I am designing a small system with a switch and an uplink. It needsHi,
to be able to forward traffic from trusted, and only trusted, devices connected to the switch out through the uplink.
Since all potential trusted devices will have the same MAC OUI prefix
in this case, the immediately obvious course of action would be to
base the decision on that.
Unfortunately, there doesn't seem to be a good way to do so. There
was
https://serverfault.com/questions/877576/shorewall-wildcard-filter- by-source-mac-address from a few years ago, with the answer being
"You can't."
While I didn't bother to test it, I'm guessing that adding about 16
million MAC filtering rules to the firewall won't be good for
performance. I briefly thought I could use the string matching or
the U32 filters, but unfortunately it appears that they can't access
anything prior to the start of the IP section, so picking bytes out
of the ethernet header isn't possible.
I did find https://martin.uy/blog/wildcard-support-for-mac-addresses-in-netfilter-linux-kernel-and-iptables/
But it's old, and has something of a glaring flaw with regard to
false wildcard matches.
I can think of a few ways to do this, mostly involving somehow
monitoring incoming packets and noting the MAC addresses which have
the correct prefix, and then having a little daemon pick up those
addresses and add rules to let them through.
Either that, or try to write a custom netfilter module.
None of this seems particularly "fun" to sort out. Does anybody know
of any common solutions for doing packet matching based on just part
of a MAC address on Linux? Failing that, some advice about whether
the system daemon and packet inspection route or the netfilter module
route is more likely to be stable and maintainable would be
appreciated.
Thanks,
LMP
Sysop: | Keyop |
---|---|
Location: | Huddersfield, West Yorkshire, UK |
Users: | 302 |
Nodes: | 16 (2 / 14) |
Uptime: | 98:10:12 |
Calls: | 6,767 |
Calls today: | 5 |
Files: | 12,295 |
Messages: | 5,376,385 |
Posted today: | 1 |