What's a Linux bridge in terms of a physical one?

x-yuri asked:

Generally, a network bridge is a L2 device that connects several network segments into one. It has no IPs, and basically just sends frames to every segment except the one from which it was received (or smarter).

But with a Linux bridge you get an interface with an IP address. Consider the following diagram with docker containers:

In this case the interfaces I’m talking about are docker0 and my_bridge.

Then, you use veth pairs to connect containers to a bridge. One end of a veth pair is represented by an interface with an IP address you can see in a container. The other end has no IP address, it belongs to the host’s network namespace. And you can see master docker0 or something next to it in the ip a output. One can think of this end of a pair as a connector you plug into a bridge’s port.

Also, I can see the dev docker0 ... rule in the host’s routing table, which makes it possible to send packets from the host to a container.

But then I can also send packets from a container to the host’s eth0 interface, which is in a different subnetwork. And I can’t see master docker0 next to the host’s eth0 interface in the ip a output, which probably wouldn’t make sense anyway, since a bridge can’t connect different subnetworks. So this part (and the one from the previous paragraph) probably can’t be considered part of the bridge, but rather extra behavior that comes with a Linux bridge.

Also, when I send packets from one container to another I can see them in the host’s network namespace (host’s iptables processes them).

No matter how I try, I can’t picture a diagram with a Linux bridge I couldn’t pick at. As for the diagram above, it makes it look like the bridge connects different subnetworks, which a physical bridge can’t accomplish.

I’d probably rather put the bridge between my_bridge and veth pairs. But then it must be admitted that you plug the ends of veth pairs into my_bridge, not into the bridge. And that with a bridge comes an ability to send packets from the host to a container, and from a container to the host’s eth0 interface.

So it seems like a Linux bridge is a network bridge with some extra twists. And you can’t easily depict it on a diagram without introducing inaccuracies, can you? Was I wrong about anything above?

My answer:

You have described, and your image depicts, routing between two bridges and a physical interface not part of a bridge. Among the many other things Linux does is Layer 3 routing, and this is what is happening when packets flow between the bridges and the physical interface not part of any bridge.
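The answer's point as a constructed toy model added here (not the kernel's code and not part of the original post): the bridge is an L2 learning switch whose ports are the host-side veth ends plus the docker0 device itself, and behind that device the host's IP stack holds 172.17.0.1 and routes at L3 towards eth0. Container MACs, addresses and interface names are made up, net.ipv4.ip_forward=1 is assumed, and ARP is replaced by a static table.

```python
import functools, ipaddress
from collections import namedtuple

Frame = namedtuple("Frame", "src_mac dst_mac src_ip dst_ip")

class Bridge:
    def __init__(self, name):
        self.name, self.ports, self.fdb = name, {}, {}  # port -> rx handler; learned MAC -> port
    def rx(self, in_port, frame, trace):
        self.fdb[frame.src_mac] = in_port               # learn which port the source MAC sits behind
        known = self.fdb.get(frame.dst_mac)
        targets = [known] if known else [p for p in self.ports if p != in_port]  # unknown MAC: flood
        for p in targets:
            trace.append(f"{self.name}: port {in_port} -> port {p}")
            self.ports[p](frame, trace)

class Host:
    def __init__(self):
        self.ifaces, self.routes = {}, []               # name -> (mac, ip); (network, out iface)
    def add_iface(self, name, mac, cidr):
        addr = ipaddress.ip_interface(cidr)
        self.ifaces[name] = (mac, addr.ip)
        self.routes.append((addr.network, name))        # connected route, e.g. "172.17.0.0/16 dev docker0"
    def rx(self, iface, frame, trace):
        mac, local_ip = self.ifaces[iface]
        if frame.dst_mac != mac:
            return                                      # switched between other ports; not for the host stack
        dst = ipaddress.ip_address(frame.dst_ip)
        if dst == local_ip:
            trace.append(f"host: {frame.dst_ip} delivered locally")
        else:                                           # net.ipv4.ip_forward=1 assumed
            out = next((n for net, n in self.routes if dst in net), "no route")
            trace.append(f"host: {frame.dst_ip} forwarded via {out}")

GW_MAC = "02:42:00:00:00:01"                            # MAC of the docker0 device, the containers' gateway
ARP = {"172.17.0.2": "02:42:ac:11:00:02", "172.17.0.3": "02:42:ac:11:00:03"}  # constructed container MACs

def build():
    host, br = Host(), Bridge("docker0")
    host.add_iface("docker0", GW_MAC, "172.17.0.1/16")
    host.add_iface("eth0", "52:54:00:aa:bb:cc", "192.168.1.10/24")
    br.ports["docker0"] = functools.partial(host.rx, "docker0")  # the bridge device is itself a port
    for c, ip in (("c1", "172.17.0.2"), ("c2", "172.17.0.3")):   # host-side veth end as port; handler = container
        br.ports[f"veth-{c}"] = lambda f, t, c=c, m=ARP[ip]: t.append(f"{c}: received") if f.dst_mac == m else None
    return host, br

def container_send(br, port, src_ip, dst_ip):
    trace = []
    br.rx(port, Frame(ARP[src_ip], ARP.get(dst_ip, GW_MAC), src_ip, dst_ip), trace)  # on-link peer MAC, else gateway
    return trace
```

Container-to-container traffic is switched by the bridge without the host stack routing it, while anything off the 172.17.0.0/16 subnet is addressed to the docker0 MAC and routed by the host out of eth0.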

View the full question and any other answers on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.