Hi Andy,

On Fri, Dec 16, 2011 at 9:46 PM, Andy Furniss <andyqos@xxxxxxxxx> wrote:
> Marius Nicolae wrote:
>
>>> If you can't identify from the frame alone and need state from the pppoe
>>> server or some statistics then it's going to be trickier.
>>
>> Yes, it is possible to identify the frames alone from MACs and Ethernet
>> protocol only, in a stateless manner, but only the "noisy" MACs must be
>> rejected. As a very simplistic description, the pppoed protocol is
>> used to create and terminate pppoe sessions (frames with 0x8864
>> ethernet protocol) which encapsulate IP frames by signing and even
>> encrypting them. Thus it is very important to let the good and legitimate
>> MACs send/receive such frames in order to create/terminate pppoe
>> sessions.
>
> The only tc thing I can think of would be to keep a list of bad macs - maybe
> from a script parsing pppoe server logs or something and then periodically
> replace a tc filter that matches and drops those macs + protocol 0x8864.

Good idea. Another thing I can think of, based on what you've said, would be to perform ingress policing and to assure a very small amount of bandwidth for such frames. Everything which would exceed that amount would be dropped. Simply put, the idea is to drop the frames based on their generated traffic and not based on their number (packets/second).

Currently I'm learning the Linux kernel network stack internals to see if there is a more robust solution. I think netfilter is a no go. It refers to IP packets (I guess its name misled me) and it is placed too high on the network stack. It appears a kernel module is needed right after the device driver, which registers for a specific Ethernet protocol (with dev_add_pack()) and receives the frames it registered for. I've just found a good article as a starting point for that: http://www.phrack.org/archives/55/p55_0x0c_Building Into The Linux Network Layer_by_lifeline & kossak.txt .

The pppoe kernel module also registers for receiving such frames. Another idea would be to see if it is possible to investigate packets from there.

--
Best regards,
Marius Nicolae
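The two tc approaches discussed in this thread (Andy's periodically rebuilt drop filter for a list of bad MACs, and the ingress policing idea from the reply) as an added example that is not part of the thread: a POSIX shell script that emits the tc commands for a constructed MAC list. The interface name eth0, the filter priority 10, the police rate and the list format are assumptions, not taken from the thread.

```shell
#!/bin/sh
# Rebuild the ingress tc filters that drop PPPoE frames from "noisy" MACs.
# Assumed names (not from the thread): DEV, PREF, POLICE_RATE and the list format.
DEV="${DEV:-eth0}"
ETHERTYPE="${ETHERTYPE:-0x8864}"   # ethertype named in the thread; PPPoE discovery frames use 0x8863
PREF="${PREF:-10}"                 # filter priority this script owns, so it can be swapped wholesale
POLICE_RATE="${POLICE_RATE:-64kbit}"

# Constructed sample list: one MAC per line, '#' starts a comment.
BAD_MACS='
# hosts flagged by the pppoe-server log parser
00:11:22:33:44:55
aa:bb:cc:dd:ee:ff   # trailing comment
not-a-mac
'

# Turn aa:bb:cc:dd:ee:ff into u32 match clauses for the source MAC. On the ingress
# qdisc, u32 offsets are relative to the network header, so the 14-byte Ethernet
# header occupies -14..-1 and the source MAC sits at -8..-3 (u32 at -8, u16 at -4).
mac_to_u32_match() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$' || return 1
    hex=$(printf '%s' "$1" | tr -d ':' | tr 'A-F' 'a-f')
    printf 'match u32 0x%s 0xffffffff at -8 match u16 0x%s 0xffff at -4' \
        "$(printf '%s' "$hex" | cut -c1-8)" "$(printf '%s' "$hex" | cut -c9-12)"
}

# Emit the tc command sequence for a MAC list. Invalid entries are skipped with a
# warning on stderr so one malformed log line cannot wipe the whole filter set.
build_tc_commands() {
    echo "tc qdisc add dev $DEV handle ffff: ingress 2>/dev/null || true"
    echo "tc filter del dev $DEV parent ffff: pref $PREF 2>/dev/null || true"
    printf '%s\n' "$1" | while read -r mac rest; do
        mac=${mac%%#*}
        [ -n "$mac" ] || continue
        if m=$(mac_to_u32_match "$mac"); then
            echo "tc filter add dev $DEV parent ffff: pref $PREF protocol $ETHERTYPE u32 $m action drop"
        else
            echo "skipping invalid MAC: $mac" >&2
        fi
    done
    # The policing idea from the reply: cap the remaining PPPoE frames to a small rate.
    echo "tc filter add dev $DEV parent ffff: pref $((PREF + 1)) protocol $ETHERTYPE u32 match u32 0 0 police rate $POLICE_RATE burst 10k drop"
}

# Print the commands; pipe the output into 'sh' as root to apply them.
build_tc_commands "$BAD_MACS"
```

Because the old filters are deleted by priority and re-added in one pass, a cron job fed by the pppoe-server log parser can rerun this without touching any other filter on the interface.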