Simple addition of VEB right before BRIDGE. All text is copied from other already existing sections, i.e. link flag handling from TPMR and the rest from BIDGE.
Contrary to BRIDGE, I deliberately added a synopsis for VEB such that there's a simple overwie, especially since veb(4) currently does not explain *how* to use the described features. While TPMR and VEB use the same wording for link flags, their semantics are different, i.e. both different flags and swapped polarity for those flags. Feedback? OK? Index: ifconfig.8 =================================================================== RCS file: /cvs/src/sbin/ifconfig/ifconfig.8,v retrieving revision 1.365 diff -u -p -r1.365 ifconfig.8 --- ifconfig.8 9 Mar 2021 19:39:20 -0000 1.365 +++ ifconfig.8 9 Mar 2021 19:40:33 -0000 @@ -529,6 +529,104 @@ WoL frames are sent using Disable WoL. WoL is disabled at boot by the driver, if possible. .El +.Sh VEB +.nr nS 1 +.Bk -words +.Nm ifconfig +.Ar veb-interface +.Op Cm add Ar child-iface +.Op Cm addspan Ar child-iface +.Op Cm del Ar child-iface +.Op Cm delspan Ar child-iface +.Op Oo Fl Oc Ns Cm discover Ar child-iface +.It Oo Fl Oc Ns Cm learn Ar child-iface +.Op Oo Fl Oc Ns Cm link0 +.Op Oo Fl Oc Ns Cm link1 +.Op Oo Fl Oc Ns Cm protected Ar child-iface ids +.Ek +.nr nS 0 +.Pp +The following options are available for a +.Xr veb 4 +interface: +.Bl -tag -width Ds +.It Cm add Ar child-iface +Add +.Ar child-iface +as a member. +.It Cm addspan Ar child-iface +Add +.Ar child-iface +as a span port on the bridge. +.It Cm del Ar child-iface +Remove the member +.Ar child-iface . +.It Cm delspan Ar child-iface +Delete +.Ar child-iface +from the list of span ports of the bridge. +.It Cm discover Ar child-iface +Mark +.Ar child-iface +so that packets are sent out of the interface +if the destination port of the packet is unknown. +If the bridge has no address cache entry for the destination of +a packet, meaning that there is no static entry and no dynamically learned +entry for the destination, the bridge will forward the packet to all member +interfaces that have this flag set. +This is the default for interfaces added to the bridge. +.It Cm -discover Ar child-iface +Mark +.Ar child-iface +so that packets are not sent out of the interface +if the destination port of the packet is unknown. +Turning this flag +off means that the bridge will not send packets out of this interface +unless the packet is a broadcast packet, multicast packet, or a +packet with a destination address found on the interface's segment. +This, in combination with static address cache entries, +prevents potentially sensitive packets from being sent on +segments that have no need to see the packet. +.It Cm learn Ar child-iface +Mark +.Ar child-iface +so that the source address of packets received from +the interface +are entered into the address cache. +This is the default for interfaces added to the bridge. +.It Cm -learn Ar child-iface +Mark +.Ar child-iface +so that the source address of packets received from interface +are not entered into the address cache. +.It Cm link0 +Disable the filtering of 802.1Q VLAN and QinQ SVLAN packets. +.It Cm -link0 +Enable the filtering of 802.1Q VLAN and QinQ SVLAN packets. +Packets will appear to enter or leave the member port interfaces. +This is the default. +.It Cm link1 +Enable the filtering of IPv4 and IPv6 packets with +.Xr pf 4 . +.It Cm -link1 +Disable the filtering of IPv4 and IPv6 packets with +.Xr pf 4 . +This is the default. +.It Cm protected Ar child-iface ids +Put +.Ar interface +in protected domains. +.Ar ids +is a comma delimited list of domain IDs, between 1 and 31, to put the +interface in. +Interfaces that are part of a protected domain cannot forward traffic to any +other interface in that domain. +Interfaces do not belong to any protected domain by default. +.It Cm -protected Ar child-iface +Remove +.Ar child-iface +from all protected domains. +.El .Sh BRIDGE The following options are available for a .Xr bridge 4
