[RFC] layer-2 netfilter/conntrack (was: Re: NAT-PT - how to do it ?)
Chinda KEODOUANGSY
ckkeo@noos.fr
Tue, 22 Jan 2002 01:22:21 +0100
I don't think that layer-2 is a good choice for FORWARD features.
But Layer-2 is very performant for doing SPI (Stateful Packet Inspection) against
DoS attacks.
Regarding NAT-PT issues, there is a NAT Traversal draft which explains the way for
IPSec, L2TP and PPTP to bypass NATs.
KEO
"Reynolds, Alfred" wrote:
> I have been playing around with intercepting layer-2 packets for a project I
> am working on. It is possible to generically capture layer-2 packets on
> transmit and receive. Mapping of rules onto these packets is another
> question (DROP makes sense, so does DENY, but FORWARD?). I would still see a
> utility in adding these hooks :)
>
> If people want to talk about it, feel free to grab me at LCA2002
> (linux.conf.au 2002, http://linux.conf.au/) :)
>
> > -----Original Message-----
> > From: Harald Welte [mailto:laforge@gnumonks.org]
> > Sent: Sunday, January 20, 2002 11:41 PM
> > To: Brad Chapman
> > Cc: Sam Johnston; netfilter-devel@lists.samba.org
> > Subject: Re: [RFC] layer-2 netfilter/conntrack (was: Re: NAT-PT - how to do it ?)
> >
> >
> > On Sat, Jan 19, 2002 at 11:54:29AM -0800, Brad Chapman wrote:
> > > Mr. Johnston,
> > >
> > > --- Sam Johnston <samj@samj.net> wrote:
> > > > I'd certainly like to see layer-2 hooks introduced so I can do IP
> > > > billing w/out a login client (to authenticate and set up
> > the layer 3 rules).
> > >
> > > Agreed. Having layer-2 hooks to work directly on the IPv4/IPv6 layer
> > > would be very nice, and beneficial too for other things.
> >
> > Nope. The assumption that we have the same set of hooks is only valid within
> > IPv4 and IPv6 - but it's not true with other protocols. So having a layer2
> > FORWARD hook does just not match for every protocol.
> >
> > > Brad
> >
> > --
> > Live long and prosper
> > - Harald Welte / laforge@gnumonks.org
> > http://www.gnumonks.org/
> > ============================================================================
> > GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M-
> > V-- PS+ PE-- Y+ PGP++ t++ 5-- !X !R tv-- b+++ DI? !D G+ e* h+ r% y+(*)
> >