From owner-freebsd-ipfw@FreeBSD.ORG  Fri Oct 15 20:53:46 2004
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id A697116A4CE
	for <freebsd-ipfw@freebsd.org>; Fri, 15 Oct 2004 20:53:46 +0000 (GMT)
Received: from tyberius.abccom.bc.ca (tyberius.abccom.bc.ca [204.239.167.97])
	by mx1.FreeBSD.org (Postfix) with SMTP id 1F32E43D66
	for <freebsd-ipfw@freebsd.org>; Fri, 15 Oct 2004 20:53:46 +0000 (GMT)
	(envelope-from jon@abccom.bc.ca)
Received: (qmail 58345 invoked by uid 1000); 15 Oct 2004 20:53:10 -0000
Received: from localhost (sendmail-bs@127.0.0.1)
  by localhost with SMTP; 15 Oct 2004 20:53:10 -0000
Date: Fri, 15 Oct 2004 13:53:10 -0700 (PDT)
From: Jon Simola <jon@abccom.bc.ca>
To: Andrew Friedley <saai@uni.edu>
In-Reply-To: <20041015185302.GA27894@thor>
Message-ID: <20041015134812.A57067-100000@tyberius.abccom.bc.ca>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw with bridging
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Oct 2004 20:53:46 -0000

On Fri, 15 Oct 2004, Andrew Friedley wrote:

> What i need to do is to be able to drop or accept packets based on the
> interface they came in on, the interface they are going out on, and their
> source mac address.
>
> Matching on source mac addresses is no problem, nor is matching on the
> interface a packet comes in on.  However, i am unable to write a rule that
> matches packets going out on a specific interface.  Is this possible?

Not on a bridge as packets take the bdg_forward path. "out via xl2 layer2"
can only match packets going through ether_output_frame.

Check the man page, there's a great ascii drawing of how it works in the
PACKET FLOW section.

You may be able to get some similar functionality to what you desire using
bridge groups.

---
Jon Simola <jon@abccom.bc.ca> | "In the near future - corporate networks
    Systems Administrator     |  reach out to the stars, electrons and light
     ABC  Communications      |  flow throughout the universe." -- GITS