From: Andy Furniss
Subject: Re: Filtering pppoed frames
Date: Fri, 16 Dec 2011 19:46:10 +0000
Message-ID: <4EEBA002.4030402@ukfsn.org>
References: <4EEA61F1.9020709@ukfsn.org>
To: Marius Nicolae
Cc: netfilter@vger.kernel.org

Marius Nicolae wrote:
>> If you can't identify from the frame alone and need state from the pppoe
>> server or some statistics then it's going to be trickier.

> Yes, it is possible to identify the frames alone from MACs and ethernet
> protocol only, in a stateless manner, but only the "noisy" MACs must be
> rejected. As a very simplistic description, the pppoed protocol is used
> to create and terminate pppoe sessions (frames with 0x8864 ethernet
> protocol) which encapsulate IP frames by signing and even encrypting
> them. Thus it is very important to let the good and legitimate MACs
> send/receive such frames in order to create/terminate pppoe sessions.

The only tc thing I can think of would be to keep a list of bad MACs,
maybe from a script parsing pppoe server logs or something, and then
periodically replace a tc filter that matches and drops those MACs +
protocol 0x8864.
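As an added example (not code from this thread), one way to do the "periodically replace the tc filter" step above: a POSIX shell script that turns a file of bad MACs into tc ingress u32 rules dropping frames from those MACs, generating the commands first so they can be reviewed or tested before being applied. It assumes the list is one MAC per line written by whatever parses the PPPoE server logs, an iproute2 whose u32 supports `match ether src`, and the interface name in DEV; the EtherType is a parameter because the discovery stage (PADI/PADO/PADR/PADS/PADT) uses 0x8863 while the session stage uses 0x8864.

```shell
#!/bin/sh
# Added example: rebuild a set of tc ingress drop rules from a MAC list.
# Assumptions: DEV is the interface, PRIO groups our rules so they can be
# flushed as a unit, and the MAC list is maintained by a log-parsing script.
DEV="${DEV:-eth0}"
PRIO="${PRIO:-10}"

# Print (do not run) the tc commands that replace the current rule set
# with one drop rule per MAC in $1 for EtherType $2 (e.g. 0x8863 or 0x8864).
gen_tc_filters() {
    macfile=$1; ethtype=$2
    # Flush our previous rules; ignore the error on the very first run.
    echo "tc filter del dev $DEV parent ffff: protocol $ethtype prio $PRIO 2>/dev/null || true"
    # Keep only well-formed MACs and drop duplicates: a stray log line must
    # never turn into a shell command.
    grep -Ei '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' "$macfile" | sort -u |
    while read -r mac; do
        echo "tc filter add dev $DEV parent ffff: protocol $ethtype prio $PRIO" \
             "u32 match ether src $mac action drop"
    done
}

# Apply the generated commands; needs root and an ingress qdisc on DEV.
apply_tc_filters() {
    tc qdisc add dev "$DEV" ingress 2>/dev/null || true
    gen_tc_filters "$1" "$2" | sh -e
}

# Constructed sample list (one bad line, one duplicate) for demonstration.
MACFILE="${MACFILE:-/tmp/bad-macs.txt}"
cat > "$MACFILE" <<'EOF'
00:11:22:33:44:55
not a mac
00:11:22:33:44:55
aa:bb:cc:dd:ee:ff
EOF
```

Run `apply_tc_filters "$MACFILE" 0x8863` from cron (or a loop in the log-parsing script) to refresh the rules each time the list changes.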