I've been informed, if I understand correctly, that bridge isn't intended to do
what I want to do with it.
FWIW, anyone who is interested, I'm hanging up the modification effort at "half
complete," because it accomplishes everything I need. That is, I'm interested
in blocking traffic to the router differently depending on which leg of the
bridge it arrives on. I've solved that, and PF sees the correct inbound
interface. The only reason I can think of to care about blocking outbound
traffic originating from the router differently--that is, the only reason that
inbound rules alone would not be sufficient--would be in the event that the
OpenBSD router were compromised. If that were the case, PF rules wouldn't do a
bit of good anyway.
My thanks to everyone who has helped, especially Camiel Dobbelaar for the vlan
patch I found in the archives, which helped me significantly in making my own
patch (appended).
Jim
# Patch to allow machines with multiple interfaces with the same MAC
# address on a bridge to send inbound frames to PF with the correct
# interface. JMF 2005.02.28
#
--- if_bridge.c Wed Aug 18 08:07:47 2004
+++ if_bridge.c Mon Feb 28 11:30:00 2005
@@ -1289,6 +1289,7 @@
struct bridge_iflist *ifl, *srcifl;
struct arpcom *ac;
struct mbuf *mc;
+ int ifsrch = 1;
/*
* Make sure this interface is a bridge member.
@@ -1383,6 +1384,14 @@
* Unicast, make sure it's not for us.
*/
srcifl = ifl;
+
+ /* check to see if it arrived on the destination MAC address */
+ if (srcifl->ifp->if_type == IFT_ETHER) {
+ ac = (struct arpcom *)srcifl->ifp;
+ if (bcmp(ac->ac_enaddr, eh->ether_dhost, ETHER_ADDR_LEN) == 0)
+ ifsrch = 0;
+ }
+
LIST_FOREACH(ifl, &sc->sc_iflist, next) {
if (ifl->ifp->if_type != IFT_ETHER)
continue;
@@ -1397,7 +1406,10 @@
m_freem(m);
return (NULL);
}
- m->m_pkthdr.rcvif = ifl->ifp;
+ /* don't rewrite the packet header interface if the
+ source interface header matched */
+ if (ifsrch)
+ m->m_pkthdr.rcvif = ifl->ifp;
if (ifp->if_type == IFT_GIF) {
m->m_flags |= M_PROTO1;
ether_input(ifl->ifp, eh, m);
