iptables -m mac, --mac-dst support.
Patrick Schaaf
bof at bof.de
Sun Dec 25 07:41:45 CET 2005
> I was wondering if there is somewhere around a patch to support MAC
> based not on source but on destination. ? Cause I'd like to check if
> dst ID and dst MAC are x.x.x.x and zx:as:qw:zx:as:qw
>
> If yes maybe you could share it, and if no.. any ideas if it's going to
> show up or maybe not at all?

Standard answer: for outgoing packets, matching on destination MAC,
means waiting for an ARP request to resolve, first. But iptables is
already done with the packet before it will even be queued to the
output device, and before ARP processing is done.

Thus, at the moment when iptables filter rules (and also all other
tables) run, you simply cannot rely on a destination MAC being known.
Most of the time (after the initial ARP), it will, but what does it
help you to have an unreliable match criterion?

Also note that it is trivial for an end system to manipulate
its MAC addresses. Thus, MAC filtering on a router, without
the help of per-port-at-L2 MAC fixing on all neighbouring
(managed) ethernet switches, does not give you real security
at all.

best regards
Patrick
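As an added illustration of the two points in the reply above (this is example code written for this archive page, not code from Patrick Schaaf or the netfilter project): rather than trying to match the destination MAC inside an iptables rule, a host can audit its own neighbour table after the fact and report where an IP-to-MAC binding is unresolved (the "ARP not done yet" case) or differs from what is expected. The `ip -4 neigh show` output format and the expected-binding table are assumptions; the sample lines below are constructed, not captured from a real system. The check is only as trustworthy as the ARP cache it reads, which is exactly the caveat the reply makes about MAC-based criteria.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the shape of `ip -4 neigh show` output (not real data).
SAMPLE_NEIGH = """\
192.0.2.10 dev eth0 lladdr 02:00:5e:00:53:10 REACHABLE
192.0.2.11 dev eth0 lladdr 02:00:5e:00:53:ff STALE
192.0.2.12 dev eth0  FAILED
192.0.2.13 dev eth0 INCOMPLETE
"""

# Hypothetical expected IP -> MAC bindings (the kind of check the original
# poster wanted to express as a firewall match).
EXPECTED: Dict[str, str] = {
    "192.0.2.10": "02:00:5e:00:53:10",
    "192.0.2.11": "02:00:5e:00:53:11",
    "192.0.2.12": "02:00:5e:00:53:12",
}

# One neighbour line: "<ip> dev <dev> [lladdr <mac>] <STATE>".
# Entries in FAILED/INCOMPLETE state carry no lladdr, so the MAC group is optional.
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)\s+"
    r"(?:lladdr\s+(?P<mac>[0-9A-Fa-f:]{17})\s+)?"
    r"(?P<state>[A-Z]+)\s*$"
)


@dataclass
class Neigh:
    ip: str
    dev: str
    mac: Optional[str]  # None when the kernel has not resolved the address
    state: str


def parse_neigh(text: str) -> List[Neigh]:
    """Parse neighbour-table lines; lines that do not match the format are skipped."""
    entries: List[Neigh] = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if not m:
            continue
        mac = m.group("mac").lower() if m.group("mac") else None
        entries.append(Neigh(m.group("ip"), m.group("dev"), mac, m.group("state")))
    return entries


def check_bindings(entries: List[Neigh], expected: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare resolved bindings against the expected table.

    ok:         IP resolved to the expected MAC
    mismatch:   IP resolved to a different MAC (worth investigating)
    unresolved: IP present but no MAC known yet, or absent from the table;
                this is the state a firewall rule would see before ARP completes
    unknown:    neighbour present in the table but not in the expected list
    """
    by_ip = {e.ip: e for e in entries}
    result: Dict[str, List[str]] = {"ok": [], "mismatch": [], "unresolved": [], "unknown": []}
    for ip, want in expected.items():
        entry = by_ip.get(ip)
        if entry is None or entry.mac is None:
            result["unresolved"].append(ip)
        elif entry.mac != want.lower():
            result["mismatch"].append(ip)
        else:
            result["ok"].append(ip)
    for e in entries:
        if e.ip not in expected:
            result["unknown"].append(e.ip)
    return result


if __name__ == "__main__":
    report = check_bindings(parse_neigh(SAMPLE_NEIGH), EXPECTED)
    for category, ips in report.items():
        print(f"{category:10s} {', '.join(ips) or '-'}")
```

On a live host the text would come from running `ip -4 neigh show` and feeding its stdout to `parse_neigh`; the "unresolved" bucket is the practical demonstration of why a destination-MAC match at filter time is unreliable, and a "mismatch" entry is only a signal to investigate, since a MAC change can be a legitimate hardware swap as easily as a spoof.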