[UPDATE] The only possible solution that I have found for now is that I have to create a vether interface, add it to the bridge and use the filtered vether interface as the main one. So I would deduce (but maybe I am wrong) that a single interface added to a bridge cannot participate in this kind of filtering. I did not find any docs mentioning what is happening in a bridge configuration: whether the filtered traffic is the one that is forwarded between interfaces by the bridge itself, or whether the interface itself does the filtering when it is marked as being part of a bridge. My concern with this new vether interface is that I am not sure yet how much overhead it introduces in the process. I will try to look into the source code; maybe I will find something useful.
On Tue, Jul 26, 2022, 15:10 Cristian Danila <clau...@postmail.ro> wrote:
>
> Good day!
> I've been having a headache for days (I am still fighting, no success yet)
> trying to find a way to block ARP for a specific
> MAC address (example 00:50:56:c0:00:08).
> I want to see how I can achieve this on OpenBSD;
> I would appreciate a technical answer or a hint/site/doc/book where
> I can research more to expand my knowledge.
> I've tried a lot of combinations of config and many lookups over the
> internet, and I was not able to find an answer yet.
>
> This is what I've found and tried.
>
> OpenBSD can filter level 2 traffic only if the interface
> is part of a BRIDGE.
> Adding it to a bridge puts it in promiscuous mode so that it can
> receive every packet sent on the network.
>
> So by having this requirement I have hostname.bridge0
> ---------------hostname.vic0----------------
> inet autoconf
> up
> ---------------hostname.bridge0----------------
> #add my network card to bridge
> add vic0
> blocknonip vic0
> rule block in on vic0
> rule block out on vic0 src 00:50:56:c0:00:08
> rule block out on vic0 dst 00:50:56:c0:00:08
> up
> -----------------------------------------------
> Now I reboot and expect to see the packets blocked for 00:50:56:c0:00:08.
> However these are not blocked, and here is the log:
>
> 00:50:56:c0:00:08 ff:ff:ff:ff:ff:ff 0806 60: arp who-has
> 192.168.121.131 tell 102.168.121.1
> 00:50:56:c0:00:08 ff:ff:ff:ff:ff:ff 0806 60: arp who-has
> 192.168.121.131 tell 102.168.121.1
> 00:0c:29:c3:d9:a7 00:50:56:c0:00:08 0806 60: arp reply 192.168.121.131
> is-at 00:0c:29:c4:d9:a7
>
> So I see a successful request/response for 00:50:56:c0:00:08.
> I would appreciate any help.
>
> Kind Regards,
> Claudiu
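As an added illustration (editor's example, not part of the thread and not OpenBSD code), the following Python script evaluates bridge(4) rule lines written in the ifconfig(8) syntax from the posted hostname.bridge0 against the three frames in the posted tcpdump log. It assumes the matching order bridge(4) documents (rules for an interface are tried in order, the first match decides, and a frame that matches nothing passes), supports only the `src`/`dst` MAC options used in the thread, and assumes the frame directions implied by the capture: the two ARP requests were received on vic0 and the ARP reply was transmitted on vic0. The result shows that the rules as written would match every one of those frames, so the rule syntax is not the problem; what a rule evaluator cannot model, and what the update above is asking, is which frames the bridge hands to the rule engine at all.

```python
import re

# Constructed sample: the rule lines from the posted hostname.bridge0.
RULES = """
# add my network card to bridge (non-rule lines are ignored here)
add vic0
blocknonip vic0
rule block in on vic0
rule block out on vic0 src 00:50:56:c0:00:08
rule block out on vic0 dst 00:50:56:c0:00:08
up
"""

# Constructed sample: the three frames from the posted tcpdump -e log.
# The direction on vic0 is an assumption taken from the capture context:
# requests from 00:50:56:c0:00:08 arrived on vic0, the reply left on vic0.
FRAMES = [
    ("in", "00:50:56:c0:00:08 ff:ff:ff:ff:ff:ff 0806 60: arp who-has "
           "192.168.121.131 tell 102.168.121.1"),
    ("in", "00:50:56:c0:00:08 ff:ff:ff:ff:ff:ff 0806 60: arp who-has "
           "192.168.121.131 tell 102.168.121.1"),
    ("out", "00:0c:29:c3:d9:a7 00:50:56:c0:00:08 0806 60: arp reply "
            "192.168.121.131 is-at 00:0c:29:c4:d9:a7"),
]

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def parse_rule(line):
    """Parse 'rule {block|pass} {in|out|both} on IF [src MAC] [dst MAC]'."""
    toks = line.split()
    if len(toks) < 5 or toks[0] != "rule" or toks[3] != "on":
        raise ValueError(f"unrecognised rule: {line!r}")
    action, direction, ifname = toks[1], toks[2], toks[4]
    if action not in ("block", "pass") or direction not in ("in", "out", "both"):
        raise ValueError(f"bad action/direction in rule: {line!r}")
    rule = {"action": action, "dir": direction, "ifname": ifname,
            "src": None, "dst": None}
    rest = toks[5:]
    while rest:
        key = rest.pop(0)
        if key in ("src", "dst") and rest and MAC_RE.match(rest[0].lower()):
            rule[key] = rest.pop(0).lower()
        else:
            # tag/arp options exist in ifconfig(8) but are not modelled here
            raise ValueError(f"unsupported rule option {key!r} in {line!r}")
    return rule


def parse_rules(text):
    """Keep only 'rule ...' lines; other hostname.if lines are not rules."""
    return [parse_rule(l.strip()) for l in text.splitlines()
            if l.strip().startswith("rule ")]


def parse_frame(line):
    """tcpdump -e prefix: '<src mac> <dst mac> <ethertype> <len>: ...'."""
    src, dst, ethertype = line.split()[:3]
    return {"src": src.lower(), "dst": dst.lower(), "ethertype": ethertype.lower()}


def evaluate(rules, ifname, direction, frame):
    """First matching rule wins; no match means pass (bridge(4) default).
    Returns (action, index of the deciding rule or None)."""
    for i, r in enumerate(rules):
        if r["ifname"] != ifname:
            continue
        if r["dir"] != "both" and r["dir"] != direction:
            continue
        if r["src"] is not None and r["src"] != frame["src"]:
            continue
        if r["dst"] is not None and r["dst"] != frame["dst"]:
            continue
        return r["action"], i
    return "pass", None


def verdicts(rules_text=RULES, frames=FRAMES, ifname="vic0"):
    """Evaluate every captured frame in its assumed direction on ifname."""
    rules = parse_rules(rules_text)
    out = []
    for direction, line in frames:
        f = parse_frame(line)
        action, idx = evaluate(rules, ifname, direction, f)
        out.append((direction, f["src"], f["dst"], action, idx))
    return out


if __name__ == "__main__":
    for direction, src, dst, action, idx in verdicts():
        which = f"rule #{idx}" if idx is not None else "no rule"
        print(f"{direction:>3} on vic0  {src} -> {dst}: {action} ({which})")
```

On a real host the installed rule list for a member can be displayed with `ifconfig bridge0 rules vic0`, and `tcpdump -e -i vic0 arp` shows whether the frames still reach the interface; comparing the two against this evaluator's verdicts separates "rule does not match" from "rule is never consulted", which is the distinction the update is trying to settle.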