How to configure a bridge so that packets are only exchanged with the bridge interface?

To recreate a mesh network topology, I like to connect multiple network namespaces. Each connection end is an interface in such a namespace.

Now I need to connect all end point interfaces in a namespace into one. Bridges come to mind, but they do not behave the way I need them to, because they do routing on their own.

So I need to make the bridge act as a hub and block communication between the interfaces of the bridge.

To configure the bridge to act as a hub:

ip link set "br0" type bridge stp_state 0
ip link set "br0" type bridge ageing_time 0
ip link set "br0" type bridge forward_delay 0

(this should cause all packets to be flooded to all other interfaces, except the sender)

But how do I block any traffic between the interfaces of the bridge?

mwarning

Posted 2019-10-08T16:14:57.690

Reputation: 113

Are there other interfaces besides eth0 and eth1? If not, then why are you bridging them if you don't want them to talk? – LawrenceC – 2019-10-08T16:24:26.713

It's for testing mesh routing software. I want to create a network topology. This means that packets need to be resent by applications and not forwarded by the bridge between eth0 and eth1. – mwarning – 2019-10-08T20:18:42.847

Then don't put them in a bridge. – LawrenceC – 2019-10-08T20:21:34.240

but the packets have to arrive on the same interface (which is the bridge interface) – mwarning – 2019-10-08T20:41:55.290

Bridges take multiple interfaces and make them act as one. They are like the software version of Ethernet switches. If you don't want traffic to move between them then you don't want a bridge. You may be wanting to do VLANs or tunnels which is something different. Update your question to include the mesh routing software you're working with because at the moment what you're asking doesn't make much sense. :) – LawrenceC – 2019-10-08T21:22:44.377

@LawrenceC ok, I rewrote the pretext of the question. – mwarning – 2019-10-08T21:39:11.397

Answers

You can do this by setting all of the bridge's ports as isolated except one; that one is left non-isolated so the isolated ports can still communicate with it. It's a concept similar to Private VLAN, aka port isolation, where the non-isolated port would be called the uplink.

from man bridge:

bridge link set - set bridge specific attributes on a port

[...]

isolated on or isolated off
Controls whether a given port will be isolated, which means it will be able to communicate with non-isolated ports only. By default this flag is off.

This non-isolated port can't be the bridge's implicit self port (at least as far as I could figure out from tests). So you can't, for example, put an IP directly on the bridge. Instead, you leave the bridge bare and add a new veth pair: one end as a bridge port, the other with the IP. This will be the "uplink".

Let's suppose you already enslaved interfaces veth0, veth1 and veth2, linking other namespaces, to br0. After they became bridge ports, you'd have to do:

for i in veth0 veth1 veth2; do bridge link set dev "$i" isolated on; done   # bridge(8) expects the "dev" keyword before the port name

Now these ports can't communicate among themselves, only with non-isolated ports.

Add the uplink interface (a veth with both ends staying in the current namespace) and configure it:

ip link add name uplink type veth peer name bridgeuplinkport
ip link set bridgeuplinkport master br0
ip link set bridgeuplinkport up
ip link set uplink up
ip address add dev uplink 192.0.2.10/24 # for example

A.B

Posted 2019-10-08T16:14:57.690

Reputation: 2 008

Thanks, this looks good. I will respond as soon as I can test it. – mwarning – 2019-10-09T09:59:37.153

Looks good! https://github.com/mwarning/meshnet-lab

– mwarning – 2019-10-09T15:25:08.180
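The recipe from the answer above, gathered into one script as an added example (it is not code from the question, the answer, or the meshnet-lab project): the bridge is created with STP and MAC learning off so it floods like a hub, every namespace-facing port is enslaved and marked isolated, and a veth pair supplies the one non-isolated "uplink" port that carries the address. The bridge name br0, the port names veth0..veth2 and the address 192.0.2.10/24 are taken from the thread; the function names and the DRY_RUN switch are assumptions of this example. Run it as root with the argument apply to configure a live system, or with plan (or DRY_RUN=1) to only print the commands it would execute.

```shell
#!/bin/sh
# Added example: build a "hub-like" bridge whose ports can only talk to the uplink.
# Names (br0, veth0..veth2, uplink/bridgeuplinkport) follow the answer; DRY_RUN is ours.

: "${DRY_RUN:=0}"

# Execute a command, or print it when DRY_RUN=1 so the plan can be reviewed first.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create the bridge with STP off, no MAC learning (ageing_time 0) and no forward delay.
# With learning disabled every frame is flooded to all ports the sender may reach.
hub_bridge_create() {
    br=$1
    run ip link add name "$br" type bridge
    run ip link set "$br" type bridge stp_state 0 ageing_time 0 forward_delay 0
    run ip link set "$br" up
}

# Enslave each namespace-facing port and mark it isolated: the kernel then only
# forwards its frames to non-isolated ports, never to another isolated port.
hub_bridge_isolate_ports() {
    br=$1; shift
    for port in "$@"; do
        run ip link set "$port" master "$br"
        run bridge link set dev "$port" isolated on
        run ip link set "$port" up
    done
}

# Add the non-isolated uplink as a veth pair that stays in this namespace.
# One end becomes a (non-isolated) bridge port, the address goes on the other end.
hub_bridge_add_uplink() {
    br=$1; addr=$2
    run ip link add name uplink type veth peer name bridgeuplinkport
    run ip link set bridgeuplinkport master "$br"
    run ip link set bridgeuplinkport up
    run ip link set uplink up
    run ip address add dev uplink "$addr"
}

# Whole procedure: bridge, isolated ports, then the uplink.
hub_bridge_setup() {
    br=$1; addr=$2; shift 2
    hub_bridge_create "$br"
    hub_bridge_isolate_ports "$br" "$@"
    hub_bridge_add_uplink "$br" "$addr"
}

# Post-apply check: succeeds when the kernel reports the port flag as "isolated on".
# "bridge -d link show dev PORT" prints the per-port flags, including isolated.
hub_bridge_port_is_isolated() {
    bridge -d link show dev "$1" 2>/dev/null | grep -q 'isolated on'
}

case "${1:-}" in
    apply) hub_bridge_setup br0 192.0.2.10/24 veth0 veth1 veth2 ;;
    plan)  DRY_RUN=1; hub_bridge_setup br0 192.0.2.10/24 veth0 veth1 veth2 ;;
esac
```

After apply, `hub_bridge_port_is_isolated veth0` should succeed while `hub_bridge_port_is_isolated bridgeuplinkport` should fail; a ping from one namespace to 192.0.2.10 should work while a ping between two namespaces through the bridge should not.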