From a20cd1b1fd4a7840b499c3b5bac4f2787d71c3d8 Mon Sep 17 00:00:00 2001 From: dlg Date: Tue, 23 Feb 2021 04:13:17 +0000 Subject: [PATCH] try and use my words to explain what veb is and does. ok jmatthew@ --- share/man/man4/Makefile | 4 +- share/man/man4/veb.4 | 122 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 124 insertions(+), 2 deletions(-) create mode 100644 share/man/man4/veb.4 diff --git a/share/man/man4/Makefile b/share/man/man4/Makefile index 4cbe824766e..4f7f98a2088 100644 --- a/share/man/man4/Makefile +++ b/share/man/man4/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.792 2021/02/04 16:25:38 anton Exp $ +# $OpenBSD: Makefile,v 1.793 2021/02/23 04:13:17 dlg Exp $ MAN= aac.4 abcrtc.4 abl.4 ac97.4 acphy.4 acrtc.4 \ acpi.4 acpiac.4 acpials.4 acpiasus.4 acpibat.4 \ @@ -91,7 +91,7 @@ MAN= aac.4 abcrtc.4 abl.4 ac97.4 acphy.4 acrtc.4 \ urndis.4 urng.4 urtw.4 urtwn.4 usb.4 uscom.4 uslcom.4 usps.4 \ uthum.4 uticom.4 utpms.4 utwitch.4 utrh.4 uts.4 utvfu.4 uvideo.4 \ uvisor.4 uvscom.4 uwacom.4 uxrcom.4 \ - vether.4 vga.4 vgafb.4 vge.4 \ + veb.4 vether.4 vga.4 vgafb.4 vge.4 \ viapm.4 viasio.4 vic.4 video.4 vio.4 \ vioblk.4 viocon.4 viomb.4 viornd.4 vioscsi.4 virtio.4 vlan.4 \ vmmci.4 vmt.4 vmwpvs.4 vmx.4 vnd.4 vr.4 \ diff --git a/share/man/man4/veb.4 b/share/man/man4/veb.4 new file mode 100644 index 00000000000..00bc6081987 --- /dev/null +++ b/share/man/man4/veb.4 
@@ -0,0 +1,122 @@ +.\" $OpenBSD: veb.4,v 1.1 2021/02/23 04:13:17 dlg Exp $ +.\" +.\" Copyright (c) 2021 David Gwynne +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.Dd $Mdocdate: February 23 2021 $ +.Dt VEB 4 +.Os +.Sh NAME +.Nm veb , +.Nm vport +.Nd Virtual Ethernet Bridge network device +.Sh SYNOPSIS +.Cd "pseudo-device veb" +.Sh DESCRIPTION +The +.Nm veb +pseudo-device supports the creation of a single layer 2 Ethernet +network between multiple ports. +Ethernet interfaces are added to the bridge to be used as ports. +.Nm veb +takes over the operation of the interfaces that are added as ports +and uses them independently of the host network stack. +The network stack can be connected to the Ethernet network managed +by +.Nm veb +by creating a +.Nm vport +interface and attaching it as a port to the bridge. +From the perspective of the host network stack, a +.Nm vport +interface acts as a normal interface connected to an Ethernet +network. +.Pp +.Nm veb +is a learning bridge that maintains a table of Ethernet addresses +and the port that each address is reachable with. +The bridge learns about the reachability of Ethernet addresses by +reading the source address on packets received by ports, and then +entering the address and port into the table dynamically. 
+Static address entries may also be configured in the table, disabling +dynamic learning for that address. +Ethernet address learning can be disabled on individual ports. +.Pp +When forwarding a packet, the address table is searched for the +destination Ethernet address and the packet is sent to the associated +port in the table entry. +If no entry is found in the table, or the packet is addressed to a +multicast or broadcast address, the packet is flooded to all other +ports on the bridge. +Flooding of packets to unknown unicast addresses can be disabled +on individual ports. +.Pp +.Nm veb +provides multiple mechanisms for filtering packets traversing the +bridge. +By default it filters IEEE 802.1Q VLAN and SVLAN packets, but can +be configured to forward them by setting the link2 flag. +.Nm veb +can filter Ethernet packets entering or leaving ports using bridge +rules. +Ports can be configured as members of protected domains to restrict +communication between them. +.\" Individual ports can be configured to only allow relaying of IP +.\" (and ARP/RARP) packets by setting the blocknonip flag. +.Pp +.Xr pf 4 +can be used to filter IP packets as they enter or leave the bridge. +By default this filtering is disabled, but can be enabled by setting +the linkX flag. +The exception to this policy is on +.Nm vport +interfaces, where +.Xr pf 4 +runs as packets enter and leave the network stack regardless of +the value of the linkX flag. +A consequence of this behaviour is that packets traversing +.Nm vport +interfaces appear to travel in the opposite direction to packets +travelling over other ports. +.\" Packets traversing vport interfaces get their direction relative +.\" to the host network stack, while other ports get their direction +.\" from their relationship to the bridge. +.\" .Pp +.\" Transparent +.\" .Xr ipsec 4 +.\" processing can be enabled by setting the linkXX flag on the bridge. +.Pp +.Nm veb +supports the addition of span ports to the bridge. 
+Span ports transmit a copy of every packet received by the bridge, +allowing for passive monitoring of traffic on a separate host. +.\" .Pp +.\" .Nm veb +.\" interfaces support the following +.\" .Xr ioctl 2 +.\" calls: +.Sh SEE ALSO +.Xr ipsec 4 , +.Xr options 4 , +.Xr pf 4 , +.Xr hostname.if 5 , +.Xr ifconfig 8 , +.Xr netstart 8 +.Sh HISTORY +The +.Nm +driver first appeared in +.Ox 6.9 . +.Sh AUTHORS +.An David Gwynne Aq Mt dlg@openbsd.org -- 2.20.1
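Review bot: The Makefile hunk only adds veb.4 to the MAN list, yet the new page declares vport as a second name in its NAME section (`.Nm veb ,` / `.Nm vport`); if this Makefile carries an MLINKS list for such aliases, a vport.4 link should be added in the same commit so that `man vport` resolves to this page rather than failing.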
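Review bot: In the veb.4 hunk the pf(4) paragraph refers to "the linkX flag" twice (and the commented-out ipsec text to "linkXX"), which are placeholders rather than flag names, whereas the VLAN paragraph names link2 concretely; the flag that enables pf on bridge ports needs to be named, because that paragraph is the one a reader will consult to decide whether bridged traffic is filtered at all. Since the text states that this filtering is disabled by default and that pf otherwise runs only on vport interfaces, it is worth saying plainly that pf rules attached to an interface veb has taken over as a port do not apply to packets the bridge forwards between ports until that flag is set, and that on a vport the in/out direction is relative to the host stack, so rules written for a regular port read the other way round. The commented-out blocknonip, ipsec and ioctl sections also leave the page with no documented way to add ports, bridge rules, protected domains or static address entries; either finish those sections or point at the relevant part of ifconfig(8) rather than shipping them as comments.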