ifconfig: BRDGADD lo1: invalid argument
o***@io7m.com
2016-06-25 16:42:40 UTC
Hello.

I'm trying to create a bridge interface to isolate some jails on
private addresses. I'm on a near-pristine install of 10.3, updated to
10.3-p5 via freebsd-update.

The virtual interface to which the jails will be bound:

# ifconfig lo1 create

The bridge:

# ifconfig bridge create
bridge0
# ifconfig bridge0 addm em0
# ifconfig bridge0 addm lo1
ifconfig: BRDGADD lo1: Invalid argument

I can find one reference to this error message online from 2007:

https://lists.freebsd.org/pipermail/freebsd-net/2007-December/016102.html

... but this doesn't appear to be the problem I'm having (it seems as
though it was caused by an out-of-sync kernel and world, which I
obviously don't have).

Any ideas how to get this working?

M
Marie Helene Kvello-Aune
2016-06-25 19:16:06 UTC
Check that lo1 has same MTU as bridge0.

Regards,
Marie Helene
Post by o***@io7m.com
Hello.
I'm trying to create a bridge interface to isolate some jails on
private addresses. I'm on a near-pristine install of 10.3, updated to
10.3-p5 via freebsd-update.
# ifconfig lo1 create
# ifconfig bridge create
bridge0
# ifconfig bridge0 addm em0
# ifconfig bridge0 addm lo1
ifconfig: BRDGADD lo1: Invalid argument
https://lists.freebsd.org/pipermail/freebsd-net/2007-December/016102.html
... but this doesn't appear to be the problem I'm having (it seems as
though it was caused by an out-of-sync kernel and world, which I
obviously don't have).
Any ideas how to get this working?
M
_______________________________________________
https://lists.freebsd.org/mailman/listinfo/freebsd-net
o***@io7m.com
2016-06-25 19:23:58 UTC
On 2016-06-25T19:16:06 +0000
Post by Marie Helene Kvello-Aune
Check that lo1 has same MTU as bridge0.
Regards,
Marie Helene
Hello!

Yes, I checked that (as one of the responses from the original thread
suggested).

Both lo1 and em0 (the real network adapter) have an MTU of 1500.

M
Marko Zec
2016-06-25 21:46:36 UTC
On Sat, 25 Jun 2016 16:42:40 +0000
Post by o***@io7m.com
Hello.
I'm trying to create a bridge interface to isolate some jails on
private addresses. I'm on a near-pristine install of 10.3, updated to
10.3-p5 via freebsd-update.
# ifconfig lo1 create
# ifconfig bridge create
bridge0
# ifconfig bridge0 addm em0
# ifconfig bridge0 addm lo1
ifconfig: BRDGADD lo1: Invalid argument
if_bridge(4) works only with ethernet interfaces, and lo(4) isn't such a
thing.

Assuming you are using vnet jails, take a look at if_epair(4): assign
one endpoint to the bridge, and the other one to the jail.

If you're not using vnet jails, you should simply add an alias address
to em0.
Post by o***@io7m.com
https://lists.freebsd.org/pipermail/freebsd-net/2007-December/016102.html
... but this doesn't appear to be the problem I'm having (it seems as
though it was caused by an out-of-sync kernel and world, which I
obviously don't have).
Any ideas how to get this working?
M
o***@io7m.com
2016-06-25 22:05:51 UTC
Hello!

On 2016-06-25T23:46:36 +0200
Post by Marko Zec
if_bridge(4) works only with ethernet interfaces, and lo(4) isn't such a
thing.
Has this always been the case? I'm almost certain that I set up jails
with extra loopback devices that communicated over bridges back in the
FreeBSD 6 days.
Post by Marko Zec
Assuming you are using vnet jails, take a look at if_epair(4): assign
one endpoint to the bridge, and the other one to the jail.
I'm not using vnet jails. I'm actually just trying to get filtering of
outbound traffic (see the other mail I sent to this list a few seconds
before you responded).
Post by Marko Zec
If you're not using vnet jails, you should simply add an alias address
to em0.
Could you explain a little more here?

M
Alan Somers
2016-06-26 00:13:18 UTC
Post by o***@io7m.com
Hello!
On 2016-06-25T23:46:36 +0200
Post by Marko Zec
if_bridge(4) works only with ethernet interfaces, and lo(4) isn't such a
thing.
Has this always been the case? I'm almost certain that I set up jails
with extra loopback devices that communicated over bridges back in the
FreeBSD 6 days.
Post by Marko Zec
Assuming you are using vnet jails, take a look at if_epair(4): assign
one endpoint to the bridge, and the other one to the jail.
I'm not using vnet jails. I'm actually just trying to get filtering of
outbound traffic (see the other mail I sent to this list a few seconds
before you responded).
Based on my experience, I highly recommend vnet jails if you want
outbound filtering. It's much simpler than trying to filter outbound
traffic from shared-IP jails.
Post by o***@io7m.com
Post by Marko Zec
If you're not using vnet jails, you should simply add an alias address
to em0.
Could you explain a little more here?
M
o***@io7m.com
2016-06-26 09:37:54 UTC
Hello.

On 2016-06-25T18:13:18 -0600
Post by Alan Somers
Post by o***@io7m.com
I'm not using vnet jails. I'm actually just trying to get filtering of
outbound traffic (see the other mail I sent to this list a few seconds
before you responded).
Based on my experience, I highly recommend vnet jails if you want
outbound filtering. It's much simpler than trying to filter outbound
traffic from shared-IP jails.
I'm trying to look at vnet jails, but they still seem to be mostly
undocumented and not entirely supported. Lots of fairly recent posts
online regarding panics in day-to-day use. Using them in production
seems risky. Is there something I should be looking at in particular?

When you say shared-IP jails, what exactly are you referring to? I'm
not sure what's shared in this case; I have one public IP (it's a VPS)
but individual jails are on their own private loopback addresses.

M
Alan Somers
2016-06-26 15:43:53 UTC
Post by o***@io7m.com
Hello.
On 2016-06-25T18:13:18 -0600
Post by Alan Somers
Post by o***@io7m.com
I'm not using vnet jails. I'm actually just trying to get filtering of
outbound traffic (see the other mail I sent to this list a few seconds
before you responded).
Based on my experience, I highly recommend vnet jails if you want
outbound filtering. It's much simpler than trying to filter outbound
traffic from shared-IP jails.
I'm trying to look at vnet jails, but they still seem to be mostly
undocumented and not entirely supported. Lots of fairly recent posts
online regarding panics in day-to-day use. Using them in production
seems risky. Is there something I should be looking at in particular?
I'm not sure how many known bugs they have. Adrian Chadd (adrian@) is
the best person to ask.
Post by o***@io7m.com
When you say shared-IP jails, what exactly are you referring to? I'm
not sure what's shared in this case; I have one public IP (it's a VPS)
but individual jails are on their own private loopback addresses.
A shared-IP jail is the traditional, non-vnet type. You assign an
alias address to one of the host's network interfaces, and then assign
that address to the jail. It's called "shared-IP" because both host
and jail can see a network interface with that IP address.
Post by o***@io7m.com
M
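The two layouts the replies describe, as an added example that is not part of the thread: Marko Zec's vnet layout (if_bridge(4) with em0 and the "a" end of an if_epair(4), the "b" end going into the jail) and the traditional shared-IP layout Alan Somers explains (an alias on the host NIC, then ip4.addr in jail.conf). The names em0, epair0, bridge0, the jail "web" under /usr/jails/web and the address 10.0.0.2 are assumptions. Off FreeBSD, or with DRYRUN=1, the ifconfig(8) commands are printed rather than executed; the is_ether_output check is the precondition the original "BRDGADD lo1: Invalid argument" violates, since lo(4) has no "ether" line.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed names: em0 is the host
# NIC, epair0 the pair for the vnet jail, 10.0.0.2 the jail's private
# address, "web" the jail name, /usr/jails/web its root.
#
# Off FreeBSD (or with DRYRUN=1) the ifconfig(8) commands are printed
# instead of run, so the sequences can be inspected on any system.

DRYRUN=${DRYRUN:-$([ "$(uname -s)" = FreeBSD ] && echo 0 || echo 1)}

run() {
    if [ "$DRYRUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# if_bridge(4) accepts only Ethernet members. ifconfig(8) shows those
# with an "ether" line, which lo(4) lacks. Reads ifconfig output on stdin.
is_ether_output() {
    grep -q '^[[:space:]]*ether [0-9a-f:]*$'
}

# Refuse a candidate member that would make BRDGADD fail with EINVAL.
check_member() {
    if ifconfig "$1" 2>/dev/null | is_ether_output; then return 0; fi
    echo "$1: not an Ethernet interface; bridge0 addm would fail" >&2
    return 1
}

# Layout 1 (vnet jail): host side only. em0 and epair0a join bridge0;
# jail(8) moves epair0b into the jail via vnet.interface (see below).
vnet_jail_net() {
    nic=$1
    [ "$DRYRUN" = 1 ] || check_member "$nic" || return 1
    run ifconfig bridge0 create
    run ifconfig bridge0 addm "$nic" up
    run ifconfig epair0 create
    run ifconfig bridge0 addm epair0a
    run ifconfig epair0a up
}

# jail.conf(5) entry for layout 1; the jail configures its own address.
jail_conf_vnet() {
    cat <<EOF
$1 {
    path = /usr/jails/$1;
    host.hostname = $1.example;
    vnet;
    vnet.interface = epair0b;
    exec.start = "/sbin/ifconfig epair0b 10.0.0.2/24 up; /bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
}
EOF
}

# Layout 2 (shared-IP jail): the jail's private address is an alias on
# the host NIC; no bridge and no lo1. With "interface = em0" in jail.conf
# jail(8) adds and removes the alias itself, so the manual alias here is
# only needed when the jail is started by hand without that line.
shared_ip_jail_net() {
    nic=$1 addr=$2
    run ifconfig "$nic" alias "$addr" netmask 255.255.255.255
}

# jail.conf(5) entry for layout 2: $2 is the host NIC, $3 the address.
jail_conf_shared() {
    cat <<EOF
$1 {
    path = /usr/jails/$1;
    host.hostname = $1.example;
    interface = $2;
    ip4.addr = $3;
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
}
EOF
}

case "${1:-}" in
    vnet)   vnet_jail_net em0; jail_conf_vnet web ;;
    shared) shared_ip_jail_net em0 10.0.0.2; jail_conf_shared web em0 10.0.0.2 ;;
    *)      DRYRUN=1; vnet_jail_net em0; shared_ip_jail_net em0 10.0.0.2 ;;
esac
```

Run as root on FreeBSD with `vnet` or `shared` as the argument to apply one layout and print the matching jail.conf entry; with no argument it prints both command sequences without touching anything. For the vnet layout the epair and bridge must exist before `jail -c web`, since vnet.interface only moves an interface that is already there.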