* MAC address matching. Or other ideas.
From: Daniel @ 2003-05-04 23:34 UTC
To: netfilter-devel

Quick version: Is it possible to get the MAC match module to match on dst MAC address rather than just src MAC?

Longer version: My network is peered to an internet exchange. I am running Debian stable with Zebra to handle all of the routing. I only want to measure traffic that is going through our ISP. So I want to be able to say only gimme traffic that is coming in and out via gateway X. The only way I can figure to do that is by matching the MAC address of the gateway, but the match only works on incoming traffic. Is it even technically possible to match on outgoing? Or if someone has a better way of doing it I would be happy to hear that as well.

I am not subscribed to the list, so if it is possible to reply to me and the list that would be great, but I will read the list archive for the next couple of days anyway.

Thanks
Daniel Griggs
* Re: MAC address matching. Or other ideas.
From: Patrick Schaaf @ 2003-05-10 10:59 UTC
To: Daniel; +Cc: netfilter-devel

> Is it possible to get the MAC match module to match on dst MAC address
> rather than just src MAC?

Not without much much work. The destination MAC is not known, generally, while the packet traverses the network stack; only on output, after a potentially long time waiting for an ARP reply, will a destination MAC be available for checking.

You could, maybe, be lucky to have it in the POSTROUTING table. But I doubt that.

> So I want to be able to say only gimme traffic that is coming in and
> out via gateway X, the only way I can figure to do that is by matching
> the MAC address of the gateway,

Why not the IP address of the gateway? That is known after routing, i.e. in both the INPUT and FORWARD chains, and a 'route' match is trivial to write, as far as I know. There is already a nice ROUTE target in patch-o-matic; such a route-match could A) be patterned after the target (take the same options), and it could B) look at the exact same structure (skb->dst) that the ROUTE target sets up. Nice mirror work.

If that's a solution for you, and you set out to implement it, just mail me if you have detail questions.

best regards
Patrick
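The two directions discussed above, as an added example that is not part of the thread and not code from either poster: inbound traffic from the gateway can be counted with the existing mac match on the frame's source address, while for outbound traffic the frame's destination MAC does not yet exist when the filter chains run, so the rules below count on the route entry instead. The realm match in current iptables reads the realm number stored on the route the packet was given (the skb->dst structure Patrick points at), so tagging the routes that go via the ISP with a realm gives the "route match" Patrick describes without writing a kernel module. Every name in the script is an assumption: the interface eth1, the gateway MAC 00:11:22:33:44:55 and IP 192.0.2.1, realm number 10 and the chain names ISP_IN/ISP_OUT are placeholders to replace with the router's real values.

```shell
#!/bin/sh
# Added example (not code from the thread): accounting of traffic that goes via one
# gateway on a shared exchange LAN. All values below are placeholders/assumptions.
IX_IF="${IX_IF:-eth1}"                    # assumed: interface on the exchange LAN
GW_MAC="${GW_MAC:-00:11:22:33:44:55}"     # assumed: Ethernet address of the ISP gateway
GW_IP="${GW_IP:-192.0.2.1}"               # assumed: its IP address (TEST-NET-1 placeholder)
ISP_REALM="${ISP_REALM:-10}"              # assumed: realm number chosen to tag "via ISP" routes

# Print each command by default; APPLY=1 executes it (needs root, iptables, iproute2).
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Inbound: the mac match compares the source address of the Ethernet frame the
# packet arrived in, so frames the gateway's NIC sent are counted directly. The
# match only offers --mac-source and is only valid in PREROUTING, INPUT and FORWARD.
isp_in_rules() {
    run iptables -N ISP_IN
    run iptables -A INPUT   -i "$IX_IF" -m mac --mac-source "$GW_MAC" -j ISP_IN
    run iptables -A FORWARD -i "$IX_IF" -m mac --mac-source "$GW_MAC" -j ISP_IN
    run iptables -A ISP_IN -j RETURN      # the counters on this rule are the inbound total
}

# Outbound: in FORWARD/OUTPUT the packet has a route (skb->dst) but no neighbour
# entry yet, so there is no destination MAC to compare. The realm match instead
# reads the realm number stored on that route, so routes that go via the ISP are
# tagged with ISP_REALM and counted by realm. Caveat: routes installed by a routing
# daemon such as Zebra carry no realm unless the daemon sets one, so the static
# default route here is for illustration only.
isp_out_rules() {
    run ip route replace default via "$GW_IP" dev "$IX_IF" realm "$ISP_REALM"
    run iptables -N ISP_OUT
    run iptables -A OUTPUT  -o "$IX_IF" -m realm --realm "$ISP_REALM" -j ISP_OUT
    run iptables -A FORWARD -o "$IX_IF" -m realm --realm "$ISP_REALM" -j ISP_OUT
    run iptables -A ISP_OUT -j RETURN     # the counters on this rule are the outbound total
}

# Read both totals back (packet and byte counters of the RETURN rule in each chain).
isp_counters() {
    run iptables -L ISP_IN  -vnx
    run iptables -L ISP_OUT -vnx
}

# Consistency check before applying: no generated rule may rely on a
# destination-MAC option, because the mac match does not provide one.
check_rules() {
    if { isp_in_rules; isp_out_rules; } | grep -q -- '--mac-destination'; then
        echo "rule set uses an option the mac match does not have" >&2
        return 1
    fi
    return 0
}

case "${1:-}" in
    show)  isp_in_rules; isp_out_rules ;;
    apply) check_rules && { APPLY=1; isp_in_rules; isp_out_rules; isp_counters; } ;;
esac
```

Run it as `sh isp-acct.sh show` to review the generated commands and `sh isp-acct.sh apply` as root to install them; `iptables -L ISP_IN -vnx` and `iptables -L ISP_OUT -vnx` then give the two totals. The inbound half works on any kernel with the mac match; the outbound half only counts packets whose route carries the realm, which is the same limitation as a hand-written skb->dst match would have.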
* Re: MAC address matching. Or other ideas.
From: Maciej Soltysiak @ 2003-05-10 13:24 UTC
To: Patrick Schaaf; +Cc: Daniel, netfilter-devel

> You could, maybe, be lucky to have it in the POSTROUTING table. But I
> doubt that.

Hmm, how about another netfilter hook somewhere in the output code path, when the dst MAC is known?

Regards,
Maciej
* Re: MAC address matching. Or other ideas.
From: Patrick Schaaf @ 2003-05-10 13:43 UTC
To: Maciej Soltysiak; +Cc: Patrick Schaaf, Daniel, netfilter-devel

On Sat, May 10, 2003 at 03:24:16PM +0200, Maciej Soltysiak wrote:
> > You could, maybe, be lucky to have it in the POSTROUTING table. But I
> > doubt that.
> Hmm, how about another netfilter hook somewhere in the output code
> path, when the dst mac is known?

There was a proposal for such a thing, some time ago, I think by Don Cohen. The intent, there, was to have a way to do things after traffic control. As a personal example, it could be nice to have a way to do accounting only for those packets that really made it through; customers could complain that they are billed for dropped packets.

In principle, such a chain would have to sit in the network card driver output path, just before a packet is really handed over to the hardware. The destination MAC will surely be resolved, there.

One thing that I find a bit icky is that there, we are clearly "out and below" the IPv4 stack, so we have left the native scope of the iptables tool. Thus, another iptables table could be problematic, and another clone like arptables or ebtables, maybe called devtables, would be more appropriate.

best regards
Patrick
* Re: MAC address matching. Or other ideas.
From: Daniel @ 2003-05-11 22:44 UTC
To: Patrick Schaaf; +Cc: netfilter-devel

Thanks for your reply. I thought that there may be some issues with matching dst MAC addresses. You are right though that a better solution would be to base it on the gateway's IP address.

I would be happy to implement it myself, but I don't have any experience with C, let alone kernel programming, though it would be cool to have something I wrote in the kernel. If you guys added a method to allow people to write perl modules then I would certainly contribute :).

If someone wants to / has the time to implement such a match module then kudos to them, otherwise I will just have to find a different solution.

Thanks again for your help.

Daniel

Patrick Schaaf wrote:
>> Is it possible to get the MAC match module to match on dst MAC address
>> rather than just src MAC?
>
> Not without much much work. The destination MAC is not known, generally,
> while the packet traverses the network stack; only on output, after
> a potentially long time waiting for an ARP reply, will a destination
> MAC be available for checking.
>
> You could, maybe, be lucky to have it in the POSTROUTING table. But I
> doubt that.
>
>> So I want to be able to say only gimme traffic that is coming in and
>> out via gateway X, the only way I can figure to do that is by matching
>> the MAC address of the gateway,
>
> Why not the IP address of the gateway? That is known after routing,
> i.e. in both the INPUT and FORWARD chains, and a 'route' match
> is trivial to write, as far as I know. There is already a nice
> ROUTE target in patch-o-matic, such a route-match could A) be
> patterned after the target (take the same options), and it
> could B) look at the exact same structure (skb->dst) that the
> ROUTE target sets up. Nice mirror work.
>
> If that's a solution for you, and you set out to implement it,
> just mail me if you have detail questions.
>
> best regards
> Patrick