From owner-freebsd-pf@freebsd.org  Sun Oct 11 21:19:43 2015
Return-Path: <owner-freebsd-pf@freebsd.org>
Delivered-To: freebsd-pf@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 544F39B1612
 for <freebsd-pf@mailman.ysv.freebsd.org>; Sun, 11 Oct 2015 21:19:43 +0000 (UTC)
 (envelope-from kp@vega.codepro.be)
Received: from venus.codepro.be (venus.codepro.be [IPv6:2a01:4f8:162:1127::2])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
 bits))
 (Client CN "*.codepro.be", Issuer "Gandi Standard SSL CA" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 1B08C838
 for <freebsd-pf@freebsd.org>; Sun, 11 Oct 2015 21:19:42 +0000 (UTC)
 (envelope-from kp@vega.codepro.be)
Received: from vega.codepro.be (unknown [172.16.1.3])
 by venus.codepro.be (Postfix) with ESMTP id 5DB7B1924C;
 Sun, 11 Oct 2015 23:19:38 +0200 (CEST)
Received: by vega.codepro.be (Postfix, from userid 1001)
 id 56120740C; Sun, 11 Oct 2015 23:19:38 +0200 (CEST)
Date: Sun, 11 Oct 2015 23:19:38 +0200
From: Kristof Provost <kp@FreeBSD.org>
To: =?utf-8?Q?Mi=C5=82osz?= Kaniewski <milosz.kaniewski@gmail.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: Creating span interface using 'dup-to' option
Message-ID: <20151011211938.GD10055@vega.codepro.be>
References: <CAC4mxp5ar-Kvp5238VRfKEL6FiVOg7XXzmv8fE-zdEFYRk7cAw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CAC4mxp5ar-Kvp5238VRfKEL6FiVOg7XXzmv8fE-zdEFYRk7cAw@mail.gmail.com>
X-Checked-By-NSA: Probably
User-Agent: Mutt/1.5.24 (2015-08-30)
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
 \(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-pf>,
 <mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf/>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
 <mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 11 Oct 2015 21:19:43 -0000

On 2015-10-11 13:16:08 (+0200), Miłosz Kaniewski <milosz.kaniewski@gmail.com> wrote:
> I have FreeBSD machine which forwards packets between host1 and host2. This
> machine has also an additional interface (em2) which act as span interface
> - all traffic between host1 and host2 is copied into it.
> To achieve this scenario I can set bridge with em0 and em1 as members and
> em2 as span interface. But I would like to get same result using pf
> instead. So I tried to use this rules:
> 
> pass out on em0 dup-to em2 no state
> pass out on em1 dup-to em2 no state
> 
> But it doesn't work. No packets appear on interface em2. I've checked same
> configuration on OpenBSD and everything worked well.
> Is there any difference in setting dup-to rule in FreeBSD and OpenBSD pf?
> 
>From a quick test, yes, it looks like something's broken, or we're both
misunderstanding something.

My system complains 'arpresolve: can't allocate llinfo for 8.8.8.8 on vtnet1'.
I think the issue is that we still try to resolve the destination MAC on
'em2'.

Can you open a bug? I'll add this to my TODO list.

Regards,
Kristof