* MAC/IP pair match submission
@ 2004-04-08 13:51 Chris Wilson
From: Chris Wilson @ 2004-04-08 13:51 UTC (permalink / raw)
To: netfilter-devel
Hi all,
I would like to submit a new IPtables match, developed by Netservers, for
inclusion into the main IPtables tree.
The new match is called "macmatch" because it matches against a
(potentially very large) list of MAC/IP/Device triples, using a hash
table. This is much more efficient (faster to match) than having thousands
of rules like:
"--mac-source MAC -s IP -i DEV"
It also leads to shorter ruleset loading times, and allows triples to be
added or removed from the list without modifying any iptables rules.
I have tried to get the patch into a format suitable for POM, using
Rusty's NEWPATCHES guide, but I couldn't figure out what to do with the
user-space part, so I've just included libipt_macmatch.c and
.macmatch-test as simple files in my distribution tarball.
You can find the code at
[http://www.netservers.co.uk/gpl/macmatch.tar.gz]. Comments are very
welcome. Please let me know if anything stands in the way of its
integration into IPtables and POM.
It does have some known bugs, but the most serious (system instability)
has only been observed when debugging is explicitly turned on. Please read
the BUGS section of macmatch.patch.help for details.
Cheers, Chris.
--
_ __ __ _
/ __/ / ,__(_)_ | Chris Wilson -- UNIX Firewall Lead Developer |
/ (_ ,\/ _/ /_ \ | NetServers.co.uk http://www.netservers.co.uk |
\__/_/_/_//_/___/ | 21 Signet Court, Cambridge, UK. 01223 576516 |
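To make the idea behind the match concrete, here is a small model of a hash-table triple lookup, added as an illustration and not taken from the macmatch patch or its tarball. It assumes a constructed table format of one "MAC IP DEV" triple per line, normalises MAC spelling so that "AA-BB-..." and "aa:bb:..." hash to the same key, and shows the equivalent per-entry iptables rule text that a single table lookup replaces. The sample table entries are constructed.

```python
"""Model of a MAC/IP/device triple match backed by a hash table.

Constructed example: this is not the macmatch patch's own code. It shows
why one hashed lookup of (MAC, IP, DEV) scales better than a linear walk
over thousands of '--mac-source MAC -s IP -i DEV' rules.
"""
from ipaddress import IPv4Address
from typing import List, NamedTuple, Set


class Triple(NamedTuple):
    mac: str          # canonical lower-case, colon-separated
    ip: IPv4Address
    dev: str          # ingress interface name, e.g. "eth1"


def normalize_mac(mac: str) -> str:
    """Accept 'aa:bb:cc:dd:ee:ff' or 'AA-BB-CC-DD-EE-FF'; return canonical form.

    A canonical key matters: a hash table only matches exact keys, so two
    spellings of the same address must collapse to one entry.
    """
    parts = mac.replace("-", ":").lower().split(":")
    hexdigits = set("0123456789abcdef")
    if len(parts) != 6 or any(len(p) != 2 or set(p) - hexdigits for p in parts):
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(parts)


def parse_table(text: str) -> Set[Triple]:
    """Parse a table of 'MAC IP DEV' lines into a set (hash table of triples).

    '#' starts a comment; blank lines are ignored. Malformed lines raise
    ValueError with the line number so a bad table is rejected up front
    rather than silently matching less than intended.
    """
    table: Set[Triple] = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 'MAC IP DEV', got {raw!r}")
        mac, ip, dev = fields
        table.add(Triple(normalize_mac(mac), IPv4Address(ip), dev))
    return table


def matches(table: Set[Triple], mac: str, ip: str, dev: str) -> bool:
    """One O(1) hash lookup: does this (MAC, IP, DEV) triple appear in the table?

    All three fields must agree. A packet carrying a listed IP from a
    different MAC, or arriving on a different interface, does not match.
    """
    return Triple(normalize_mac(mac), IPv4Address(ip), dev) in table


def linear_rules(table: Set[Triple]) -> List[str]:
    """The per-entry iptables match text the table replaces (one rule per triple).

    Returned sorted so output is deterministic; iptables would evaluate
    these one after another, which is the linear cost the hash avoids.
    """
    return [f"-m mac --mac-source {t.mac} -s {t.ip} -i {t.dev}" for t in sorted(table)]


# Constructed sample table (documentation addresses, not real hosts).
SAMPLE_TABLE = """\
# MAC               IP          DEV
00:11:22:33:44:55   192.0.2.10  eth1
AA-BB-CC-DD-EE-FF   192.0.2.11  eth1   # mixed-case, dash-separated spelling
"""
TABLE = parse_table(SAMPLE_TABLE)

if __name__ == "__main__":
    print("listed host on its interface:", matches(TABLE, "00:11:22:33:44:55", "192.0.2.10", "eth1"))
    print("listed IP, other MAC:        ", matches(TABLE, "00:11:22:33:44:55", "192.0.2.11", "eth1"))
    print("listed pair, other interface:", matches(TABLE, "00:11:22:33:44:55", "192.0.2.10", "eth0"))
    for rule in linear_rules(TABLE):
        print("equivalent rule:", rule)
```

The set membership test is the whole point: adding or removing a triple changes only the table, not the ruleset, and the cost of a lookup does not grow with the number of entries the way a chain of individual rules does.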
* Re: MAC/IP pair match submission
From: Nicholas E. Walker @ 2004-04-08 15:51 UTC (permalink / raw)
To: netfilter-devel
Chris,
Your patch would be even more useful if it were to allow one to specify
a target for every entry in the table. I currently use MAC:IP matching
to jump to tables that implement ACLs and marking policies for QoS.
It would also be interesting/useful to have similar functionality for
marking packets. In the case that one wishes to allocate a certain
amount of bandwidth to each customer when each customer has multiple
links, one could generate a table that specifies a mark based on the
MAC:IP combination, and then one could later take some action on
unmarked packets.
Thanks for this. Work in this direction is going to allow me to
implement filtering at more points in my network because of the
possibility of using slower hardware, etc.
Nicholas
On Thu, Apr 08, 2004 at 02:51:50PM +0100, Chris Wilson wrote:
> Hi all,
>
> I would like to submit a new IPtables match, developed by Netservers, for
> inclusion into the main IPtables tree.
>
> The new match is called "macmatch" because it matches against a
> (potentially very large) list of MAC/IP/Device triples, using a hash
> table. This is much more efficient (faster to match) than having thousands
> of rules like:
>
> "--mac-source MAC -s IP -i DEV"
>
> It also leads to shorter ruleset loading times, and allows triples to be
> added or removed from the list without modifying any iptables rules.
>
> I have tried to get the patch into a format suitable for POM, using
> Rusty's NEWPATCHES guide, but I couldn't figure out what to do with the
> user-space part, so I've just included libipt_macmatch.c and
> .macmatch-test as simple files in my distribution tarball.
>
> You can find the code at
> [http://www.netservers.co.uk/gpl/macmatch.tar.gz]. Comments are very
> welcome. Please let me know if anything stands in the way of its
> integration into IPtables and POM.
>
> It does have some known bugs, but the most serious (system instability)
> has only been observed when debugging is explicitly turned on. Please read
> the BUGS section of macmatch.patch.help for details.
>
> Cheers, Chris.
> --
> _ __ __ _
> / __/ / ,__(_)_ | Chris Wilson -- UNIX Firewall Lead Developer |
> / (_ ,\/ _/ /_ \ | NetServers.co.uk http://www.netservers.co.uk |
> \__/_/_/_//_/___/ | 21 Signet Court, Cambridge, UK. 01223 576516 |
* Re: MAC/IP pair match submission
From: Chris Wilson @ 2004-04-21 16:42 UTC (permalink / raw)
To: netfilter-devel
Hi all,
I would like to announce a new version of the "macmatch" patch, v0.0.5.
This increases the size of the /proc write buffer, to fix some problems
with long interface names, and includes a fix for an error message that
was logged at too low a priority.
The download locations have also changed. You can find all the
documentation (that exists so far) at:
[http://www.firerack.com/devel/iptables_macmatch]
and download the source code itself at:
[http://www.firerack.com/downloads/iptables_macmatch]
I still haven't heard from anyone regarding integration into POM. Can
anyone tell me if there is a procedure for this, or someone who I should
be pestering, or if there's a reason why this isn't appropriate for POM?
Cheers, Chris.
--
_ __ __ _
/ __/ / ,__(_)_ | Chris Wilson -- UNIX Firewall Lead Developer |
/ (_ ,\/ _/ /_ \ | NetServers.co.uk http://www.netservers.co.uk |
\__/_/_/_//_/___/ | 21 Signet Court, Cambridge, UK. 01223 576516 |