From owner-freebsd-pf@freebsd.org  Sun Oct 11 11:16:10 2015
Return-Path: <owner-freebsd-pf@freebsd.org>
Delivered-To: freebsd-pf@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id AB115A11186
 for <freebsd-pf@mailman.ysv.freebsd.org>; Sun, 11 Oct 2015 11:16:10 +0000 (UTC)
 (envelope-from milosz.kaniewski@gmail.com)
Received: from mail-vk0-x22d.google.com (mail-vk0-x22d.google.com
 [IPv6:2607:f8b0:400c:c05::22d])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (Client CN "smtp.gmail.com",
 Issuer "Google Internet Authority G2" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 69B4368F
 for <freebsd-pf@freebsd.org>; Sun, 11 Oct 2015 11:16:10 +0000 (UTC)
 (envelope-from milosz.kaniewski@gmail.com)
Received: by vkat63 with SMTP id t63so73415707vka.1
 for <freebsd-pf@freebsd.org>; Sun, 11 Oct 2015 04:16:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
 h=mime-version:date:message-id:subject:from:to:content-type;
 bh=RBDrdNaLsoD8OJGQTrdQqDCfoL1pq+nUuCJDJ7Xtjcc=;
 b=DNOIMqlqEpsMIrWrARs7qxXE+QyGOMdnEKeW7jryIj50NnOLrqJTiKUuNcit66wSF7
 T0bIUh+E6TXsI586Oe10OcDtC1y5FzozbqCUg2Fu+ZIXstNeq79wSi/hCjrKw4fhfB8Y
 0louQtRcgUIxKKltjNJ7ib6hCClJyCD4JYfsqMMfnUqhZIdQ7mrstAuStZDPfEAD8UAr
 MLb9CwjxfN+jOAbg9Rjh3V98GtdgQ/YUK5730dlrJC/Rtj6qkLEd6EgTxnn+zjJ/wZRk
 SmAmKyQmuBo24UoGbDxyYKbVH0AFUlk3ai8FwWouY0bHfPuZMjHNHSz1/Z3J1df82QFT
 kf8w==
MIME-Version: 1.0
X-Received: by 10.31.49.67 with SMTP id x64mr14902858vkx.133.1444562168743;
 Sun, 11 Oct 2015 04:16:08 -0700 (PDT)
Received: by 10.31.232.197 with HTTP; Sun, 11 Oct 2015 04:16:08 -0700 (PDT)
Date: Sun, 11 Oct 2015 13:16:08 +0200
Message-ID: <CAC4mxp5ar-Kvp5238VRfKEL6FiVOg7XXzmv8fE-zdEFYRk7cAw@mail.gmail.com>
Subject: Creating span interface using 'dup-to' option
From: =?UTF-8?Q?Mi=C5=82osz_Kaniewski?= <milosz.kaniewski@gmail.com>
To: freebsd-pf@freebsd.org
Content-Type: text/plain; charset=UTF-8
X-Content-Filtered-By: Mailman/MimeDel 2.1.20
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
 \(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-pf>,
 <mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf/>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
 <mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 11 Oct 2015 11:16:10 -0000

uname -a:
FreeBSD freebsd11_master.kvm 11.0-CURRENT FreeBSD 11.0-CURRENT #0 r285616:
Thu Jul 16 02:21:59 UTC 2015
root@releng2.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC
 amd64


+----------+        +-----------+        +----------+
|          |     em0|           |em1     |          |
|  host1   +--------+  FreeBSD  +--------+  host2   |
|          |        |           |        |          |
+----------+        +-----------+        +----------+
                          |em2
                          |
                          |
                          v

Hi,

I have FreeBSD machine which forwards packets between host1 and host2. This
machine has also an additional interface (em2) which act as span interface
- all traffic between host1 and host2 is copied into it.
To achieve this scenario I can set bridge with em0 and em1 as members and
em2 as span interface. But I would like to get same result using pf
instead. So I tried to use this rules:

pass out on em0 dup-to em2 no state
pass out on em1 dup-to em2 no state

But it doesn't work. No packets appear on interface em2. I've checked same
configuration on OpenBSD and everything worked well.
Is there any difference in setting dup-to rule in FreeBSD and OpenBSD pf?

Thanks for help.

Best regards.