Re: Why can't I add a loopback interface to a bridge?

From: Norman Gray <gray_at_nxg.name>
Date: Thu, 14 Jul 2022 16:54:43 UTC
Kristof, hello.

On 13 Jul 2022, at 22:09, Kristof Provost wrote:

> On 13 Jul 2022, at 22:43, Norman Gray wrote:
>> Why can't I add a loopback interface to a bridge?
>>
> The short answer is: because it’s not an Ethernet interface.
>
> From the man page:
>
>      The if_bridge driver creates a logical link between two or more IEEE 802
>      networks that use the same (or “similar enough”) framing format.  For

Aha -- this is key.  I'm pretty sure I've 'read' that manpage before, but not, I suspect, when I was in a position to make sufficiently full sense of it.

'Similar enough' is a worryingly vague term, but I suspect it's not one I'm likely to fall foul of in any practical sense.

>> What I'm aiming to do is to set up a bridge to VNET-isolated jails, so I can subsequently selectively route and NAT packets from those jails to the rest of the network.
>>
>> My mental model here is that I create an interface lo1 and then 'plug it in to the bridge', so that I can subsequently forward packets from lo1 to the real network interface.  This mental model is clearly defective, but I can't see where.
>>
> Your model is indeed incorrect. An if_bridge is not just a switch, but also a NIC that’s plugged into that switch.
> So to do what you’re trying to do, you’d add an epair interface for each jail, put one end in the bridge and the other in the jail.
> You’d assign the subnet(s) you want the jails to use to the bridge interface, and to the jailed interfaces.

So it's a switch that already has one port plugged in to the host (ish?)

This is implied by the mention of assigning an address to the bridge, in Sect. 32.6.1 of the handbook, but the change in mental model makes that section a lot more readily parseable.

Incidentally, I tried the specific jails configuration from the MWL Jails book, both in 13.1 and 12.3, and it produces the same BRDGADD error in both cases, meaning (gasp!) MWL may possibly be fallible!

As ever, the working understood configuration is startlingly simpler than the monstrosities one tries along the way.

Thanks for the pointers.  Best wishes,

Norman


-- 
Norman Gray  :  https://nxg.me.uk
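The topology Kristof describes (bridge as switch plus host port, one epair per jail, subnet address on the bridge, routing/NAT out through the real NIC) as a worked example. This is an added script, not from the thread, the handbook or MWL's book; the names bridge0, the 10.42.0.0/24 subnet, jail roots under /jails and the helper names are assumptions. With DRY_RUN=1 it prints each command instead of executing it, so the plan can be reviewed on any machine; without it the commands need root on FreeBSD.

```shell
#!/bin/sh
# Added example (not from the thread). Builds: bridge0 <-> epairNa | epairNb in jail.
# Assumed values: bridge0, 10.42.0.0/24 as the jail subnet, jail roots under /jails.
# DRY_RUN=1 prints each command instead of running it.
set -eu

BRIDGE="${BRIDGE:-bridge0}"
HOST_ADDR="${HOST_ADDR:-10.42.0.1/24}"   # host's own address on the jail subnet
JAIL_ROOT="${JAIL_ROOT:-/jails}"

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

make_bridge() {
    # if_bridge is the switch AND the host's port on that switch, so the
    # host-side address for the jail subnet goes on the bridge interface itself.
    # Do not 'addm lo1': lo(4) is not Ethernet-framed, hence the BRDGADD error.
    run ifconfig "$BRIDGE" create
    run ifconfig "$BRIDGE" inet "$HOST_ADDR" up
    # Routing jail traffic out via the real NIC needs forwarding on the host;
    # the NAT itself is a pf.conf rule, e.g.:
    #   nat on $ext_if inet from 10.42.0.0/24 to any -> ($ext_if)
    run sysctl net.inet.ip.forwarding=1
}

attach_jail() {
    # $1 jail name, $2 epair index, $3 jail address with prefix length
    name=$1 idx=$2 addr=$3
    run ifconfig "epair${idx}" create
    run ifconfig "epair${idx}a" up
    run ifconfig "$BRIDGE" addm "epair${idx}a"        # 'a' end stays on the host, in the bridge
    run jail -c name="$name" path="$JAIL_ROOT/$name" \
        vnet vnet.interface="epair${idx}b" persist    # 'b' end moves into the jail's vnet
    run jexec "$name" ifconfig "epair${idx}b" inet "$addr" up
    run jexec "$name" route add default "${HOST_ADDR%/*}"   # gateway = the bridge address
}

# Entry point; after sourcing this file:  DRY_RUN=1 main www 10.42.0.11/24
main() {
    make_bridge
    attach_jail "$1" 0 "$2"
}
```

The jail end gets its address from inside the jail (via jexec) because once epair0b is in the jail's vnet the host no longer sees it; the bridge address doubles as the jails' default gateway, which is why it has to live on bridge0 rather than on a separate lo1.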