Using tables for MAC addresses in ipfw2

Max Laier max at love2party.net
Fri Dec 17 16:31:45 PST 2004


On Saturday 18 December 2004 00:26, Jon Simola wrote:
> I do a lot of filtering based on MAC addresses for our DSL network,
> and the table support in IPFW is close to what I'm looking for. I've
> taken a quick glimpse through the code (I'm familiar with the ipfw
> code pre ipfw2) and I don't see any major hangups to implementing a
> similar table support for MAC addresses.
>
> What the situation is is that we are a DSL reseller for the regional
> telco. All of our customers have their connections bridged over the
> ATM network and appear on a fast ethernet port on a Cisco 5505. That
> is the only place we gain access (The ATM and Cisco are telco owned).
> I have my FreeBSD 5.2.1 router plugged into that port and working
> fine, but at any time I have 50 or so rules specifically blocking MAC
> addresses of customers who haven't paid or have viral activity.
>
> Does adding MAC tables sound like a logical course of action? Can
> anyone suggest a different idea, possibly better overall?

It might be a good idea to change the existing tables to store a generic 
struct sockaddr instead of a struct sockaddr_in. This way it will be possible 
to store IPv6 and maybe even MAC addresses in the tables. It should be a 
good idea to add some descriptive data to the table head to define what kind 
of addresses are in the table. Other than that, it seems doable.

Whether it is a good idea to have (radix tree) tables for MAC filtering remains to 
be seen. As you might have many MAC addresses from the same vendor (i.e. with the 
same prefix), the tree will not balance and you might end up with the same or 
even more overhead. It is certainly *not* a good idea to reimplement the 
table code for MAC, IPv6 and whatnot.

-- 
/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
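The generic-sockaddr table Max proposes, sketched as an added example (this is not ipfw code): the table head carries the address family, entries are stored as struct sockaddr_storage, and a key of the wrong family is rejected on insert and never matches on lookup. AF_MAC_DEMO and struct sockaddr_mac are constructed stand-ins for the BSD-only AF_LINK/sockaddr_dl, and a linear scan stands in for ipfw's radix tree.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>

/* Assumption: AF_LINK/sockaddr_dl are BSD-only, so a constructed stand-in
 * family and key layout keep the example portable. */
#define AF_MAC_DEMO 250
struct sockaddr_mac { sa_family_t sa_family; uint8_t mac[6]; };
#define TABLE_MAX 64

/* Table head records the single address family every entry must carry. */
struct gtable { sa_family_t family; int count; struct sockaddr_storage ent[TABLE_MAX]; };

static void gtable_init(struct gtable *t, sa_family_t fam) { memset(t, 0, sizeof *t); t->family = fam; }

/* Locate the key bytes inside a sockaddr; NULL for an unsupported family. */
static const void *key_of(const struct sockaddr *sa, size_t *len) {
    switch (sa->sa_family) {
    case AF_INET:     *len = sizeof(struct in_addr);  return &((const struct sockaddr_in *)sa)->sin_addr;
    case AF_INET6:    *len = sizeof(struct in6_addr); return &((const struct sockaddr_in6 *)sa)->sin6_addr;
    case AF_MAC_DEMO: *len = 6;                        return ((const struct sockaddr_mac *)sa)->mac;
    default:          return NULL;
    }
}

/* 1 if present, 0 otherwise; a key of the wrong family never matches. */
static int gtable_lookup(const struct gtable *t, const struct sockaddr *sa) {
    size_t klen, elen;
    const void *k = key_of(sa, &klen);
    if (!k || sa->sa_family != t->family) return 0;
    for (int i = 0; i < t->count; i++) {
        const void *e = key_of((const struct sockaddr *)&t->ent[i], &elen);
        if (e && elen == klen && memcmp(e, k, klen) == 0) return 1;
    }
    return 0;
}

/* -1: family mismatch, unsupported family or table full; 0: duplicate; 1: inserted. */
static int gtable_add(struct gtable *t, const struct sockaddr *sa, size_t salen) {
    size_t klen;
    if (sa->sa_family != t->family || !key_of(sa, &klen)) return -1;
    if (salen > sizeof t->ent[0] || t->count >= TABLE_MAX) return -1;
    if (gtable_lookup(t, sa)) return 0;
    memcpy(&t->ent[t->count++], sa, salen);
    return 1;
}
```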