* MAC address matching. Or other ideas.
@ 2003-05-04 23:34 Daniel
From: Daniel @ 2003-05-04 23:34 UTC (permalink / raw)
To: netfilter-devel
Quick version:
Is it possible to get the MAC match module to match on dst MAC address
rather than just src MAC?
Longer Version:
My network is peered to an internet exchange. I am running Debian stable
with Zebra to handle all of the routing. I only want to measure traffic
that is going through our ISP. So I want to be able to say only gimme
traffic that is coming in and out via gateway X; the only way I can
figure to do that is by matching the MAC address of the gateway, but the
match only works on incoming traffic. Is it even technically possible to
match on outgoing? Or if someone has a better way of doing it I would
be happy to hear that as well.
I am not subscribed to the list so if it is possible to reply to me and
the list that would be great, but I will read the list archive for the
next couple of days anyway.
Thanks
Daniel Griggs
* Re: MAC address matching. Or other ideas.
From: Patrick Schaaf @ 2003-05-10 10:59 UTC (permalink / raw)
To: Daniel; +Cc: netfilter-devel
> Is it possible to get the MAC match module to match on dst MAC address
> rather than just src MAC?
Not without much much work. The destination MAC is not known, generally,
while the packet traverses the network stack; only on output, after
a potentially long time waiting for an ARP reply, will a destination
MAC be available for checking.
You could, maybe, be lucky to have it in the POSTROUTING table. But I
doubt that.
> So I want to be able to say only gimme traffic that is coming in and
> out via gateway X, the only way I can figure to do that is by matching
> the MAC address of the gateway,
Why not the IP address of the gateway? That is known after routing,
i.e. in both the INPUT and FORWARD chains, and a 'route' match
is trivial to write, as far as I know. There is already a nice
ROUTE target in patch-o-matic, such a route-match could A) be
patterned after the target (take the same options), and it
could B) look at the exact same structure (skb->dst) that the
ROUTE target sets up. Nice mirror work.
If that's a solution for you, and you set out to implement it,
just mail me if you have detail questions.
best regards
Patrick
* Re: MAC address matching. Or other ideas.
From: Maciej Soltysiak @ 2003-05-10 13:24 UTC (permalink / raw)
To: Patrick Schaaf; +Cc: Daniel, netfilter-devel
> You could, maybe, be lucky to have it in the POSTROUTING table. But I
> doubt that.
Hmm, how about another netfilter hook somewhere in the output code
path, when the dst mac is known?
Regards,
Maciej
* Re: MAC address matching. Or other ideas.
From: Patrick Schaaf @ 2003-05-10 13:43 UTC (permalink / raw)
To: Maciej Soltysiak; +Cc: Patrick Schaaf, Daniel, netfilter-devel
On Sat, May 10, 2003 at 03:24:16PM +0200, Maciej Soltysiak wrote:
> > You could, maybe, be lucky to have it in the POSTROUTING table. But I
> > doubt that.
> Hmm, how about another netfilter hook somewhere in the output code
> path, when the dst mac is known?
There was a proposal for such a thing, some time ago, I think by Don Cohen.
The intent, there, was to have a way to do things after traffic control.
As a personal example, it could be nice to have a way to do accounting
only for those packets that really made it through; customers could
complain that they are billed for dropped packets.
In principle, such a chain would have to sit in the network card driver
output path, just before a packet is really handed over to the hardware.
The destination MAC will surely be resolved, there.
One thing that I find a bit icky, is that there, we are clearly
"out and below" the IPv4 stack, so we have left the native scope of
the iptables tool. Thus, another iptables table could be problematic,
and another clone like arptables or ebtables, maybe called devtables,
would be more appropriate.
best regards
Patrick
* Re: MAC address matching. Or other ideas.
From: Daniel @ 2003-05-11 22:44 UTC (permalink / raw)
To: Patrick Schaaf; +Cc: netfilter-devel
Thanks for your reply; I thought that there may be some issues with
matching dst MAC addresses. You are right though that a better solution
would be to base it on the gateway's IP address. I would be happy to
implement it myself, but I don't have any experience with C, let alone
kernel programming, though it would be cool to have something I wrote in
the kernel. If you guys added a method to allow people to write perl
modules then I would certainly contribute :).
If someone wants to/has the time to implement such a match
module then kudos to them, otherwise I will just have to find a
different solution.
Thanks again for your help.
Daniel