From owner-freebsd-pf@FreeBSD.ORG  Thu Apr  4 19:05:49 2013
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by hub.freebsd.org (Postfix) with ESMTP id 38118288
 for <freebsd-pf@freebsd.org>; Thu,  4 Apr 2013 19:05:49 +0000 (UTC)
 (envelope-from kpaasial@gmail.com)
Received: from mail-we0-x231.google.com (mail-we0-x231.google.com
 [IPv6:2a00:1450:400c:c03::231])
 by mx1.freebsd.org (Postfix) with ESMTP id CA4AD8AB
 for <freebsd-pf@freebsd.org>; Thu,  4 Apr 2013 19:05:48 +0000 (UTC)
Received: by mail-we0-f177.google.com with SMTP id o45so2285623wer.8
 for <freebsd-pf@freebsd.org>; Thu, 04 Apr 2013 12:05:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
 h=mime-version:x-received:in-reply-to:references:date:message-id
 :subject:from:to:cc:content-type;
 bh=Lo6nmYFM9HanYG3Fq1AaYJG78fhVUYzGsPTrI40H7vA=;
 b=FYNKdqhMqyGkilfDRE4s5rnbwy27WKeVwRA2p4/r6ezfZotmquo5EGpZSApfTpv+W5
 JsBFYohcALO0jlmJNvH60guBtu1AoS32VrnzSsoFhzwmgO4vPQu7bPbFcLWM9zT74bNO
 GfK06Nl6pU/1BFrZTsc0rfK4cQjd3jLnXNT1OCw0/Xhx6/3EQP3vhcDjGbDrF0ADJT4s
 3COEwXYpm/r17PL40v/z6hb/nKkfbwY8B1fLvZcgBADCOdMPjZo5iODEqcKqsRi66vLS
 MlgDZmWz1RYXbmkpvrhPINmudBlY7etZaY1lDTAoI8U8IP1Wew9FwkcBrga2gQhljNsw
 642w==
MIME-Version: 1.0
X-Received: by 10.194.60.195 with SMTP id j3mr11521783wjr.33.1365102347982;
 Thu, 04 Apr 2013 12:05:47 -0700 (PDT)
Received: by 10.216.139.72 with HTTP; Thu, 4 Apr 2013 12:05:47 -0700 (PDT)
In-Reply-To: <515DCCD2.3010102@gibfest.dk>
References: <515D8F9D.3080001@innolan.dk>
	<515DCCD2.3010102@gibfest.dk>
Date: Thu, 4 Apr 2013 22:05:47 +0300
Message-ID: <CA+7WWSe5RYSa18UWwJ+ErFqWqA4wk=WjdyRW185Exa2xdFkBkA@mail.gmail.com>
Subject: Re: Filtering bridge with pf.
From: Kimmo Paasiala <kpaasial@gmail.com>
To: Thomas Steen Rasmussen <thomas@gibfest.dk>
Content-Type: text/plain; charset=UTF-8
Cc: freebsd-pf@freebsd.org
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
 \(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-pf>,
 <mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
 <mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Apr 2013 19:05:49 -0000

On Thu, Apr 4, 2013 at 9:56 PM, Thomas Steen Rasmussen
<thomas@gibfest.dk> wrote:
> On 04-04-2013 16:35, Carsten Sonne Larsen wrote:
>>
>> I am using the keyword *quick* and would expect a certain rule match
>> instead of rule 2..16777216
>>
>
> It has been like this since FreeBSD 9 I believe, and the situation
> is the same in the new smp pf from head. I don't know what causes
> it, but just to let you know it is not related to your specific ruleset.
>
> I also use the "quick" keyword on all my rules if that helps.
>
>
> Best regards,
>
> Thomas Steen Rasmussen
> _______________________________________________

I believe this is the same what you see with the UDP broadcast traffic
that SAMBA uses. Basically the interface that is used to send the
broadcast also receives the same broadcast because it's in same
broadcast domain. That's why the log entries say "block IN on..." with
the source address in the packet matching the address bound to the
same interface.

To OP: Are you using antispoof on the interface? That would explain
the log entry I think.

-Kimmo