On Mon, Apr 09, 2012 at 02:14:49PM +0200, Gregory Nietsky wrote:
>
> I've got a requirement for disabling / enabling IP based on the
> following criteria:
>
> - Only allow pre-authenticated traffic [hostapd/wired 802.1x for example]
> - Limit this to a predetermined session limit by duration or throughput
> - Disable traffic once idle for a predetermined duration
> - Ability to read the information / reset sessions from user space
>
> The application in mind is to deliver small micro servers running our
> Linux distro for remote office / SOHO VPN connectivity without the need
> for mid to high end switches, to control and monitor the usage on the
> VPN and/or other points after authenticating to the remote site.
>
> I have an embryonic framework of this that is coming together nicely
> and consists of the following:
>
> A table structure consisting of 2 list head pointers [arrays], one for
> MAC, one for ipaddr. The list data is linked to each based on jhash of
> MAC address [only information available from userland pre DHCP] and the
> IP[4/6] addr set later by the target [ideally based on DHCP; I may add a
> DHCP protocol based match target]. This allows for quick lookups and
> access based on IP/MAC pair.
>
> The block of memory used for this is (2 + 2 * num_buckets) *
> sizeof(struct list_head). struct list_head consists of 2 pointers
> [next/prev].
>
> This is similar to the method borrowed from the xt_recent match.
>
> The userland interface is done via a char dev with sysfs/udev support:
>
> - /proc/net/ interface using seq operations for listing all sessions
>
> - /dev/ char dev for reading / writing session information. Memory is
>   allocated for each access and a buffer used for reading / writing;
>   userland will write an action [add/delete/view/....] and the output
>   will be placed in a buffer to be read.
>
> - netfilter target and iptables extension that will restrict traffic.
>   I'm currently busy with this. At the moment it passes traffic, has no
>   check and allows 2 flags: --use-dest [should not be needed] and
>   --save-ip [to associate the IP with MAC; this should ideally be done
>   based on the IP assigned via DHCP]. This will only be done if there is
>   no IP set. As the MAC is only available on INPUT traffic we need to
>   have the IP for accounting of traffic from dest.
>
> Using the incoming packet, look up the session by MAC addr and store
> the source IP to match returning traffic later. If there is no session
> traffic is DROPPED; if the IP is set and the IP/MAC is mismatched, drop
> the packet.
>
> iptables -A [INPUT/FORWARD/PREROUTING] -j SESSION --save-ip
>
> Once the IP has been set, returning packets will be allowed as the IP
> will be looked up and, if associated to a valid session, it will be
> allowed to continue.
>
> iptables -A [ANY] -j SESSION [--use-dest]
>
> For every packet that is allowed the len / time will be updated in the
> session.
>
> A session is only valid when a MAC[if avail]/IP match or the session
> timer has not expired or the last packet seen and current packet do not
> differ by more than optional idle time.
>
> The current code is available here:
> http://pbx.distrotech.co.za/svn/netfilter_session/
>
> Please note work is being done on the actual target and what is written
> here is a proposal; the current target passes all traffic.
>
> Once the module is loaded the following works:
> echo "[6 char]" > /dev/8021x
> cat /proc/net/8021x
>
> ie
> echo "abcdef" > /dev/8021x
> cat /proc/net/8021x
> 61:62:63:64:65:66 1333973169
>
> This creates the session for MAC 61:62:63:64:65:66 @ timestamp. There
> is no session limit or time out so all traffic will pass once the IP is
> registered.
>
> Hope this is found to be potentially useful, something that is suitable
> for inclusion once complete.

This looks to me like an ad-hoc all-in-one target. I'm not telling that
this is not useful for you, but there's no room for this in mainline,
sorry.
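Added example, not code from the proposal or its SVN repository: a userspace C model of the session table (one bucket array indexed by MAC, one by IP) and the -j SESSION verdict logic the quoted message describes, with --save-ip learning the IP on the first packet that carries a MAC and reply traffic looked up by IP. The bucket count, the FNV-1a hash standing in for jhash, the duration and idle limits, and all function names are assumptions; the duration limit and idle timeout are both enforced.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define NBUCKETS 64            /* assumed bucket count */
#define SESSION_MAX_AGE 3600   /* assumed session duration limit, seconds */
#define SESSION_IDLE 300       /* assumed idle timeout, seconds */
enum { VERDICT_DROP = 0, VERDICT_ACCEPT = 1 };
struct session {
    uint8_t mac[6]; uint32_t ip;              /* ip == 0: not yet learned */
    uint64_t created, last_seen, bytes;       /* time/len accounting */
    struct session *next_mac, *next_ip;       /* chain links, one per index */
};
static struct session *mac_buckets[NBUCKETS], *ip_buckets[NBUCKETS];
static unsigned hash_mac(const uint8_t *mac) {
    uint32_t h = 2166136261u;                 /* FNV-1a, stand-in for jhash */
    for (int i = 0; i < 6; i++) h = (h ^ mac[i]) * 16777619u;
    return h % NBUCKETS;
}
/* "echo <mac> > /dev/8021x": register an authenticated MAC, IP unknown yet */
struct session *session_add(const uint8_t *mac, uint64_t now) {
    struct session *s = calloc(1, sizeof *s); if (!s) return NULL;
    memcpy(s->mac, mac, 6);
    s->created = s->last_seen = now;
    s->next_mac = mac_buckets[hash_mac(mac)];
    mac_buckets[hash_mac(mac)] = s;
    return s;
}
static struct session *find_by_mac(const uint8_t *mac) {
    struct session *s = mac_buckets[hash_mac(mac)];
    while (s && memcmp(s->mac, mac, 6)) s = s->next_mac;
    return s;
}
static struct session *find_by_ip(uint32_t ip) {
    struct session *s = ip_buckets[ip % NBUCKETS];
    while (s && s->ip != ip) s = s->next_ip;
    return s;
}
/* One packet through -j SESSION; mac is NULL when no L2 address is available. */
int session_verdict(const uint8_t *mac, uint32_t ip, uint32_t len, uint64_t now) {
    struct session *s = mac ? find_by_mac(mac) : find_by_ip(ip);
    if (!s) return VERDICT_DROP;                  /* no authenticated session */
    if (s->ip == 0 && mac) {                      /* --save-ip: learn IP once */
        struct session **head = &ip_buckets[ip % NBUCKETS];
        s->ip = ip; s->next_ip = *head; *head = s;
    } else if (s->ip != ip) return VERDICT_DROP;  /* IP/MAC mismatch */
    if (now - s->created > SESSION_MAX_AGE) return VERDICT_DROP;  /* session limit */
    if (now - s->last_seen > SESSION_IDLE) return VERDICT_DROP;   /* idle timeout */
    s->last_seen = now; s->bytes += len;
    return VERDICT_ACCEPT;
}
```

Expired or mismatched sessions are left in the table here; a real target would also need the reset path the char dev is meant to provide.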
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html