On Wed, Mar 24, 2010 at 09:08:48PM -0400, Geoff wrote:
> I'm trying to set up spamd on my firewall system.
>
> The configuration is tricky because my upstream provider
> (Verizon) only gives me 5 IPs, all on the same subnet.
>
> The firewall system is acting as a bridge and as a router.

I've been looking through pf.c and if_bridge.c in -current. The changes seem to answer some of my complaints. I'm going to have to update & run some tests... I hope all of the team's effort has made this much, much better.

There's one set of tests at lines 5770-5773 of net/pf.c:

    kif->pfik_bytes[0][dir == PF_OUT][action != PF_PASS] += pd.tot_len;
    kif->pfik_packets[0][dir == PF_OUT][action != PF_PASS]++;
    if (action == PF_PASS || r->action == PF_DROP) {

where I wonder if the tests for PF_PASS should also include PF_DIVERT? It looks like PF_DIVERT packets would be incorrectly accounted for in the two single lines and completely missed in the large block.

thanks
geoff