Bridge network¶
As one of the possible network configuration types under Incus, Incus supports creating and managing network bridges.
A network bridge creates a virtual L2 Ethernet switch that instance NICs can connect to, making it possible for them to communicate with each other and the host. Incus bridges can leverage underlying native Linux bridges and Open vSwitch.
The bridge
network type allows to create an L2 bridge that connects the instances that use it together into a single network L2 segment.
Bridges created by Incus are managed, which means that in addition to creating the bridge interface itself, Incus also sets up a local dnsmasq
process to provide DHCP, IPv6 route announcements and DNS services to the network.
By default, it also performs NAT for the bridge.
See How to configure your firewall for instructions on how to configure your firewall to work with Incus bridge networks.
Note
Static DHCP assignments depend on the client using its MAC address as the DHCP identifier. This method prevents conflicting leases when copying an instance, and thus makes statically assigned leases work properly.
IPv6 prefix size¶
If you’re using IPv6 for your bridge network, you should use a prefix size of 64.
Larger subnets (i.e., using a prefix smaller than 64) should work properly too, but they aren’t typically that useful for SLAAC.
Smaller subnets are in theory possible (when using stateful DHCPv6 for IPv6 allocation), but they aren’t properly supported by dnsmasq
and might cause problems.
If you must create a smaller subnet, use static allocation or another standalone router advertisement daemon.
Configuration options¶
The following configuration key namespaces are currently supported for the bridge
network type:
bgp
(BGP peer configuration)bridge
(L2 interface configuration)dns
(DNS server and resolution configuration)ipv4
(L3 IPv4 configuration)ipv6
(L3 IPv6 configuration)security
(network ACL configuration)raw
(raw configuration file content)tunnel
(cross-host tunneling configuration)user
(free-form key/value for user metadata)
Note
Incus uses the CIDR notation where network subnet information is required, for example, 192.0.2.0/24
or 2001:db8::/32
. This does not apply to cases where a single address is required, for example, local/remote addresses of tunnels, NAT addresses or specific addresses to apply to an instance.
The following configuration options are available for the bridge
network type:
Key |
Type |
Condition |
Default |
Description |
---|---|---|---|---|
|
string |
BGP server |
- |
Peer address (IPv4 or IPv6) |
|
integer |
BGP server |
- |
Peer AS number |
|
string |
BGP server |
- (no password) |
Peer session password (optional) |
|
integer |
BGP server |
|
Peer session hold time (in seconds; optional) |
|
string |
BGP server |
local address |
Override the next-hop for advertised prefixes |
|
string |
BGP server |
local address |
Override the next-hop for advertised prefixes |
|
string |
- |
|
Bridge driver: |
|
string |
- |
- |
Comma-separated list of unconfigured network interfaces to include in the bridge |
|
string |
- |
- |
MAC address for the bridge |
|
integer |
- |
|
Bridge MTU (default varies if tunnel in use) |
|
string |
- |
|
Domain to advertise to DHCP clients and use for DNS resolution |
|
string |
- |
|
DNS registration mode: |
|
string |
- |
- |
Full comma-separated domain search list, defaulting to |
|
string |
- |
|
Comma-separated list of DNS zone names for forward DNS records |
|
string |
- |
|
DNS zone name for IPv4 reverse DNS records |
|
string |
- |
|
DNS zone name for IPv6 reverse DNS records |
|
string |
standard mode |
- (initial value on creation: |
IPv4 address for the bridge (use |
|
bool |
IPv4 address |
|
Whether to allocate addresses using DHCP |
|
string |
IPv4 DHCP |
|
When to expire DHCP leases |
|
string |
IPv4 DHCP |
IPv4 address |
Address of the gateway for the subnet |
|
string |
IPv4 DHCP |
all addresses |
Comma-separated list of IP ranges to use for DHCP (FIRST-LAST format) |
|
bool |
IPv4 address |
|
Whether to generate filtering firewall rules for this network |
|
bool |
IPv4 address |
|
Whether to NAT |
|
string |
IPv4 address |
- |
The source address used for outbound traffic from the bridge |
|
string |
IPv4 address |
|
Whether to add the required NAT rules before or after any pre-existing rules |
|
string |
- |
- |
Comma-separated list of IPv4 ranges to use for child OVN network routers (FIRST-LAST format) |
|
string |
IPv4 address |
- |
Comma-separated list of additional IPv4 CIDR subnets to route to the bridge |
|
bool |
IPv4 address |
|
Whether to route traffic in and out of the bridge |
|
string |
standard mode |
- (initial value on creation: |
IPv6 address for the bridge (use |
|
bool |
IPv6 address |
|
Whether to provide additional network configuration over DHCP |
|
string |
IPv6 DHCP |
|
When to expire DHCP leases |
|
string |
IPv6 stateful DHCP |
all addresses |
Comma-separated list of IPv6 ranges to use for DHCP (FIRST-LAST format) |
|
bool |
IPv6 DHCP |
|
Whether to allocate addresses using DHCP |
|
bool |
IPv6 address |
|
Whether to generate filtering firewall rules for this network |
|
bool |
IPv6 address |
|
Whether to NAT |
|
string |
IPv6 address |
- |
The source address used for outbound traffic from the bridge |
|
string |
IPv6 address |
|
Whether to add the required NAT rules before or after any pre-existing rules |
|
string |
- |
- |
Comma-separated list of IPv6 ranges to use for child OVN network routers (FIRST-LAST format) |
|
string |
IPv6 address |
- |
Comma-separated list of additional IPv6 CIDR subnets to route to the bridge |
|
bool |
IPv6 address |
|
Whether to route traffic in and out of the bridge |
|
string |
- |
- |
Additional |
|
string |
- |
- |
Comma-separated list of Network ACLs to apply to NICs connected to this network (see Bridge limitations) |
|
string |
|
|
Action to use for egress traffic that doesn’t match any ACL rule |
|
bool |
|
|
Whether to log egress traffic that doesn’t match any ACL rule |
|
string |
|
|
Action to use for ingress traffic that doesn’t match any ACL rule |
|
bool |
|
|
Whether to log ingress traffic that doesn’t match any ACL rule |
|
string |
|
|
Multicast address for |
|
integer |
|
|
Specific tunnel ID to use for the |
|
string |
|
- |
Specific host interface to use for the tunnel |
|
string |
|
- |
Local address for the tunnel (not necessary for multicast |
|
integer |
|
|
Specific port to use for the |
|
string |
standard mode |
- |
Tunneling protocol: |
|
string |
|
- |
Remote address for the tunnel (not necessary for multicast |
|
integer |
|
|
Specific TTL to use for multicast routing topologies |
|
string |
- |
- |
User-provided free-form key/value pairs |
Note
The bridge.external_interfaces
option supports an extended format allowing the creation of missing VLAN interfaces.
The extended format is <interfaceName>/<parentInterfaceName>/<vlanId>
.
When the external interface is added to the list with the extended format, the system will automatically create the interface upon the network’s creation and subsequently delete it when the network is terminated. The system verifies that the <interfaceName>
does not already exist. If the interface name is in use with a different parent or VLAN ID, or if the creation of the interface is unsuccessful, the system will revert with an error message.
Supported features¶
The following features are supported for the bridge
network type: