From: Laurence Perkins <lperkins@openeye.net>
To: "gentoo-user@lists.gentoo.org" <gentoo-user@lists.gentoo.org>
Subject: [gentoo-user] netfilter partial MAC filtering
Date: Fri, 17 Jun 2022 01:32:48 +0000 [thread overview]
Message-ID: <MW2PR07MB40580B41FABAB9BA1A7D1371D2AF9@MW2PR07MB4058.namprd07.prod.outlook.com> (raw)
I am designing a small system with a switch and an uplink. It needs to be able to forward traffic from trusted, and only trusted, devices connected to the switch out through the uplink.
Since all potential trusted devices will have the same MAC OUI prefix in this case, the immediately obvious course of action would be to base the decision on that.
Unfortunately, there doesn't seem to be a good way to do so. There was https://serverfault.com/questions/877576/shorewall-wildcard-filter-by-source-mac-address from a few years ago, with the answer being "You can't."
While I didn't bother to test it, I'm guessing that adding about 16 million MAC filtering rules to the firewall won't be good for performance. I briefly thought I could use the string matching or the U32 filters, but unfortunately it appears that they can't access anything prior to the start of the IP section, so picking bytes out of the ethernet header isn't possible.
I did find https://martin.uy/blog/wildcard-support-for-mac-addresses-in-netfilter-linux-kernel-and-iptables/, but it's old, and has something of a glaring flaw with regard to false wildcard matches.
I can think of a few ways to do this, mostly involving somehow monitoring incoming packets and noting the MAC addresses which have the correct prefix, and then having a little daemon pick up those addresses and add rules to let them through.
Either that, or try to write a custom netfilter module.
None of this seems particularly "fun" to sort out. Does anybody know of any common solutions for doing packet matching based on just part of a MAC address on Linux? Failing that, some advice about whether the system daemon and packet inspection route or the netfilter module route is more likely to be stable and maintainable would be appreciated.
Thanks,
LMP
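The packet-inspection route the post sketches (watch frames, note source MACs carrying the trusted OUI, then add one exact `-m mac --mac-source` rule per learned address so the ruleset stays small instead of 16 million entries) as an added example that is not part of the original post. The OUI aa:bb:cc, the interface name br0 and the frame bytes are constructed placeholders.

```python
import struct

# Constructed placeholder OUI for the trusted vendor (not a real assignment).
TRUSTED_OUI = bytes.fromhex("aabbcc")
# Mask selecting only the 24-bit OUI of a 48-bit MAC.
OUI_MASK = bytes.fromhex("ffffff000000")
BRIDGE_IF = "br0"  # assumed ingress interface on the switch side


def mac_matches_prefix(mac: bytes, prefix: bytes = TRUSTED_OUI, mask: bytes = OUI_MASK) -> bool:
    """Bitmask compare: (mac & mask) == (prefix & mask), with the prefix zero-padded to 6 bytes."""
    want = prefix.ljust(6, b"\x00")
    return len(mac) == 6 and all((m & k) == (w & k) for m, k, w in zip(mac, mask, want))


def parse_ethernet(frame: bytes):
    """Return (dst, src, ethertype) from a raw Ethernet II frame, or None if truncated."""
    if len(frame) < 14:
        return None
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return dst, src, ethertype


def allow_rule(mac: bytes) -> list:
    """argv the daemon would exec to admit one learned address through FORWARD."""
    text = ":".join(f"{b:02x}" for b in mac)
    return ["iptables", "-I", "FORWARD", "-i", BRIDGE_IF,
            "-m", "mac", "--mac-source", text, "-j", "ACCEPT"]


def learn(frames, seen=None):
    """Walk captured frames; return allow rules for each new trusted source, in first-seen order.

    `seen` persists across calls so a chatty host yields only one rule.
    """
    seen = set() if seen is None else seen
    rules = []
    for frame in frames:
        hdr = parse_ethernet(frame)
        if hdr is None:
            continue  # truncated capture, nothing to learn
        _, src, _ = hdr
        if mac_matches_prefix(src) and src not in seen:
            seen.add(src)
            rules.append(allow_rule(src))
    return rules


# Constructed sample frames: 14-byte Ethernet header (dst, src, type 0x0800) plus dummy payload.
def _frame(src_hex: str) -> bytes:
    return bytes.fromhex("ffffffffffff") + bytes.fromhex(src_hex) + b"\x08\x00" + b"\x00" * 4


SAMPLE_FRAMES = [
    _frame("aabbcc000001"),  # trusted OUI
    _frame("112233445566"),  # untrusted OUI
    _frame("aabbcc000001"),  # same trusted host again (no duplicate rule)
    _frame("aabbcc0000ff"),  # second trusted host
    b"\x00" * 5,             # truncated frame
]
```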