From owner-freebsd-net@FreeBSD.ORG Wed Aug 29 11:14:20 2007
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 1374C16A419; Wed, 29 Aug 2007 11:14:20 +0000 (UTC) (envelope-from jon.otterholm@ide.resurscentrum.se)
Received: from mail1.cil.se (mail1.cil.se [217.197.56.125]) by mx1.freebsd.org (Postfix) with ESMTP id 84BCA13C458; Wed, 29 Aug 2007 11:14:19 +0000 (UTC) (envelope-from jon.otterholm@ide.resurscentrum.se)
Received: from onob2.irc.local ([192.168.2.10]) by mail1.cil.se with Microsoft SMTPSVC(6.0.3790.1830); Wed, 29 Aug 2007 13:14:17 +0200
Message-ID: <46D5550C.6020209@ide.resurscentrum.se>
Date: Wed, 29 Aug 2007 13:14:20 +0200
From: Jon Otterholm
User-Agent: Thunderbird 2.0.0.0 (X11/20070614)
MIME-Version: 1.0
To: freebsd-net@freebsd.org, Andrew Thompson
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 29 Aug 2007 11:14:17.0374 (UTC) FILETIME=[BD4D5BE0:01C7EA2D]
Cc:
Subject: if_bridge and filtering on member interface
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 29 Aug 2007 11:14:20 -0000

Hi.

It seems that filtering on member interfaces is a bit buggy at the moment.
For testing I tried to use the following 3 rules to block traffic using PF:

The following works and blocks traffic:

block log quick on bridge0 from xx.xx.xx.xx to any

The following does not work:

block log quick on em0.400 from xx.xx.xx.xx to any

The following does not work either:

block log quick on em0.400 from any to any

su-2.05b# ifconfig bridge0 | more
bridge0: flags=8843 mtu 1500
        inet xx.xx.xx.xx netmask 0xfffffe00 broadcast xx.xx.xx.xx
        inet xx.xx.xx.xx netmask 0xffffff80 broadcast xx.xx.xx.xx
        ether XX:XX:XX:XX:XX:XX
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto stp maxaddr 500 timeout 1200
        root id 00:00:00:00:00:00 priority 0 ifcost 0 port 0
        member: em0.400 flags=9c0

su-2.05b# sysctl net.link.bridge
net.link.bridge.ipfw: 0
net.link.bridge.log_stp: 0
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 1
net.link.bridge.ipfw_arp: 0
net.link.bridge.pfil_onlyip: 0

su-2.05b# uname -a
FreeBSD hostname.domain 6.2-STABLE FreeBSD 6.2-STABLE #6: Mon Aug 20 11:48:40 CEST 2007

Anything I missed? According to if_bridge(4) I am supposed to be able to block traffic on the interface it enters, on the bridge and on the interface it leaves.

//JO
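The mail above pairs three pf rules with the bridge's member list and the net.link.bridge sysctls. The script below is an added example, not code from the mail or from the FreeBSD project: it cross-checks every interface a ruleset filters "on" against the bridge membership and the pfil_member / pfil_bridge sysctls, so a rule that the bridge would never consult is reported rather than silently passing traffic. It assumes, as the sysctl names and if_bridge(4) indicate, that net.link.bridge.pfil_member must be 1 for rules on a member interface to be consulted and net.link.bridge.pfil_bridge must be 1 for rules on the bridge itself. The three inputs are constructed strings mirroring the mail (with the documentation address 192.0.2.1 standing in for the redacted one) so the script runs offline; on a real host they would be taken from `sysctl net.link.bridge`, `ifconfig bridge0` and `pfctl -sr`.

```shell
#!/bin/sh
# Added example, not code from the original mail: cross-check which interfaces
# a pf ruleset filters "on" against the bridge's member list and the
# net.link.bridge.pfil_* sysctls, so that a rule that can never be consulted
# is reported instead of silently passing traffic.
#
# The three inputs below are constructed strings mirroring the mail, so the
# script runs offline. On a real host they would come from
# `sysctl net.link.bridge`, `ifconfig bridge0` and `pfctl -sr`; 192.0.2.1 is a
# documentation address standing in for the redacted one.

SYSCTL_OUT='net.link.bridge.ipfw: 0
net.link.bridge.log_stp: 0
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 1
net.link.bridge.ipfw_arp: 0
net.link.bridge.pfil_onlyip: 0'

IFCONFIG_OUT='bridge0: flags=8843 mtu 1500
        ether 00:00:00:00:00:00
        member: em0.400 flags=9c0'

RULES='block log quick on bridge0 from 192.0.2.1 to any
block log quick on em0.400 from 192.0.2.1 to any
block log quick on em0.400 from any to any'

# sysctl_value NAME: print the value of net.link.bridge.NAME from SYSCTL_OUT.
sysctl_value() {
    printf '%s\n' "$SYSCTL_OUT" |
        awk -v k="net.link.bridge.$1:" '$1 == k { print $2 }'
}

# bridge_name: the interface name on the first ifconfig line, colon stripped.
bridge_name() {
    printf '%s\n' "$IFCONFIG_OUT" | awk 'NR == 1 { sub(":$", "", $1); print $1 }'
}

# bridge_members: one member interface per line, taken from the "member:" lines.
bridge_members() {
    printf '%s\n' "$IFCONFIG_OUT" | awk '$1 == "member:" { print $2 }'
}

# rule_ifaces: the interface following "on" in each rule, one per line.
rule_ifaces() {
    printf '%s\n' "$RULES" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "on") print $(i + 1) }'
}

# check_rule_iface IFACE: print "ok" and return 0 when rules on IFACE can be
# consulted given the sysctls; otherwise print the reason and return 1.
check_rule_iface() {
    iface=$1
    if [ "$iface" = "$(bridge_name)" ]; then
        [ "$(sysctl_value pfil_bridge)" = "1" ] && { echo ok; return 0; }
        echo "pfil_bridge=0: rules on $iface are never consulted"
        return 1
    fi
    if bridge_members | grep -qxF "$iface"; then
        [ "$(sysctl_value pfil_member)" = "1" ] && { echo ok; return 0; }
        echo "pfil_member=0: rules on member $iface are never consulted"
        return 1
    fi
    echo "$iface is neither the bridge nor one of its members"
    return 1
}

# check_all: run the check once for every interface named in RULES.
check_all() {
    rule_ifaces | sort -u | while read -r i; do
        printf '%s: %s\n' "$i" "$(check_rule_iface "$i")"
    done
}

check_all
```

With the inputs as constructed here both bridge0 and em0.400 report "ok", which matches the mail's point: the sysctls are set for filtering on members, so the non-matching em0.400 rules are not explained by a misconfigured sysctl. Flipping pfil_member to 0 in SYSCTL_OUT makes the script flag both em0.400 rules, which is the misconfiguration the check exists to catch.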