From owner-freebsd-net@FreeBSD.ORG Wed May 13 19:25:59 2009
From: Andrew Thompson
To: Brett Glass
Cc: net@freebsd.org
Date: Wed, 13 May 2009 12:07:09 -0700
Subject: Re: MAC locking and filtering in FreeBSD
Message-ID: <20090513190709.GA2871@citylink.fud.org.nz>
In-Reply-To: <200905131648.KAA15455@lariat.net>
List-Id: Networking and TCP/IP with FreeBSD

On Wed, May 13, 2009 at 10:48:02AM -0600, Brett Glass wrote:
> I need to find a way to do "MAC address locking" in FreeBSD -- that is, to
> ensure that only a machine with a particular MAC address can use a
> particular IP address. Unfortunately, it appears that rules in FreeBSD's
> IPFW are "stuck" on one layer: rules that look at Layer 2 information in a
> packet can't look at Layer 3, and vice versa. Is there a way to work around
> this to do MAC address locking and/or other functions that involve looking
> at Layer 2 and Layer 3 simultaneously?

This has been implemented as part of Gleb Kurtsov's 2008 SoC project.

http://wiki.freebsd.org/GlebKurtsov/Improving_layer2_filtering

It has not been committed yet, but I believe it is ready to go in; you can
find the code on the svn branch

http://svn.freebsd.org/viewvc/base/projects/l2filter/

Andrew
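Until a cross-layer firewall rule enforces the binding, the same MAC-to-IP lock can at least be audited from the host's ARP table. The following is an added example, not code from the thread or from the l2filter project: it parses FreeBSD `arp -an` output (a constructed sample is embedded) and reports any locked IP address that is currently resolved to a MAC other than the one assigned to it. The lock table and all addresses are constructed sample values.

```python
import re

# Expected MAC for each locked IP address (constructed sample values).
LOCK_TABLE = {
    "192.168.1.10": "00:11:22:33:44:55",
    "192.168.1.11": "00:11:22:33:44:66",
}

# Constructed sample of FreeBSD `arp -an` output. The 192.168.1.11 entry
# resolves to a MAC that differs from its lock table entry, and the last
# line shows the "(incomplete)" form arp prints for an unresolved address.
SAMPLE_ARP = """\
? (192.168.1.1) at 00:aa:bb:cc:dd:01 on em0 expires in 1183 seconds [ethernet]
? (192.168.1.10) at 00:11:22:33:44:55 on em0 expires in 900 seconds [ethernet]
? (192.168.1.11) at 00:de:ad:be:ef:01 on em0 expires in 600 seconds [ethernet]
? (192.168.1.12) at (incomplete) on em0 expired [ethernet]
"""

ARP_LINE = re.compile(
    r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-fA-F:]{17}|\(incomplete\)) on (?P<ifname>\S+)"
)


def parse_arp(text):
    """Yield (ip, mac, interface) for each entry; unresolved entries carry mac=None."""
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if not m:
            continue  # skip anything that is not an ARP entry line
        mac = m.group("mac")
        yield m.group("ip"), (None if mac == "(incomplete)" else mac.lower()), m.group("ifname")


def find_violations(arp_text, lock_table):
    """Return [(ip, expected_mac, seen_mac, ifname)] for locked IPs seen from the wrong MAC."""
    violations = []
    for ip, mac, ifname in parse_arp(arp_text):
        expected = lock_table.get(ip)
        if expected is None or mac is None:
            continue  # IP is not locked, or no hardware address is resolved yet
        if mac != expected.lower():
            violations.append((ip, expected, mac, ifname))
    return violations


if __name__ == "__main__":
    for ip, expected, seen, ifname in find_violations(SAMPLE_ARP, LOCK_TABLE):
        print(f"{ifname}: {ip} is locked to {expected} but seen from {seen}")
```

On a live host, replace `SAMPLE_ARP` with the output of `arp -an`; this catches a mismatch after the fact rather than blocking the traffic, which is what the filtering work discussed in the thread is for.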