Net:Bridge (Network Bridge)

Posted on 2009-04-20 22:26 by wanderxjtu

A bridge is a way to connect two Ethernet segments together in a protocol-independent way. Packets are forwarded based on Ethernet address, rather than IP address (as a router does). Since forwarding is done at Layer 2, all protocols can pass transparently through a bridge.

Bridging and Firewalling

A Linux bridge is more powerful than a pure hardware bridge because it can also filter and shape traffic. The combination of bridging and firewalling is done with the companion project ebtables.

Status

The code is maintained as part of the 2.4 and 2.6 kernels available at kernel.org.

Possible future enhancements are:

  • Document STP filtering
  • Netlink interface to control bridges (prototype in 2.6.18)
  • STP should be in user space
  • Support RSTP and other 802.1d STP extensions

Downloading

Bridging is supported in the current 2.4 (and 2.6) kernels from all the major distributors. The required administration utilities are in the bridge-utils package in most distributions. Package releases are maintained on the Download page.

You can also build your own up-to-date version by getting the latest kernel from kernel.org and building the utilities from the source code in the bridge-utils GIT repository.

Kernel Configuration

You need to enable bridging in the kernel. Set "networking -> 802.1d Ethernet Bridging" to either yes or module.

Manual Configuration

Network cards

Before you start, make sure both network cards are set up and working properly. Don't set an IP address on them, and don't let the startup scripts run DHCP on the Ethernet interfaces either. The IP address must be set only after the bridge has been configured.

The command ifconfig should show both network cards, and they should be DOWN.

Module loading

In most cases, the bridge code is built as a module. If the module is configured and installed correctly, it will be loaded automatically on the first brctl command.

If your bridge-utilities have been built correctly and your kernel and bridge module are OK, then issuing a bare brctl should show a short command synopsis, as below:

# brctl
# commands:
  addbr <bridge> add bridge
  delbr <bridge> delete bridge
  addif <bridge> <device> add interface to bridge
  delif <bridge> <device> delete interface from bridge
  setageing <bridge> <time> set ageing time
  setbridgeprio <bridge> <prio> set bridge priority
  setfd <bridge> <time> set bridge forward delay
  sethello <bridge> <time> set hello time
  setmaxage <bridge> <time> set max message age
  setpathcost <bridge> <port> <cost> set path cost
  setportprio <bridge> <port> <prio> set port priority
  show show a list of bridges
  showmacs <bridge> show a list of mac addrs
  showstp <bridge> show bridge stp info
  stp <bridge> <state> turn stp on/off

Creating a bridge device

The command

 brctl addbr "bridgename"

creates a logical bridge instance with the name bridgename. You will need at least one logical instance to do any bridging at all. You can think of the logical bridge as a container for the interfaces taking part in the bridging. Each bridging instance is represented by a new network interface.

The corresponding shutdown command is:

 brctl delbr bridgename

Adding devices to a bridge

The command

 brctl addif bridgename device

adds the network device device to the bridge "bridgename". All the devices contained in a bridge act as one big network. It is not possible to add a device to multiple bridges or to bridge a bridge device, because that would make no sense. When a device is added, the bridge takes a short time to learn the Ethernet addresses on the segment before it starts forwarding.

The corresponding command to take an interface out of the bridge is:

 brctl delif bridgename device

Showing devices in a bridge

The brctl show command gives you a summary of the overall bridge status and the instances running, as shown below:

 # brctl addbr br549
 # brctl addif br549 eth0
 # brctl addif br549 eth1
 # brctl show
 bridge name   bridge id           STP enabled   interfaces
 br549         8000.00004c9f0bd2   no            eth0
                                                 eth1

Once a bridge is running, brctl showmacs will show the network addresses of the traffic being forwarded (and of the bridge itself):

 # brctl showmacs br549
 port no   mac addr            is local?   ageing timer
   1       00:00:4c:9f:0b:ae   no          17.84
   1       00:00:4c:9f:0b:d2   yes         0.00
   2       00:00:4c:9f:0b:d3   yes         0.00
   1       00:02:55:1a:35:09   no          53.84
   1       00:02:55:1a:82:87   no          11.53
   ...

The ageing time is the number of seconds a MAC address is kept in the forwarding database after the last packet from that MAC address was received. Entries in the forwarding database are timed out periodically to ensure they don't stay around forever. Normally there should be no need to modify this parameter, but it can be changed with (time is in seconds):

 # brctl setageing bridgename time

Setting the ageing time to zero makes all entries permanent.
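The showmacs listing above is the forwarding database that the ageing timer governs. The following script is an added example (not part of the original post or of bridge-utils) that reads a captured brctl showmacs listing and reports, per port, how many learned (non-local) addresses are present and which entries are about to age out. The listing embedded in SAMPLE_SHOWMACS is constructed in the layout of the post's output; on a real host you would feed it the output of brctl showmacs br549 instead.

```sh
#!/bin/sh
# Added example: summarise a "brctl showmacs" listing.
# SAMPLE_SHOWMACS is a constructed sample (same column layout as the post),
# not a capture from a real bridge.

SAMPLE_SHOWMACS='port no   mac addr            is local?   ageing timer
  1       00:00:4c:9f:0b:ae   no          17.84
  1       00:00:4c:9f:0b:d2   yes         0.00
  2       00:00:4c:9f:0b:d3   yes         0.00
  1       00:02:55:1a:35:09   no          53.84
  1       00:02:55:1a:82:87   no          11.53
  2       00:02:55:1a:90:01   no          298.10'

# learned_per_port <showmacs text>
# Prints "port<TAB>count" lines, counting only entries whose "is local?"
# column is "no", i.e. addresses learned from traffic rather than the
# bridge's own ports.  The header line (NR == 1) is skipped.
learned_per_port() {
    printf '%s\n' "$1" | awk 'NR > 1 && $3 == "no" { n[$1]++ }
        END { for (p in n) printf "%s\t%d\n", p, n[p] }' | sort -n
}

# learned_count <showmacs text>
# Prints the total number of learned (non-local) entries.
learned_count() {
    printf '%s\n' "$1" | awk 'NR > 1 && $3 == "no" { n++ } END { print n + 0 }'
}

# near_expiry <showmacs text> <bridge ageing time in seconds> [<slack>]
# Prints "port mac timer" for learned entries whose ageing timer is within
# <slack> seconds (default 10) of the bridge ageing time, i.e. entries the
# bridge is about to forget because no frame from that MAC has arrived.
near_expiry() {
    printf '%s\n' "$1" | awk -v limit="$2" -v slack="${3:-10}" \
        'NR > 1 && $3 == "no" && $4 + slack >= limit { print $1, $2, $4 }'
}

# Stand-alone usage against the constructed sample, assuming the default
# ageing time of 300 seconds shown in the post's showstp output.
learned_per_port "$SAMPLE_SHOWMACS"
near_expiry "$SAMPLE_SHOWMACS" 300
```

Only entries marked "no" in the "is local?" column are counted, so the bridge's own addresses never inflate the per-port figures; a port whose learned-address count grows far beyond the number of hosts known to sit behind it is worth a closer look.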

Spanning Tree Protocol

If you are running multiple or redundant bridges, then you need to enable the Spanning Tree Protocol (STP) to handle multiple hops and avoid forwarding loops:

 # brctl stp br549 on

You can see the STP parameters with:

 # brctl showstp br549
 br549
  bridge id              8000.00004c9f0bd2
  designated root        0000.000480295a00
  root port                 1                 path cost                104
  max age                  20.00              bridge max age           200.00
  hello time                2.00              bridge hello time         20.00
  forward delay           150.00              bridge forward delay      15.00
  ageing time             300.00              gc interval                0.00
  hello timer               0.00              tcn timer                  0.00
  topology change timer     0.00              gc timer                   0.33
  flags

 eth0 (1)
  port id                8001                state                forwarding
  designated root        0000.000480295a00   path cost                100
  designated bridge      001e.00048026b901   message age timer         17.84
  designated port        80c1                forward delay timer        0.00
  designated cost           4                hold timer                 0.00
  flags

 eth1 (2)
  port id                8002                state                  disabled
  designated root        8000.00004c9f0bd2   path cost                100
  designated bridge      8000.00004c9f0bd2   message age timer          0.00
  designated port        8002                forward delay timer        0.00
  designated cost           0                hold timer                 0.00
  flags
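Two things an operator wants from that listing are whether this bridge has been elected root (its bridge id equals the designated root) and which ports are actually forwarding. The script below is an added example, not part of the original post or of bridge-utils, that extracts both from a captured brctl showstp listing. SAMPLE_SHOWSTP is a constructed copy in the layout of the post's output; on a real host it would come from brctl showstp br549.

```sh
#!/bin/sh
# Added example: answer "am I root?" and "which ports are in state X?"
# from a "brctl showstp" listing.  SAMPLE_SHOWSTP is a constructed sample
# in the post's layout (port headers such as "eth0 (1)" start at column 0,
# parameter lines are indented by one space).

SAMPLE_SHOWSTP='br549
 bridge id              8000.00004c9f0bd2
 designated root        0000.000480295a00
 root port                 1                 path cost                104
 max age                  20.00              bridge max age           200.00
 hello time                2.00              bridge hello time         20.00
 forward delay           150.00              bridge forward delay      15.00
 ageing time             300.00              gc interval                0.00
 hello timer               0.00              tcn timer                  0.00
 topology change timer     0.00              gc timer                   0.33
 flags

eth0 (1)
 port id                8001                state                forwarding
 designated root        0000.000480295a00   path cost                100
 designated bridge      001e.00048026b901   message age timer         17.84
 designated port        80c1                forward delay timer        0.00
 designated cost           4                hold timer                 0.00
 flags

eth1 (2)
 port id                8002                state                  disabled
 designated root        8000.00004c9f0bd2   path cost                100
 designated bridge      8000.00004c9f0bd2   message age timer          0.00
 designated port        8002                forward delay timer        0.00
 designated cost           0                hold timer                 0.00
 flags'

# stp_bridge_id <showstp text>: this bridge's own id (priority.MAC)
stp_bridge_id() {
    printf '%s\n' "$1" | awk '$1 == "bridge" && $2 == "id" { print $3; exit }'
}

# stp_designated_root <showstp text>: the root bridge id as seen by this
# bridge (only the first "designated root" line is bridge-level; the
# per-port ones that follow are skipped by the exit).
stp_designated_root() {
    printf '%s\n' "$1" | awk '$1 == "designated" && $2 == "root" { print $3; exit }'
}

# stp_is_root <showstp text>: "yes" if this bridge is the spanning-tree
# root, otherwise "no".  The post notes the root is chosen by lowest
# priority, so an unexpected root is worth investigating.
stp_is_root() {
    if [ "$(stp_bridge_id "$1")" = "$(stp_designated_root "$1")" ]; then
        echo yes
    else
        echo no
    fi
}

# stp_ports_in_state <showstp text> <state>: names of the ports whose
# "port id ... state <state>" line matches, e.g. forwarding, disabled,
# listening, learning, blocking.
stp_ports_in_state() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^[^ ].*\([0-9]+\)$/           { port = $1 }       # "eth0 (1)" header
        $1 == "port" && $2 == "id" && $NF == want { print port }'
}

# Stand-alone usage against the constructed sample.
echo "root bridge: $(stp_is_root "$SAMPLE_SHOWSTP")"
echo "forwarding ports: $(stp_ports_in_state "$SAMPLE_SHOWSTP" forwarding)"
```

In the sample, br549 (id 8000.00004c9f0bd2) is not the root because another bridge with the lower id 0000.000480295a00 won the election, and only eth0 is forwarding.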

STP tuning

There are a number of parameters related to the Spanning Tree Protocol that can be configured. The code autodetects the speed of the link and other parameters, so these usually don't need to be changed.

Bridge priority

Each bridge has a relative priority and cost. Each interface is associated with a port (number) in the STP code. Each has a priority and a cost that are used to decide which is the shortest path on which to forward a packet. The lowest-cost path is always used unless the other path is down. If you have multiple bridges and interfaces, then you may need to adjust the priorities to achieve optimum performance.

 # brctl setbridgeprio bridgename priority

The bridge with the lowest priority will be elected as the root bridge. The root bridge is the "central" bridge in the spanning tree.

Path priority and cost

Each interface in a bridge could have a different speed, and this value is used when deciding which link to use. Faster interfaces should have lower costs.

 # brctl setpathcost bridge port cost

For multiple ports with the same cost there is also a priority.

Forwarding delay

The forwarding delay is the time spent in each of the Listening and Learning states before the Forwarding state is entered. The delay exists so that when a new bridge joins a busy network it observes some traffic before participating.

 # brctl setfd bridgename time

Hello time

Periodically, a hello packet is sent out by the Root Bridge and the Designated Bridges. Hello packets are used to communicate information about the topology throughout the entire Bridged Local Area Network.

 # brctl sethello bridgename time

Max age

If another bridge in the spanning tree does not send out a hello packet for a long period of time, it is assumed to be dead. This timeout is set with:

 # brctl setmaxage bridgename time

Sample setup

The basic setup of a bridge is done like this:

 # ifconfig eth0 0.0.0.0
# ifconfig eth1 0.0.0.0
# brctl addbr mybridge
# brctl addif mybridge eth0
# brctl addif mybridge eth1
# ifconfig mybridge up

This sets the host up as a pure bridge: it has no IP address of its own, so it cannot be remotely accessed (or attacked) via TCP/IP.
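The six-command sequence above is easy to get wrong on a live host (an interface that still carries an address, or a command that fails half-way). The script below is an added example, not part of the original post or of bridge-utils, that wraps the same sequence with a pre-flight check and a dry-run mode: DRY_RUN=1 prints the commands instead of executing them, and, when run for real, an interface that still has an IPv4 address is refused, as the post requires. The ifconfig output used by has_ip is parsed from whatever the caller passes in, so the check itself can be exercised on constructed text without root.

```sh
#!/bin/sh
# Added example: build a pure (IP-less) bridge as in the post, with a
# pre-flight check and a dry-run mode.  Not the project's own script.
# Set DRY_RUN=1 to print the commands instead of executing them.

# run <cmd> [<args>...]: execute the command, or just print it when
# DRY_RUN=1 so the sequence can be reviewed before touching live interfaces.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# has_ip <ifconfig output for one interface>
# Succeeds when the text shows an IPv4 address ("inet addr:10.0.0.1" in the
# classic ifconfig format, "inet 10.0.0.1" in the newer one).  The post
# says the interfaces must have no address before being added to a bridge,
# so this is the guard used by preflight().
has_ip() {
    printf '%s\n' "$1" | grep -Eq 'inet (addr:)?[0-9]'
}

# preflight <bridge> <iface>...: refuse to continue if any interface still
# carries an IPv4 address (queried with ifconfig, so needs a real host).
preflight() {
    shift                                  # bridge name is not checked
    for dev in "$@"; do
        if has_ip "$(ifconfig "$dev" 2>/dev/null)"; then
            echo "refusing: $dev still has an IP address; clear it first" >&2
            return 1
        fi
    done
}

# bridge_cmds <bridge> <iface>...: the ordered command list from the post,
# one command per line, for review or for piping to sh on the real host.
bridge_cmds() {
    br="$1"; shift
    for dev in "$@"; do echo "ifconfig $dev 0.0.0.0"; done
    echo "brctl addbr $br"
    for dev in "$@"; do echo "brctl addif $br $dev"; done
    echo "ifconfig $br up"
}

# make_bridge <bridge> <iface>...: run the pre-flight check (skipped in
# dry-run mode) and then the sequence through run().
make_bridge() {
    [ "${DRY_RUN:-0}" = "1" ] || preflight "$@" || return 1
    bridge_cmds "$@" | while read -r line; do
        # shellcheck disable=SC2086  (word splitting is intended here)
        run $line
    done
}

# Stand-alone usage: dry-run the setup for mybridge over eth0 and eth1.
DRY_RUN=1
make_bridge mybridge eth0 eth1
```

Running it without DRY_RUN requires root and a kernel with bridging enabled; the dry run is the version to review first, and bridge_cmds on its own gives a script you can keep alongside the host's change record.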

Optionally, you can configure the virtual interface mybridge to take part in your network. It behaves like a single interface (like a normal network card), and you configure it exactly that way, replacing the previous command with something like:

 # ifconfig mybridge 192.168.100.5 netmask 255.255.255.0

If you want your bridge to get its IP address automatically from the ADSL modem via DHCP (or a similar configuration), do this:

 # ifconfig eth0 0.0.0.0
# ifconfig eth1 0.0.0.0
# brctl addbr mybridge
# brctl addif mybridge eth0
# brctl addif mybridge eth1
# dhclient mybridge

If you do this many times, you may end up with lots of dhclient processes. Either kill them impolitely or learn about omshell(1).

Configuration with /etc/net

In /etc/net we first configure two Ethernet devices, port0 and port1:

 # cat >> /etc/net/iftab
port0 mac 00:13:46:66:01:5e
port1 mac 00:13:46:66:01:5f
^D
# mkdir /etc/net/ifaces/port0
# cat > /etc/net/ifaces/port0/options
TYPE=eth
MODULE=via-rhine
# mkdir /etc/net/ifaces/port1
# cat > /etc/net/ifaces/port1/options
TYPE=eth
MODULE=via-rhine
^D

Then we describe the bridge:

 # mkdir /etc/net/ifaces/mybridge
# cat > /etc/net/ifaces/mybridge/options
TYPE=bri
HOST='port0 port1'
^D
# cat > /etc/net/ifaces/mybridge/brctl
stp AUTO on
^D

Now we can use "ifup mybridge" to bring it up. port0 and port1 will be brought up automatically.



