Odd filter behavior: bridge, net.link.bridge.pfil_* tunables

Started by pfry, December 26, 2024, 09:49:10 PM

OPNsense 24.7.11-amd64. Simply put, the net.link.bridge.pfil_bridge and net.link.bridge.pfil_member tunables seem to have no effect. Filters on the bridge interface(s) function, count packets, etc.; member interface filters are never matched (according to behavior and Firewall -> Diagnostics -> Statistics: rules). The default anti-spoofing filters (which would appear to block packets evaluated on the member interfaces) are also never matched. I may not have poked every combination of net.link.bridge.pfil_*, but I've done the obvious ones. From what I've read, the sysctls normally behave as advertised (with ipfw). I have not yet tried passing traffic through the firewall (just to it).

This is likely why the setup guide doesn't lock everyone out, as the "lan" default pass and anti-lockout rules end up on the bridge.

Yes, I'm looking into filtering on the bridge member interfaces directly. In theory it shouldn't be difficult. Am I missing something obvious?
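A quick way to put numbers behind the observation above is to read the two tunables and then scan the rule counters that Firewall -> Diagnostics -> Statistics: rules displays (the `pfctl -vvsr` text) for rules bound to bridge member interfaces that pf never evaluated. This is an added diagnostic script, not code from the original post; the interface names igb0, igb1 and bridge0 and the sample counter output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added diagnostic, not from the original post. Assumes FreeBSD/OPNsense
# sysctl(8) and the text layout of `pfctl -vvsr`; igb0/igb1/bridge0 are
# assumed interface names, not taken from the post.

# Record the tunables in effect next to the counters being inspected.
show_pfil_tunables() {
    sysctl net.link.bridge.pfil_bridge net.link.bridge.pfil_member 2>/dev/null
}

# Read `pfctl -vvsr` output on stdin; for every rule bound ("on <iface>") to
# one of the interfaces given as arguments whose Evaluations counter is zero,
# print "<iface> <evaluations> <rule>". A zero here means pf never even
# considered the rule, which is the symptom described for member interfaces.
never_evaluated_on() {
    awk -v want="$*" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) ifs[w[i]] = 1 }
        /^@[0-9]+ / {
            rule = $0; iface = ""
            for (i = 1; i <= NF; i++) if ($i == "on") iface = $(i + 1)
            next
        }
        /^ *\[ Evaluations:/ {
            if (iface in ifs && $3 + 0 == 0) print iface, $3, rule
        }'
}

# Constructed sample in pfctl -vvsr layout (not captured from a real system):
SAMPLE='@0 block drop in quick on igb0 inet from 10.0.0.0/8 to any label "antispoof"
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
@1 pass in quick on bridge0 inet from any to any flags S/SA keep state label "lan"
  [ Evaluations: 1542      Packets: 1542      Bytes: 120000      States: 3     ]
@2 pass in quick on igb1 inet from any to any flags S/SA keep state label "opt1"
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]'

# On a live box:  show_pfil_tunables; pfctl -vvsr | never_evaluated_on igb0 igb1
```

Run against the constructed sample, the two member-interface rules (@0 on igb0 and @2 on igb1) are reported with zero evaluations while the bridge0 rule is not.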