Linux Bridges

2025-03-11 · 4 min read

Adding a bridge to a Linux host

Bridge

In the realm of hypervisors on Linux, it's more or less essential to understand bridge networking. I won't go over the ins and outs of bridges here; it's a deep topic with some debate about performance vs flexibility, using OVS vs the kernel bridge module, using OVS vs tc, etc. Each has its place, and this is not the right post to declare one better than the other.

Conceptually, a bridge is a switch: it controls traffic at layer 2. Typically, a bridge will have at least one physical interface and one or more virtual interfaces assigned to it. This allows creating new containers with virtual interfaces simply added to the bridge. It also allows me to be lazy and have containers show up on the "physical" subnet.

Incus creates a bridge for use by its own containers, but will create a separate subnet for them and NAT all virtual interfaces bound to said bridge. This isn't exactly ideal if you want to present services on an existing subnet, unless you set up a proxy and a bit of routing glue, but I don't need that.

A nice basic guide on Linux kernel bridges exists at this Debian wiki page. Bridging should be done with bridge-utils in this way:

brctl addbr br0
brctl show

Now you've got a new bridge br0, but you need to bind a physical interface to it if you want to talk to the outside world:

brctl addif br0 eno1

Now reassign the management IP from interface eno1 to the bridge. Your /etc/network/interfaces should look more or less like this, with different IP values:

auto lo
iface lo inet loopback

iface eno1 inet manual

auto br0
iface br0 inet static
address 10.10.10.4/24
gateway 10.10.10.1
bridge-ports eno1
bridge-stp off
bridge-fd 0
dns-domain your.domain.suffix
dns-nameservers <whatever your dns servers are>
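
A pre-flight check for the file above, as an added example that is not from the original post: it parses the stanzas and flags a bridge port that still carries its own IP configuration, or a bridge missing its `auto` line or address, before networking is restarted on a remotely managed host. The function names are hypothetical; backslash line continuations are not handled, and when an interface has several `iface` stanzas only the first method is kept.

```python
# Constructed sample: the eno1/br0 stanzas laid out as in the file above.
SAMPLE = """\
iface eno1 inet manual

auto br0
iface br0 inet static
    address 10.10.10.4/24
    gateway 10.10.10.1
    bridge-ports eno1
    bridge-stp off
    bridge-fd 0
"""

def parse_interfaces(text):
    """Return (names brought up at boot, {iface: {"method", "opts"}})."""
    auto, ifaces, current = set(), {}, None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):  # comments are whole lines
            continue
        if words[0] in ("auto", "allow-hotplug"):
            auto.update(words[1:])
            current = None
        elif words[0] == "iface" and len(words) >= 4:
            current = ifaces.setdefault(words[1], {"method": words[3], "opts": {}})
        elif current is not None:
            key = words[0].replace("_", "-")  # bridge_ports and bridge-ports both occur
            current["opts"][key] = " ".join(words[1:])
    return auto, ifaces

def check_bridges(text):
    """Return findings; an empty list means the layout matches the one above."""
    auto, ifaces = parse_interfaces(text)
    findings = []
    for name, cfg in ifaces.items():
        ports = cfg["opts"].get("bridge-ports", "").split()
        if not ports or ports == ["none"]:
            continue  # not a bridge, or a bridge with no physical port
        if name not in auto:
            findings.append(f"{name}: bridge is not brought up at boot (no auto line)")
        if cfg["method"] == "static" and "address" not in cfg["opts"]:
            findings.append(f"{name}: static bridge has no address")
        for port in ports:
            p = ifaces.get(port)
            if p and (p["method"] != "manual" or "address" in p["opts"]):
                findings.append(f"{port}: port of {name} still has its own IP config")
    return findings
```

To check the live file, pass the contents of /etc/network/interfaces to `check_bridges` and review any findings before restarting networking.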

I had to re-run incus admin init and specify the bridge used for networking to be br0. Be warned that this is literally like dropping each container interface on your local network, so Incus won't be managing any DNS or DHCP for these containers. You'll either have to specify hard-configured static IPs, or be lazy like me and make static reservations in your router's DHCP.

Jules