Dear all,

We were thinking of patching PF to filter on encapsulated traffic (pppoe in particular). Applications for this functionality include, but are not limited to: transparent (stateful/stateless) QoS bridges for ADSL pppoe and transparent bridge-firewalls for ADSL pppoe.

Let's take a theoretical approach to this proposal. Any comments/thoughts/suggestions are welcome. The best way to do it seems to be an add-on keyword at the scrub directive in the Traffic Normalization routines, e.g. scrub on $interface all strip_pppoe. The pppoe header stripping will take place before any other actions and will pass on a stripped ethernet frame to the subsequent functions. The benefit for a bridged connection is obvious: pass/block rules could be applied on the bridged interfaces.

However, a certain amount of pppoe traffic (and of other encapsulated protocols) that is used for its own handshake and control purposes (e.g. pppoe discovery frames [PADO/PADI/PADR/PADS/PADT]) will have to be discarded from further evaluation. An extra bonus, as far as pppoe is concerned, would be to add another keyword to detect any anomalies in the PPPoE session (e.g. injected session_ids), but this is not a main issue.

Are there any particular drawbacks (not including a slight "add-on" overhead) to implementing such a feature? Does it in any way disorient the aims of PF? Is there another, more efficient way to do it?

Thank you for your time,
MzOzD
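
A user-space sketch of the normalization step the proposal describes, added here as an example (it is not code from the original post nor from PF): strip the PPPoE session header and PPP protocol field so the inner IP packet can be evaluated as a plain Ethernet frame, set the discovery (PAD*) and PPP control frames aside instead of passing them to the rules, and flag a session id that was never learned. The function name, verdict strings and sample frames are constructed for illustration.

```python
import struct

# PPPoE EtherTypes (RFC 2516) and the PPP protocol numbers that carry IP (RFC 1661/1700).
ETH_P_PPPOE_DISC = 0x8863
ETH_P_PPPOE_SESS = 0x8864
PPP_TO_ETHERTYPE = {0x0021: 0x0800, 0x0057: 0x86DD}   # PPP IPv4/IPv6 -> plain EtherType
PAD_CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}

def strip_pppoe(frame, known_sessions=None):
    """Return (verdict, data): 'stripped' (data = plain Ethernet frame with the inner IP
    packet), 'passthrough' (not PPPoE), 'discovery' / 'control' (PAD* or LCP/IPCP/...
    traffic to exclude from rule evaluation) or 'drop' (malformed header, bad session id)."""
    if len(frame) < 14:
        return "drop", "runt frame"
    dst, src, etype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if etype not in (ETH_P_PPPOE_DISC, ETH_P_PPPOE_SESS):
        return "passthrough", frame
    if len(frame) < 20:
        return "drop", "truncated PPPoE header"
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    if ver_type != 0x11:                         # VER and TYPE must both be 1
        return "drop", "bad PPPoE version/type"
    payload = frame[20:20 + length]              # trailing Ethernet padding is ignored
    if len(payload) != length:                   # LENGTH points past the end of the frame
        return "drop", "PPPoE length exceeds frame"
    if etype == ETH_P_PPPOE_DISC:
        return "discovery", PAD_CODES.get(code, "unknown code 0x%02x" % code)
    if code != 0x00 or session_id in (0x0000, 0xFFFF):   # session stage: code 0, id not reserved
        return "drop", "invalid session header"
    if known_sessions is not None and session_id not in known_sessions:
        return "drop", "unexpected session id 0x%04x" % session_id   # e.g. an injected id
    if length < 2:
        return "drop", "missing PPP protocol field"
    ppp_proto = struct.unpack("!H", payload[:2])[0]
    if ppp_proto not in PPP_TO_ETHERTYPE:
        return "control", ppp_proto
    # Same MACs, EtherType of the inner protocol, PPPoE and PPP headers removed.
    return "stripped", dst + src + struct.pack("!H", PPP_TO_ETHERTYPE[ppp_proto]) + payload[2:]

# Constructed sample frames (not captured traffic): a session frame for session 0x0001
# carrying a minimal IPv4 header, and a PADI broadcast from the same client MAC.
CLIENT_MAC, AC_MAC, BCAST = (bytes.fromhex(m) for m in ("020000000001", "020000000002", "ffffffffffff"))
SAMPLE_IPV4 = bytes.fromhex("450000140000000040010000c0a80102c0a80101")
SAMPLE_SESSION_FRAME = (AC_MAC + CLIENT_MAC + struct.pack("!HBBHH", ETH_P_PPPOE_SESS, 0x11, 0, 1,
                        len(SAMPLE_IPV4) + 2) + b"\x00\x21" + SAMPLE_IPV4)
SAMPLE_PADI_FRAME = BCAST + CLIENT_MAC + struct.pack("!HBBHH", ETH_P_PPPOE_DISC, 0x11, 0x09, 0, 0)
```

With `known_sessions` fed from observed PADS frames, a session frame whose id was never assigned is reported instead of being stripped and evaluated.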
