combine bridge with PF

[Mij]

Hello,


when combining a bridge with PF.


option for spoofing the client's address for this purpose.



lo0, and pflog0).
I don't have an intuition of the motivation for this.


where they actually came from. If address A is on $int_if, arp -a holds
"A at MAC_A on $ext_if", and all connections made to A cause a SYN to be

like breaking the network transparency of the device, logging noise,
annoyance to IDS et al.


side of $int_if):
- from B, I see the SYN arriving and RST coming back

the bridge
- I see the SYN packet logged by the divert-reply rule
- the application never gets the answer on the socket




I don't have more ideas.

I'm new to OpenBSD and I'm looking for clarification on some issues I have My scenario is as follows: I have two interfaces member of a bridge(4). I want to sort out of the bridge some TCP connections, say to port X. These are assumed to arrive always on one interface and be destined to the other. I divert such connections via PF to 127.0.0.1:Y. A proxy-like daemon listening here processes such data and wants to reconnect to the actual destination. It uses the SO_BINDANY A first problem I get is that the divert-to rule fails to work if none of the interfaces of the bridge are configured with an IP. I see the SYN packet arriving to 127.0.0.1:Y, but I never see the SYN/ACK coming back (both when sniffing the arrival interface, A second problem I have is that the ARP table ends up associating all MAC addresses to one same interface of the bridge (the one configured), no matter copied to both $ext_if and $int_if. Although connections are still successful, it is disturbing to have the garbage SYN on $ext_if for a number of reasons, A third problem I have is with getting back connections with spoofed addresses. When I assign the (spoofed) address A to a socket for connecting to B (on the - this is reflected on $int_if on the bridge, and on pflog0 (with "log (all)") - the packet is *not* copied on $ext_if, for a seemingly successful divert out of - if I change the divert-reply rule making it "on $int_if" only, pflog0 shows the packet is not matched anymore by the rule. Btw, I didn't expect this as bridge(4)'s NOTES section reports that PF will get a packet on both interfaces it is copied to. I use the attached foo.c to reproduce the proxy connecting with SO_BINDANY, and the attached pf.conf file for PF. Any help for further investigation is appreciated,

foo.c
Description: Binary data

pf.conf
Description: Binary data