| 1 |
On Fri, 2022-06-17 at 01:32 +0000, Laurence Perkins wrote: |
| 2 |
> I am designing a small system with a switch and an uplink. It needs |
| 3 |
> to be able to forward traffic from trusted, and only trusted, devices |
| 4 |
> connected to the switch out through the uplink. |
| 5 |
> |
| 6 |
> Since all potential trusted devices will have the same MAC OUI prefix |
| 7 |
> in this case, the immediately obvious course of action would be to |
| 8 |
> base the decision on that. |
| 9 |
> |
| 10 |
> Unfortunately, there doesn't seem to be a good way to do so. There |
| 11 |
> was |
| 12 |
> https://serverfault.com/questions/877576/shorewall-wildcard-filter- |
| 13 |
> by-source-mac-address from a few years ago, with the answer being |
| 14 |
> "You can't." |
| 15 |
> |
| 16 |
> While I didn't bother to test it, I'm guessing that adding about 16 |
| 17 |
> million MAC filtering rules to the firewall won't be good for |
| 18 |
> performance. I briefly thought I could use the string matching or |
| 19 |
> the U32 filters, but unfortunately it appears that they can't access |
| 20 |
> anything prior to the start of the IP section, so picking bytes out |
| 21 |
> of the ethernet header isn't possible. |
| 22 |
> |
| 23 |
> I did find |
| 24 |
> https://martin.uy/blog/wildcard-support-for-mac-addresses-in-netfilter-linux-kernel-and-iptables/ |
| 25 |
> But it's old, and has something of a glaring flaw with regard to |
| 26 |
> false wildcard matches. |
| 27 |
> |
| 28 |
> I can think of a few ways to do this, mostly involving somehow |
| 29 |
> monitoring incoming packets and noting the MAC addresses which have |
| 30 |
> the correct prefix, and then having a little daemon pick up those |
| 31 |
> addresses and add rules to let them through. |
| 32 |
> |
| 33 |
> Either that, or try to write a custom netfilter module. |
| 34 |
> |
| 35 |
> None of this seems particularly "fun" to sort out. Does anybody know |
| 36 |
> of any common solutions for doing packet matching based on just part |
| 37 |
> of a MAC address on Linux? Failing that, some advice about whether |
| 38 |
> the system daemon and packet inspection route or the netfilter module |
| 39 |
> route is more likely to be stable and maintainable would be |
| 40 |
> appreciated. |
| 41 |
> |
| 42 |
> Thanks, |
| 43 |
> LMP |
| 44 |
Hi, |
| 45 |
I would recommend to look into nftables and its set feature... |
| 46 |
It should perform better with one rule for multiple matches. |
| 47 |
I bet no one had tried it with 16M items, but it is the best, as far as |
| 48 |
I know. |
| 49 |
Cheers |
| 50 |
S |
| 51 |
|
| 52 |
|
| 53 |
https://wiki.nftables.org/wiki-nftables/index.php/Sets |
| 54 |
https://developers.redhat.com/blog/2017/04/11/benchmarking-nftables#the_first_test |
Archives