Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 17 Mar 2014 12:06:04 +0430
From:      Hooman Fazaeli <hoomanfazaeli@gmail.com>
To:        Rui Paulo <rpaulo@FreeBSD.org>
Cc:        FreeBSD Hackers <freebsd-hackers@freebsd.org>, John-Mark Gurney <jmg@funkthat.com>, Ian Lepore <ian@freebsd.org>
Subject:   Re: mbuf question
Message-ID:  <5326A5E4.1000803@gmail.com>
In-Reply-To: <7FA2AB99-EE03-4E84-A67D-F3FCD734B66B@FreeBSD.org>
References:  <53230214.7010501@gmail.com> <BBAFAB2A-F496-46A2-8FE0-224BE562EAA7@FreeBSD.org> <532405B7.2020007@gmail.com> <96659837-1FDC-421D-A339-87104A0075C7@FreeBSD.org> <5324D669.804@gmail.com> <5324DAC0.9020508@gmail.com> <1394925228.1149.558.camel@revolution.hippie.lan> <BEA4D691-6405-4D5B-B437-DAEB655D45EF@FreeBSD.org> <5325BC99.2060703@gmail.com> <20140316212106.GF32089@funkthat.com> <7FA2AB99-EE03-4E84-A67D-F3FCD734B66B@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help 
On 3/17/2014 6:09 AM, Rui Paulo wrote:
> On 16 Mar 2014, at 14:21, John-Mark Gurney <jmg@funkthat.com> wrote:
>
>> Why do we need this info in another location?  Isn't this already in
>> the packet?  How else did we get it then?  Or are you dealing w/ the
>> fact that the L2 information was stripped by an upper layer, and if
>> that is the case, shouldn't you be getting the packet soon then?
> It's mostly because the netpfil hooks are in layer 3.  The layer 2 headers are stripped by layer 2 code before it passes the mbuf to layer 3.
>
> I don't know what the goals are, so it's hard to suggest alternatives... Do we want to filter IP packets based on L2 information or do we want to filter L2 packets like ARP?  It's possible that the best alternative is to extend netpfil to layer 2 and then validate the mbuf there.
>
> --
> Rui Paulo
>
My goal is to add src/dst  MAC address constraint to pf filter/nat/rdr/binat/anchor rules to be used in combination with other constraints (protocol, IP address, ...).
When done,  we can write rules like the following:

table <macs> { 00.11.22.33.44.55 00.4d.54.f1.43.33  }
table <ips> { 192.168.1.2 192.168.1.3}
gateway1 = "00.23.45.99.d3.e4"

# Restrict 10.20.30/24 subnet's web traffic to come from gateway1
block in quick on em1 proto tcp from mac ! $gateway1 10.20.30/24 to any port http

# sort of IP/MAC binding
block  in on em0 from mac <macs> ! <ips> to any
block in on em0 from mac ! <macs> <ips> to any


-- 

Best regards.
Hooman Fazaeli

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5326A5E4.1000803>