[RFC] layer-2 netfilter/conntrack (was: Re: NAT-PT - how to do it ?)

Brad Chapman kakadu_croc@yahoo.com
Sat, 19 Jan 2002 11:54:29 -0800 (PST)


Mr. Johnston,

--- Sam Johnston <samj@samj.net> wrote:
> I'd certainly like to see layer-2 hooks introduced so I can do IP 
> billing w/out a login client (to authenticate and set up the layer 3 rules).

	Agreed. Having layer-2 hooks to work directly on the IPv4/IPv6 layer would
be very nice, and beneficial too for other things.

> 
> Sam

Brad

> 
> Brad Chapman wrote:
> 
> >Mr. Harald,
> >
> >--- Harald Welte <laforge@gnumonks.org> wrote:
> >
> >>On Fri, Jan 18, 2002 at 01:18:52AM +0100, Andreas Jellinghaus wrote:
> >>
> >>>>There's only one problem: Netfilter doesn't support re-injecting packets at
> >>>>a hook.  You can easily steal the packet at one hook, but not reinject it
> >>>>into the other.
> >>>>
> >>>but can you change a packet ? can you change it this much:
> >>>replace the ipv4 header with an ipv6 header, maybe even more ?
> >>>
> >>No, as netfilter hooks are layer-3-protocol specific. You can only change the
> >>ipv4 header and everything upwards (layer 3 and above).  
> >>
> >
> >	Hmmm..... During 2.5.x do you think it would be a good idea to add layer-2
> >hook functionality to netfilter so that things like this become easier? 
> >
> >	You said a long time ago that you wanted to do a layer-3 split of the
> >conntrack code, with core stuff going in net/core (or elsewhere) and
> >protocol-specific stuff going in net/ipv4 (or net/ipv6 or net/whatever). Having
> >layer-2 hooks would simplify the packet eyeballing for something like that. Plus,
> >it may have benefits for iptables2 itself, once the Netlink stuff goes in......
> >
> >	Before you say that it hasn't been done ;), it has - see netfilter-arp-246.patch in
> >netfilter/patches. What I'm proposing is something like
> >this, but for all layer-2 stuff (Ethernet, ATM, PPP, SLIP, etc etc etc etc.....).
> >
> >	Do you think it's worth a study, sir?
> >
> >>>andreas
> >>>
> >>-- 
> >>Live long and prosper
> >>- Harald Welte / laforge@gnumonks.org               http://www.gnumonks.org/
> >>
> >
> >Brad
> >
> >=====
> >Brad Chapman
> >
> >Permanent e-mail: kakadu_croc@yahoo.com
> >Current e-mail: kakadu@adelphia.net
> >Alternate e-mail: kakadu@netscape.net
> >


=====
Brad Chapman

Permanent e-mail: kakadu_croc@yahoo.com
Current e-mail: kakadu@adelphia.net
Alternate e-mail: kakadu@netscape.net
