* [LARTC] filtering in layer 2 [but is not a bridge]
From: Luciano Ruete @ 2007-01-09 13:52 UTC (permalink / raw)
  To: lartc

I have a Linux AP with a prism2 (hostap) wireless NIC.

I want to filter traffic that passes between clients of the AP. This is layer 2 
traffic (802.11) and netfilter does not see it. At first I thought of the physdev 
target, but that is for layer 2 bridged interfaces, and this is not the case.

Is there a way to filter layer 2 traffic independent of whether it is from a bridged 
iface or not?
-- 
Luciano
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


* Re: [LARTC] filtering in layer 2 [but is not a bridge]
From: Zoilo Gomez @ 2007-01-09 14:00 UTC (permalink / raw)
  To: lartc

ebtables


* Re: [LARTC] filtering in layer 2 [but is not a bridge]
From: Luciano Ruete @ 2007-01-11 11:56 UTC (permalink / raw)
  To: lartc

On Tuesday 09 January 2007 11:00, Zoilo Gomez wrote:
> ebtables

From the ebtables home page:
"The ebtables utility enables basic Ethernet frame filtering on a Linux 
bridge"

I do _not_ have a bridge (that's why I put it in the subject); I have a Linux AP 
that forwards traffic between clients at the 802.11 level.

-- 
Luciano

* Re: [LARTC] filtering in layer 2 [but is not a bridge]
From: Zoilo Gomez @ 2007-01-11 12:01 UTC (permalink / raw)
  To: lartc

Isn't an AP just a bridge with a wireless interface?


* Re: [LARTC] filtering in layer 2 [but is not a bridge]
From: Grant Taylor @ 2007-01-13  3:54 UTC (permalink / raw)
  To: lartc

On 01/11/07 06:01, Zoilo Gomez wrote:
> Isn't an AP just a bridge with a wireless interface?

In a sense, yes.  However the 802.11 wireless side of the bridge is a 
very complex physical layer, (IMHO) more so than 802.3 ethernet.

Host AP is probably listening to requests at the physical transceiver 
level.  If the Host AP is operating in an AP mode (wouldn't it be?) it 
will have to be involved in passing the traffic from one 802.11 client 
to another.  This is really a form of bridging on the physical layer, 
not layer 2 in the kernel.  Thus EB / IP Tables will not help here.

I have not (yet) personally worked with Host AP, though I plan to.  As 
such, I'm not sure if it includes functionality to filter the traffic 
that it sees.

I wonder if it would be a possibility to (theoretically) move / extend 
the functionality of Host AP such that each associated wireless client 
would (logically / theoretically) appear as a separate interface to a 
custom bridge that could then be presented / controlled via EBTables. 
However, this is quite likely exceeding the 802.11 specification in such 
a way that it would really no longer be 802.11.

Something to keep in mind is that in Infrastructure wireless mode, one 
wireless client has to talk to the AP and have the AP talk to another 
wireless client on its behalf.  I believe this is the "bridging" that 
the OP is referring to.  Note, I use the term bridging loosely here.

On a side note, how well do you like Host AP?



Grant. . . .

* Re: [LARTC] filtering in layer 2 [but is not a bridge]
From: Zoilo Gomez @ 2007-01-13 13:42 UTC (permalink / raw)
  To: lartc

Thank you for your clarification, Grant.

In a different setup, I have been using Access Points (i.e. Trendnet 
TEW453APB) with the 'wireless isolation' flag enabled in the 
configuration setup. In this configuration, wireless clients cannot see 
each other, and all traffic is forwarded to the Linux router.

But I must admit that I never looked into this using Host AP.

Still, I would expect that there should be a way to achieve this kind of 
configuration using Host AP....?
