Net:Bridge 网桥

Posted on 2009-04-20 22:26 by wanderxjtu (1552 views, 0 comments)

A bridge is a way to connect two Ethernet segments together in a protocol independent way. Packets are forwarded based on Ethernet address, rather than IP address (like a router). Since forwarding is done at Layer 2, all protocols can go transparently through a bridge.


Bridging and Firewalling


A Linux bridge is more powerful than a pure hardware bridge because it can also filter and shape traffic. The combination of bridging and firewalling is done with the companion project ebtables.




The code is updated as part of the 2.4 and 2.6 kernels available at

Possible future enhancements are:

  • Document STP filtering
  • Netlink interface to control bridges (prototype in 2.6.18)
  • STP should be in user space
  • Support RSTP and other 802.1d STP extensions


Bridging is supported in the current 2.4 (and 2.6) kernels from all the major distributors. The required administration utilities are in the bridge-utils package in most distributions. Package releases are maintained on the Download page.

You can also build your own up-to-date version by getting the latest kernel from and building the utilities from the source code in the bridge-utils GIT repository.



Kernel Configuration


You need to enable bridging in the kernel. Set "networking -> 802.1d Ethernet Bridging" to either yes or module.

Manual Configuration


Network cards


Before you start make sure both network cards are set up and working properly. Don't set the IP address, and don't let the startup scripts run DHCP on the ethernet interfaces either. The IP address needs to be set after the bridge has been configured.

The command ifconfig should show both network cards, and they should be DOWN.


Module loading


In most cases, the bridge code is built as a module. If the module is configured and installed correctly, it will get automatically loaded on the first brctl command.

If your bridge-utilities have been correctly built and your kernel and bridge module are OK, then issuing brctl without arguments should show a short command synopsis.



# brctl
commands:
        addbr           <bridge>                add bridge
        delbr           <bridge>                delete bridge
        addif           <bridge> <device>       add interface to bridge
        delif           <bridge> <device>       delete interface from bridge
        setageing       <bridge> <time>         set ageing time
        setbridgeprio   <bridge> <prio>         set bridge priority
        setfd           <bridge> <time>         set bridge forward delay
        sethello        <bridge> <time>         set hello time
        setmaxage       <bridge> <time>         set max message age
        setpathcost     <bridge> <port> <cost>  set path cost
        setportprio     <bridge> <port> <prio>  set port priority
        show                                    show a list of bridges
        showmacs        <bridge>                show a list of mac addrs
        showstp         <bridge>                show bridge stp info
        stp             <bridge> <state>        turn stp on/off

Creating a bridge device


The command


 brctl addbr "bridgename"

creates a logical bridge instance with the name bridgename. You will need at least one logical instance to do any bridging at all. You can interpret the logical bridge as a container for the interfaces taking part in the bridging. Each bridging instance is represented by a new network interface.

The corresponding shutdown command is:

 brctl delbr bridgename

Adding devices to a bridge


The command


 brctl addif bridgename device

adds the network device device to the bridge "bridgename". All the devices contained in a bridge act as one big network. It is not possible to add a device to multiple bridges or to bridge a bridge device, because it just wouldn't make any sense. When a device is added, the bridge takes a short amount of time to learn the Ethernet addresses on the segment before it starts forwarding.

The corresponding command to take an interface out of the bridge is:

 brctl delif bridgename device

Showing devices in a bridge


The brctl show command gives you a summary about the overall bridge status, and the instances running as shown below:

# brctl addbr br549
# brctl addif br549 eth0
# brctl addif br549 eth1
# brctl show
bridge name     bridge id               STP enabled     interfaces
br549           8000.00004c9f0bd2       no              eth0

Once a bridge is running, brctl showmacs shows the network addresses of the traffic being forwarded (and those of the bridge itself).

# brctl showmacs br549
port no mac addr                is local?       ageing timer
  1     00:00:4c:9f:0b:ae       no                17.84
  1     00:00:4c:9f:0b:d2       yes                0.00
  2     00:00:4c:9f:0b:d3       yes                0.00
  1     00:02:55:1a:35:09       no                53.84
  1     00:02:55:1a:82:87       no                11.53

The ageing time is the number of seconds a MAC address is kept in the forwarding database after the last packet was received from that address. Entries in the forwarding database are periodically timed out so that they don't stay around forever. Normally there is no need to modify this parameter, but it can be changed with (time is in seconds):


 # brctl setageing bridgename time

Setting ageing time to zero makes all entries permanent.
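The forwarding database that brctl showmacs prints is also a useful thing to audit: the learned (non-local) entries per port show what each segment looks like, and a port that suddenly learns far more addresses than it should, or entries that never age out, deserve a look. The following POSIX shell functions are an added example, not part of the original page or of bridge-utils; the column layout they assume is the one shown above, and the sample output is constructed (the br549 entries from the page plus one extra learned entry on port 2).

```shell
#!/bin/sh
# Added example (not from the page or bridge-utils): audit `brctl showmacs` output.
# Assumed column layout, as printed above:
#   port no  mac addr  is local?  ageing timer

# Constructed sample: the page's br549 output plus one learned entry on port 2.
SAMPLE_SHOWMACS='port no mac addr is local? ageing timer
1 00:00:4c:9f:0b:ae no 17.84
1 00:00:4c:9f:0b:d2 yes 0.00
2 00:00:4c:9f:0b:d3 yes 0.00
1 00:02:55:1a:35:09 no 53.84
1 00:02:55:1a:82:87 no 11.53
2 00:02:55:1a:99:01 no 3.10'

# learned_macs_per_port: stdin = showmacs output; prints "<port> <count>" for
# learned (is local? == no) entries, one line per port, sorted by port number.
learned_macs_per_port() {
    awk 'NR > 1 && $3 == "no" { n[$1]++ }
         END { for (p in n) print p, n[p] }' | sort -n
}

# flag_busy_ports THRESHOLD: stdin = showmacs output; prints the ports that
# have learned more than THRESHOLD MACs. Choose THRESHOLD per port: a port
# facing a single host should stay at 1, a port facing a whole segment higher.
flag_busy_ports() {
    learned_macs_per_port | awk -v t="$1" '$2 + 0 > t + 0 { print $1 }'
}

# entries_older_than SECONDS: stdin = showmacs output; prints learned MACs whose
# ageing timer already exceeds SECONDS, i.e. not heard from for that long.
entries_older_than() {
    awk -v s="$1" 'NR > 1 && $3 == "no" && $4 + 0 > s + 0 { print $2 }'
}

# Typical use on a live bridge (needs the bridge name from brctl show):
#   brctl showmacs br549 | flag_busy_ports 20
#   brctl showmacs br549 | entries_older_than 250
```

The sample run `printf '%s\n' "$SAMPLE_SHOWMACS" | flag_busy_ports 2` reports port 1, which has learned three addresses; with the default ageing time of 300 seconds, `entries_older_than 250` lists addresses that are about to be dropped from the database.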


Spanning Tree Protocol


If you are running multiple or redundant bridges, then you need to enable the Spanning Tree Protocol (STP) to handle multiple hops and avoid forwarding loops.


 # brctl stp br549 on

You can see the STP parameters with:


# brctl showstp br549
 bridge id              8000.00004c9f0bd2
 designated root        0000.000480295a00
 root port                 1                     path cost                104
 max age                  20.00                  bridge max age           200.00
 hello time                2.00                  bridge hello time         20.00
 forward delay           150.00                  bridge forward delay      15.00
 ageing time             300.00                  gc interval                0.00
 hello timer               0.00                  tcn timer                  0.00
 topology change timer     0.00                  gc timer                   0.33

eth0 (1)
 port id                8001                     state                forwarding
 designated root        0000.000480295a00        path cost                100
 designated bridge      001e.00048026b901        message age timer         17.84
 designated port        80c1                     forward delay timer        0.00
 designated cost           4                     hold timer                 0.00

eth1 (2)
 port id                8002                     state                disabled
 designated root        8000.00004c9f0bd2        path cost                100
 designated bridge      8000.00004c9f0bd2        message age timer          0.00
 designated port        8002                     forward delay timer        0.00
 designated cost           0                     hold timer                 0.00

STP tuning


There are a number of parameters related to the Spanning Tree Protocol that can be configured. The code autodetects the speed of the link and other parameters, so these usually don't need to be changed.


Bridge priority

Each bridge has a relative priority and cost. Each interface is associated with a port (number) in the STP code. Each port has a priority and a cost, which are used to decide which is the shortest path to forward a packet. The lowest-cost path is always used unless the other path is down. If you have multiple bridges and interfaces, then you may need to adjust the priorities to achieve optimum performance.


 # brctl setbridgeprio bridgename priority

The bridge with the lowest priority will be elected as the root bridge. The root bridge is the "central" bridge in the spanning tree.


Path priority and cost

Each interface in a bridge could have a different speed and this value is used when deciding which link to use. Faster interfaces should have lower costs.


 # brctl setpathcost bridge port cost

For multiple ports with the same cost there is also a priority, set with:


 # brctl setportprio bridge port prio


Forwarding delay

Forwarding delay time is the time spent in each of the Listening and Learning states before the Forwarding state is entered. This delay is so that when a new bridge comes onto a busy network it looks at some traffic before participating.


 # brctl setfd bridgename time

Hello time


Periodically, a hello packet is sent out by the Root Bridge and the Designated Bridges. Hello packets are used to communicate information about the topology throughout the entire Bridged Local Area Network.


 # brctl sethello bridgename time

Max age

If another bridge in the spanning tree does not send out a hello packet for a long period of time, it is assumed to be dead. This timeout is set with:


 # brctl setmaxage bridgename time
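Because the root bridge is simply whichever bridge has the lowest priority, it is worth checking from time to time that the designated root shown by brctl showstp is still the bridge you expect: if another device on the LAN starts advertising a lower priority, the whole tree is rebuilt around it and traffic paths change. The shell functions below are an added example, not code from the original page or from bridge-utils. They assume the id format shown above (four hex digits of priority, a dot, then the bridge MAC), and the sample output is the global part of the page's own showstp listing.

```shell
#!/bin/sh
# Added example (not from the page or bridge-utils): check the STP root election
# from `brctl showstp <bridge>` output. Assumed id format: pppp.mmmmmmmmmmmm,
# where pppp is the 16-bit priority in hex (8000 = 32768, the default).

# Constructed sample: the page's br549 showstp output, global section only.
SAMPLE_SHOWSTP='bridge id 8000.00004c9f0bd2
designated root 0000.000480295a00
root port 1 path cost 104
max age 20.00 bridge max age 200.00
hello time 2.00 bridge hello time 20.00
forward delay 150.00 bridge forward delay 15.00
ageing time 300.00 gc interval 0.00
hello timer 0.00 tcn timer 0.00
topology change timer 0.00 gc timer 0.33'

# bridge_id: stdin = showstp output; prints this bridge's own id.
bridge_id() {
    awk '$1 == "bridge" && $2 == "id" { print $3; exit }'
}

# designated_root: stdin = showstp output; prints the elected root's id.
# The first "designated root" line is the bridge-level one; the per-port
# sections repeat the key, so we stop after the first hit.
designated_root() {
    awk '$1 == "designated" && $2 == "root" { print $3; exit }'
}

# id_priority ID: prints the decimal STP priority encoded in an id such as
# 8000.00004c9f0bd2 (the part before the dot, read as hex).
id_priority() {
    echo $(( 0x${1%%.*} ))
}

# is_root_bridge: stdin = showstp output; prints yes when this bridge is the root.
is_root_bridge() {
    out=$(cat)
    if [ "$(printf '%s\n' "$out" | bridge_id)" = "$(printf '%s\n' "$out" | designated_root)" ]; then
        echo yes
    else
        echo no
    fi
}

# check_expected_root EXPECTED_ID: stdin = showstp output; prints ok when the
# designated root is the id you pinned earlier, otherwise "changed:<actual id>".
# Run it from cron against a known-good id to notice a root change.
check_expected_root() {
    actual=$(designated_root)
    if [ "$actual" = "$1" ]; then
        echo ok
    else
        echo "changed:$actual"
    fi
}

# Live use, e.g.:  brctl showstp br549 | check_expected_root 0000.000480295a00
```

On the page's sample, the bridge id 8000.00004c9f0bd2 decodes to priority 32768 while the designated root 0000.000480295a00 has priority 0, so br549 is not the root; to make it the root you would lower its priority with brctl setbridgeprio as described above.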

Sample setup


The basic setup of a bridge is done like:


 # ifconfig eth0
# ifconfig eth1
# brctl addbr mybridge
# brctl addif mybridge eth0
# brctl addif mybridge eth1
# ifconfig mybridge up

This sets the host up as a pure bridge: it has no IP address of its own, so it cannot be remotely accessed (or hacked) via TCP/IP.


Optionally you can configure the virtual interface mybridge to take part in your network. It behaves like a single interface (like a normal network card) and is configured exactly the same way, replacing the previous command (ifconfig mybridge up) with something like:


 # ifconfig mybridge netmask

If you want your bridge to automatically get its IP address from the ADSL modem via DHCP (or a similar configuration), do this:


 # ifconfig eth0
# ifconfig eth1
# brctl addbr mybridge
# brctl addif mybridge eth0
# brctl addif mybridge eth1
# dhclient mybridge

If you do this many times, you may end up with lots of dhclient processes. Either kill them impolitely or learn about omshell(1).
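The sample setup above only works cleanly when the member cards start out as the page requires: no IP address and DOWN, because the address belongs on the bridge interface, not on its members. The script below is an added example, not the page's own nor from bridge-utils: it parses classic net-tools ifconfig output for that precondition and refuses to build the bridge otherwise. The interface names mybridge, eth0 and eth1 are the page's; the ifconfig samples (including the 192.0.2.10 address) are constructed.

```shell
#!/bin/sh
# Added example (not from the page or bridge-utils): bring-up script for the
# sample setup with a precondition check on each member card. Assumes the
# classic net-tools `ifconfig <dev>` output format ("inet addr:" line, flags
# line beginning with UP).

# Constructed ifconfig output for a card that is already configured (bad)...
SAMPLE_IFCONFIG_CONFIGURED='eth0      Link encap:Ethernet  HWaddr 00:13:46:66:01:5e
          inet addr:192.0.2.10  Bcast:192.0.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'
# ... and for a card that is DOWN with no address (good).
SAMPLE_IFCONFIG_BARE='eth1      Link encap:Ethernet  HWaddr 00:13:46:66:01:5f
          BROADCAST MULTICAST  MTU:1500  Metric:1'

# iface_state: stdin = `ifconfig <dev>` output; prints has-ip, is-up or bare.
iface_state() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'inet addr:'; then
        echo has-ip
    elif printf '%s\n' "$out" | grep -qE '^[[:space:]]+UP[[:space:]]'; then
        echo is-up
    else
        echo bare
    fi
}

# setup_bridge BRIDGE DEV...: refuse unless every member is bare, then build
# the bridge the way the page does and bring it up last. Needs root; it is
# only run when BRIDGE_SETUP_RUN=1 is set (see the guard at the bottom).
setup_bridge() {
    br=$1; shift
    for dev in "$@"; do
        state=$(ifconfig "$dev" | iface_state)
        if [ "$state" != bare ]; then
            echo "refusing: $dev is $state; remove its address and take it down first" >&2
            return 1
        fi
    done
    brctl addbr "$br" || return 1
    for dev in "$@"; do
        brctl addif "$br" "$dev" || return 1
        ifconfig "$dev" up || return 1     # member ports carry no address
    done
    ifconfig "$br" up                       # pure bridge; run dhclient "$br" here if it needs an address
}

# Explicit run only:  BRIDGE_SETUP_RUN=1 sh bridge-setup.sh
if [ "${BRIDGE_SETUP_RUN:-}" = 1 ]; then
    setup_bridge mybridge eth0 eth1
fi
```

Keeping the address off the members is also what makes the "pure bridge" of the first sample setup reachable only at Layer 2; giving a member its own address would reintroduce a TCP/IP foothold the text says the pure bridge does not have.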


Configuration with /etc/net

In /etc/net we first configure two ethernet devices port0 and port1:

 # cat >> /etc/net/iftab
port0 mac 00:13:46:66:01:5e
port1 mac 00:13:46:66:01:5f
# mkdir /etc/net/ifaces/port0
# cat > /etc/net/ifaces/port0/options
# mkdir /etc/net/ifaces/port1
# cat > /etc/net/ifaces/port1/options

Then we describe the bridge:


 # mkdir /etc/net/ifaces/mybridge
# cat > /etc/net/ifaces/mybridge/options
HOST='port0 port1'
# cat > /etc/net/ifaces/mybridge/brctl
stp AUTO on

Now we can use "ifup mybridge" to bring it up. port0 and port1 will be brought up automatically.
