From owner-freebsd-net@FreeBSD.ORG  Fri Nov 18 14:50:48 2005
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
X-Original-To: freebsd-net@freebsd.org
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id B3F3316A424
	for <freebsd-net@freebsd.org>; Fri, 18 Nov 2005 14:50:48 +0000 (GMT)
	(envelope-from ucsaba@freemail.hu)
Received: from fmx11.freemail.hu (fmx11.freemail.hu [195.228.245.61])
	by mx1.FreeBSD.org (Postfix) with SMTP id D1AC543D45
	for <freebsd-net@freebsd.org>; Fri, 18 Nov 2005 14:50:47 +0000 (GMT)
	(envelope-from ucsaba@freemail.hu)
Received: (qmail 76096 invoked from network); 18 Nov 2005 15:50:45 +0100
Received: from fm12.freemail.hu (195.228.245.112)
	by fmx11.freemail.hu with SMTP; 18 Nov 2005 15:50:45 +0100
Received: (qmail 52211 invoked by uid 227048); 18 Nov 2005 15:50:42 +0100
Date: Fri, 18 Nov 2005 15:50:42 +0100 (CET)
From: Csaba Urban <ucsaba@freemail.hu>
To: freebsd-net@freebsd.org
Message-ID: <freemail.20051018155042.52205@fm12.freemail.hu>
X-Originating-IP: [85.159.48.68]
X-HTTP-User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=ISO-8859-2
Content-Transfer-Encoding: QUOTED-PRINTABLE
X-Freemail: message scanned
Subject: PF rule on bridged interface won't match
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Nov 2005 14:50:48 -0000

Hi,

I can't have packets match on PF rules on a member of if_bridge if it is=20
not bridged but comes from an other IP interface. Bridged packets=20
match correctly.

bridge0: flags=3D8041<UP,RUNNING,MULTICAST> mtu 1500
        inet 192.168.1.1 netmask 0xffffffe0
        ether ac:de:48:af:bc:8f
        priority 32768 hellotime 2 fwddelay 15 maxage 20
        member: vlan3 flags=3D3<LEARNING,DISCOVER>
        member: vlan2 flags=3D3<LEARNING,DISCOVER>
        member: vlan1 flags=3D3<LEARNING,DISCOVER>

PF rule:
pass in on vlan1 all
pass out on vlan1 all

This rule matches only if traffic is bridged (goes directly layer2 from=20
vlan1 to vlan2 or vlan3). If it is delivered to the IP layer or it comes fr=
om=20
there then it won't match.
The appropriate sysctls (net.link.bridge.pfil_member and=20
net.link.bridge.pfil_bridge) are set.

Any ideas?


csaba
=0A=0A_____________________________________________________________________=
__=0ARendelj k=E9pet =E9s nyerj=E9l g=E9pet a T-Online Fot=F3t=E1r=E1val de=
cember 15-ig.=0Ahttp://www.t-online.hu=0A=0A