A bridge is a device that can be dropped into a network without any further configuration. A network switch is basically a bridge with many ports, and a bridge is essentially a two-port switch. Linux, however, supports bridges with multiple interfaces, which makes it a true switch.
Bridges are often deployed when faced with a network that is broken but may not be altered. Because a bridge is a layer-2 device, one layer below IP, routers and servers are unaware of its existence. This means you can transparently block or modify selected packets, or shape traffic.
Another good thing is that, should the bridge fail, it can usually be replaced by a hub or even a crossover cable.
The bad news is that a bridge causes great confusion unless it is documented very well. It does not show up in traceroutes, yet packets somehow disappear or get changed between point A and point B ("this network is haunted!"). You should also ask whether an organization that "does not want to change anything" is doing the right thing.
The Linux 2.4/2.5 Network Bridge document is on this page.
1. Bridging and iptables
As of Linux 2.4.20, bridging and iptables do not "see" each other without help. If you bridge packets from eth0 to eth1, they do not pass through iptables, so you cannot filter, NAT or mangle them. In Linux 2.5.45 and later this is fixed. On current kernels that visibility is provided by the br_netfilter module and switched with the net.bridge.bridge-nf-call-iptables sysctl; when that is off, bridged frames are once again invisible to iptables.
You may also see "ebtables" mentioned, which is yet another project: it lets you do wild things such as MAC NAT and "brouting" (deciding per frame whether it is bridged or routed). It is truly scary.
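The following is an added example, not code from the HOWTO: it builds a two-port Linux bridge with iproute2, checks whether bridged IPv4 frames will be handed to iptables on this host, and shows the two ways to filter them, through iptables once br_netfilter is active, or at layer 2 with ebtables when the bridge bypasses iptables. The bridge name br0, the ports eth0 and eth1, and the MAC 00:11:22:33:44:55 are assumed placeholders.

```shell
#!/bin/sh
# Added example for this page (not LARTC's own code): two-port bridge,
# iptables-visibility check, and layer-2 filtering.
# Assumed names (not from the text): bridge br0, ports eth0/eth1,
# MAC 00:11:22:33:44:55 as a constructed placeholder.
set -e

NF_CALL_IPTABLES=/proc/sys/net/bridge/bridge-nf-call-iptables

# Report how bridged IPv4 frames relate to iptables on this host:
#   transparent  - frames are switched without ever passing the IP tables
#   iptables     - frames traverse the FORWARD chain (br_netfilter active)
#   unavailable  - br_netfilter is not loaded, so the sysctl does not exist
# The path is a parameter so the check can be run against a constructed file.
bridge_nf_mode() {
    f="${1:-$NF_CALL_IPTABLES}"
    if [ ! -r "$f" ]; then
        echo unavailable
        return 0
    fi
    case "$(cat "$f")" in
        0) echo transparent ;;
        1) echo iptables ;;
        *) echo unknown ;;
    esac
}

# Create the bridge and enslave the ports (needs root).
make_bridge() {
    br="$1"; shift
    ip link add name "$br" type bridge
    for port in "$@"; do
        ip link set dev "$port" master "$br"
        ip link set dev "$port" up
    done
    ip link set dev "$br" up
}

# Hand bridged IPv4 traffic to iptables so ordinary FORWARD rules apply;
# the physdev match then lets a rule name the bridge port a frame came in on.
filter_bridged_with_iptables() {
    modprobe br_netfilter
    sysctl -w net.bridge.bridge-nf-call-iptables=1
    iptables -A FORWARD -m physdev --physdev-in eth0 -p tcp --dport 23 -j DROP
}

# Layer-2 alternative that works even when the bridge bypasses iptables:
# drop every frame from one MAC as it crosses the bridge.
filter_bridged_with_ebtables() {
    ebtables -A FORWARD -s 00:11:22:33:44:55 -j DROP
}

if [ "${1:-}" = apply ]; then
    make_bridge br0 eth0 eth1
    filter_bridged_with_iptables
    filter_bridged_with_ebtables
    echo "bridged frames are now: $(bridge_nf_mode)"
fi
```

Run it with `apply` as root to configure a live box; without arguments it only defines the functions, so `bridge_nf_mode` can be called on its own to audit an existing bridge before assuming that iptables rules will ever see its traffic.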
2. Bridging and shaping
This works as advertised. Be sure to work out which side each interface is on, otherwise you may end up shaping outbound traffic on your internal interface, which will not work. Use a sniffer such as tcpdump to confirm if needed.
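An added example (not from the original text) of the "which side is which" check: it reads the bridge's learned forwarding table to find the port on which the upstream router's MAC was seen, confirms that with tcpdump, and only then attaches a shaper. Because Linux queueing disciplines act on egress, traffic flowing into the LAN is shaped on the LAN-facing port and traffic flowing out to the router on the router-facing port. The bridge br0, ports eth0/eth1, the router MAC aa:bb:cc:dd:ee:01 and the sample forwarding table are all constructed for the example.

```shell
#!/bin/sh
# Added example (not part of the HOWTO): pick the right bridge port to
# shape on, verify it with a sniffer, then attach a tbf qdisc.
# Assumptions: bridge br0 with ports eth0/eth1, a constructed fdb sample,
# placeholder router MAC aa:bb:cc:dd:ee:01.
set -e

# Constructed sample of `bridge fdb show br br0` output (not a real capture).
SAMPLE_FDB='aa:bb:cc:dd:ee:01 dev eth0 master br0
aa:bb:cc:dd:ee:02 dev eth1 master br0
aa:bb:cc:dd:ee:03 dev eth1 master br0
33:33:00:00:00:01 dev br0 self permanent'

# Print the port on which the bridge learned the given MAC (empty if none).
port_facing_mac() {
    printf '%s\n' "$1" | awk -v mac="$2" '$1 == mac && $2 == "dev" { print $3; exit }'
}

# Given a space-separated port list and one port, print the other one.
other_port() {
    for p in $1; do
        if [ "$p" != "$2" ]; then echo "$p"; fi
    done
    return 0
}

# Decide which interface to shape.
#   args: fdb-output router-mac "portA portB" inbound|outbound
# inbound  = traffic entering the LAN from the router: shape the LAN-facing port
# outbound = traffic leaving the LAN towards the router: shape the router-facing port
shaping_port() {
    upstream=$(port_facing_mac "$1" "$2")
    [ -n "$upstream" ] || { echo "router MAC not learned yet" >&2; return 1; }
    case "$4" in
        outbound) echo "$upstream" ;;
        inbound)  other_port "$3" "$upstream" ;;
        *) echo "direction must be inbound or outbound" >&2; return 1 ;;
    esac
}

# Confirm the guess with a sniffer before shaping: the router's frames must
# actually arrive on the port we believe faces it (needs root).
confirm_side() {
    tcpdump -nei "$1" -c 3 ether src "$2"
}

# Attach a simple token-bucket shaper to the chosen port (needs root).
shape() {
    tc qdisc add dev "$1" root tbf rate "$2" burst 32kbit latency 400ms
}

if [ "${1:-}" = apply ]; then
    fdb=$(bridge fdb show br br0)
    router=aa:bb:cc:dd:ee:01
    confirm_side "$(port_facing_mac "$fdb" "$router")" "$router"
    shape "$(shaping_port "$fdb" "$router" "eth0 eth1" inbound)" 2mbit
fi
```

If the router's MAC has not been learned yet, the script refuses to guess; send a ping through the bridge first so the forwarding table is populated.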
3. Pseudo-bridges with proxy ARP
If you just want to implement a pseudo-bridge, skip ahead to the "Implementation" section, but it is wise to read a little about how it works in practice first.
A pseudo-bridge works a bit differently. By default, a real bridge passes frames unaltered from one interface to the other. It only looks at the hardware address of each frame to decide where it goes. This means Linux can forward data it knows nothing about, as long as the frame carries a hardware address.
A pseudo-bridge looks more like a hidden router than a bridge, but, like a bridge, it has little impact on the network design.
An advantage of it not being a bridge is that packets really pass through the kernel, so they can be filtered, modified, redirected or routed.
A real bridge can also be made to perform these feats, but it needs special code, such as the Ethernet Frame Diverter or the patch mentioned above.
Another advantage of a pseudo-bridge is that it does not forward packets it does not understand, which rids your network of a lot of cruft. Where you actually need that cruft (SAP packets or NetBEUI, for example), use a real bridge.
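The following is an added example, not the HOWTO's own configuration, of the mechanism described above: the box is given an address on each segment, per-host routes tell it which side every address lives on, proxy ARP on both interfaces makes it answer ARP for hosts on the far side, and IP forwarding moves the packets. The layout is assumed: eth0 faces the left segment, eth1 the right, both segments share 10.0.0.0/24, the box uses 10.0.0.254 and 10.0.0.253 as /32 addresses, and the host table is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the HOWTO): a proxy-ARP pseudo-bridge joining
# two Ethernet segments of one flat 10.0.0.0/24.
# Assumed layout (not in the text): eth0 = left segment, eth1 = right;
# the box holds 10.0.0.254/32 on eth0 and 10.0.0.253/32 on eth1;
# HOSTS below is a constructed table of "address interface" pairs.
set -e

HOSTS='10.0.0.1 eth0
10.0.0.2 eth0
10.0.0.10 eth1
10.0.0.11 eth1'

# Print the interface behind which an address lives (empty if unknown).
iface_for_host() {
    printf '%s\n' "$1" | awk -v ip="$2" '$1 == ip { print $2; exit }'
}

# Refuse a table that places one host on both sides: the box would then
# proxy-answer ARP for it on a segment it also routes it back onto.
check_host_table() {
    printf '%s\n' "$1" | awk '{ n[$1]++ }
        END { for (h in n) if (n[h] > 1) { print "duplicate host " h; exit 1 } }'
}

# Verify the kernel knobs under a /proc-like root: ip_forward on, and
# proxy_arp on for both ports. The root is a parameter so the check can be
# exercised against a constructed directory tree.
pseudo_bridge_ready() {
    root="${1:-/}"; left="$2"; right="$3"
    for f in "$root/proc/sys/net/ipv4/ip_forward" \
             "$root/proc/sys/net/ipv4/conf/$left/proxy_arp" \
             "$root/proc/sys/net/ipv4/conf/$right/proxy_arp"; do
        [ -r "$f" ] && [ "$(cat "$f")" = 1 ] || return 1
    done
    return 0
}

# Apply it (needs root): addresses, per-host routes, proxy ARP, forwarding.
build_pseudo_bridge() {
    check_host_table "$HOSTS"
    ip addr add 10.0.0.254/32 dev eth0
    ip addr add 10.0.0.253/32 dev eth1
    printf '%s\n' "$HOSTS" | while read -r addr dev; do
        ip route add "$addr/32" dev "$dev"
    done
    sysctl -w net.ipv4.ip_forward=1
    sysctl -w net.ipv4.conf.eth0.proxy_arp=1
    sysctl -w net.ipv4.conf.eth1.proxy_arp=1
    pseudo_bridge_ready / eth0 eth1 && echo "pseudo-bridge is up"
}

if [ "${1:-}" = apply ]; then
    build_pseudo_bridge
fi
```

Only addresses present in the host table are reachable across the box, and only IP crosses at all: a host on the left that ARPs for an unlisted or non-IP peer on the right gets no answer, which is exactly the "does not forward what it does not understand" behaviour described above.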