On Fri, 2022-06-17 at 01:32 +0000, Laurence Perkins wrote:
> I am designing a small system with a switch and an uplink. It needs
> to be able to forward traffic from trusted, and only trusted, devices
> connected to the switch out through the uplink.
>
> Since all potential trusted devices will have the same MAC OUI prefix
> in this case, the immediately obvious course of action would be to
> base the decision on that.
>
> Unfortunately, there doesn't seem to be a good way to do so. There
> was
> https://serverfault.com/questions/877576/shorewall-wildcard-filter-by-source-mac-address
> from a few years ago, with the answer being "You can't."
>
> While I didn't bother to test it, I'm guessing that adding about 16
> million MAC filtering rules to the firewall won't be good for
> performance. I briefly thought I could use the string matching or
> the U32 filters, but unfortunately it appears that they can't access
> anything prior to the start of the IP section, so picking bytes out
> of the ethernet header isn't possible.
>
> I did find
> https://martin.uy/blog/wildcard-support-for-mac-addresses-in-netfilter-linux-kernel-and-iptables/
> But it's old, and has something of a glaring flaw with regard to
> false wildcard matches.
>
> I can think of a few ways to do this, mostly involving somehow
> monitoring incoming packets and noting the MAC addresses which have
> the correct prefix, and then having a little daemon pick up those
> addresses and add rules to let them through.
>
> Either that, or try to write a custom netfilter module.
>
> None of this seems particularly "fun" to sort out. Does anybody know
> of any common solutions for doing packet matching based on just part
> of a MAC address on Linux? Failing that, some advice about whether
> the system daemon and packet inspection route or the netfilter module
> route is more likely to be stable and maintainable would be
> appreciated.
>
> Thanks,
> LMP

Hi,
I would recommend looking into nftables and its set feature...
It should perform better with one rule for multiple matches.
I bet no one has tried it with 16M items, but it is the best, as far as
I know.
Cheers
S

https://wiki.nftables.org/wiki-nftables/index.php/Sets
https://developers.redhat.com/blog/2017/04/11/benchmarking-nftables#the_first_test
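As an added example, not part of the thread, here is a minimal nftables ruleset in the spirit of the reply: a bridge-family forward chain that only forwards frames whose source MAC is in a named set, so a single rule covers any number of stations, and the small daemon sketched in the question can populate the set at runtime. The bridge name br0, the uplink name eth-uplink, and the OUI 02:00:5e are constructed placeholders.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. Load with: nft -f trusted-bridge.nft
# Assumes the switch ports and the uplink (eth-uplink) are enslaved to a
# Linux bridge (br0), so forwarded frames traverse the bridge forward hook.
# 02:00:5e:xx:xx:xx is a constructed, locally administered placeholder OUI.
flush ruleset

table bridge trusted {
    # Named set of trusted station MACs. One rule matches all of them via
    # a hash lookup, so matching cost does not grow with the element count.
    set trusted_macs {
        type ether_addr
        # constructed sample elements
        elements = { 02:00:5e:00:00:01, 02:00:5e:00:00:02 }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Frames from a trusted station may go out through the uplink.
        oifname "eth-uplink" ether saddr @trusted_macs counter accept

        # Return traffic from the uplink back to a trusted station.
        iifname "eth-uplink" ether daddr @trusted_macs counter accept

        # Everything else is dropped; count and log it for detection.
        counter log prefix "bridge-untrusted-src: " level info drop
    }
}

# Runtime maintenance by the daemon described in the question:
#   nft add element bridge trusted trusted_macs { 02:00:5e:00:00:03 }
#   nft delete element bridge trusted trusted_macs { 02:00:5e:00:00:03 }
#
# Assumption: on nft versions that accept a bitwise mask on ether_addr
# (verify with nft -c -f), the whole OUI can be matched without a set:
#   ether saddr & ff:ff:ff:00:00:00 == 02:00:5e:00:00:00 accept
```

Checking the set contents with `nft list set bridge trusted trusted_macs` and the drop counter with `nft list chain bridge trusted forward` shows whether untrusted stations are being rejected as intended.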