Sorry, I was replying only to Andy.

---------- Forwarded message ----------
From: Marius Nicolae <marius.e.nicolae@xxxxxxxxx>
Date: Fri, Dec 16, 2011 at 10:16 AM
Subject: Re: Filtering pppoed frames
To: Andy Furniss <andyqos@xxxxxxxxx>

Hi Andy,

Thanks for your response.

On Thu, Dec 15, 2011 at 11:09 PM, Andy Furniss <andyqos@xxxxxxxxx> wrote:
> Marius Nicolae wrote:
>>
>> Hi,
>>
>> I'm not sure if this is the right list but here we go. In our small ISP ...
>> Before doing that:
>> 1. Is there a better and easier way of matching pppoed frames and
>> limit them in the way just described?
>> 2. If not, do you know an open source project on which I might involve
>> and contribute with such functionality?
>
>
> I don't know pppoe so am not sure it will help in this case, but you can
> match/drop/limit non ip with tc and a policer - though it's not going to be
> as sophisticated as you describe doing with iptables.

While contemplating the ebtables packet flow picture from here
http://ebtables.sourceforge.net/br_fw_ia/PacketFlow.png
I was first considering using ebtables for matching the frames, but since the
server has no bridge the packets were not hitting any ebtables table. I was
assuming the frames were traversing the network stack without any interest from
ebtables or iptables. Probably ebtables sees the frame is coming from an
interface which is not part of any bridge, and iptables sees it isn't an IP
frame; I don't know.

Also from that picture, since it's hit first, I was thinking to match or mark
them within the tc ingress phase, but again I saw no way of filtering or sending
them to userland for further investigation; simply policing such frames I think
is a no go.

>
> If it's possible to identify a naughty frame just from the macs and or
> contents of the frame alone, then dropping them should be quite easy.
>
> If you can't identify from the frame alone and need state from the pppoe
> server or some statistics then it's going to be trickier.
Yes, it is possible to identify the frames alone from MACs and Ethernet protocol
only, in a stateless manner, but only the "noisy" MACs must be rejected. As a
very simplistic description, the pppoed protocol is used to create and terminate
pppoe sessions (frames with 0x8864 Ethernet protocol), which encapsulate IP
frames by signing and even encrypting them. Thus it is very important to let the
good and legitimate MACs send/receive such frames in order to create/terminate
pppoe sessions.

>
> --

Best regards,
Marius Nicolae

--
All the best,
Marius Nicolae
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
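The stateless filter Marius describes (classify a frame from its MACs and EtherType alone, drop only the "noisy" MACs, let every other MAC create and tear down sessions normally) is shown below as an added example; it is not code from this thread or from the netfilter project. It assumes frames arrive as raw Ethernet II bytes in userland (e.g. read from an AF_PACKET socket; the capture loop is not shown), uses EtherType 0x8863 for the PPPoE Discovery stage and the PADI/PADO/PADR/PADS/PADT code bytes from RFC 2516, and polices with a per-source-MAC token bucket whose rate, burst and MAC addresses are made up for the demo.

```python
"""Stateless PPPoED classifier with a per-source-MAC token-bucket policer.

Added example, not code from the thread. Frames are assumed to be raw
Ethernet II bytes; the policer parameters and MACs below are made up.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# EtherTypes from RFC 2516 (the thread quotes the 0x8864 session stage)
ETH_P_PPPOE_DISC = 0x8863  # Discovery stage: PADI/PADO/PADR/PADS/PADT
ETH_P_PPPOE_SESS = 0x8864  # Session stage: carries PPP, never policed here
ETH_P_IP = 0x0800

# PPPoE discovery code byte -> packet name (RFC 2516, section 5)
PPPOED_CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}


@dataclass
class Frame:
    dst: bytes
    src: bytes
    ethertype: int
    code: Optional[str]  # PPPoED packet name, None for non-discovery frames


def parse_frame(raw: bytes) -> Optional[Frame]:
    """Decode the Ethernet II header and, for 0x8863, the 6-byte PPPoE header.
    Returns None for truncated frames and for PPPoED frames with a bad VER/TYPE."""
    if len(raw) < 14:
        return None
    dst, src = raw[0:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    code = None
    if ethertype == ETH_P_PPPOE_DISC:
        if len(raw) < 20:  # ver/type(1) code(1) session id(2) length(2)
            return None
        ver_type, code_byte = raw[14], raw[15]
        if ver_type != 0x11:  # VER = 1, TYPE = 1 are the only defined values
            return None
        code = PPPOED_CODES.get(code_byte, "UNKNOWN(0x%02x)" % code_byte)
    return Frame(dst, src, ethertype, code)


class PerMacPolicer:
    """Token bucket per source MAC: `burst` frames at once, then `rate` per second.
    A quiet client always has tokens, so its PADI/PADT get through; only a MAC
    that exceeds its budget is dropped, and only until it earns tokens again."""

    def __init__(self, rate: float, burst: int) -> None:
        self.rate = float(rate)
        self.burst = float(burst)
        self._buckets: Dict[bytes, Tuple[float, float]] = {}  # mac -> (tokens, last seen)

    def allow(self, mac: bytes, now: float) -> bool:
        tokens, last = self._buckets.get(mac, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self._buckets[mac] = (tokens - 1.0, now)
            return True
        self._buckets[mac] = (tokens, now)
        return False


def decide(raw: bytes, policer: PerMacPolicer, now: float) -> Tuple[str, str]:
    """Verdict for one frame: ('ACCEPT' | 'DROP', reason)."""
    frame = parse_frame(raw)
    if frame is None:
        return ("DROP", "malformed")
    if frame.ethertype != ETH_P_PPPOE_DISC:
        return ("ACCEPT", "not PPPoED")  # IP, PPPoE session, ARP, ... pass untouched
    if policer.allow(frame.src, now):
        return ("ACCEPT", frame.code)
    return ("DROP", "%s rate limit exceeded by %s" % (frame.code, frame.src.hex(":")))


def build_ethernet(src: bytes, ethertype: int, payload: bytes, dst: bytes = b"\xff" * 6) -> bytes:
    """Constructed test frame (Ethernet II header + payload), not captured traffic."""
    return dst + src + struct.pack("!H", ethertype) + payload


def build_pppoed(src: bytes, code_byte: int) -> bytes:
    """Constructed PPPoED frame: VER/TYPE 0x11, session id 0, empty tag list."""
    return build_ethernet(src, ETH_P_PPPOE_DISC, struct.pack("!BBHH", 0x11, code_byte, 0, 0))


def demo() -> list:
    """A noisy client floods PADI at t=0 while a legit one sends a single PADI;
    the noisy client is re-checked two seconds later."""
    policer = PerMacPolicer(rate=1.0, burst=3)
    noisy = bytes.fromhex("020000000001")  # made-up, locally administered MACs
    good = bytes.fromhex("020000000002")
    verdicts = [decide(build_pppoed(noisy, 0x09), policer, now=0.0)[0] for _ in range(6)]
    verdicts.append(decide(build_pppoed(good, 0x09), policer, now=0.0)[0])
    # two seconds later the noisy MAC has earned two tokens back, no more
    verdicts += [decide(build_pppoed(noisy, 0x09), policer, now=2.0)[0] for _ in range(3)]
    return verdicts


if __name__ == "__main__":
    print(demo())
```

The policer keys on the source MAC only, so a legitimate client's PADT is never caught by another client's PADI flood, and a throttled MAC recovers on its own once it stops flooding; a malformed 0x8863 frame (wrong VER/TYPE or truncated PPPoE header) is dropped without touching the bucket, so it cannot be used to exhaust a victim's budget.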