Linux Bridge With ‘brctl’ Tutorial

Ever wanted to set up your desktop computer as a network bridge? A bridge differs from a router in that it only looks at layer 2 traffic (MAC addresses), whereas a router inspects layer 3 of the OSI model (IP addresses). An interesting advantage of running a bridge on your Linux machine is that you can configure it as a transparent bridge with firewall filtering; you could even run something like Snort, an intrusion detection system, to monitor traffic on the wire. But these are discussions for another day. Here I would like to cover the functionality of the brctl command in Linux.

The brctl command lets the user talk to the kernel to configure the bridge. The brctl binary comes from the bridge-utils package, which is in the Debian and Ubuntu repositories. To use brctl you must be running as root or with sudo privileges. The set of commands that brctl provides is as follows:

# brctl 
Usage: brctl [commands]
commands:
        addbr           <bridge>                add bridge
        delbr           <bridge>                delete bridge
        addif           <bridge> <device>       add interface to bridge
        delif           <bridge> <device>       delete interface from bridge
        setageing       <bridge> <time>         set ageing time
        setbridgeprio   <bridge> <prio>         set bridge priority
        setfd           <bridge> <time>         set bridge forward delay
        sethello        <bridge> <time>         set hello time
        setmaxage       <bridge> <time>         set max message age
        setpathcost     <bridge> <port> <cost>  set path cost
        setportprio     <bridge> <port> <prio>  set port priority
        show                                    show a list of bridges
        showmacs        <bridge>                show a list of mac addrs
        showstp         <bridge>                show bridge stp info
        stp             <bridge> {on|off}       turn stp on/off

Display All Bridge Interfaces

To see all current bridge interfaces, execute the command:

# brctl show
bridge name     bridge id               STP enabled     interfaces

As you can see, I currently have no bridge interfaces: only the column headers are printed. So let's add a bridge interface.

Create A Bridge

To create a bridge interface simply run the command:

# brctl addbr br0

Most people name their initial bridge ‘br0’; you will see that on most OpenWRT or DD-WRT routers. Now if we list our interfaces using ifconfig we can see the new interface. I will also bring the interface up.

# ifconfig br0 up
# ifconfig br0
br0       Link encap:Ethernet  HWaddr 26:bc:c7:e4:68:20  
          inet6 addr: fe80::24bc:c7ff:fee4:6820/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:168 (168.0 B)

Our bridge is just like any other interface; it can even have an IP address assigned to it if you want (using ifconfig). Let's display our current bridges now:

# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.000000000000       no

You will notice that STP is not enabled. STP is the Spanning Tree Protocol, which is used to avoid bridging loops; we can enable it with a brctl command I will outline later. You can also see that our bridge has no interfaces in it yet. Let's add an interface.

Add Interfaces To A Bridge

To add an interface to your bridge is simple:

# brctl addif br0 eth0
# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.001a921ddc9b       no              eth0

Notice how the bridge id changed once I added the interface. The bridge will also take on the MAC address of the first interface added to your bridge.

To make it a true bridge, we should have two interfaces in it, so we execute the same command again:

# brctl addif br0 eth1
# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.001a921ddc9b       no              eth0
                                                        eth1

To remove interfaces from the bridge we use the delif command of brctl.

Remove Interface From A Bridge

To remove eth1 from our bridge we can enter the command:

# brctl delif br0 eth1
# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.001a921ddc9b       no              eth0

Those are the basic operations: creating a bridge, and adding and removing its interfaces. There are a few more commands I would like to outline, including STP.

Turning STP On For Your Bridge

To configure your bridge to participate in a spanning tree, you can enter the command:

# brctl stp br0 on
# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.001a921ddc9b       yes             eth0
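Putting the steps above together, here is an added example script (not from the original post) that builds a two-port transparent bridge with the checks an interactive session skips: it validates interface names before they reach brctl, turns STP on before the ports are enslaved so a miscabled loop is handled from the start, clears each port's own IPv4 address so the port only forwards, and includes a small parser for brctl show output that flags bridges with two or more ports and STP still off. The names br0, eth0 and eth1, the net-tools ifconfig used in the post, and the BRCTL_DRY_RUN and BRCTL_APPLY variables are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: build a two-port transparent
# bridge with brctl. Names (br0, eth0, eth1) and the two control variables
# are assumptions; ifconfig is the net-tools one used in the post.

# run: execute a command, or just print it when BRCTL_DRY_RUN=1.
run() {
    if [ "${BRCTL_DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# valid_ifname: accept only plausible interface names (kernel limit is
# 15 characters) before they are handed to brctl and ifconfig.
valid_ifname() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# make_bridge BRIDGE PORT...: create the bridge, enable STP, then enslave
# each port with its own IPv4 address cleared so it forwards transparently.
make_bridge() {
    br=$1; shift
    valid_ifname "$br" || { echo "bad bridge name: $br" >&2; return 1; }
    for port in "$@"; do
        valid_ifname "$port" || { echo "bad port name: $port" >&2; return 1; }
    done
    run brctl addbr "$br" || return 1
    run brctl stp "$br" on || return 1      # STP before any loop can form
    for port in "$@"; do
        run ifconfig "$port" 0.0.0.0 up || return 1
        run brctl addif "$br" "$port" || return 1
    done
    run ifconfig "$br" up
}

# stp_off_multiport: read 'brctl show' output on stdin and print
# "name port-count" for bridges with two or more ports and STP off,
# the configuration that can turn a cabling loop into a broadcast storm.
stp_off_multiport() {
    awk '
        function emit() { if (stp == "no" && ports >= 2) print name, ports }
        NR == 1 { next }                                 # header row
        NF >= 3 { if (name != "") emit()                 # new bridge row
                  name = $1; stp = $3; ports = (NF >= 4) ? 1 : 0; next }
        NF == 1 { ports++ }                              # continuation row
        END     { if (name != "") emit() }
    '
}

# Constructed sample of 'brctl show' output (not captured from a live host).
SAMPLE_SHOW='bridge name     bridge id               STP enabled     interfaces
br0             8000.001a921ddc9b       no              eth0
                                                        eth1
br1             8000.000000000000       no'

# Apply only when asked; needs root unless BRCTL_DRY_RUN=1.
if [ "${BRCTL_APPLY:-0}" = "1" ]; then
    make_bridge br0 eth0 eth1 || exit 1
    [ "${BRCTL_DRY_RUN:-0}" = "1" ] || brctl show | stp_off_multiport
fi
```

Run it as BRCTL_DRY_RUN=1 BRCTL_APPLY=1 sh bridge.sh to see the planned commands, and drop BRCTL_DRY_RUN to apply them as root. One practical caveat: clearing a port's address cuts any session that reaches the machine through that port, so do this from the console or assign the bridge itself an address first.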

Display Learned MAC Address On Your Bridge

For the bridge to send traffic out the correct interface, it keeps a table of every MAC address it has seen and the port the frame arrived on. To display this table, enter the command:

# brctl showmacs br0
port no mac addr                is local?       ageing timer
  2     00:01:29:d4:bd:59       no               139.95
  1     00:0c:29:2b:3e:77       no                19.50
  1     00:ab:76:ba:d0:22       yes                0.00
  2     00:ce:d6:aa:de:fa       yes                0.00

Notice the ageing timer. This is the time (in seconds) since the MAC address was last seen on the bridge. A ‘garbage’ collector checks every interval whether an entry's age has passed the limit and, if so, removes it from the table.

From the brctl manual page:

brctl setageingtime <brname> <time> sets the ethernet (MAC) address ageing time, in seconds. After <time> seconds of not having seen a frame coming from a certain address, the bridge will time out (delete) that address from the Forwarding DataBase (fdb).

brctl setgcint <brname> <time> sets the garbage collection interval for the bridge to <time> seconds. This means that the bridge will check the forwarding database for timed out entries every <time> seconds.
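As an added example (not the post's or bridge-utils' own code), the two shell functions below turn the brctl showmacs table and the ageing rules just quoted into something a monitoring job can act on: expiring_soon lists learned addresses whose ageing timer is within a margin of the ageing limit, and learned_per_port counts learned addresses per port so a baseline can be kept over time. The 300-second limit is the kernel's default ageing time; the sample table is the post's own output embedded as constructed input, and the FDB_BRIDGE variable is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the original post or bridge-utils: summarise the
# 'brctl showmacs' table (read on stdin) for a monitoring job. The 300 s
# limit is the kernel default ageing time; FDB_BRIDGE is an assumption.

# expiring_soon [LIMIT] [MARGIN]: print "port mac timer" for every learned
# (non-local) address whose ageing timer is within MARGIN seconds of LIMIT,
# i.e. the entries the garbage collector is about to drop.
expiring_soon() {
    awk -v limit="${1:-300}" -v margin="${2:-60}" '
        NR == 1 { next }                                   # header row
        $3 == "no" && $4 + margin >= limit { print $1, $2, $4 }
    '
}

# learned_per_port: count learned (non-local) addresses per port. Kept over
# time this gives a baseline; a port far above its usual count is worth a look.
learned_per_port() {
    awk 'NR > 1 && $3 == "no" { n[$1]++ }
         END { for (p in n) print p, n[p] }' | sort -n
}

# Constructed sample: the table from the post, embedded for offline use.
SAMPLE_FDB='port no mac addr                is local?       ageing timer
  2     00:01:29:d4:bd:59       no               139.95
  1     00:0c:29:2b:3e:77       no                19.50
  1     00:ab:76:ba:d0:22       yes                0.00
  2     00:ce:d6:aa:de:fa       yes                0.00'

# Live use: FDB_BRIDGE=br0 sh fdb-check.sh (as root, like brctl itself).
if [ -n "${FDB_BRIDGE:-}" ]; then
    fdb=$(brctl showmacs "$FDB_BRIDGE")
    printf '%s\n' "$fdb" | expiring_soon 300 60
    printf '%s\n' "$fdb" | learned_per_port
fi
```

Both functions read stdin, so the same code works on a live brctl showmacs run or on saved output from a previous check, which is what makes the per-port counts comparable across runs.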

The areas I have covered include the most used features of the brctl command. There are, however, other features, as shown by the first brctl output above. Refer to the manual page for more information (man brctl).