From owner-freebsd-net@FreeBSD.ORG  Sat Nov 19 20:33:42 2005
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
X-Original-To: freebsd-net@freebsd.org
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id DD9D416A41F
	for <freebsd-net@freebsd.org>; Sat, 19 Nov 2005 20:33:42 +0000 (GMT)
	(envelope-from thompsa@freebsd.org)
Received: from heff.fud.org.nz (60-234-149-201.bitstream.orcon.net.nz
	[60.234.149.201])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 6C66243D70
	for <freebsd-net@freebsd.org>; Sat, 19 Nov 2005 20:33:38 +0000 (GMT)
	(envelope-from thompsa@freebsd.org)
Received: by heff.fud.org.nz (Postfix, from userid 1001)
	id 869E12841A; Sun, 20 Nov 2005 09:33:37 +1300 (NZDT)
Date: Sun, 20 Nov 2005 09:33:37 +1300
From: Andrew Thompson <thompsa@freebsd.org>
To: Csaba Urban <ucsaba@freemail.hu>
Message-ID: <20051119203337.GA804@heff.fud.org.nz>
References: <freemail.20051018155042.52205@fm12.freemail.hu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <freemail.20051018155042.52205@fm12.freemail.hu>
User-Agent: Mutt/1.5.11
Cc: freebsd-net@freebsd.org
Subject: Re: PF rule on bridged interface won't match
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 19 Nov 2005 20:33:43 -0000

On Fri, Nov 18, 2005 at 03:50:42PM +0100, Csaba Urban wrote:
> Hi,
> 
> I can't have packets match on PF rules on a member of if_bridge if it is 
> not bridged but comes from an other IP interface. Bridged packets 
> match correctly.
> 
> bridge0: flags=8041<UP,RUNNING,MULTICAST> mtu 1500
>         inet 192.168.1.1 netmask 0xffffffe0
>         ether ac:de:48:af:bc:8f
>         priority 32768 hellotime 2 fwddelay 15 maxage 20
>         member: vlan3 flags=3<LEARNING,DISCOVER>
>         member: vlan2 flags=3<LEARNING,DISCOVER>
>         member: vlan1 flags=3<LEARNING,DISCOVER>
> 
> PF rule:
> pass in on vlan1 all
> pass out on vlan1 all
> 
> This rule matches only if traffic is bridged (goes directly layer2 from 
> vlan1 to vlan2 or vlan3). If it is delivered to the IP layer or it comes from 
> there then it won't match.

This is how its currently implemented. You can match locally generated
packets on the bridge0 interface, is that sufficient for your setup?


Andrew