On 2021-02-20, Eric Zylstra <[email protected]> wrote:
> -But- make one simple change to filter on the bridge0 interface--
> pf.conf:
>
> filtered = "{ bridge0 }"
> not_filtered = "{ lo, dc0, em0, em1 }"
> block log on $filtered
> set skip on $not_filtered
>
> >> doas pfctl -f /etc/pf.conf
> >> doas pfctl -sr
> > block drop log on bridge0 all
>
> Despite the rules displayed by pfctl, traffic is NOT filtered. (!?)
> `tcpdump -nettti pflog0` shows no packets being filtered.
>
> What am I overlooking?
bridge(4) doesn't work like that on OpenBSD. You need to filter the member ports instead. On the whole, bridge and PF interactions are a bit complicated. Keep an eye out for veb(4) (https://marc.info/?l=openbsd-tech&m=161335364329307&w=2), which may be coming to a tree near you soon and which will simplify things a lot.
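As an added illustration of the reply above (example configuration, not from either poster): the original ruleset names bridge0 as the filtered interface and skips the physical ports, which is the opposite of what the reply says PF needs. The corrected shape below moves the filtering onto the member ports. It assumes em0 and em1 are the members of bridge0 and that lo and dc0 are the only interfaces meant to stay unfiltered; adjust the lists to the real bridge membership.

```pf
# Added example pf.conf fragment (not from the thread).
# Assumption: em0 and em1 are the member ports of bridge0.

# Weak form from the original post: PF never sees bridge0 as a filtering
# point, so this rule matches nothing and pflog0 stays silent.
#   filtered = "{ bridge0 }"
#   not_filtered = "{ lo, dc0, em0, em1 }"
#   block log on $filtered
#   set skip on $not_filtered

# Corrected form: filter on the member ports, skip only the interfaces
# that really should bypass PF.
members = "{ em0, em1 }"
not_filtered = "{ lo, dc0 }"

set skip on $not_filtered

# Default deny on the bridged ports, logged so pflog0 shows hits.
block log on $members

# Example permit: allow SSH across the bridge (placeholder policy).
pass on $members proto tcp to port 22
```

After loading the file with `pfctl -f /etc/pf.conf`, `pfctl -sr` should list rules on em0 and em1 rather than on bridge0, and `tcpdump -nettti pflog0` should now show the blocked frames that were previously passing through unfiltered.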

