Linux Ethernet Bridging - Oct 2009 - [Bridge] Linux Dynamic Bridging Support

Hi,

The scenario I have is that I have a computer with one network interface
eth0, that is receiving it's configuration through DHCP, and uses
complex firewalling rules for eth0.

Now I want to add a virtual machine on that computer

According to the usual recipies, I have to do the following:

ifconfig eth0 0.0.0.0
brctl addbr br0
brctl addif br0 eth0
dhclient br0

Afterwards I can add interfaces to the bridge:
brctl addif br0 tun0

This has several disadvantages:
* It causes a network outage for up to a few seconds (mostly due to the
unnecessary DHCP)
* It does not migrate the firewall rules to br0
* It breaks all firewall-rules that were written for eth0
* If I use eth0 in the office today, wlan0 at home, and ppp0 when I am
outside, then I would need lots of different scripts for all the
different bridging combinations.

Now the idea is to add migration support to Linux Bridging.

It could look like this:

brctl addbr br0
brctl takeif br0 eth0

take-interface would migrate the IP address, and routing entries from
the eth0 interface to the bridge, in a more-or-less atomic fashion, and
add eth0 as interface to the brige. It would also adapt iptables-rules
that were written for eth0 to be pointing to br0 now.

To release the bridge again, it could be done like this:
brctl releaseif br0 eth0
brctl delbr br0

Since all that is a bit complex, I still have an alternative proposal:
What if we bridge-enable all normal interfaces?
It could look like this:

brctl enablebr eth0

This would enable bridging mode for the eth0 interface. It automatically
is able to use the DHCP ip address it was given, the firewalling, ...
I can then easily add additional interfaces to the bridge-enabled
interface like this:

brctl addif eth0 tun0

And I don't need to worry about DHCP, firewalls, ... anymore.

So my question now is:
Which way should we go? Migrating interface configuration into bridges,
or bridge-enabling interfaces?

Best regards,
Philipp G?hring

Philipp G?hring a ?crit :
> Hi,
> 
> The scenario I have is that I have a computer with one network interface
> eth0, that is receiving it's configuration through DHCP, and uses
> complex firewalling rules for eth0.
> 
> Now I want to add a virtual machine on that computer
> 
> According to the usual recipies, I have to do the following:
> 
> ifconfig eth0 0.0.0.0
> brctl addbr br0
> brctl addif br0 eth0
> dhclient br0
> 
> Afterwards I can add interfaces to the bridge:
> brctl addif br0 tun0
> 
> This has several disadvantages:
> * It causes a network outage for up to a few seconds (mostly due to the
> unnecessary DHCP)
> * It does not migrate the firewall rules to br0
> * It breaks all firewall-rules that were written for eth0
> * If I use eth0 in the office today, wlan0 at home, and ppp0 when I am
> outside, then I would need lots of different scripts for all the
> different bridging combinations.
> 
> Now the idea is to add migration support to Linux Bridging.
> 
> It could look like this:
> 
> brctl addbr br0
> brctl takeif br0 eth0
> 
> take-interface would migrate the IP address, and routing entries from
> the eth0 interface to the bridge, in a more-or-less atomic fashion, and
> add eth0 as interface to the brige. It would also adapt iptables-rules
> that were written for eth0 to be pointing to br0 now.
> 
> To release the bridge again, it could be done like this:
> brctl releaseif br0 eth0
> brctl delbr br0
> 
> Since all that is a bit complex, I still have an alternative proposal:
> What if we bridge-enable all normal interfaces?
> It could look like this:
> 
> brctl enablebr eth0
> 
> This would enable bridging mode for the eth0 interface. It automatically
> is able to use the DHCP ip address it was given, the firewalling, ...
> I can then easily add additional interfaces to the bridge-enabled
> interface like this:
> 
> brctl addif eth0 tun0
> 
> And I don't need to worry about DHCP, firewalls, ... anymore.
> 
> So my question now is:
> Which way should we go? Migrating interface configuration into bridges,
> or bridge-enabling interfaces?
So you expect some changes in the kernel to reduce the complexity of the scripts
that manage your
different network setup... I'm not sure that adding complexity into the
kernel to reduce a script
complexity is about to happen at some time... :-)

If building a generic script for your network setup is really too complex, you
can try and
dynamically rename your interfaces... For example, you arrange for ppp0, eth0 or
br0 to be named
myinterface0, based on your current needs, then setup myinterface0, with the
setup you expect.

HTH.

	Nicolas.