[lxc-users] Create bridge between LXC Container and Ethernet device

Guido Jäkel G.Jaekel at DNB.DE
Sun Jan 3 10:45:28 UTC 2021


Dear Patrick,

a bridge is a router device at layer 2, not a layer 3 one! At layer 2, all routing is determined by the MAC addresses, not by the IP addresses. On the other hand, an interface is an L2-to-L3 connector: it will arbitrate between an L3 identifier (an IP) and an L2 identifier (a MAC).

In the vanilla case, you assign eth0 one or more (eth:foo) IP addresses. That means, in a certain kind of picture, that the "IP stack" is attached to the MAC address of eth0: all packets caught by this MAC will be passed up to layer 3 if the IP matches.

Next use case: you attach a Linux software bridge to an interface, say br0 to eth0. Then eth0 is not used for any L3 job anymore. It will act at L2 in promiscuous mode, i.e. it will accept packets for any IP. To (re-)connect your "host", you have to use the **additional**, "built-in" layer 3 device of the Linux software bridge. Here, you assign the well-known IP level parameters (address, netmask, gateway) in the same way as you did before. This setup will work with no difference from the vanilla case.

Now, you want to add an IP interface of an LXC container, that's at L3. You'll use a veth device for this. It's a kind of L2 crossover wire with two L3 interface connectors, one in each namespace, the host one and the container one. On the container side, you'll see it as an eth0 and, again, work with this at L3 in the well-known way. On the host side, you will attach it at L2 to the bridge br0 (and, again, don't use L3).

On the bridge, at L2, the routing is driven by the MAC. And in the same way as a switch acts, there is a MAC-to-IP table that will forward any packet that arrives at the bridge to the "right" attached outbound channel. Please play around with 'brctl show br0', 'brctl showmacs br0' and 'brctl showstp br0'.


In your case, you may:

* assign 1.2.3.4/24 to br0 instead of eth0, and leave the IP level of eth0 unconfigured
* assign 5.6.7.8/32 to the inner side of veth0, i.e. eth0 inside the container. In the same way as on the LXC host, use 1.2.3.1 as the gateway to send "all other packets" to.
* configure your external net so that the packets to 5.6.7.8 are forwarded to the (MAC of the) eth0 of the host.


Note: There are other ways to achieve the task of delivering packets to a container. But in contrast to the one described above, these are more "plumber" ones that use specific low-level things. You may e.g. act at the level of "iptables"; in comparison, this is like using a high-level programming language that compiles to assembler, which compiles to processor binary code.


I hope this picture gives you a good idea of it.


With best wishes for 2021 to you and all in this community,

Guido


On 01.01.21 20:57, Patrick wrote:
> Hi,
> 
> I'm trying to create a bridge device between my LXC Container and my Ethernet Device, which has 2 public IPs. The bridge device creation fails, as you can see here: https://paste.debian.net/hidden/c81c8832/. I want to bridge the LXC Container with the secondary IP address of the Ethernet interface. Does somebody have an idea how to do that?
> 
> Best Regards,
> Patrick

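As an added example (not code from Guido's post or from the LXC project), the three steps of the reply above as a dry-run shell script: it prints the `ip` commands for the host and for the container instead of executing them, so the plan can be reviewed and then run as root, and it adds a small check that reads `brctl showmacs` output to tell which bridge port learned the container's MAC. The addresses are the ones from the thread; the veth names veth0/veth0c, the container name `mycontainer`, the container MAC and the sample `showmacs` table are assumed or constructed. Step 3 (the upstream network forwarding 5.6.7.8 to the host's eth0 MAC) is on the provider's side and is not scripted.

```shell
#!/bin/sh
# Added example, not code from the mailing-list post. Dry-run generator for the
# bridge/veth setup described in the thread: it prints the commands instead of
# running them. Review the output and run it as root; the container-side block
# is meant to be run inside the container (e.g. via lxc-attach).
# Assumed names: veth0/veth0c, container "mycontainer", the container MAC and
# the constructed `brctl showmacs` table below. Addresses are those from the thread.

HOST_IF=eth0          # physical NIC, keeps no IP address once bridged
BRIDGE=br0
HOST_IP=1.2.3.4/24    # moves from eth0 to br0
GATEWAY=1.2.3.1
VETH_HOST=veth0       # host end of the veth pair, enslaved to br0 at L2
VETH_CT=veth0c        # container end (shows up as eth0 inside; name assumed)
CT_IP=5.6.7.8/32      # the container's public address, /32 as in the thread
CT_NAME=mycontainer   # assumed container name

# Step 1: move the L3 configuration from eth0 to the bridge's built-in device.
host_bridge_cmds() {
    printf '%s\n' \
        "ip link add name $BRIDGE type bridge" \
        "ip link set dev $BRIDGE up" \
        "ip addr add $HOST_IP dev $BRIDGE" \
        "ip link set dev $HOST_IF master $BRIDGE" \
        "ip addr flush dev $HOST_IF" \
        "ip link set dev $HOST_IF up" \
        "ip route replace default via $GATEWAY dev $BRIDGE"
}

# The veth "crossover wire": the host end joins br0 at L2; the container end
# is handed to the container's namespace (LXC does that itself when
# lxc.net.0.link = br0 is used instead of creating the pair by hand).
host_veth_cmds() {
    printf '%s\n' \
        "ip link add $VETH_HOST type veth peer name $VETH_CT" \
        "ip link set dev $VETH_HOST master $BRIDGE" \
        "ip link set dev $VETH_HOST up"
}

# Step 2: inside the container. With a /32 address the gateway is not on-link,
# so a device route to it must exist before the kernel accepts the default route.
container_cmds() {
    printf '%s\n' \
        "ip addr add $CT_IP dev eth0" \
        "ip link set dev eth0 up" \
        "ip route add $GATEWAY dev eth0" \
        "ip route add default via $GATEWAY dev eth0"
}

# Check: which bridge port learned a given MAC? Reads `brctl showmacs` output
# (columns: port no, mac addr, is local?, ageing timer) and prints the port
# number, or nothing if the MAC is not in the table. Case-insensitive.
port_for_mac() {
    printf '%s\n' "$1" | awk -v want="$(printf '%s' "$2" | tr 'A-F' 'a-f')" \
        'NR > 1 && tolower($2) == want { print $1; exit }'
}

# Constructed sample of `brctl showmacs br0`: port 1 is eth0, port 2 is veth0.
SAMPLE_SHOWMACS='port no  mac addr           is local?  ageing timer
  1      00:11:22:33:44:55  no            0.45
  1      aa:bb:cc:dd:ee:ff  yes           0.00
  2      02:42:ac:11:00:02  no           12.33'
CT_MAC=02:42:ac:11:00:02   # assumed MAC of the container's eth0

echo "# on the host, as root:"
host_bridge_cmds
host_veth_cmds
echo "# inside the container (e.g. lxc-attach -n $CT_NAME -- sh):"
container_cmds
echo "# step 3, upstream forwarding 5.6.7.8 to the host's eth0 MAC, is provider-side"
echo "# $CT_MAC is learned on bridge port: $(port_for_mac "$SAMPLE_SHOWMACS" "$CT_MAC")"
```

The explicit `ip route add 1.2.3.1 dev eth0` in the container is the one detail a /32 setup trips over: with no on-link subnet the kernel rejects `default via 1.2.3.1` until a route to the gateway exists. After bringing the bridge up, `brctl showmacs br0` (or `bridge fdb show br br0`) should list the container's MAC on the veth port; if it only ever shows up on the eth0 port, the veth end was not enslaved to br0.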
