Hi list,

I am running a router/firewall based on OpenBSD and pf(4) for some years now and it works great - never had any problems.
I want to add MAC filtering now on one interface and I have learned so far that I have to tag packets based on MAC address using bridge(4), as pf does not support MAC filtering directly.
I have done some experiments with bridge tagging some packets and pf filtering on the tags - seems to work.

However, I do not quite understand how and in which order packets are handled. Obviously a packet enters the system through a bridge interface and is then passed on to pf - otherwise tagging would not work. But how does the packet leave the system? Is it passed back to the bridge, or does it leave pf directly?

Or, to put it this way: Would

Bridge: pass in on xl0; pass out on xl1
pf:     pass in on xl0; pass out on xl1

be necessary, or would:

Bridge: pass in on xl0
pf:     pass out on xl1

be enough to let a packet traverse from xl0 to xl1?

I hope you understand my question. I just want to know how bridge and pf are connected together: is bridge bracketed by pf, or the other way round?

FAQ, HowTos, and googling did not help me so far; is there some in-depth documentation available? I simply want to understand what's happening.

Thank you very much for any help,
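The tag-and-filter pairing the message describes, as an added example that is not part of the original post: a small POSIX shell script that turns a MAC allowlist into bridge(4) tagging rules and the matching pf rules, so the two halves stay consistent. The interface names xl0/xl1, the bridge name bridge0, the tag name MACOK and the two MAC addresses are placeholders, and the allowlist is constructed inline. By default the script only prints the commands and rules (a dry run); setting APPLY=1 executes the bridge rules with brconfig(8). On newer OpenBSD releases the same `rule` syntax is given to ifconfig(8) instead of brconfig(8).

```shell
#!/bin/sh
# Added example, not from the original post: generate paired bridge(4) MAC
# rules and pf rules from an allowlist. bridge0, xl0, xl1, the tag name and
# the MAC addresses below are placeholders.

BRIDGE=bridge0      # bridge holding the member interfaces
IN_IF=xl0           # member interface where frames arrive
TAG=MACOK           # tag set by the bridge rule, matched by pf "tagged"

# Constructed allowlist: one MAC per line, '#' starts a comment.
ALLOWLIST='
# lab hosts allowed in on xl0
00:11:22:33:44:55
00:11:22:33:44:66   # second NIC of the same host
'

# valid_mac MAC: succeed only for six colon-separated hex octets.
valid_mac() {
    H='[0-9a-fA-F][0-9a-fA-F]'
    case "$1" in
        $H:$H:$H:$H:$H:$H) return 0 ;;
        *) return 1 ;;
    esac
}

# allowed_macs: print the allowlist with comments and blank lines removed.
allowed_macs() {
    printf '%s\n' "$ALLOWLIST" | sed 's/#.*//' | awk 'NF { print $1 }'
}

# bridge_rules: print one brconfig(8) "rule pass ... tag" line per allowed
# MAC, then a catch-all block rule for everything else arriving on $IN_IF.
# Malformed entries are reported on stderr and make the function fail.
bridge_rules() {
    rc=0
    for mac in $(allowed_macs); do
        if valid_mac "$mac"; then
            printf 'brconfig %s rule pass in on %s src %s tag %s\n' \
                "$BRIDGE" "$IN_IF" "$mac" "$TAG"
        else
            printf 'skipping malformed MAC: %s\n' "$mac" >&2
            rc=1
        fi
    done
    printf 'brconfig %s rule block in on %s\n' "$BRIDGE" "$IN_IF"
    return $rc
}

# pf_rules: print the pf.conf lines that act on the tag. Frames the bridge
# did not tag fall to the block rule. Whether an additional "pass out" rule
# on the other member interface is needed is the question of the post and
# is deliberately not decided here.
pf_rules() {
    printf 'block in on %s\n' "$IN_IF"
    printf 'pass in on %s tagged %s keep state\n' "$IN_IF" "$TAG"
}

# apply_bridge_rules: clear the old rules on the member interface, then
# execute the generated brconfig commands. Only used when APPLY=1.
apply_bridge_rules() {
    brconfig "$BRIDGE" flushrule "$IN_IF"
    bridge_rules | sh
}

if [ "${APPLY:-0}" = 1 ]; then
    apply_bridge_rules
else
    echo "# bridge(4) rules:"
    bridge_rules
    echo "# pf.conf fragment:"
    pf_rules
fi
```

Keeping the MAC list in one place and deriving both rule sets from it avoids the usual failure mode of MAC filtering setups, where the bridge tags a frame but pf has no rule that matches the tag (or the other way round) and the host is silently blocked or silently let through.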

