On Fri, Jan 11, 2013 at 12:56:47PM +0000, Alexey E. Suslikov wrote:
> Erling Westenvik <erling.westenvik <at> gmail.com> writes:
> > Is it possible to have PF filter on MAC address on a machine with only
> > one physical nic? I'm aware that MAC filtering can only be done on a
> > machine configured as a bridge, but how to configure such a bridge?
>
> afaik, bridge(4) mac filtering only affects bridge forwarding.
> I think you can cook something using a bridge with a vether(4)
> as bridge member.
Thanks. Using vether(4) for general bridging seems to work great.

However, after trying to tag ethernet frames on five machines with
different hardware and OpenBSD versions, I'm beginning to think that
support for this is dodgy at best.

FAQ http://www.openbsd.org/faq/faq6.html#Bridge states: "Some NICs
don't work properly in [Promiscuous] mode, the TI ThunderLAN chip
(tl(4)) is an example of a chip that won't work as part of a bridge."

Could this be related? Is there a list of these "some NICs"?

So far I have tried testing on machines with dc(4), em(4), bge(4),
iwi(4), iwn(4) and fxp(4). On some of the machines, pf will pass tagged
frames from some of the other machines/segments but not from the
others. On other machines, no tagged packets will pass at all. None of
the machines will pass all tagged frames from all of the others.

I know I'm expressing myself poorly, so please ask me for more specific
information.

Cheers,
Erling
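For readers following the thread, here is the single-NIC bridge(4) plus vether(4) layout that Alexey suggests and Erling is testing, written out as hostname.if(5) files and a pf.conf(5) fragment. This is an added illustration, not configuration from either poster. It follows the bridge rule and tag syntax documented in ifconfig(8) and bridge(4): the physical NIC (assumed to be em0) carries no address and is only a bridge member, vether0 holds the host's IP, bridge rules tag frames on ingress by source MAC, and pf matches on that tag. The interface names, the tag name "trusted", the address 192.0.2.10 and the MAC 00:00:5e:00:53:01 are placeholders (documentation ranges), not values from the thread. Note the caveat the original question glosses over: a source MAC is chosen by the sender, so a MAC tag is a convenience filter, not an authentication of the peer; and, as Erling reports, whether tagged frames actually reach pf varies between NICs in his testing, so verify on your own hardware rather than assuming it.

```conf
# /etc/hostname.em0
# The only physical NIC: no address of its own, just brought up so the
# bridge can put it into promiscuous mode. (Example, interface name assumed.)
up

# /etc/hostname.vether0
# Virtual Ethernet interface that carries the host's IP address; all
# traffic to/from the host is bridged between em0 and vether0.
# 192.0.2.10 is a placeholder from the TEST-NET-1 documentation range.
inet 192.0.2.10 255.255.255.0

# /etc/hostname.bridge0
# Bridge the two interfaces and tag frames arriving on em0 from one
# specific source MAC. The MAC is a constructed example from the IANA
# documentation range; frames that match no rule are still forwarded,
# just untagged, so pf below decides what happens to them.
add em0
add vether0
rule pass in on em0 src 00:00:5e:00:53:01 tag trusted
up

# /etc/pf.conf (fragment)
# pf never sees the frame on em0 for host-bound traffic; it sees it on
# vether0, carrying whatever tag the bridge rule attached. Only tagged
# inbound traffic is admitted; everything else inbound is dropped.
block in on vether0
pass in on vether0 tagged trusted
pass out on vether0
```

After editing the files, apply them with `sh /etc/netstart` and `pfctl -f /etc/pf.conf`, then check that the rule is installed with `ifconfig bridge0` (the rule is listed in the output) and that the pf rule loaded with `pfctl -sr`. Whether frames from the tagged host are passed is the question Erling raises; if they are not, the NIC's promiscuous-mode behaviour noted in the FAQ is the first thing to suspect.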