On Friday 04 June 2004 4:26 pm, PETER-MULLER wrote:

> Hello,
>
> do you know if
>
> 1. Are there any plans to include a --mac-destination parameter for the
> MAC module to check package destined to a certain MAC address (like
> --mac-source)
>
> or
>
> 2. Are there any impediments to implementing such a parameter

I do not think this is possible in iptables / netfilter (but it may be a feature, or a possibility, for ebtables?).

The reason I think this is because netfilter works with IP packets, and can see the TCP / UDP / ICMP headers within them; it is also handed the MAC address for incoming packets by the networking stack as a kind of bonus bit of information.

However, for outgoing packets, netfilter (at the IP layer) knows nothing about the MAC address of the destination machine (it doesn't even know whether it is a local machine or on the other side of a router, which will make a big difference to the MAC address which gets associated with a specific IP address).

It's not until netfilter releases the packet to the networking code and says "send this out on the wire please" that an ARP lookup gets done and a MAC address is discovered. By then it's too late to send the packet back to netfilter to tell it what the MAC address was and ask what to *really* do with the packet.

If anyone else thinks this is wrong, and netfilter can know about the destination MAC, please correct me.

Regards,

Antony.

-- 
Ramdisk is not an installation procedure.

Please reply to the list; please don't CC me.