\fB\-s\fR[\fItatistics\fR] |
\fB\-n\fR[\fIetns\fR] name |
\fB\-b\fR[\fIatch\fR] filename |
-\fB\-j\fR[\fIson\fR] }
+\fB\-c\fR[\folor\fR] |
+\fB\-p\fR[\fIretty\fR] |
+\fB\-j\fR[\fIson\fR] |
+\fB\-o\fR[\fIneline\fr] }
.ti -8
-.BR "bridge link set"
+.B "bridge link set"
.B dev
-.IR DEV
-.IR " [ "
+.IR DEV " [ "
.B cost
.IR COST " ] [ "
.B priority
.IR PRIO " ] [ "
.B state
-.IR STATE "] ["
+.IR STATE " ] [ "
.BR guard " { " on " | " off " } ] [ "
.BR hairpin " { " on " | " off " } ] [ "
.BR fastleave " { " on " | " off " } ] [ "
.BR learning_sync " { " on " | " off " } ] [ "
.BR flood " { " on " | " off " } ] [ "
.BR hwmode " { " vepa " | " veb " } ] [ "
-.BR self " ] [ " master " ] "
+.BR mcast_flood " { " on " | " off " } ] [ "
+.BR mcast_to_unicast " { " on " | " off " } ] [ "
+.BR neigh_suppress " { " on " | " off " } ] [ "
+.BR vlan_tunnel " { " on " | " off " } ] [ "
+.BR isolated " { " on " | " off " } ] [ "
+.B backup_port
+.IR DEVICE " ] ["
+.BR nobackup_port " ] [ "
+.BR self " ] [ " master " ]"
.ti -8
.BR "bridge link" " [ " show " ] [ "
.B dev
.IR DEV " { "
.BR local " | " static " | " dynamic " } [ "
-.BR self " ] [ " master " ] [ " router " ] [ " use " ] [ "
+.BR self " ] [ " master " ] [ " router " ] [ " use " ] [ " extern_learn " ] [ " sticky " ] [ "
+.B src_vni
+.IR VNI " ] { ["
.B dst
.IR IPADDR " ] [ "
.B vni
.B port
.IR PORT " ] ["
.B via
-.IR DEVICE " ]"
+.IR DEVICE " ] | "
+.B nhid
+.IR NHID " } "
.ti -8
-.BR "bridge fdb" " [ " show " ] [ "
-.B dev
-.IR DEV " ]"
+.BR "bridge fdb" " [ [ " show " ] [ "
+.B br
+.IR BRDEV " ] [ "
+.B brport
+.IR DEV " ] [ "
+.B vlan
+.IR VID " ] [ "
+.B state
+.IR STATE " ] ["
+.B dynamic
+.IR "] ]"
+
+.ti -8
+.BR "bridge fdb get" " ["
+.B to
+.IR "]"
+.I LLADDR "[ "
+.B br
+.IR BRDEV " ]"
+.B { brport | dev }
+.IR DEV " [ "
+.B vlan
+.IR VID " ] [ "
+.B vni
+.IR VNI " ] ["
+.BR self " ] [ " master " ] [ " dynamic " ]"
.ti -8
.BR "bridge mdb" " { " add " | " del " } "
.B dev
-.IR DEV
+.I DEV
.B port
-.IR PORT
+.I PORT
.B grp
.IR GROUP " [ "
.BR permanent " | " temp " ] [ "
.ti -8
.BR "bridge vlan" " { " add " | " del " } "
.B dev
-.IR DEV
+.I DEV
.B vid
.IR VID " [ "
+.B tunnel_info
+.IR TUNNEL_ID " ] [ "
.BR pvid " ] [ " untagged " ] [ "
.BR self " ] [ " master " ] "
.ti -8
-.BR "bridge vlan" " [ " show " ] [ "
+.BR "bridge vlan" " [ " show " | " tunnelshow " ] [ "
.B dev
.IR DEV " ]"
Actually it just simplifies executing of:
.B ip netns exec
-.IR NETNS
+.I NETNS
.B bridge
.RI "[ " OPTIONS " ] " OBJECT " { " COMMAND " | "
.BR help " }"
First failure will cause termination of bridge command.
.TP
-.BR "\-force"
+.B "\-force"
Don't terminate bridge command on errors in batch mode.
If there were any errors during execution of the commands, the application
return code will be non zero.
.TP
-.BR "\-json"
-Display results in JSON format. Currently available for vlan and fdb.
+.BR \-c [ color ][ = { always | auto | never }
+Configure color output. If parameter is omitted or
+.BR always ,
+color output is enabled regardless of stdout state. If parameter is
+.BR auto ,
+stdout is checked to be a terminal before enabling color output. If parameter is
+.BR never ,
+color output is disabled. If specified multiple times, the last one takes
+precedence. This flag is ignored if
+.B \-json
+is also given.
+
+.TP
+.BR "\-j", " \-json"
+Output results in JavaScript Object Notation (JSON).
+
+.TP
+.BR "\-p", " \-pretty"
+When combined with -j generate a pretty JSON output.
+
+.TP
+.BR "\-o", " \-oneline"
+output each record on a single line, replacing line feeds
+with the
+.B '\e'
+character. This is convenient when you want to count records
+with
+.BR wc (1)
+or to
+.BR grep (1)
+the output.
+
.SH BRIDGE - COMMAND SYNTAX
.BI priority " PRIO "
the STP port priority. The priority value is an unsigned 8-bit quantity
(number between 0 and 255). This metric is used in the designated port an
-droot port selectio algorithms.
+droot port selection algorithms.
.TP
.BI state " STATE "
-the operation state of the port. This is primarily used by user space STP/RSTP
-implementation. One may enter a lowercased port state name, or one of the
+the operation state of the port. Except state 0 (disable STP or BPDU filter feature),
+this is primarily used by user space STP/RSTP
+implementation. One may enter port state name (case insensitive), or one of the
numbers below. Negative inputs are ignored, and unrecognized names return an
error.
.B 0
-- port is DISABLED. Make this port completely inactive.
+- port is in STP
+.B DISABLED
+state. Make this port completely inactive for STP. This is also called
+BPDU filter and could be used to disable STP on an untrusted port, like
+a leaf virtual devices.
.sp
.B 1
-- STP LISTENING state. Only valid if STP is enabled on the bridge. In this
+- port is in STP
+.B LISTENING
+state. Only valid if STP is enabled on the bridge. In this
state the port listens for STP BPDUs and drops all other traffic frames.
.sp
.B 2
-- STP LEARNING state. Only valid if STP is enabled on the bridge. In this
+- port is in STP
+.B LEARNING
+state. Only valid if STP is enabled on the bridge. In this
state the port will accept traffic only for the purpose of updating MAC
address tables.
.sp
.B 3
-- STP FORWARDING state. Port is fully active.
+- port is in STP
+.B FORWARDING
+state. Port is fully active.
.sp
.B 4
-- STP BLOCKING state. Only valid if STP is enabled on the bridge. This state
+- port is in STP
+.B BLOCKING
+state. Only valid if STP is enabled on the bridge. This state
is used during the STP election process. In this state, port will only process
STP BPDUs.
.sp
.BR "guard on " or " guard off "
Controls whether STP BPDUs will be processed by the bridge port. By default,
the flag is turned off allowed BPDU processing. Turning this flag on will
-cause the port to stop processing STP BPDUs.
+disables
+the bridge port if a STP BPDU packet is received.
+
+If running Spanning Tree on bridge, hostile devices on the network
+may send BPDU on a port and cause network failure. Setting
+.B guard on
+will detect and stop this by disabling the port.
+The port will be restarted if link is brought down, or
+removed and reattached. For example if guard is enable on
+eth0:
+
+.B ip link set dev eth0 down; ip link set dev eth0 up
.TP
.BR "hairpin on " or " hairpin off "
Controls whether traffic may be send back out of the port on which it was
-received. By default, this flag is turned off and the bridge will not forward
+received. This option is also called reflective relay mode, and is used to support
+basic VEPA (Virtual Ethernet Port Aggregator) capabilities.
+By default, this flag is turned off and the bridge will not forward
traffic back out of the receiving port.
.TP
Controls whether a given port is allowed to become root port or not. Only used
when STP is enabled on the bridge. By default the flag is off.
+This feature is also called root port guard.
+If BPDU is received from a leaf (edge) port, it should not
+be elected as root port. This could be used if using STP on a bridge and the downstream bridges are not fully
+trusted; this prevents a hostile guest from rerouting traffic.
+
.TP
.BR "learning on " or " learning off "
Controls whether a given port will learn MAC addresses from received traffic or
bridge FDB.
.TP
-.BR "flooding on " or " flooding off "
+.BR "flood on " or " flood off "
Controls whether a given port will flood unicast traffic for which there is no FDB entry. By default this flag is on.
.TP
-.BI hwmode
+.B hwmode
Some network interface cards support HW bridge functionality and they may be
configured in different modes. Currently support modes are:
- bridging happens in hardware.
.TP
-.BI self
+.BR "mcast_flood on " or " mcast_flood off "
+Controls whether a given port will flood multicast traffic for which
+there is no MDB entry. By default this flag is on.
+
+.TP
+.BR "mcast_to_unicast on " or " mcast_to_unicast off "
+Controls whether a given port will replicate packets using unicast
+instead of multicast. By default this flag is off.
+
+This is done by copying the packet per host and
+changing the multicast destination MAC to a unicast one accordingly.
+
+.B mcast_to_unicast
+works on top of the multicast snooping feature of
+the bridge. Which means unicast copies are only delivered to hosts which
+are interested in it and signalized this via IGMP/MLD reports
+previously.
+
+This feature is intended for interface types which have a more reliable
+and/or efficient way to deliver unicast packets than broadcast ones
+(e.g. WiFi).
+
+However, it should only be enabled on interfaces where no IGMPv2/MLDv1
+report suppression takes place. IGMP/MLD report suppression issue is usually
+overcome by the network daemon (supplicant) enabling AP isolation and
+by that separating all STAs.
+
+Delivery of STA-to-STA IP multicast is made possible again by
+enabling and utilizing the bridge hairpin mode, which considers the
+incoming port as a potential outgoing port, too (see
+.B hairpin
+option).
+Hairpin mode is performed after multicast snooping, therefore leading to
+only deliver reports to STAs running a multicast router.
+
+.TP
+.BR "neigh_suppress on " or " neigh_suppress off "
+Controls whether neigh discovery (arp and nd) proxy and suppression is
+enabled on the port. By default this flag is off.
+
+.TP
+.BR "vlan_tunnel on " or " vlan_tunnel off "
+Controls whether vlan to tunnel mapping is enabled on the port. By
+default this flag is off.
+
+.TP
+.BR "isolated on " or " isolated off "
+Controls whether a given port will be isolated, which means it will be
+able to communicate with non-isolated ports only. By default this
+flag is off.
+
+.TP
+.BI backup_port " DEVICE"
+If the port loses carrier all traffic will be redirected to the
+configured backup port
+
+.TP
+.B nobackup_port
+Removes the currently configured backup port
+
+.TP
+.B self
link setting is configured on specified physical device
.TP
-.BI master
+.B master
link setting is configured on the software bridge (default)
.TP
.BR "\-t" , " \-timestamp"
display current time when using monitor option.
-.SS bridge link show - list bridge port configuration.
+.SS bridge link show - list ports configuration for all bridges.
-This command displays the current bridge port configuration and flags.
+This command displays port configuration and flags for all bridges.
+
+To display port configuration and flags for a specific bridge, use the
+"ip link show master <bridge_device>" command.
.SH bridge fdb - forwarding database management
This command creates a new fdb entry.
.TP
-.BI "LLADDR"
+.B LLADDR
the Ethernet MAC address.
.TP
.B router
- the destination address is associated with a router.
Valid if the referenced device is a VXLAN type device and has
-route shortcircuit enabled.
+route short circuit enabled.
.sp
.B use
indicate to the kernel that the fdb entry is in use.
.sp
+.B extern_learn
+- this entry was learned externally. This option can be used to
+indicate to the kernel that an entry was hardware or user-space
+controller learnt dynamic entry. Kernel will not age such an entry.
+.sp
+
+.B sticky
+- this entry will not change its port due to learning.
+.sp
+
.in -8
The next command line parameters apply only
when the specified device
the IP address of the destination
VXLAN tunnel endpoint where the Ethernet MAC ADDRESS resides.
+.TP
+.BI src_vni " VNI"
+the src VNI Network Identifier (or VXLAN Segment ID)
+this entry belongs to. Used only when the vxlan device is in
+external or collect metadata mode. If omitted the value specified at
+vxlan device creation will be used.
+
.TP
.BI vni " VNI"
the VXLAN VNI Network Identifier (or VXLAN Segment ID)
VXLAN device driver to reach the
remote VXLAN tunnel endpoint.
+.TP
+.BI nhid " NHID "
+ecmp nexthop group for the VXLAN device driver
+to reach remote VXLAN tunnel endpoints.
+
.SS bridge fdb append - append a forwarding database entry
This command adds a new fdb entry with an already known
.IR LLADDR .
option, the command becomes verbose. It prints out the last updated
and last used time for each entry.
+.SS bridge fdb get - get bridge forwarding entry.
+
+lookup a bridge forwarding table entry.
+
+.TP
+.B LLADDR
+the Ethernet MAC address.
+
+.TP
+.BI dev " DEV"
+the interface to which this address is associated.
+
+.TP
+.BI brport " DEV"
+the bridge port to which this address is associated. same as dev above.
+
+.TP
+.BI br " DEV"
+the bridge to which this address is associated.
+
+.TP
+.B self
+- the address is associated with the port drivers fdb. Usually hardware.
+
+.TP
+.B master
+- the address is associated with master devices fdb. Usually software (default).
+.sp
+
.SH bridge mdb - multicast group database management
.B mdb
the VLAN ID that identifies the vlan.
.TP
-.BI pvid
+.BI tunnel_info " TUNNEL_ID"
+the TUNNEL ID that maps to this vlan. The tunnel id is set in
+dst_metadata for every packet that belongs to this vlan (applicable to
+bridge ports with vlan_tunnel flag set).
+
+.TP
+.B pvid
the vlan specified is to be considered a PVID at ingress.
Any untagged frames will be assigned to this VLAN.
.TP
-.BI untagged
+.B untagged
the vlan specified is to be treated as untagged on egress.
.TP
-.BI self
+.B self
the vlan is configured on the specified physical device. Required if the
device is the bridge device.
.TP
-.BI master
+.B master
the vlan is configured on the software bridge (default).
.SS bridge vlan delete - delete a vlan filter entry
.B -statistics
option, the command displays per-vlan traffic statistics.
+.SS bridge vlan tunnelshow - list vlan tunnel mapping.
+
+This command displays the current vlan tunnel info mapping.
+
.SH bridge monitor - state monitoring
The
projects / mirror_iproute2.git / blobdiff