (SAs) exist, they will be used to encrypt or decrypt the packets. Otherwise, any key management daemons such as isakmpd(8) that are running on the bridge will be invoked to establish the necessary SAs. These daemons have to be configured as if they were running on the host whose traffic they are protecting (i.e., they need to have the appropriate authentication and authorization material, such as keys and certificates, to impersonate the protected host(s)).

-link2
    Clear the link2 flag on the bridge interface.
rule [rulespec]
    Add a filtering rule to an interface. Rules have a similar syntax to those in pf.conf(5). Rules can be used to selectively block or pass frames based on Ethernet MAC addresses. They can also tag packets for pf(4) to filter on. Rules are processed in the order in which they were added to the interface, and the first rule matched takes the action (block or pass) and, if given, the tag of the rule. If no source or destination address is specified, the rule will match all frames (good for creating a catchall policy); because of first-match evaluation, such a catchall rule must be added after the more specific rules it is meant to back up.

rulefile filename
    Load a set of rules from the file filename.

rules interface
    Display the active filtering rules in use on the given interface.
stp interface
    Enable spanning tree protocol on interface.

-stp interface
    Disable spanning tree protocol on interface.

maxage time
    Set the time (in seconds) that a spanning tree protocol configuration is valid. Defaults to 20 seconds, minimum of 1, maximum of 255.

fwddelay time
    Set the time (in seconds) before an interface begins forwarding packets. Defaults to 15 seconds, minimum of 1, maximum of 255.

hellotime time
    Set the time (in seconds) between broadcasting spanning tree protocol configuration packets. Defaults to 2 seconds, minimum of 1, maximum of 255.

priority num
    Set the spanning tree priority of this bridge to num. Defaults to 32768, minimum of 0, maximum of 65535.

ifpriority interface num
    Set the spanning tree priority of interface to num. Defaults to 128, minimum of 0, maximum of 255.

ifcost interface num
    Set the spanning tree path cost of interface to num. Defaults to 55, minimum of 1, maximum of 65535.
EXAMPLES
Create a bridge pseudo network device:

    # ifconfig bridge0 create

Add the Ethernet interfaces rl0 and xl0 to the bridge bridge0, and have the bridge start forwarding packets:

    # brconfig bridge0 add rl0 add xl0 up

Retrieve a list of interfaces that are members of bridge0, and the addresses learned by the bridge:

    # brconfig bridge0

Stop bridge0 from forwarding packets:

    # brconfig bridge0 down

Remove the interface xl0 from the bridge bridge0:

    # brconfig bridge0 delete xl0

Flush all dynamically learned addresses from the address cache:

    # brconfig bridge0 flush

Remove all addresses, including static addresses, from the address cache:

    # brconfig bridge0 flushall

The following commands mark the xl0 interface so that it will not learn addresses and add a static entry for the host 8:0:20:1e:2f:2b on the xl0 segment. Finally, xl0 is marked so that it will not receive packets with destinations not found in the address cache of bridge0. This is the most restrictive setup: bogus MAC addresses seen by the xl0 side of the bridge will not be propagated to the rest of the network, and no packets will be sent onto the xl0 segment by the bridge unless they are broadcast or multicast packets or are destined for 8:0:20:1e:2f:2b.

    # brconfig bridge0 -learn xl0 static xl0 8:0:20:1e:2f:2b
    # brconfig bridge0 -discover xl0
The following commands will set up a filter so that 0:1:2:3:4:5 can send frames through fxp0 only to 5:4:3:2:1:0, and 5:4:3:2:1:0 can return frames through fxp0 only to 0:1:2:3:4:5. All other traffic trying to go into or be sent from fxp0 will be blocked. The two block rules are given last because the first matching rule wins. Note that a MAC address is not an authenticator: a host on the fxp0 segment can forge either address, so these rules restrict which frames are forwarded but do not identify the hosts sending them.

    # brconfig bridge0 rule pass in on fxp0 src 0:1:2:3:4:5 dst 5:4:3:2:1:0
    # brconfig bridge0 rule pass out on fxp0 src 5:4:3:2:1:0 dst 0:1:2:3:4:5
    # brconfig bridge0 rule block in on fxp0
    # brconfig bridge0 rule block out on fxp0

The following commands will tag packets from and to 9:8:7:6:5:4 on fxp0 so that pf(4) can refer to them using the tagged directive:

    # brconfig bridge0 rule pass in on fxp0 src 9:8:7:6:5:4 tag boss
    # brconfig bridge0 rule pass out on fxp0 dst 9:8:7:6:5:4 tag boss

An example pf.conf(5) rule using this tag is:

    pass tagged boss keep state queue q_med
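The rule syntax and first-match semantics described under the rule parameter, and the filter examples above, lend themselves to checking a rule set offline before it is loaded with rulefile. The following POSIX shell script is an added example, not part of the brconfig(8) page or of OpenBSD: gen_rulefile emits rulefile lines that allow only a given list of hosts through a port and appends the catch-all blocks last, and eval_rules replays the bridge's first-match evaluation for a single frame so that a rule set such as the one above can be verified. Three points are assumptions rather than statements of the page: that a rulefile holds one rule per line in the rule syntax without the leading "rule" keyword and treats lines starting with '#' as comments, that a frame matching no rule is passed (consistent with the examples' explicit catch-all blocks), and that addresses compare equal regardless of case and leading zeros (8:0:20:1e:2f:2b and 08:00:20:1E:2F:2B), which is what norm_mac implements. The interface names and addresses are illustrative.

```sh
#!/bin/sh
# Added example (not from the brconfig(8) page): build and dry-run a bridge
# MAC filter. gen_rulefile prints lines for the "rulefile" parameter;
# eval_rules replays the bridge's first-match evaluation for one frame.
# Assumptions (labelled in the lead-in): rulefile lines use the rule syntax
# without the leading "rule" keyword, '#' starts a comment, and a frame
# matching no rule is passed.

# validate_mac ADDR: colon-separated hex, 1-2 digits per byte, as brconfig
# prints addresses (e.g. 8:0:20:1e:2f:2b). Exit status 0 if valid.
validate_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{1,2}:){5}[0-9a-f]{1,2}$'
}

# norm_mac ADDR: canonical form (lowercase, no leading zero per byte) so
# that 08:00:20:1E:2F:2B and 8:0:20:1e:2f:2b compare equal as strings.
norm_mac() {
    printf '%s\n' "$1" | tr 'A-F' 'a-f' |
        awk -F: 'BEGIN { OFS = ":" }
                 { for (i = 1; i <= NF; i++) { sub(/^0/, "", $i); if ($i == "") $i = "0" }; print }'
}

# gen_rulefile IFACE MAC...: only the listed hosts may send into or receive
# from IFACE. The first matching rule wins, so the catch-all blocks go last.
gen_rulefile() {
    iface=$1; shift
    for mac in "$@"; do
        validate_mac "$mac" || { echo "gen_rulefile: bad MAC $mac" >&2; return 1; }
        printf 'pass in on %s src %s\n' "$iface" "$mac"
        printf 'pass out on %s dst %s\n' "$iface" "$mac"
    done
    printf 'block in on %s\nblock out on %s\n' "$iface" "$iface"
}

# eval_rules DIR IFACE SRC DST < rulefile: print the action (and tag, if
# any) of the first rule that matches the frame, or "pass" if none does.
# DIR is "in" or "out"; rules written "in/out" match both directions.
eval_rules() {
    dir=$1; iface=$2; src=$(norm_mac "$3"); dst=$(norm_mac "$4")
    while read -r action rdir on riface rest; do
        case $action in ''|'#'*) continue ;; esac      # blank line or comment
        [ "$riface" = "$iface" ] || continue          # rule is for another port
        case $rdir in "$dir"|in/out) ;; *) continue ;; esac
        rsrc=''; rdst=''; rtag=''
        set -- $rest                                  # optional src/dst/tag pairs
        while [ $# -gt 0 ]; do
            [ $# -ge 2 ] || { echo "eval_rules: missing value after $1" >&2; return 2; }
            case $1 in
                src) rsrc=$(norm_mac "$2") ;;
                dst) rdst=$(norm_mac "$2") ;;
                tag) rtag=$2 ;;
                *) echo "eval_rules: bad token $1" >&2; return 2 ;;
            esac
            shift 2
        done
        # an omitted src or dst matches any address (the catch-all case)
        [ -z "$rsrc" ] || [ "$rsrc" = "$src" ] || continue
        [ -z "$rdst" ] || [ "$rdst" = "$dst" ] || continue
        printf '%s%s\n' "$action" "${rtag:+ tag $rtag}"
        return 0
    done
    echo pass   # assumed default when no rule matches
}
```

To use the generator on a live system, save its output to a file and load it with, for example, `brconfig bridge0 flushrule fxp0 rulefile /etc/bridge-fxp0.rules`; since rules are kernel state, the same command belongs in bridgename.if(5) so they are restored at boot.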
The bridge can also be used to tunnel Ethernet frames over IPv4 or IPv6 by using the gif(4) interface. In addition to adding Ethernet interfaces, one or more gif(4) interfaces are added as members of the bridge. Ethernet frames sent through the gif(4) interfaces are encapsulated inside ip(4) datagrams and sent across the network to another bridge, which decapsulates the datagram and then processes the resulting Ethernet frame as if it had originated on a normal Ethernet interface. This effectively allows a layer-2 network to be extended from one point to another, possibly through the Internet. This mechanism may be used in conjunction with IPsec by specifying the appropriate IPsec flows between the two bridges. To only protect the bridge traffic between the two bridges, the transport protocol 97 (etherip) selector may be used in ipsecadm(8) or isakmpd(8). Otherwise, the Ethernet frames will be sent in the clear between the two bridges.
For example, given two physically separate Ethernet networks, the bridge can be used as follows to make them appear as the same local area network. If bridge1 on network1 has the external IP address 1.2.3.4 on fxp0, bridge2 on network2 has the external IP address 4.3.2.1 on fxp0, and both bridges have fxp1 on their internal network (network1 and network2, respectively), the following configuration can be used to bridge network1 and network2.

Add the encapsulation interface and internal Ethernet interface to the bridge interface:

    # brconfig bridge0 add gif0 add fxp1

Create and configure the gif0 interface:

    (on bridge1) # ifconfig gif0 create
    (on bridge1) # ifconfig gif0 tunnel 1.2.3.4 4.3.2.1
    (on bridge2) # ifconfig gif0 create
    (on bridge2) # ifconfig gif0 tunnel 4.3.2.1 1.2.3.4

Create Security Associations (SAs) between the external IP address of each bridge. Each SA is outbound on one bridge and inbound on the other, so both must be installed on both bridges with identical keys. The 3des and md5 algorithms are shown as in the original example; both are weak by current standards, and the stronger algorithms offered by ipsecadm(8) should be preferred where available.

    # ipsecadm new esp -spi 4242 -dst 4.3.2.1 -src 1.2.3.4 \
        -enc 3des -auth md5 -keyfile keyfile1 -authkeyfile authkeyfile1
    # ipsecadm new esp -spi 4243 -dst 1.2.3.4 -src 4.3.2.1 \
        -enc 3des -auth md5 -keyfile keyfile2 -authkeyfile authkeyfile2

Set up flows so that the etherip traffic between the two bridges is required to use the above associations:

    (on bridge1) # ipsecadm flow -dst 4.3.2.1 -out -transport etherip -require -addr 1.2.3.4/32 4.3.2.1/32
    (on bridge2) # ipsecadm flow -dst 1.2.3.4 -out -transport etherip -require -addr 4.3.2.1/32 1.2.3.4/32

Bring up the internal interface (if not already up) and the encapsulation interface:

    # ifconfig fxp1 up
    # ifconfig gif0 up

Finally, bring the bridge interface up and allow it to start processing frames:

    # brconfig bridge0 up

The internal interface, i.e., fxp1, on each bridge need not have an IP address; the bridge can function without it.

Note: It is possible to put the above commands in the hostname.if(5) and bridgename.if(5) files, using the ! operator.
SPANNING TREE
The bridge has support for the 802.1D Spanning Tree Protocol (STP), which can be used to detect and remove loops in a network topology. Using the stp or -stp commands to brconfig, STP can be enabled or disabled on each port. STP will not work on gif(4) members because they lack a hardware MAC address.
SPAN PORTS
The bridge can have interfaces added to it as span ports. Span ports transmit a copy of every frame received by the bridge. This is most useful for snooping a bridged network passively on another host connected to one of the span ports of the bridge. Span ports cannot be bridge members; instead, the addspan and delspan commands are used to add and delete span ports to and from a bridge.
SEE ALSO
bridge(4), gif(4), ip(4), ipsec(4), pf(4), bridgename.if(5), pf.conf(5), ifconfig(8), ipsecadm(8), isakmpd(8)
HISTORY
The brconfig command first appeared in OpenBSD 2.5.

AUTHORS
The brconfig command and the bridge(4) kernel interface were written by Jason L. Wright <[email protected]> as part of an undergraduate independent study at the University of North Carolina at Greensboro.

BUGS
There are some rather special network interface chipsets which will not work in a bridge configuration. Some chipsets have serious flaws when running in promiscuous mode, like the TI ThunderLAN (see tl(4)), which receives its own transmissions (this renders the address learning cache useless). Most other chipsets work fine though.
OpenBSD 3.6 February 26, 1999