I've been informed, if I understand correctly, that bridge isn't intended to do what I want to do with it.
FWIW, anyone who is interested, I'm hanging up the modification effort at "half complete," because it accomplishes everything I need. That is, I'm interested in blocking traffic to the router differently depending on which leg of the bridge it arrives on. I've solved that, and PF sees the correct inbound interface.

The only reason I can think of to care about blocking outbound traffic originating from the router differently--that is, the only reason that inbound rules alone would not be sufficient--would be in the event that the OpenBSD router were compromised. If that were the case, PF rules wouldn't do a bit of good anyway.

My thanks to everyone who has helped, especially Camiel Dobbelaar for the vlan patch I found in the archives, which helped me significantly in making my own patch (appended).

Jim

# Patch to allow machines with multiple interfaces with the same MAC # address on a bridge to send inbound frames to PF with the correct # interface. JMF 2005.02.28 # --- if_bridge.c Wed Aug 18 08:07:47 2004 +++ if_bridge.c Mon Feb 28 11:30:00 2005 @@ -1289,6 +1289,7 @@ struct bridge_iflist *ifl, *srcifl; struct arpcom *ac; struct mbuf *mc; + int ifsrch = 1; /* * Make sure this interface is a bridge member. @@ -1383,6 +1384,14 @@ * Unicast, make sure it's not for us. */ srcifl = ifl; + + /* check to see if it arrived on the destination MAC address */ + if (srcifl->ifp->if_type == IFT_ETHER) { + ac = (struct arpcom *)srcifl->ifp; + if (bcmp(ac->ac_enaddr, eh->ether_dhost, ETHER_ADDR_LEN) == 0) + ifsrch = 0; + } + LIST_FOREACH(ifl, &sc->sc_iflist, next) { if (ifl->ifp->if_type != IFT_ETHER) continue; @@ -1397,7 +1406,10 @@ m_freem(m); return (NULL); } - m->m_pkthdr.rcvif = ifl->ifp; + /* don't rewrite the packet header interface if the + source interface header matched */ + if (ifsrch) + m->m_pkthdr.rcvif = ifl->ifp; if (ifp->if_type == IFT_GIF) { m->m_flags |= M_PROTO1; ether_input(ifl->ifp, eh, m);
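Review bot: the flag added in the @@ -1289,6 +1289,7 @@ hunk, `int ifsrch = 1;`, has no comment and its name reads as "search the interface list", yet the LIST_FOREACH over sc->sc_iflist in the next hunk still runs whatever its value; the flag only gates the later `m->m_pkthdr.rcvif = ifl->ifp;` assignment. A one-line comment at the declaration, or a name that says "rewrite rcvif", would make the intent clear to the next reader.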
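Review bot: the comment on the new block in the @@ -1383,6 +1384,14 @@ hunk ("check to see if it arrived on the destination MAC address") does not say what is compared. The code tests whether eh->ether_dhost equals ac_enaddr of srcifl, the member the frame arrived on, and clears ifsrch on a match. Suggest wording the comment that way and stating that a match means rcvif is left as the arrival interface so PF sees it. It is also worth noting in the comment that a frame arriving on a member that is not IFT_ETHER leaves ifsrch at 1, so the old behaviour applies there.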
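Review bot: in the @@ -1397,7 +1406,10 @@ hunk, when ifsrch is 0 the mbuf keeps its original m->m_pkthdr.rcvif, but the IFT_GIF branch directly below still calls `ether_input(ifl->ifp, eh, m);` with the list member found by the loop, so the header and the interface handed to ether_input can name two different interfaces. Either pass the same interface in both places or add a comment explaining why the mismatch is harmless on that path. The new comment also says "source interface header matched", while the test in the earlier hunk compares the destination address (eh->ether_dhost) against the arrival interface's address; the wording should match the check.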