Re: [gentoo-user] netfilter partial MAC filtering

    From Samuraiii@21:1/5 to Laurence Perkins on Fri Jun 17 06:50:01 2022
    On Fri, 2022-06-17 at 01:32 +0000, Laurence Perkins wrote:
    > I am designing a small system with a switch and an uplink.  It needs
    > to be able to forward traffic from trusted, and only trusted, devices
    > connected to the switch out through the uplink.
    >
    > Since all potential trusted devices will have the same MAC OUI prefix
    > in this case, the immediately obvious course of action would be to
    > base the decision on that.
    >
    > Unfortunately, there doesn't seem to be a good way to do so.  There
    > was
    > https://serverfault.com/questions/877576/shorewall-wildcard-filter-by-source-mac-address
    > from a few years ago, with the answer being "You can't."
    >
    > While I didn't bother to test it, I'm guessing that adding about 16
    > million MAC filtering rules to the firewall won't be good for
    > performance.  I briefly thought I could use the string matching or
    > the U32 filters, but unfortunately it appears that they can't access
    > anything prior to the start of the IP section, so picking bytes out
    > of the ethernet header isn't possible.
    >
    > I did find
    > https://martin.uy/blog/wildcard-support-for-mac-addresses-in-netfilter-linux-kernel-and-iptables/
    > But it's old, and has something of a glaring flaw with regard to
    > false wildcard matches.
    >
    > I can think of a few ways to do this, mostly involving somehow
    > monitoring incoming packets and noting the MAC addresses which have
    > the correct prefix, and then having a little daemon pick up those
    > addresses and add rules to let them through.
    >
    > Either that, or try to write a custom netfilter module.
    >
    > None of this seems particularly "fun" to sort out.  Does anybody know
    > of any common solutions for doing packet matching based on just part
    > of a MAC address on Linux?  Failing that, some advice about whether
    > the system daemon and packet inspection route or the netfilter module
    > route is more likely to be stable and maintainable would be
    > appreciated.
    >
    > Thanks,
    > LMP

    Hi,
    I would recommend looking into nftables and its set feature...
    It should perform better with one rule for multiple matches.
    I bet no one has tried it with 16M items, but it is the best, as far as
    I know.
    Cheers
    S


    https://wiki.nftables.org/wiki-nftables/index.php/Sets
    https://developers.redhat.com/blog/2017/04/11/benchmarking-nftables#the_first_test

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
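As an added example (not code from either poster), here is the "little daemon" route Laurence describes, feeding the nftables set feature Samuraiii points to: parse Ethernet frames, keep only source MACs whose OUI is on the trusted list, and emit the `nft add element` commands that would add them to a set. The trusted OUI 00:11:22, the `bridge filter` table, the `trusted_macs` set name and the sample frames are all assumptions constructed for this example.

```python
"""Allow-list forwarding by MAC OUI, daemon style: learn trusted source MACs
from frames and produce nft commands that add them to a set (returned, not run)."""
import struct
from typing import Iterable

# Assumed trusted OUIs (upper 24 bits of the MAC); a deployment takes these
# from the device vendor. MACs are easily forged, so this filters convenience
# traffic, it does not authenticate devices.
TRUSTED_OUIS = {bytes.fromhex("001122")}

# Assumed nftables objects; the ruleset this feeds would look like:
#   table bridge filter { set trusted_macs { type ether_addr; }
#     chain forward { type filter hook forward priority 0; policy drop;
#                     ether saddr @trusted_macs accept } }
NFT_TABLE, NFT_SET = "bridge filter", "trusted_macs"

def source_mac(frame: bytes) -> bytes:
    """Return the 6-byte source MAC from an Ethernet II header (dst, src, type)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    return frame[6:12]

def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)

def has_trusted_oui(mac: bytes) -> bool:
    """Partial-MAC match: only the OUI (first three bytes) is compared."""
    return mac[:3] in TRUSTED_OUIS

def nft_add_element(mac: bytes) -> list[str]:
    """argv for the nft command adding one address to the set."""
    return ["nft", "add", "element", *NFT_TABLE.split(), NFT_SET,
            "{", mac_str(mac), "}"]

def learn(frames: Iterable[bytes]) -> list[list[str]]:
    """Return one nft command per new source MAC with a trusted OUI."""
    seen, cmds = set(), []
    for frame in frames:
        mac = source_mac(frame)
        if has_trusted_oui(mac) and mac not in seen:
            seen.add(mac)
            cmds.append(nft_add_element(mac))
    return cmds

def frame(src_hex: str) -> bytes:
    """Constructed frame: zero dst MAC, given src MAC, IPv4 ethertype, padding."""
    return bytes(6) + bytes.fromhex(src_hex) + struct.pack("!H", 0x0800) + bytes(46)

# Constructed sample: one trusted device seen twice, one untrusted device.
SAMPLE_FRAMES = [frame("001122aabbcc"), frame("deadbeef0001"), frame("001122aabbcc")]

if __name__ == "__main__":
    for cmd in learn(SAMPLE_FRAMES):
        print(" ".join(cmd))  # on the box: subprocess.run(cmd, check=True)
```

Reading real frames needs an AF_PACKET socket on the switch-side interface; the set deduplicates repeated adds, so the daemon can stay stateless across restarts.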