RE: [gentoo-user] netfilter partial MAC filtering

2022-06-17 Thread Laurence Perkins


> -Original Message-
> From: Samuraiii  
> Sent: Thursday, June 16, 2022 9:48 PM
> To: gentoo-user@lists.gentoo.org
> Subject: Re: [gentoo-user] netfilter partial MAC filtering
> 
> On Fri, 2022-06-17 at 01:32 +, Laurence Perkins wrote:
> > I am designing a small system with a switch and an uplink.  It needs 
> > to be able to forward traffic from trusted, and only trusted, devices 
> > connected to the switch out through the uplink.
> >  
> > Since all potential trusted devices will have the same MAC OUI prefix 
> > in this case, the immediately obvious course of action would be to 
> > base the decision on that.
> >  
> > Unfortunately, there doesn't seem to be a good way to do so.  There 
> > was
> > https://serverfault.com/questions/877576/shorewall-wildcard-filter-by-source-mac-address
> > from a few years ago, with the answer being "You can't."
> >  
> > While I didn't bother to test it, I'm guessing that adding about 16 
> > million MAC filtering rules to the firewall won't be good for 
> > performance.  I briefly thought I could use the string matching or the 
> > U32 filters, but unfortunately it appears that they can't access 
> > anything prior to the start of the IP section, so picking bytes out of 
> > the ethernet header isn't possible.
> >  
> > I did find
> > https://martin.uy/blog/wildcard-support-for-mac-addresses-in-netfilter-linux-kernel-and-iptables/
> > But it's old, and has something of a glaring flaw with regard to
> > false wildcard matches.
> >  
> > I can think of a few ways to do this, mostly involving somehow 
> > monitoring incoming packets and noting the MAC addresses which have 
> > the correct prefix, and then having a little daemon pick up those 
> > addresses and add rules to let them through.
> >  
> > Either that, or try to write a custom netfilter module.
> >  
> > None of this seems particularly "fun" to sort out.  Does anybody know 
> > of any common solutions for doing packet matching based on just part 
> > of a MAC address on Linux?  Failing that, some advice about whether 
> > the system daemon and packet inspection route or the netfilter module 
> > route is more likely to be stable and maintainable would be 
> > appreciated.
> >  
> > Thanks,
> > LMP
> Hi,
> I would recommend looking into nftables and its set feature...
> It should perform better with one rule for multiple matches.
> I bet no one has tried it with 16M items, but it is the best, as far as I 
> know.
> Cheers
> S
> 
> 
> https://wiki.nftables.org/wiki-nftables/index.php/Sets
> https://developers.redhat.com/blog/2017/04/11/benchmarking-nftables#the_first_test
> 
I guess it's worth a shot.  If it has enough intelligence to collapse the 
search list so it only has to look for the prefix once then it would at least 
reject forbidden connections quickly...

I'll generate out the whole list and see what happens and let you guys know.

LMP


Re: [gentoo-user] netfilter partial MAC filtering

2022-06-16 Thread Samuraiii
On Fri, 2022-06-17 at 01:32 +, Laurence Perkins wrote:
> I am designing a small system with a switch and an uplink.  It needs
> to be able to forward traffic from trusted, and only trusted, devices
> connected to the switch out through the uplink.
>  
> Since all potential trusted devices will have the same MAC OUI prefix
> in this case, the immediately obvious course of action would be to
> base the decision on that.
>  
> Unfortunately, there doesn't seem to be a good way to do so.  There
> was
> https://serverfault.com/questions/877576/shorewall-wildcard-filter-by-source-mac-address
> from a few years ago, with the answer being "You can't."
>  
> While I didn't bother to test it, I'm guessing that adding about 16
> million MAC filtering rules to the firewall won't be good for
> performance.  I briefly thought I could use the string matching or
> the U32 filters, but unfortunately it appears that they can't access
> anything prior to the start of the IP section, so picking bytes out
> of the ethernet header isn't possible.
>  
> I did find
> https://martin.uy/blog/wildcard-support-for-mac-addresses-in-netfilter-linux-kernel-and-iptables/
> But it's old, and has something of a glaring flaw with regard to
> false wildcard matches.
>  
> I can think of a few ways to do this, mostly involving somehow
> monitoring incoming packets and noting the MAC addresses which have
> the correct prefix, and then having a little daemon pick up those
> addresses and add rules to let them through.
>  
> Either that, or try to write a custom netfilter module.
>  
> None of this seems particularly "fun" to sort out.  Does anybody know
> of any common solutions for doing packet matching based on just part
> of a MAC address on Linux?  Failing that, some advice about whether
> the system daemon and packet inspection route or the netfilter module
> route is more likely to be stable and maintainable would be
> appreciated.
>  
> Thanks,
> LMP
Hi,
I would recommend looking into nftables and its set feature...
It should perform better with one rule for multiple matches.
I bet no one has tried it with 16M items, but it is the best, as far as
I know.
Cheers
S


https://wiki.nftables.org/wiki-nftables/index.php/Sets
https://developers.redhat.com/blog/2017/04/11/benchmarking-nftables#the_first_test
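As an added example of the set approach suggested above (not code from anyone in this thread), the script below emits an nftables script that loads every address of one OUI into a set and matches the whole set with a single `ether saddr @set` rule. The table, set and chain names, the chunk size and the sample OUI 00:11:22 are assumptions made for the example; the real OUI goes on the command line, and the output is meant for `nft -f -`.

```python
"""Emit an nftables script that loads every MAC address of one OUI into a set,
so one rule (`ether saddr @trusted_macs accept`) matches all of them.

Added example, not code from the thread's authors. Table, set and chain
names, the chunk size and the sample OUI 00:11:22 are assumptions.
Usage:  python3 oui_set.py 00:11:22 | nft -f -
"""
import sys
from typing import Iterator

OUI_SPACE = 1 << 24  # 24 bits left after a 24-bit OUI: 16,777,216 addresses


def parse_oui(oui: str) -> bytes:
    """'00:11:22' or '00-11-22' -> b'\\x00\\x11\\x22'; anything but 3 octets is rejected."""
    octets = bytes.fromhex(oui.replace(":", "").replace("-", ""))
    if len(octets) != 3:
        raise ValueError(f"OUI must be exactly 3 octets: {oui!r}")
    return octets


def format_mac(mac: bytes) -> str:
    """6 raw bytes -> nft's lowercase colon-separated ether_addr literal."""
    return ":".join(f"{b:02x}" for b in mac)


def iter_oui_macs(oui: str, start: int = 0, stop: int = OUI_SPACE) -> Iterator[str]:
    """Yield prefix:start .. prefix:stop-1 in ascending order (lazily: 16M strings)."""
    prefix = parse_oui(oui)
    for nic in range(start, stop):
        yield format_mac(prefix + nic.to_bytes(3, "big"))


def nft_script_lines(oui: str, *, table: str = "inet filter",
                     set_name: str = "trusted_macs", chain: str = "forward",
                     chunk: int = 4096, stop: int = OUI_SPACE) -> Iterator[str]:
    """Yield the lines of an nft script; `stop` < OUI_SPACE is only for testing."""
    yield f"add table {table}"
    yield f"add set {table} {set_name} {{ type ether_addr; }}"
    # Default-drop so that only set members get forwarded out through the uplink.
    yield (f"add chain {table} {chain} "
           f"{{ type filter hook forward priority 0; policy drop; }}")
    batch: list[str] = []
    for mac in iter_oui_macs(oui, 0, stop):
        batch.append(mac)
        if len(batch) == chunk:  # one `add element` per chunk keeps lines manageable
            yield f"add element {table} {set_name} {{ {', '.join(batch)} }}"
            batch.clear()
    if batch:
        yield f"add element {table} {set_name} {{ {', '.join(batch)} }}"
    yield f"add rule {table} {chain} ether saddr @{set_name} accept"


def element_count(lines: list[str]) -> int:
    """Count ether_addr literals (5 colons each) across the `add element` lines."""
    return sum(line.count(":") // 5 for line in lines if line.startswith("add element"))


if __name__ == "__main__":
    oui_arg = sys.argv[1] if len(sys.argv) > 1 else "00:11:22"
    for line in nft_script_lines(oui_arg):
        sys.stdout.write(line + "\n")
```

The generator never holds the full list in memory, but the kernel has to: loading 2^24 elements takes a while and a correspondingly large amount of kernel memory, so check `nft list set inet filter trusted_macs` and memory use on the target box before relying on it.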



[gentoo-user] netfilter partial MAC filtering

2022-06-16 Thread Laurence Perkins
I am designing a small system with a switch and an uplink.  It needs to be able 
to forward traffic from trusted, and only trusted, devices connected to the 
switch out through the uplink.

Since all potential trusted devices will have the same MAC OUI prefix in this 
case, the immediately obvious course of action would be to base the decision on 
that.

Unfortunately, there doesn't seem to be a good way to do so.  There was 
https://serverfault.com/questions/877576/shorewall-wildcard-filter-by-source-mac-address
from a few years ago, with the answer being "You can't."

While I didn't bother to test it, I'm guessing that adding about 16 million MAC 
filtering rules to the firewall won't be good for performance.  I briefly 
thought I could use the string matching or the U32 filters, but unfortunately 
it appears that they can't access anything prior to the start of the IP 
section, so picking bytes out of the ethernet header isn't possible.

I did find 
https://martin.uy/blog/wildcard-support-for-mac-addresses-in-netfilter-linux-kernel-and-iptables/
But it's old, and has something of a glaring flaw with regard to false 
wildcard matches.

I can think of a few ways to do this, mostly involving somehow monitoring 
incoming packets and noting the MAC addresses which have the correct prefix, 
and then having a little daemon pick up those addresses and add rules to let 
them through.

Either that, or try to write a custom netfilter module.

None of this seems particularly "fun" to sort out.  Does anybody know of any 
common solutions for doing packet matching based on just part of a MAC address 
on Linux?  Failing that, some advice about whether the system daemon and packet 
inspection route or the netfilter module route is more likely to be stable and 
maintainable would be appreciated.

Thanks,
LMP
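The "little daemon" route from the post above, as an added example that is not code from anyone in this thread: a userspace process reads raw frames on the switch-side interface (where the Ethernet header is available, unlike in the u32/string matches), checks the source MAC's OUI, and adds each newly seen trusted address to an nftables set. The interface name, the `inet filter` table, the `trusted_macs` set and the sample OUI 00:11:22 are assumptions; the frames in `sample_frames()` are constructed for the example.

```python
"""Userspace OUI watcher: parse Ethernet frames, pick out source MACs with the
trusted OUI, and push each new one into an nftables set via the `nft` CLI.

Added example, not code from the thread's authors. Interface, table, set name
and the sample OUI 00:11:22 are assumptions; sample frames are constructed.
"""
import socket
import struct
import subprocess
import sys
from typing import Iterable, Optional

ETH_P_ALL = 0x0003      # receive every protocol on the AF_PACKET socket
ETH_P_8021Q = 0x8100    # 802.1Q tag: 4 extra bytes before the real EtherType
ETH_HDR = struct.Struct("!6s6sH")  # dst MAC, src MAC, EtherType (network order)


def parse_oui(oui: str) -> bytes:
    octets = bytes.fromhex(oui.replace(":", "").replace("-", ""))
    if len(octets) != 3:
        raise ValueError(f"OUI must be exactly 3 octets: {oui!r}")
    return octets


def format_mac(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def parse_frame(frame: bytes) -> tuple:
    """Return (dst, src, ethertype); steps over one 802.1Q tag if present."""
    if len(frame) < ETH_HDR.size:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype == ETH_P_8021Q:
        if len(frame) < ETH_HDR.size + 4:
            raise ValueError("truncated 802.1Q header")
        # 2 bytes of tag control info, then the encapsulated EtherType
        ethertype = struct.unpack_from("!H", frame, ETH_HDR.size + 2)[0]
    return dst, src, ethertype


def trusted_source(frame: bytes, oui: bytes) -> Optional[bytes]:
    """Source MAC if it carries the trusted OUI and is unicast, else None."""
    _, src, _ = parse_frame(frame)
    if src[0] & 0x01:  # group bit set in a *source* address: never a real device
        return None
    return src if src[:3] == oui else None


def nft_add_command(mac: bytes, table: str = "inet filter",
                    set_name: str = "trusted_macs") -> list:
    """argv for `nft add element <table> <set> { <mac> }`."""
    return ["nft", "add", "element", *table.split(), set_name, "{", format_mac(mac), "}"]


def process_frames(frames: Iterable[bytes], oui: str,
                   seen: Optional[set] = None) -> list:
    """Pure core of the daemon: nft commands for trusted MACs not seen before."""
    prefix = parse_oui(oui)
    seen = set() if seen is None else seen
    commands = []
    for frame in frames:
        try:
            src = trusted_source(frame, prefix)
        except ValueError:
            continue  # runt frame: ignore it rather than crash the daemon
        if src is not None and src not in seen:
            seen.add(src)  # remember it so the same element is not re-added
            commands.append(nft_add_command(src))
    return commands


def sample_frames() -> list:
    """Constructed frames: two trusted devices (one VLAN-tagged), another
    vendor's device, a repeat of the first device, and a runt frame."""
    def frame(src: str, tagged: bool = False) -> bytes:
        hdr = bytes.fromhex("ffffffffffff") + bytes.fromhex(src.replace(":", ""))
        tag = struct.pack("!HH", ETH_P_8021Q, 0x0010) if tagged else b""
        return hdr + tag + struct.pack("!H", 0x0800) + b"\x45" + b"\x00" * 19
    return [frame("00:11:22:aa:bb:cc"), frame("00:11:22:01:02:03", tagged=True),
            frame("de:ad:be:ef:00:01"), frame("00:11:22:aa:bb:cc"), b"\x00" * 9]


def sniff(ifname: str, oui: str) -> None:
    """Live loop (Linux, needs root): read raw frames and update the set."""
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    sock.bind((ifname, 0))
    seen: set = set()
    while True:
        for argv in process_frames([sock.recv(65535)], oui, seen):
            subprocess.run(argv, check=False)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        sniff(sys.argv[1], sys.argv[2])  # e.g. python3 oui_watch.py eth1 00:11:22
    else:
        for argv in process_frames(sample_frames(), "00:11:22"):
            print(" ".join(argv))
```

`process_frames` is kept free of sockets and subprocesses so the OUI logic can be tested offline; `sniff` is the thin live wrapper around it. The set and the `ether saddr @trusted_macs accept` rule must already exist before the daemon starts, and an entry only has to be added once per device, so a tracked `seen` set keeps the daemon from re-issuing the same `nft` command. A source MAC is not authenticated, so this is an allow-list on a vendor prefix rather than device identity.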