My configuration requires the use of a bridge:

I have files:

cat /etc/hostname.bridge0
add vether0
add em1
add tap1
up

The files hostname.em1 and tap1 just contain "up"

and the file hostname.vether0 contains:

inet 172.16.0.1 255.240.0.0 NONE description "LAN Link"

This is ifconfig:

em1: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
    lladdr 68:05:ca:22:d8:d3
    index 3 priority 0 llprio 3
    media: Ethernet autoselect (1000baseT full-duplex)
    status: active
bridge0: flags=41<UP,RUNNING>
    index 6 llprio 3
    groups: bridge
    priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
    tap1 flags=3<LEARNING,DISCOVER>
        port 7 ifpriority 0 ifcost 0
    em1 flags=3<LEARNING,DISCOVER>
        port 3 ifpriority 0 ifcost 0
    vether0 flags=3<LEARNING,DISCOVER>
        port 8 ifpriority 0 ifcost 0
tap1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
    lladdr fe:e1:ba:d0:c5:d9
    index 7 priority 0 llprio 3
    groups: tap
    status: active
vether0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
    lladdr fe:e1:ba:d1:e5:18
    description: LAN Link
    index 8 priority 0 llprio 3
    groups: vether
    media: Ethernet autoselect
    status: active
    inet 172.16.0.1 netmask 0xfff00000 broadcast 172.31.255.255

The only option I wanted is to redirect NTP packets to the router's local interface:

gater:~$ doas pfctl -sr
block return all
pass all flags S/SA
block drop in on em0 all
pass out on em0 inet from 172.16.0.0/12 to any flags S/SA nat-to 212.233.112.10
pass in log on bridge0 inet proto tcp from ! 172.16.0.5 to any port = 123 flags S/SA rdr-to 127.0.0.1
pass in log on bridge0 inet proto udp from ! 172.16.0.5 to any port = 123 rdr-to 127.0.0.1

But this rule is just not working, and I cannot fix it.
I've tried changing "bridge0" to "em0"; it doesn't change anything. pflog doesn't log anything either.

This is from the client:

[kasak@kasakoff ~]$ ntpdate -q pool.ntp.org
server 195.3.254.2, stratum 2, offset +0.004216, delay 0.03334
server 192.36.143.130, stratum 1, offset +0.000088, delay 0.04488
server 193.192.36.3, stratum 3, offset -0.000007, delay 0.04155
server 80.240.216.155, stratum 2, offset +0.000807, delay 0.02821
27 Nov 12:04:17 ntpdate[155506]: adjust time server 192.36.143.130 offset +0.000088 sec
[kasak@kasakoff ~]$ ntpdate -q 172.16.0.1
server 172.16.0.1, stratum 4, offset -0.000107, delay 0.02589
27 Nov 12:04:19 ntpdate[155511]: adjust time server 172.16.0.1 offset -0.000107 sec

Is there some secret I've failed to find in the man pages?
