The idea is: compare MAC addresses and IP addresses (listed in a hash table for quick lookups).
If there is no entry, drop the frame... otherwise let the frame get decapsulated further up the stack... well, that's the idea... shouldn't be too tricky (in theory... haven't looked at any code yet though).
Example scenario... one of my friends runs a dedicated hosting company... the users have full root access to each box... the company wishes to tie IP addrs to MAC addrs so that each box on the network cannot allocate IP addresses to itself... the only way I can see this working is by doing MAC address filtering...
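As an added example (not code from this thread or from any of its posters), here is a userland model of the binding filter described above: a hash table of allowed (source MAC, source IP) pairs, and a per-frame decision that parses just far enough into an Ethernet frame to find the sender's MAC and IP (from the IPv4 header, or from the ARP sender fields) and drops the frame unless the pair is in the table. The addresses, the table and the frames are all constructed for the demo; the frame builders exist only so the example runs offline.

```python
"""Model of an IP-to-MAC binding filter (added example, constructed data)."""
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


def mac_bytes(text):
    return bytes(int(x, 16) for x in text.split(":"))


def ip_bytes(text):
    return bytes(int(x) for x in text.split("."))


# Binding table: a set of (mac, ip) raw-byte pairs gives O(1) membership
# checks. The allocations below are constructed, not a real customer list.
ALLOWED = {
    (mac_bytes("00:11:22:33:44:55"), ip_bytes("10.0.0.10")),
    (mac_bytes("00:11:22:33:44:66"), ip_bytes("10.0.0.11")),
}


def sender_of(frame):
    """Return (src_mac, src_ip) for an IPv4 or ARP frame, else None.

    For ARP the sender hardware address inside the packet must equal the
    Ethernet source MAC; a disagreement is treated as unparseable (drop).
    """
    if len(frame) < 14:
        return None
    src_mac = frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    payload = frame[14:]
    if ethertype == ETHERTYPE_IPV4 and len(payload) >= 20:
        return src_mac, payload[12:16]          # IPv4 source address field
    if ethertype == ETHERTYPE_ARP and len(payload) >= 28:
        hlen, plen = payload[4], payload[5]      # hardware / protocol addr lengths
        if hlen == 6 and plen == 4:
            sha, spa = payload[8:14], payload[14:18]
            if sha == src_mac:
                return src_mac, spa
    return None


def filter_frame(frame, table=ALLOWED):
    """Decide 'pass' or 'drop' for one inbound frame; unknown frames fail closed."""
    who = sender_of(frame)
    if who is None:
        return "drop"
    return "pass" if who in table else "drop"


# --- constructed frames for the demo ---------------------------------------
def build_ipv4(src_mac, src_ip, dst_mac, dst_ip):
    # Minimal 20-byte IPv4 header: version/IHL, TOS, total length, id,
    # flags/fragment, TTL, protocol (UDP), checksum, src, dst.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0, src_ip, dst_ip)
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + hdr


def build_arp(src_mac, sha, spa, tpa):
    # Ethernet/IPv4 ARP request (op 1); target hardware address left zero.
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETHERTYPE_IPV4, 6, 4, 1,
                      sha, spa, b"\x00" * 6, tpa)
    return b"\xff" * 6 + src_mac + struct.pack("!H", ETHERTYPE_ARP) + arp


def demo():
    m55, m66 = mac_bytes("00:11:22:33:44:55"), mac_bytes("00:11:22:33:44:66")
    gw = mac_bytes("00:00:5e:00:01:01")
    ip10, ip11, ipgw = ip_bytes("10.0.0.10"), ip_bytes("10.0.0.11"), ip_bytes("10.0.0.1")
    return {
        "legit_ipv4": filter_frame(build_ipv4(m55, ip10, gw, ipgw)),
        "stolen_ip": filter_frame(build_ipv4(m55, ip11, gw, ipgw)),     # box claims neighbour's IP
        "legit_arp": filter_frame(build_arp(m55, m55, ip10, ipgw)),
        "arp_mac_mismatch": filter_frame(build_arp(m55, m66, ip11, ipgw)),  # SHA != Ethernet src
        "ipv6_frame": filter_frame(gw + m55 + struct.pack("!H", 0x86DD) + b"\x00" * 40),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} {verdict}")
```

The table is keyed on the pair rather than on the MAC alone, so a box with a legitimate MAC cannot pass frames for an address it was not allocated. Anything the parser does not understand (here, IPv6) is dropped rather than passed, which is the safe default for a filter whose purpose is containment.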
On Thursday, Sep 25, 2003, at 13:30 US/Pacific, Ed White wrote:
http://marc.theaimsgroup.com/?l=openbsd-pf&m=106275731529071&w=2
Bridge tagging doesn't scale to large numbers of hosts or pf rules very well, for the purpose of locking an IP to a specific MAC. I mean that in the rule management sense, not performance.
If this is a routing configuration, one thing you could try is adding static permanent arp entries for the hosts. Even if undesired packets get passed inbound (and forwarded on), replies would go to the arp entry, not the original sender.
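As an added example (not code from this thread), the static-entry approach above can be driven from the same allocation table: one function writes the table in the `hostname ether_addr` line format that arp(8)'s `-f` option reads, and another audits the live ARP cache against the allocation so that a dynamic entry or a disagreeing MAC for an allocated address is reported. The `arp -an` output is constructed here rather than captured, and its column layout (Host, Ethernet Address, Netif, Expire, Flags) is assumed from OpenBSD's arp(8); other systems print differently.

```python
"""Static ARP entries from an allocation table, plus a cache audit (added example)."""
import re

# Constructed customer allocations: IP -> MAC.
BINDINGS = {
    "10.0.0.10": "00:11:22:33:44:55",
    "10.0.0.11": "00:11:22:33:44:66",
}

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def arp_file(bindings):
    """Return the contents of a file for `arp -f`: one 'ip mac' entry per line.

    Entries without the 'temp' keyword are permanent, so nothing else is added.
    """
    lines = []
    for ip, mac in sorted(bindings.items()):
        mac = mac.lower()
        if not MAC_RE.match(mac):
            raise ValueError(f"bad MAC for {ip}: {mac}")
        lines.append(f"{ip} {mac}")
    return "\n".join(lines) + "\n"


# Constructed `arp -an` output in the assumed OpenBSD layout: one static entry
# that matches, one dynamic entry learned from a MAC the allocation does not
# list, and one address that was never allocated at all.
SAMPLE_ARP_AN = """\
Host                                 Ethernet Address   Netif Expire     Flags
10.0.0.10                            00:11:22:33:44:55  em0   permanent  l
10.0.0.11                            00:11:22:33:44:77  em0   19m50s
10.0.0.12                            00:11:22:33:44:88  em0   15m10s
"""


def audit(arp_output, bindings):
    """Compare the ARP cache with the allocation; return a list of (ip, problem)."""
    findings = []
    for line in arp_output.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0][0].isdigit():
            continue                      # header row or unparseable line
        ip, mac, expire = parts[0], parts[1].lower(), parts[3]
        expected = bindings.get(ip)
        if expected is None:
            findings.append((ip, "address not in allocation table"))
        elif mac != expected.lower():
            findings.append((ip, f"cache has {mac}, allocation says {expected}"))
        elif expire != "permanent":
            findings.append((ip, "entry is dynamic, not static"))
    return findings


if __name__ == "__main__":
    print(arp_file(BINDINGS), end="")
    for ip, problem in audit(SAMPLE_ARP_AN, BINDINGS):
        print(f"{ip}: {problem}")
```

Loading the file with `arp -f` installs the entries; rerunning the audit after that should report only addresses outside the allocation, which is the case the static entries do not cover and the reason the filtering approach in the earlier message may still be wanted alongside them.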
