A helpful person on the PF list said he has a similar setup, but does
not experience the problem I'm having. So I'm starting to suspect it
might be an SBUS/Sparc-specific problem. I'm working with
OpenBSD/Sparc on an SS20, and, if it makes any difference at all, my
interfaces are lebuffer and ledma. Issue: bridging causes pf to
mis-apply frames to the wrong interface. This is only a problem if I
want to filter directionally -- that is, allow clients on one side of
the bridged subnet more access than clients on the other.
Using tcpdump on le0 and le2 shows traffic arriving and departing on
the correct interfaces all of the time, regardless of bridge state.
However, traffic appearing in pflog as matching rules from the "wrong"
interface appears to be due to the bridge:
$ sudo brconfig bridge0 down
$ sudo tcpdump -netttvvv -i pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: listening on pflog0
Feb 18 09:51:51.949840 rule 2/0(match): pass in on le0: 192.168.1.9 > 192.168.1.1: icmp: echo request (id:19bc seq:0) (ttl 64, id 30421)
Feb 18 09:51:51.950030 rule 4/0(match): pass out on le0: 192.168.1.1 > 192.168.1.9: icmp: echo reply (id:19bc seq:0) (ttl 255, id 25154)
$ sudo brconfig bridge0 up
$ sudo tcpdump -netttvvv -i pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: listening on pflog0
Feb 18 09:52:29.459668 rule 3/0(match): pass in on le2: 192.168.1.9 > 192.168.1.1: icmp: echo request (id:19bd seq:0) (ttl 64, id 30487)
Feb 18 09:52:29.459838 rule 4/0(match): pass out on le0: 192.168.1.1 > 192.168.1.9: icmp: echo reply (id:19bd seq:0) (ttl 255, id 21188)
Where:
@2 pass in log-all quick on le0 all
@3 pass in log-all quick on le2 all
@4 pass out log-all quick on le0 all
Incidentally, this only happens to traffic TO and FROM the router. The
packets that TRAVERSE the router from one host on le0 to another on
le2, and vice versa, always appear on the correct interface.
I've tried to use bridge rules, but have had even more problems with
those, as applying the following to my bridgename.bridge0:
rule pass in on le0 tag t_lan
rule pass in on le2 tag t_wap
results in frames that match NEITHER the pf rules for 'tagged t_lan' nor
those for 'tagged t_wap'.
So, back to my earlier questions: is this a bug in bridge? For Sparc?
For these specific SBUS cards?
More to the point, whether it is or is not a bug, is this behavior
determinate -- that is, with the bridge up:
- inbound traffic from le0 to le2, and vice versa, always matches rules
  for the correct interfaces
- inbound traffic from le0 AND le2 to the router always appears to match
  rules for le2
- outbound traffic from the router to le0 AND le2 always appears to match
  rules for le0
Why? Can I depend on this to always be the case? How do I know which
interface it will pick for the 'outbound,' and which it will pick for
the 'inbound'? Is that a function of which interface has the IP
assigned? Is it a function of the order in which they were added to
the bridge? Is it a function of boot-time discovery order? Interface
number? Etc.?
Thanks in advance,
Jim
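The question above is really about whether the interface pf attributes to a packet is stable across bridge states. One way to check that from pflog captures, rather than by eyeballing tcpdump, is to parse the records and tabulate which interface each (traffic class, direction) pair was logged on, then diff two captures. The script below is an added example, not part of Jim's post or of OpenBSD; it embeds the two pflog captures quoted above as constructed sample input (each tcpdump record re-joined onto one line), assumes the router's own address is 192.168.1.1 as in the post, and only understands the IPv4 address form tcpdump printed there (optionally followed by a ".port" suffix for TCP/UDP).

```python
import re
from collections import defaultdict

# Constructed sample input: the two pflog captures quoted in the post,
# with each tcpdump record on a single line.
PFLOG_BRIDGE_DOWN = """\
Feb 18 09:51:51.949840 rule 2/0(match): pass in on le0: 192.168.1.9 > 192.168.1.1: icmp: echo request (id:19bc seq:0) (ttl 64, id 30421)
Feb 18 09:51:51.950030 rule 4/0(match): pass out on le0: 192.168.1.1 > 192.168.1.9: icmp: echo reply (id:19bc seq:0) (ttl 255, id 25154)
"""

PFLOG_BRIDGE_UP = """\
Feb 18 09:52:29.459668 rule 3/0(match): pass in on le2: 192.168.1.9 > 192.168.1.1: icmp: echo request (id:19bd seq:0) (ttl 64, id 30487)
Feb 18 09:52:29.459838 rule 4/0(match): pass out on le0: 192.168.1.1 > 192.168.1.9: icmp: echo reply (id:19bd seq:0) (ttl 255, id 21188)
"""

# Assumed router address (the address pinged in the post).
ROUTER_ADDRS = {"192.168.1.1"}

# Fields of a pflog record as tcpdump -e prints them on pflog0:
#   rule <num>/<sub>(<reason>): <action> <dir> on <ifname>: <src> > <dst>: ...
RECORD_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\((?P<reason>\w+)\): "
    r"(?P<action>pass|block|match) (?P<direction>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\S+) > (?P<dst>\S+):"
)


def _host(addr):
    """Strip a trailing '.port' from an IPv4 endpoint (tcpdump prints 'a.b.c.d.port')."""
    parts = addr.split(".")
    return ".".join(parts[:4]) if len(parts) == 5 else addr


def parse_pflog(text):
    """Return one dict per pflog record; tcpdump's warning/listening lines are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["src"] = _host(rec["src"])
            rec["dst"] = _host(rec["dst"])
            records.append(rec)
    return records


def classify(rec, router_addrs):
    """Traffic class: addressed to the router, sent by the router, or transiting it."""
    if rec["dst"] in router_addrs:
        return "to_router"
    if rec["src"] in router_addrs:
        return "from_router"
    return "transit"


def interfaces_seen(text, router_addrs):
    """Map (traffic class, direction) -> sorted interfaces pf attributed those packets to."""
    seen = defaultdict(set)
    for rec in parse_pflog(text):
        seen[(classify(rec, router_addrs), rec["direction"])].add(rec["ifname"])
    return {key: sorted(ifs) for key, ifs in seen.items()}


def attribution_changes(before, after, router_addrs):
    """Keys whose interface attribution differs between two captures, with both values."""
    b = interfaces_seen(before, router_addrs)
    a = interfaces_seen(after, router_addrs)
    return {k: (b.get(k), a.get(k)) for k in set(b) | set(a) if b.get(k) != a.get(k)}


if __name__ == "__main__":
    for name, cap in (("bridge down", PFLOG_BRIDGE_DOWN), ("bridge up", PFLOG_BRIDGE_UP)):
        print(name, interfaces_seen(cap, ROUTER_ADDRS))
    print("changed:", attribution_changes(PFLOG_BRIDGE_DOWN, PFLOG_BRIDGE_UP, ROUTER_ADDRS))
```

On the two captures from the post, the only key that changes when the bridge comes up is ("to_router", "in"), which moves from le0 to le2, while ("from_router", "out") stays on le0. Feeding it longer captures taken with the bridge up (including transit traffic and pings from hosts on both sides) is the way to test whether the pattern Jim describes actually holds every time, rather than for one echo exchange.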