Re: Why can't I add a loopback interface to a bridge?

From: Kristof Provost <kp_at_FreeBSD.org>
Date: Wed, 13 Jul 2022 21:09:33 UTC
On 13 Jul 2022, at 22:43, Norman Gray wrote:
> Why can't I add a loopback interface to a bridge?
>
The short answer is: because it’s not an Ethernet interface.

From the man page:

      The if_bridge driver creates a logical link between two or more IEEE 802
      networks that use the same (or “similar enough”) framing format.  For

> I thought I should be able to do this, and the fact that I can't 
> suggests I'm misunderstanding something significant.
>
> If I do
>
>     # ifconfig bridge create
>     bridge0
>     # ifconfig lo create
>     lo1
>     # ifconfig bridge0 addm lo1
>     ifconfig: BRDGADD lo1: Invalid argument
>     #
>
That’s expected, yes.
That will happen whenever you try to add something that’s not Ethernet 
(or close enough) to a bridge.

> What I'm aiming to do is to set up a bridge to VNET-isolated jails, so 
> I can subsequently selectively route and NAT packets from those jails 
> to the rest of the network.
>
> My mental model here is that I create an interface lo1 and then 'plug 
> it in to the bridge', so that I can subsequently forward packets from 
> lo1 to the real network interface.  This mental model is clearly 
> defective, but I can't see where.
>
Your model is indeed incorrect. An if_bridge is not just a switch, but 
also a NIC that’s plugged into that switch.
So to do what you’re trying to do you’d add an epair interface for 
each jail, put one end in the bridge and the other in the jail.
You’d assign the subnet(s) you want the jails to use to the bridge 
interface, and to the jailed interfaces.

Kristof
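
The epair-per-jail layout described in the reply above, written out as FreeBSD commands. This is an added example, not part of the original message; the jail names j1 and j2, the 10.0.0.0/24 subnet and the DRY_RUN switch (which prints the commands instead of running them) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original message. Jail names, subnet and the
# DRY_RUN switch are assumptions chosen for illustration.
DRY_RUN="${DRY_RUN:-1}"     # 1 = print the commands only, 0 = execute them
BRIDGE_ADDR="10.0.0.1/24"   # constructed sample: host address on the jail subnet

# Print the command in dry-run mode, run it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# The bridge is both the switch and the host's NIC on it, so the host-side
# address goes on the bridge itself; no loopback member is involved.
setup_bridge() {
    if [ "$DRY_RUN" = 1 ]; then
        bridge="bridge0"; echo "ifconfig bridge create"
    else
        bridge=$(ifconfig bridge create)   # prints the new name, e.g. bridge0
    fi
    run ifconfig "$bridge" inet "$BRIDGE_ADDR" up
}

# attach_jail NAME ADDR INDEX
# One epair per jail: the "a" end joins the bridge, the "b" end moves into
# the jail's VNET and gets an address from the same subnet.
attach_jail() {
    name=$1; addr=$2; idx=$3
    if [ "$DRY_RUN" = 1 ]; then
        a="epair${idx}a"; echo "ifconfig epair create"   # predicted name
    else
        a=$(ifconfig epair create)         # prints the "a" end, e.g. epair0a
    fi
    b="${a%a}b"                            # matching "b" end of the pair
    run ifconfig "$bridge" addm "$a"
    run ifconfig "$a" up
    run jail -c name="$name" vnet persist
    run ifconfig "$b" vnet "$name"
    run jexec "$name" ifconfig "$b" inet "$addr" up
}

plan() {
    setup_bridge
    attach_jail j1 10.0.0.2/24 0
    attach_jail j2 10.0.0.3/24 1
}

plan
```

Run with `DRY_RUN=0` as root on the FreeBSD host to apply the commands rather than print them.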