Tim Mullen wrote:
>> Has MAC-layer filtering been implemented yet?
> 
>    How do I do that?  I need to intercept IP.

No, you need to intercept raw MAC frames and then process the IP packets
inside.

The difference isn't too important administratively, but it's a crucial
architectural difference.  The current IP Filter implementation works by
establishing hooks in the IP stack.  Bridging works with hooks in the
MAC layer.  The implication is that for bridging the packet is long gone
by the time IP Filter ever sees it or could do anything about it.

Something like this:

             | socket |
             +---+----+
                 |
             +---+----+
             |  UDP   |
             +---+----+
                 |
             +---+----+     +-----------+
             |   IP   |<--->| IP Filter |
             +---+----+     +-----------+
                 |
             +---+----+     +----------+
             |  MAC   |<--->| Bridging |
             +---+----+     +----------+
                 |
             +---+----+
             | interf |

>> Bridging occurs at the MAC layer, not IP.  Setting up
>> IP Filter to
>> forward between ports on a bridge would very likely
>> have painful results.
> 
>    I'd been following 
> http://www.sci.sdsu.edu/People/Bill/ipf-howto.html#TOC_48
> Is this not possible under opensolaris?

Not yet.  You need the work done on this project:

        http://arc.opensolaris.org/caselog/PSARC/2008/249/

The basic idea is to put the same sort of hooks that are currently in IP
down into the MAC layer.  I don't know the current state of that work.

Things are different on BSD because it doesn't have a distinct MAC layer
like OpenSolaris does.  In the BSD world, interfaces are represented
using what are nominally IP data structures.  It's "all one thing."

-- 
James Carlson         42.703N 71.076W         <carlsonj at workingcode.com>
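To make the architectural point concrete, here is an added toy model (not code from the thread, OpenSolaris or IP Filter) of the stack diagram above: a bridging hook in the MAC layer and an IP Filter hook in the IP layer. The port names, MAC addresses and IP addresses are constructed sample values; the point it shows is that a bridged frame is forwarded at the MAC hook and the IP hook is never reached.

```python
import struct
from ipaddress import ip_address

def mac(s):
    return bytes.fromhex(s.replace(":", ""))

def build_frame(dst_mac, src_mac, src_ip, dst_ip, proto=17):
    """Constructed sample frame: Ethernet header + minimal 20-byte IPv4 header."""
    eth = mac(dst_mac) + mac(src_mac) + b"\x08\x00"       # ethertype 0x0800 = IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                     ip_address(src_ip).packed, ip_address(dst_ip).packed)
    return eth + ip

class Stack:
    """Hypothetical model: bridging hooks at MAC, IP Filter hooks at IP."""
    def __init__(self, local_mac, bridge_ports, ipf_block):
        self.local_mac = mac(local_mac)
        self.bridge_ports = set(bridge_ports)               # ports joined into one bridge
        self.ipf_block = {ip_address(a) for a in ipf_block} # IP Filter: drop these dst IPs
        self.ipf_calls = 0                                  # how often the IP hook ran
        self.events = []

    def mac_rx(self, port, frame):
        dst = frame[0:6]
        # MAC-layer hook: a bridge forwards any frame not addressed to this host
        # out the other bridge port(s).  IP, and hence IP Filter, never sees it.
        if port in self.bridge_ports and dst != self.local_mac:
            outs = sorted(self.bridge_ports - {port})
            self.events.append(("bridged", port, outs))
            return "bridged"
        if dst != self.local_mac:
            return "dropped-not-for-us"
        if frame[12:14] != b"\x08\x00":
            return "dropped-not-ipv4"
        return self.ip_rx(frame[14:])                       # hand the IP packet up

    def ip_rx(self, pkt):
        dst_ip = ip_address(pkt[16:20])                     # IPv4 destination field
        # IP-layer hook: this is where the current IP Filter implementation runs.
        self.ipf_calls += 1
        if dst_ip in self.ipf_block:
            self.events.append(("ipf-block", str(dst_ip)))
            return "dropped-by-ipf"
        self.events.append(("ip-accept", str(dst_ip), pkt[9]))
        return "delivered"
```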
