Good news! I'm half-way there.

I took Camiel's patch to bridge_input() in if_bridge.c (ref: google: "bridging vlans on a single interface") and modified it slightly so that the source interface would not get rewritten if the destination MAC address matches, period (no longer VLAN-specific).

This has solved HALF of my problem. Now PF correctly sees traffic FROM le2 to the OpenBSD box as arriving ON le2, and traffic FROM le0 to the OpenBSD box as arriving ON le0.

However, all OUTBOUND traffic originating on the OpenBSD box TO machines on either interface still hits PF rules for le0.

That patch is in the Unicast section.

`arp` shows that this box still thinks it's seeing these machines on le0 initially. So I'm guessing that the routing tables are getting written by ARP broadcast packets (since those arrive first), and that routing is established to be on le0, even though the unicast stuff says it's all inbound from another interface. (Since le2 has no IP address, I don't think I can add a static route... "route add 192.168.1.130 -interface le2" complains of a "bad address.") This is a little trickier, because the Ethernet address of an ARP won't match the interface Ethernet address. My first instinct is that I'll have to look inside the ARP request, compare the IP address requested, and see if it's one attached to any of the interfaces on the bridge...

Any thoughts are appreciated.


Thanks,
Jim

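The ARP inspection Jim sketches in his last paragraph, worked through as an added user-space example (this is not part of the original message, not Camiel's patch, and not OpenBSD kernel code, which would use struct ether_arp from the kernel headers instead of hand parsing): parse an Ethernet II frame carrying an ARP request, pull out the requested IPv4 address, and check it against a table of addresses owned by the box. The table, the 192.168.1.1 address for le0 and the source MAC in the constructed frames are assumptions for illustration; le2 deliberately has no entry, matching the message.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETHER_HDR_LEN  14
#define ARP_IPV4_LEN   28            /* ARP body for Ethernet/IPv4 */
#define ETHERTYPE_ARP  0x0806
#define ETHERTYPE_IP   0x0800
#define ARPHRD_ETHER   1
#define ARPOP_REQUEST  1
#define IPV4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                          ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Fields pulled out of an ARP packet (addresses in host order). */
struct arp_info { uint16_t op; uint8_t sha[6]; uint32_t spa; uint32_t tpa; };

/* Assumed: one IPv4 address configured on one bridge member. */
struct local_addr { const char *ifname; uint32_t addr; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Parse an Ethernet II frame carrying ARP over Ethernet/IPv4. Returns 1 and
 * fills *info, or 0 if the frame is short, not ARP, or another ARP flavour. */
int parse_arp(const uint8_t *frame, size_t len, struct arp_info *info)
{
    const uint8_t *arp = frame + ETHER_HDR_LEN;

    if (len < ETHER_HDR_LEN + ARP_IPV4_LEN) return 0;
    if (rd16(frame + 12) != ETHERTYPE_ARP) return 0;
    if (rd16(arp) != ARPHRD_ETHER || rd16(arp + 2) != ETHERTYPE_IP) return 0;
    if (arp[4] != 6 || arp[5] != 4) return 0;        /* hlen, plen */
    info->op = rd16(arp + 6);
    memcpy(info->sha, arp + 8, 6);
    info->spa = rd32(arp + 14);
    info->tpa = rd32(arp + 24);
    return 1;
}

/* Is this ARP request asking for one of our own addresses? Returns the owning
 * interface name, or NULL if it is for another host (or not a request). */
const char *arp_target_local(const uint8_t *frame, size_t len,
                             const struct local_addr *tbl, size_t n)
{
    struct arp_info info;
    size_t i;

    if (!parse_arp(frame, len, &info) || info.op != ARPOP_REQUEST) return NULL;
    for (i = 0; i < n; i++)
        if (tbl[i].addr == info.tpa) return tbl[i].ifname;
    return NULL;
}

/* Build a constructed broadcast ARP request (sample input, not a capture). */
size_t build_arp_request(uint8_t *buf, const uint8_t src_mac[6],
                         uint32_t spa, uint32_t tpa)
{
    uint8_t *arp = buf + ETHER_HDR_LEN;

    memset(buf, 0xff, 6);                    /* broadcast destination */
    memcpy(buf + 6, src_mac, 6);
    buf[12] = 0x08; buf[13] = 0x06;          /* ETHERTYPE_ARP */
    arp[0] = 0; arp[1] = ARPHRD_ETHER; arp[2] = 0x08; arp[3] = 0x00;
    arp[4] = 6; arp[5] = 4; arp[6] = 0; arp[7] = ARPOP_REQUEST;
    memcpy(arp + 8, src_mac, 6);
    wr32(arp + 14, spa);
    memset(arp + 18, 0, 6);                  /* target MAC unknown */
    wr32(arp + 24, tpa);
    return ETHER_HDR_LEN + ARP_IPV4_LEN;
}

/* Assumed addressing: le0 carries the box's only IP (192.168.1.1 is made up);
 * le2 has no address, as in the message, so it has no entry. */
static const struct local_addr g_local[] = { { "le0", IPV4(192, 168, 1, 1) } };
static const uint8_t g_mac[6] = { 0x00, 0xde, 0xad, 0xbe, 0xef, 0x01 }; /* made up */

/* 192.168.1.130 asks for the box's own address: a local target. */
int demo_request_for_us(void)
{
    uint8_t f[64];
    size_t n = build_arp_request(f, g_mac, IPV4(192, 168, 1, 130), IPV4(192, 168, 1, 1));
    return arp_target_local(f, n, g_local, 1) != NULL;
}

/* Same host asks for another station: not ours, the bridge just forwards it. */
int demo_request_for_other_host(void)
{
    uint8_t f[64];
    size_t n = build_arp_request(f, g_mac, IPV4(192, 168, 1, 130), IPV4(192, 168, 1, 200));
    return arp_target_local(f, n, g_local, 1) != NULL;
}

int main(void)
{
    printf("request for us: %d, for other host: %d\n",
           demo_request_for_us(), demo_request_for_other_host());
    return 0;
}
```

The hlen/plen and ethertype checks matter: a bridge sees every flavour of frame, and a table lookup keyed off an unchecked offset is exactly the kind of thing that goes wrong on a truncated or non-IPv4 ARP.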