NAME
     brconfig - manipulate bridge interfaces

SYNOPSIS
     brconfig -a
     brconfig bridge-name [parameters]
     brconfig bridge-name rule { block | pass } { in | out | in/out } on
              interface-name [src address] [dst address] [tag tagname]

DESCRIPTION
     The brconfig utility retrieves kernel state of bridge interfaces and allows
     user control of these bridges.  Bridge devices create a logical link
     between two or more Ethernet interfaces or encapsulation interfaces (see
     gif(4)), which will selectively forward frames from each interface on the
     bridge to every other interface on the bridge.  This can be used to isolate
     traffic between sets of machines on the same segment and to provide a
     transparent filter for ip(4) datagrams.

     In the first synopsis, the -a flag will cause brconfig to list the status
     of all bridges in the system.  In the second, its command line consists of
     the name of a bridge and a set of operations to be performed on that
     bridge.  The commands are executed in the order they were specified.  If
     no command is specified in the second synopsis, brconfig will display
     status information about the bridge.  With the third synopsis, rules for
     filtering Ethernet MAC addresses can be added to a bridge.

     The following parameters may be set with brconfig:

     up      Start the bridge forwarding packets.

     down    Stop the bridge from forwarding packets.

     addr    Display the addresses that have been learned by the bridge.

     add interface-name
             Add the interface named by interface-name as a member of the
             bridge.  The interface is put into promiscuous mode so that it
             can receive every packet sent on the network.  An interface can
             be a member of at most one bridge.

     delete interface-name
             Remove the interface named by interface-name from the bridge.
             Promiscuous mode is turned off for the interface when it is
             removed from the bridge.

     del interface-name
             Alias for delete.

     addspan interface-name
             Add the interface named by interface-name as a span port on the
             bridge.  See the SPAN PORTS section for more details.

     delspan interface-name
             Delete the interface named by interface-name from the list of
             span ports of the bridge.

     maxaddr size
             Set the address cache size to size.  The default is 100 entries.

     timeout time
             Set the timeout, in seconds, for addresses in the cache to time.
             The default is 240 seconds.  If time is set to zero, then entries
             will not be expired.

     static interface-name address
             Add a static entry into the address cache pointing to
             interface-name.  Static entries are never aged out of the cache
             or replaced, even if the address is seen on a different
             interface.

     deladdr address
             Delete an address from the cache.

     flush   Remove all dynamically learned addresses from the cache.

     flushall
             Remove all addresses from the cache including static addresses.

     blocknonip interface
             Mark an interface so that no non-IPv4, IPv6, ARP, or Reverse ARP
             packets are accepted from it or forwarded to it from other bridge
             member interfaces.

     -blocknonip interface
             Allow non-IPv4, IPv6, ARP, or Reverse ARP packets through the
             interface.

     discover interface
             Mark an interface so that packets are sent out of the interface
             if the destination port of the packet is unknown.  If the bridge
             has no address cache entry for the destination of a packet,
             meaning that there is no static entry and no dynamically learned
             entry for the destination, the bridge will forward the packet to
             all member interfaces that have this flag set.  This is the
             default for interfaces added to the bridge.

     -discover interface
             Mark an interface so that packets are not sent out of the
             interface if the destination port of the packet is unknown.
             Turning this flag off means that the bridge will not send packets
             out of this interface unless the packet is a broadcast packet,
             multicast packet, or a packet with a destination address found on
             the interface's segment.  This, in combination with static
             address cache entries, prevents potentially sensitive packets
             from being sent on segments that have no need to see the packet.

     learn interface
             Mark an interface so that the source address of packets received
             from interface are entered into the address cache.  This is the
             default for interfaces added to the bridge.

     -learn interface
             Mark an interface so that the source address of packets received
             from interface are not entered into the address cache.

     flushrule interface
             Remove all Ethernet MAC filtering rules from interface.

     link0   Setting this flag stops all non-IP multicast packets from being
             forwarded by the bridge.

     -link0  Clear the link0 flag on the bridge interface.

     link1   Setting this flag stops all IP multicast packets from being
             forwarded by the bridge.

     -link1  Clear the link1 flag on the bridge interface.

     link2   Setting this flag causes all packets to be passed on to ipsec(4)
             for processing, based on the policies established by the
             administrator using the ipsecadm(8) command.  If appropriate
             security associations (SAs) exist, they will be used to encrypt
             or decrypt the packets.  Otherwise, any key management daemons
             such as isakmpd(8) that are running on the bridge will be invoked
             to establish the necessary SAs.  These daemons have to be
             configured as if they were running on the host whose traffic they
             are protecting (i.e., they need to have the appropriate
             authentication and authorization material, such as keys and
             certificates, to impersonate the protected host(s)).

     -link2  Clear the link2 flag on the bridge interface.

     rule [rulespec]
             Add a filtering rule to an interface.  Rules have a similar
             syntax to those in pf.conf(5).  Rules can be used to selectively
             block or pass frames based on Ethernet MAC addresses.  They can
             also tag packets for pf(4) to filter on.  Rules are processed in
             the order in which they were added to the interface, and the
             first rule matched takes the action (block or pass) and, if
             given, the tag of the rule.  If no source or destination address
             is specified, the rule will match all frames (good for creating a
             catchall policy).

     rulefile filename
             Load a set of rules from the file filename.

     rules interface
             Display the active filtering rules in use on the given interface.

     stp interface
             Enable spanning tree protocol on interface.

     -stp interface
             Disable spanning tree protocol on interface.

     maxage time
             Set the time (in seconds) that a spanning tree protocol
             configuration is valid.  Defaults to 20 seconds, minimum of 1,
             maximum of 255.

     fwddelay time
             Set the time (in seconds) before an interface begins forwarding
             packets.  Defaults to 15 seconds, minimum of 1, maximum of 255.

     hellotime time
             Set the time (in seconds) between broadcasting spanning tree
             protocol configuration packets.  Defaults to 2 seconds, minimum
             of 1, maximum of 255.

     priority num
             Set the spanning priority of this bridge to num.  Defaults to
             32768, minimum of 0, maximum of 65535.

     ifpriority interface num
             Set the spanning tree priority of interface to num.  Defaults to
             128, minimum of 0, maximum of 255.

     ifcost interface num
             Set the spanning tree path cost of interface to num.  Defaults to
             55, minimum of 1, maximum of 65535.

EXAMPLES
     Create a bridge pseudo network device:

           # ifconfig bridge0 create

     Add the Ethernet interfaces rl0 and xl0 to the bridge bridge0, and have
     the bridge start forwarding packets:

           # brconfig bridge0 add rl0 add xl0 up

     Retrieve a list of interfaces that are members of bridge0, and the
     addresses learned by the bridge:

           # brconfig bridge0

     Stop bridge0 from forwarding packets:

           # brconfig bridge0 down

     Remove the interface xl0 from the bridge bridge0:

           # brconfig bridge0 delete xl0

     Flush all dynamically learned addresses from the address cache:

           # brconfig bridge0 flush

     Remove all addresses, including static addresses, from the address cache:

           # brconfig bridge0 flushall

     The following commands mark the xl0 interface so that it will not learn
     addresses and add a static entry for the host 8:0:20:1e:2f:2b on the xl0
     segment.  Finally, xl0 is marked so that it will not receive packets with
     destinations not found in the address cache of bridge0.  This setup is
     the most secure, and means that bogus MAC addresses seen by the xl0 side
     of the bridge will not be propagated to the rest of the network.  Also,
     no packets will be sent onto the xl0 segment by the bridge unless they
     are broadcast packets or are destined for 8:0:20:1e:2f:2b.

           # brconfig bridge0 -learn xl0 static xl0 8:0:20:1e:2f:2b
           # brconfig bridge0 -discover xl0

     The following commands will set up a filter so that 0:1:2:3:4:5 can send
     frames through fxp0 only to 5:4:3:2:1:0, and 5:4:3:2:1:0 can return
     frames through fxp0 only to 0:1:2:3:4:5.  All other traffic trying to go
     into or be sent from fxp0 will be blocked.

           # brconfig bridge0 rule pass in on fxp0 src 0:1:2:3:4:5 dst 5:4:3:2:1:0
           # brconfig bridge0 rule pass out on fxp0 src 5:4:3:2:1:0 dst 0:1:2:3:4:5
           # brconfig bridge0 rule block in on fxp0
           # brconfig bridge0 rule block out on fxp0

     The following commands will tag packets from and to 9:8:7:6:5:4 on fxp0
     so that pf(4) can refer to them using the tagged directive:

           # brconfig bridge0 rule pass in on fxp0 src 9:8:7:6:5:4 tag boss
           # brconfig bridge0 rule pass out on fxp0 dst 9:8:7:6:5:4 tag boss

     An example pf.conf(5) rule using this tag is:

           pass tagged boss keep state queue q_med
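
     The rule syntax described under the rule parameter and used in the
     filter and tag examples above, worked through as an added example that is
     not part of brconfig(8) or of OpenBSD: a POSIX sh script that builds a
     rulefile for an allow-list of MAC address pairs (with the catch-all
     block rules last, since the first matching rule decides) and then models
     the documented first-match evaluation, including the tag of the matching
     rule.  Everything in it is constructed for this example: the functions
     valid_mac, norm_mac, gen_rules and eval_rules, the sample addresses, the
     assumption that rulefile lines use the rule syntax without the leading
     "rule" keyword, and the assumption that an in/out rule matches frames in
     either direction.  The evaluator is a model of the semantics the text
     states, not the kernel's filtering code.

```shell
#!/bin/sh
# Added example, not part of brconfig(8): build a brconfig rulefile for an
# allow-list of MAC address pairs and model the first-match evaluation the
# man page describes.  Assumption: rulefile lines use the rule syntax without
# the leading "rule" keyword (e.g. "pass in on fxp0 src 0:1:2:3:4:5").

# Accept the colon-separated six-octet form brconfig uses; each octet may be
# written with one or two hex digits (8:0:20:1e:2f:2b or 08:00:20:1e:2f:2b).
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2}$'
}

# Canonical form for comparison: lowercase, no leading zero in any octet, so
# that 08:00:20:1E:2F:2B and 8:0:20:1e:2f:2b compare equal.
norm_mac() {
    printf '%s\n' "$1" | awk -F: -v OFS=: '{
        for (i = 1; i <= NF; i++) { sub(/^0/, "", $i); if ($i == "") $i = "0" }
        print tolower($0)
    }'
}

# Emit rulefile lines for interface $1 from "host peer" pairs read on stdin:
# host (on the $1 segment) may send only to peer, and peer may send back only
# to host.  The catch-all block rules go last because the first match wins.
gen_rules() {
    iface=$1
    while read -r host peer; do
        [ -n "$host" ] || continue
        if ! valid_mac "$host" || ! valid_mac "$peer"; then
            echo "gen_rules: bad MAC address in \"$host $peer\"" >&2
            return 1
        fi
        printf 'pass in on %s src %s dst %s\n' "$iface" "$host" "$peer"
        printf 'pass out on %s src %s dst %s\n' "$iface" "$peer" "$host"
    done
    printf 'block in on %s\n' "$iface"
    printf 'block out on %s\n' "$iface"
}

# Evaluate one frame (direction interface src dst) against rule lines read on
# stdin, in order.  Prints the action of the first matching rule, followed by
# its tag when it has one; prints "nomatch" and fails when no rule applies.
# Assumption: a rule written with direction "in/out" matches either direction.
eval_rules() {
    fdir=$1 fiface=$2
    fsrc=$(norm_mac "$3") fdst=$(norm_mac "$4")
    while read -r action dir _on iface rest; do
        [ -n "$action" ] || continue
        [ "$dir" = "$fdir" ] || [ "$dir" = "in/out" ] || continue
        [ "$iface" = "$fiface" ] || continue
        rsrc='' rdst='' rtag=''
        set -- $rest                       # optional src/dst/tag pairs
        while [ $# -ge 2 ]; do
            case "$1" in
                src) rsrc=$(norm_mac "$2") ;;
                dst) rdst=$(norm_mac "$2") ;;
                tag) rtag=$2 ;;
            esac
            shift 2
        done
        [ -z "$rsrc" ] || [ "$rsrc" = "$fsrc" ] || continue
        [ -z "$rdst" ] || [ "$rdst" = "$fdst" ] || continue
        if [ -n "$rtag" ]; then echo "$action $rtag"; else echo "$action"; fi
        return 0
    done
    echo nomatch
    return 1
}

# Demonstration on constructed input (the address pair from the man page):
# print the generated rulefile, then classify an allowed and a blocked frame.
demo_rules=$(printf '0:1:2:3:4:5 5:4:3:2:1:0\n' | gen_rules fxp0)
printf '%s\n' "$demo_rules"
printf '%s\n' "$demo_rules" | eval_rules in fxp0 00:01:02:03:04:05 5:4:3:2:1:0
printf '%s\n' "$demo_rules" | eval_rules in fxp0 0:1:2:3:4:5 a:b:c:d:e:f
```

     The generated lines can be written to a file and loaded with the rulefile
     parameter (under the assumption about the file format noted above), or
     prefixed with "brconfig bridge0 rule" and run one by one.  Normalising
     addresses before comparison matters in practice: a rule written as
     8:0:20:1e:2f:2b must still apply to a frame whose address is displayed as
     08:00:20:1e:2f:2b.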

     The bridge can also be used to tunnel Ethernet frames over IPv4 or IPv6
     by using the gif(4) interface.  In addition to adding Ethernet
     interfaces, one or more gif(4) interfaces are added as members of the
     bridge.  Ethernet frames sent through the gif(4) interfaces are
     encapsulated inside ip(4) datagrams and sent across the network to
     another bridge, which decapsulates the datagram and then processes the
     resulting Ethernet frame as if it had originated on a normal Ethernet
     interface.  This effectively allows a layer-2 network to be extended from
     one point to another, possibly through the Internet.  This mechanism may
     be used in conjunction with IPsec by specifying the appropriate IPsec
     flows between the two bridges.  To only protect the bridge traffic
     between the two bridges, the transport protocol 97 (etherip) selector may
     be used in ipsecadm(8) or isakmpd(8).  Otherwise, the Ethernet frames
     will be sent in the clear between the two bridges.

     For example, given two physically separate Ethernet networks, the bridge
     can be used as follows to make them appear as the same local area
     network.  If bridge1 on network1 has the external IP address 1.2.3.4 on
     fxp0, bridge2 on network2 has the external IP address 4.3.2.1 on fxp0,
     and both bridges have fxp1 on their internal network (network1 and
     network2, respectively), the following configuration can be used to
     bridge network1 and network2.

     Add the encapsulation interface and internal Ethernet interface to the
     bridge interface:

           # brconfig bridge0 add gif0 add fxp1

     Create and configure the gif0 interface:

           (on bridge 1) # ifconfig gif0 create
           (on bridge 1) # ifconfig gif0 tunnel 1.2.3.4 4.3.2.1
           (on bridge 2) # ifconfig gif0 create
           (on bridge 2) # ifconfig gif0 tunnel 4.3.2.1 1.2.3.4

     Create Security Associations (SAs) between the external IP address of
     each bridge:

           # ipsecadm new esp -spi 4242 -dst 4.3.2.1 -src 1.2.3.4 -enc 3des \
                   -auth md5 -keyfile keyfile1 -authkeyfile authkeyfile1
           # ipsecadm new esp -spi 4243 -dst 1.2.3.4 -src 4.3.2.1 -enc 3des \
                   -auth md5 -keyfile keyfile2 -authkeyfile authkeyfile2

     Set up ingress flows so that traffic is allowed between the two bridges
     for the above associations:

           (on bridge1) # ipsecadm flow -dst 4.3.2.1 -out -transport etherip \
                   -require -addr 1.2.3.4/32 4.3.2.1/32
           (on bridge2) # ipsecadm flow -dst 1.2.3.4 -out -transport etherip \
                   -require -addr 4.3.2.1/32 1.2.3.4/32

     Bring up the internal interface (if not already up) and encapsulation
     interface:

           # ifconfig fxp1 up
           # ifconfig gif0 up

     Finally, bring the bridge interface up and allow it to start processing
     frames:

           # brconfig bridge0 up

     The internal interface, i.e., fxp1, on each bridge need not have an IP
     address; the bridge can function without it.

     Note: It is possible to put the above commands in the hostname.if(5) and
     bridgename.if(5) files, using the ! operator.

SPANNING TREE
     The bridge has support for 802.1D Spanning Tree Protocol (STP), which can
     be used to detect and remove loops in a network topology.  Using the stp
     or -stp commands to brconfig, STP can be enabled or disabled on each
     port.  STP will not work on gif(4) members because they lack a hardware
     MAC address.

SPAN PORTS
     The bridge can have interfaces added to it as span ports.  Span ports
     transmit a copy of every frame received by the bridge.  This is most
     useful for snooping a bridged network passively on another host connected
     to one of the span ports of the bridge.  Span ports cannot be bridge
     members; instead, the addspan and delspan commands are used to add and
     delete span ports to and from a bridge.

SEE ALSO
     bridge(4), gif(4), ip(4), ipsec(4), pf(4), bridgename.if(5), pf.conf(5),
     ifconfig(8), ipsecadm(8), isakmpd(8)

HISTORY
     The brconfig command first appeared in OpenBSD 2.5.

AUTHORS
     The brconfig command and the bridge(4) kernel interface were written by
     Jason L. Wright <jason@thought.net> as part of an undergraduate
     independent study at the University of North Carolina at Greensboro.

BUGS
     There are some rather special network interface chipsets which will not
     work in a bridge configuration.  Some chipsets have serious flaws when
     running in promiscuous mode, like the TI ThunderLAN (see tl(4)), which
     receives its own transmissions (this renders the address learning cache
     useless).  Most other chipsets work fine though.

OpenBSD 3.6                     February 26, 1999