Simon Walter <simon@???> writes:
> After some testing, I have a question about an option in
> /etc/default/shorewall:
> wait_interface
> If I add the bridge interface to that line, shorewall will not start
> unless a container is brought up. I suppose that is why I was thinking
> of bridging the bridge interface with a tap interface so that it's
> always available.
>
> It seems that bridges do not start with ifup (-a) unless one of their
> bridged interfaces is up.
Quoting from bridge-utils-interfaces(5):

    bridge_ports interface specification
        this option must exist for the scripts to setup the
        bridge, with it you specify the ports you want to add to
        your bridge, either using "none" if you want a bridge
        without any interfaces or you want to add them later using
        brctl, or a list of the interfaces you want to add
        separated by spaces
IOW, the way to configure a bridge with no interfaces assigned by
default via /etc/network/interfaces is:
    auto bridge
    iface bridge inet manual
        bridge_fd 0
        bridge_stp 0
        bridge_ports none
The additional two lines disable the spanning-tree protocol. That's
usually sensible unless one deals with a complicated physical topology
which may or does contain loops. Then, it's needed so that the bridge
can work out a loop-less virtual topology utilizing the existing
physical one.
Interfaces supposed to be used as bridge ports don't have to be up. The
bridge manages this, IOW, it will initially disable all newly assigned
ports and enable or disable them as required to implement the
negotiated, virtual topology (if STP is being used) after the
'forwarding delay' (bridge_fd) has passed.
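The port-less stanza and the later "add ports with brctl" step, as an added shell example that is not part of this thread or of bridge-utils: it parses a constructed /etc/network/interfaces (the file content below is made up for the example) to tell bridges whose bridge_ports names a specific interface apart from port-less ones, and it shows the ip(8) equivalent of the stanza for creating such a bridge by hand. The interface names, the sample file and the helper function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes the
# bridge-utils-interfaces(5) syntax: an "iface NAME inet ..." line followed
# by indented "bridge_ports ..." / "bridge_stp ..." option lines.

# Constructed sample /etc/network/interfaces (not a real host's file).
SAMPLE_INTERFACES='auto lo
iface lo inet loopback

# bridge whose only port is a container-side interface
auto br-lxc
iface br-lxc inet manual
    bridge_ports vethfoo
    bridge_stp on

# always-available bridge, ports added later with brctl addif
auto bridge
iface bridge inet manual
    bridge_fd 0
    bridge_stp 0
    bridge_ports none
'

# list_bridges CONTENT: one "name|ports|stp" line per stanza that has a
# bridge_ports option; stp is "unset" when no bridge_stp line is present.
list_bridges() {
    printf '%s\n' "$1" | awk '
        function flush() { if (ports != "") print name "|" ports "|" stp }
        /^iface /             { if (name != "") flush(); name = $2; ports = ""; stp = "unset" }
        /^[ \t]+bridge_ports/ { $1 = ""; sub(/^[ \t]+/, ""); ports = $0 }
        /^[ \t]+bridge_stp/   { stp = $2 }
        END                   { if (name != "") flush() }
    '
}

# Bridges configured with "bridge_ports none": they need no other
# interface to exist, so a firewall that waits for them can rely on them.
portless_bridges() {
    list_bridges "$1" | awk -F'|' '$2 == "none" { print $1 }'
}

# Bridges tied to named ports, e.g. a container veth; these are the ones
# to look at when a bridge is missing after "ifup -a" on a host with no
# container running.
port_dependent_bridges() {
    list_bridges "$1" | awk -F'|' '$2 != "none" { print $1 " needs " $2 }'
}

# ip(8) equivalent of the port-less stanza (needs root). The brctl form
# would be: brctl addbr NAME; brctl stp NAME off; brctl setfd NAME 0
make_portless_bridge() {
    ip link add name "$1" type bridge stp_state 0 forward_delay 0
    ip link set dev "$1" up
}

# Enslave a port afterwards (brctl addif NAME PORT); the bridge, not the
# caller, decides when the port starts forwarding.
add_bridge_port() {
    ip link set dev "$2" master "$1"
    ip link set dev "$2" up
}

# Top level: audit the sample; "apply NAME" as root creates the bridge.
if [ "${1:-}" = apply ] && [ "$(id -u)" = 0 ]; then
    make_portless_bridge "${2:-bridge}"
else
    printf 'name|ports|stp\n'
    list_bridges "$SAMPLE_INTERFACES"
    printf 'port-less: %s\n' "$(portless_bridges "$SAMPLE_INTERFACES")"
    port_dependent_bridges "$SAMPLE_INTERFACES"
fi
```

Run it without arguments to see which stanzas in the sample depend on a named port; point list_bridges at "$(cat /etc/network/interfaces)" to audit a real host.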