Re: Why can't I add a loopback interface to a bridge?
Date: Thu, 14 Jul 2022 17:31:50 UTC
On Thu, Jul 14, 2022 at 9:54 AM Norman Gray <gray@nxg.name> wrote:
>
> Kristof, hello.
>
> On 13 Jul 2022, at 22:09, Kristof Provost wrote:
>
> > On 13 Jul 2022, at 22:43, Norman Gray wrote:
> >> Why can't I add a loopback interface to a bridge?
> >>
> > The short answer is: because it's not an Ethernet interface.
> >
> > From the man page:
> >
> >     The if_bridge driver creates a logical link between two or more
> >     IEEE 802 networks that use the same (or "similar enough") framing
> >     format. For
>
> Aha -- this is key. I'm pretty sure I've 'read' that manpage before, but
> not, I suspect, when I was in a position to make sufficiently full sense
> of it.
>
> 'Similar enough' is a worryingly vague term, but I suspect it's not one
> I'm likely to fall foul of in any practical sense.
>
> >> What I'm aiming to do is to set up a bridge to VNET-isolated jails, so
> >> I can subsequently selectively route and NAT packets from those jails
> >> to the rest of the network.
> >>
> >> My mental model here is that I create an interface lo1 and then 'plug
> >> it in to the bridge', so that I can subsequently forward packets from
> >> lo1 to the real network interface. This mental model is clearly
> >> defective, but I can't see where.
> >>
> > Your model is indeed incorrect. An if_bridge is not just a switch, but
> > also a NIC that's plugged into that switch.
> >
> > So to do what you're trying to do you'd add an epair interface for each
> > jail, put one end in the bridge and the other in the jail.
> >
> > You'd assign the subnet(s) you want the jails to use to the bridge
> > interface, and to the jailed interfaces.
>
> So it's a switch that already has one port plugged in to the host (ish?)
>
> This is implied by the mention of assigning an address to the bridge, in
> Sect. 32.6.1 of the handbook, but the change in mental model makes that
> section a lot more readily parseable.
>
> Incidentally, I tried the specific jails configuration from the MWL Jails
> book, both in 13.1 and 12.3, and it produces the same BRDGADD error in
> both cases, meaning (gasp!) MWL may possibly be fallible!
>
> As ever, the working understood configuration is startlingly simpler than
> the monstrosities one tries along the way.
>
> Thanks for the pointers. Best wishes,
>
> Norman
>
> --
> Norman Gray : https://nxg.me.uk

What may be missing is the concept that a bridge is a layer 2 connection
between two or more 802-like devices. Such devices use MAC addresses, and
an IP address is a layer 3 entity. Trying to mix such on a bridge would
imply a routing capability (layer 3), which really does not make sense
with a layer 2 device.

--
Kevin Oberman, Part time kid herder and retired Network Engineer
E-mail: rkoberman@gmail.com
PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683
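The bridge-plus-epair layout Kristof describes above, written out as an added shell example; it is not code from the thread, the FreeBSD handbook or the MWL book. The interface names (bridge0, epairN), the jail name "www", the 10.0.0.0/24 subnet and the two ifconfig output samples used by the membership check are all assumptions or constructed values. With DRY_RUN=1 (the default) the ifconfig/jexec commands are printed instead of executed, so the plan can be reviewed before touching a live host.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the topology Kristof describes:
# one if_bridge that is both the switch and the host's own port on it, plus
# one epair per VNET jail, with the "a" end in the bridge and the "b" end
# moved into the jail. Names (bridge0, epairN, jail "www") and the subnet
# 10.0.0.0/24 are assumptions. The jail must already be running with vnet
# before its epair end can be moved in.

DRY_RUN="${DRY_RUN:-1}"

# Print the command under DRY_RUN=1, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# A bridge member has to be an 802-style interface, which in "ifconfig <if>"
# output shows up as an "ether" line carrying a MAC address. lo(4) has no such
# line, which is the reason "ifconfig bridge0 addm lo1" fails with BRDGADD.
# Takes the ifconfig text as an argument so the check runs offline.
is_bridgeable() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*ether '
}

# Create the bridge and give it the host-side address. The host reaches the
# jails through the bridge interface itself, not through a loopback.
setup_bridge() {
    bridge="$1"; host_cidr="$2"
    run ifconfig "$bridge" create
    run ifconfig "$bridge" inet "$host_cidr" up
}

# Attach one jail. The uplink NIC is deliberately not made a member: the host
# routes and NATs between the bridge subnet and the real network instead,
# which is what the original poster set out to do.
attach_jail() {
    bridge="$1"; jail="$2"; idx="$3"; jail_cidr="$4"
    run ifconfig "epair${idx}" create              # creates epair${idx}a and epair${idx}b
    run ifconfig "$bridge" addm "epair${idx}a"
    run ifconfig "epair${idx}a" up
    run ifconfig "epair${idx}b" vnet "$jail"       # hand the b end to the jail's vnet
    run jexec "$jail" ifconfig "epair${idx}b" inet "$jail_cidr" up
}

# Constructed ifconfig output (not captured from a real host) for the
# membership check: a loopback clone and one end of an epair.
LO1_OUTPUT='lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    inet 127.0.1.1 netmask 0xffffffff
    groups: lo'
EPAIR_OUTPUT='epair0a: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 02:00:00:00:00:0a
    groups: epair'

if is_bridgeable "$LO1_OUTPUT"; then
    echo "lo1: bridgeable"
else
    echo "lo1: not bridgeable (no ether address), do not addm it"
fi
if is_bridgeable "$EPAIR_OUTPUT"; then
    echo "epair0a: bridgeable"
fi

setup_bridge bridge0 10.0.0.1/24
attach_jail bridge0 www 0 10.0.0.10/24
```

Run it as-is to see the command plan; run it with DRY_RUN=0 as root on a FreeBSD host where the "www" jail is already up to apply it. The membership check only inspects text, so on a live host pass it `"$(ifconfig lo1)"` or `"$(ifconfig epair0a)"` before calling addm.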