From: Hooman Fazaeli
Date: Mon, 17 Mar 2014 12:06:04 +0430
To: Rui Paulo
Cc: FreeBSD Hackers, John-Mark Gurney, Ian Lepore
Subject: Re: mbuf question
Message-ID: <5326A5E4.1000803@gmail.com>
In-Reply-To: <7FA2AB99-EE03-4E84-A67D-F3FCD734B66B@FreeBSD.org>
List-Id: Technical Discussions relating to FreeBSD

On 3/17/2014 6:09 AM, Rui Paulo wrote:
> On 16 Mar 2014, at 14:21, John-Mark Gurney wrote:
>
>> Why do we need this info in another location? Isn't this already in
>> the packet? How else did we get it then? Or are you dealing w/ the
>> fact that the L2 information was stripped by an upper layer, and if
>> that is the case, shouldn't you be getting the packet soon then?
>
> It's mostly because the netpfil hooks are in layer 3. The layer 2
> headers are stripped by layer 2 code before it passes the mbuf to
> layer 3.
>
> I don't know what the goals are, so it's hard to suggest
> alternatives... Do we want to filter IP packets based on L2
> information or do we want to filter L2 packets like ARP? It's
> possible that the best alternative is to extend netpfil to layer 2
> and then validate the mbuf there.
>
> --
> Rui Paulo
>

My goal is to add src/dst MAC address constraints to pf filter/nat/rdr/binat/anchor
rules, to be used in combination with other constraints (protocol, IP address, ...).
When done, we can write rules like the following:

    table { 00.11.22.33.44.55 00.4d.54.f1.43.33 }
    table { 192.168.1.2 192.168.1.3 }
    gateway1 = "00.23.45.99.d3.e4"

    # Restrict 10.20.30/24 subnet's web traffic to come from gateway1
    block in quick on em1 proto tcp from mac ! $gateway1 10.20.30/24 to any port http

    # sort of IP/MAC binding
    block in on em0 from mac ! to any
    block in on em0 from mac ! to any

--
Best regards.
Hooman Fazaeli
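As an added illustration of what the proposed rules would have to evaluate (not code from this thread, from pf, or from FreeBSD): a small user-space model that parses a raw Ethernet/IPv4/TCP frame, recovers the source MAC that the layer 3 netpfil hook no longer sees, and applies the two rules from the mail. The table names TRUSTED_MACS and BOUND_IPS are assumptions (the original names did not survive extraction), and the IP/MAC binding rule is interpreted as "a bound IP must arrive from a trusted MAC".

```python
import ipaddress
import struct

# Constructed policy mirroring the mail's rules; table names are assumptions.
GATEWAY1 = "00:23:45:99:d3:e4"
TRUSTED_MACS = {"00:11:22:33:44:55", "00:4d:54:f1:43:33"}
BOUND_IPS = {"192.168.1.2", "192.168.1.3"}
WEB_SUBNET = ipaddress.ip_network("10.20.30.0/24")


def parse_frame(frame: bytes) -> dict:
    """Pull the L2 source MAC plus the IPv4/TCP fields a pf rule would match on."""
    _dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    fields = {"src_mac": ":".join(f"{b:02x}" for b in src_mac), "ethertype": ethertype}
    if ethertype != 0x0800:  # only IPv4 is modelled here
        return fields
    ihl = (frame[14] & 0x0F) * 4  # IP header length in bytes
    fields["proto"] = frame[14 + 9]
    fields["src_ip"] = ipaddress.ip_address(frame[14 + 12:14 + 16])
    if fields["proto"] == 6:  # TCP: destination port is bytes 2..3 of the TCP header
        fields["dst_port"] = struct.unpack("!H", frame[14 + ihl + 2:14 + ihl + 4])[0]
    return fields


def decide(iface: str, frame: bytes) -> str:
    """Return 'block' or 'pass' for an inbound frame on iface under the mail's rules."""
    f = parse_frame(frame)
    if "src_ip" not in f:
        return "pass"
    # block in quick on em1 proto tcp from mac ! $gateway1 10.20.30/24 to any port http
    if (iface == "em1" and f.get("proto") == 6 and f["src_ip"] in WEB_SUBNET
            and f.get("dst_port") == 80 and f["src_mac"] != GATEWAY1):
        return "block"
    # IP/MAC binding on em0: a bound IP must come from a trusted MAC (assumed semantics)
    if iface == "em0" and str(f["src_ip"]) in BOUND_IPS and f["src_mac"] not in TRUSTED_MACS:
        return "block"
    return "pass"


def build_frame(src_mac: str, src_ip: str, dst_port: int) -> bytes:
    """Constructed minimal Ethernet/IPv4/TCP frame for testing (checksums left zero)."""
    eth = bytes.fromhex("ffffffffffff") + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src_ip).packed, ipaddress.ip_address("10.0.0.1").packed)
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return eth + ip + tcp
```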