ipfw layer2+3 firewalling question

Hi,

(originally posted on the forums)

My objective is to protect services on a bhyve host, while allowing traffic 
to the bhyve guests to pass to and from them unprocessed, as these each have pf and 
their own firewall policies. The host running recent -current.

I know ipfw can process both layer 2 and layer 3 traffic, but pf only processes 
layer 3, and to filter on bridge or tap requires layer2, so that is why i want 
to use ipfw on the bhyve host.

So we have bridge0 with igb0 tap0 and tap1 as members.

In this example, 
igb0 has a mac address of 11:11:11:11:11:11
tap0 has 22:22:22:22:22:22
tap1 has 33:33:33:33:33:33

How can I tell ipfw to pass 22:22:22:22:22:22 and 33:33:33:33:33:33 and apply no 
more rules to frames matching those MACs?

Let's say I want to just block on 11:11:11:11:11:11 (igb0) port 22 apart from 
10.0.0.0/24, and define that rule with the regular layer3 syntax.

and then want 22:22:22:22:22:22 passing unhindered, unprocessed.

Possible? Looking for a worked example but can't seem to find one

Could it be like "$cmd add allow all from any to any via tap0"

or "$cmd add allow all from any to any via 22:22:22:22:22:22"

or something else?

There are a number of ipfw sysctls. Like

net.link.bridge.ipfw
net.link.bridge.allow_llz_overlap
net.link.bridge.pfil_local_phys
net.link.bridge.pfil_member
net.link.bridge.ipfw_arp
net.link.bridge.pfil_bridge
net.link.bridge.pfil_onlyip

Are any of these needed in my context?

I need to allow based on tap, not the bridge (I guess).
The bridge has the real interface (igb0) as a member as well. 
So I think that would preclude me from using the above sysctls.
Is this correct?
--