Re: MAC address matching. Or other ideas.

[Daniel <daniel@dev-zone.org>]

Thanks for your reply, I thought that there may be some issues with 
matching dst MAC addresses. You are right though that a better solution 
would be to base it on the gateways IP address. I would be happy to 
implement it myself, but I don't have any experience with C let alone 
kernel programming, though it would be cool to have something I wrote in 
the kernel. It you guys added a method to allow people to write perl 
modules then I would certainly contribute :).
If someone wants to/ has the time the time to implement such a match 
module then kudos to them, otherwise I will just have to find a 
different solution.

Thanks again for your help.
Daniel


Patrick Schaaf wrote:
>>Is it possible to get the MAC match module to match on dst MAC address 
>>rather than just src MAC?
> 
> 
> Not without much much work. The destination MAC is not known, generally,
> while the packet traverses the network stack; only on output, after
> a potentially long time waiting for an ARP reply, will a destination
> MAC be available for checking.
> 
> You could, maybe, be lucky to have it in the POSTROUTING table. But I
> doubt that.
> 
> 
>>So I want to be able to say only gimme traffic that is coming in and
>>out via gateway X, the only way I can figure to do that is by matching
>>the MAC address of the gateway,
> 
> 
> Why not the IP address of the gateway? That is known after routing,
> i.e. in both the INPUT and FORWARD chains, and a 'route' match
> is trivial to write, as far as I know. There is already a nice
> ROUTE target in patch-o-matic, such a route-match could A) be
> patterned after the target (take the same options), and it
> could B) look at the exact same structure (skb->dst) that the
> ROUTE target sets up. Nice mirror work.
> 
> If that's a solution for you, and you set out to implement it,
> just mail me if you have detail questions.
> 
> best regards
>   Patrick