From: Andrea Venturoli
Date: Thu, 11 Sep 2025 16:58:57 +0200
Subject: Re: Help with bridge and new IP requirements
To: freebsd-net@freebsd.org
Cc: Ronald Klop
List-Archive: https://lists.freebsd.org/archives/freebsd-net

On 9/11/25 10:47, Ronald Klop wrote:
> Hi,
>
> I can do:
>
> sysctl net.link.bridge.pfil_member=1
> ipfw add 150 deny ip from any to any via epair4a
>
> And then my jail which uses epair4b does not get any traffic anymore.
>
> I don't have any other bridge settings apart from:
> net.link.bridge.member_ifaddrs=0 (so no IP address on the bridge members)
>
> This is running on 16-CURRENT which is of course still similar to 15
> nowadays.
>
> Does this help?

Thanks for your answer.
I'll have to check.

Currently I'm on 14.3, where everything still works with an IP on the member interface (vlan1).
I'm testing moving the IP on the bridge in preparation for 15.

On 14, I didn't try "deny" as you suggest, but "allow" (via with the member interface) does not work.
It's possible 15 is different.

I guess I'll need to put up a VM and make some tests.

 bye & Thanks
 av.