First of all most of sysctl's responsible for layer2 filtering were replaced by per interface flags.
net.link.bridge.ipfware replaced by
l2filterinterface flag. So
ifconfig if1 l2tag.
net.link.bridge.ipfw_arpwas renamed to
l2taginterface flag. It's purpose is to add mbuf tag containing source and destination layer2 addresses to every packet passing through interface. Note that l2tag filtering against layer2 addresses is performed in layer3.
When invoked from layer2 ipfw
no longertouches layer2 headers. So they following rule won't work anymore:
ifpw allow ip from 10.1.1.1 to any src-ether 00:11:11:11:11:11 layer2
macoption was replaced by to two options:
dst-ether. ipfw still accepts mac option but translates it into src-ether and dst-ether.
Lookup tables support layer2 addresses now:
ipfw table 1 add 10.1.1.1 ether 00:11:11:11:11:11
ipfw allow ip from table(1) to any
mac-typewas renamed to
ether-type. Support for mac-type preserved.
Stateful filtering remains somewhat special. The problem here is that l2tag is added to a packet only in input path (when invoked from
ether_demux). Such decision was intentional, mainly because it's impossible to get tag added in output path without serious layer violations or entire pfil framework and packet handling redesign. That's why a packet that has no l2tag attached, will pass against layer2
Dynamic rules (state created by the rule) do not check both source and destination layer2 address, but just the addresses specified by the rule created it. For example
ifpw allow ip from 10.1.1.1 to any src-ether 00:11:11:11:11:11 keep-state
will create dynamic rule that checks only source ethernet address of a packet, but not destination.