On Fri, 2022-06-17 at 01:32 +0000, Laurence Perkins wrote:
> I am designing a small system with a switch and an uplink. It needs
> to be able to forward traffic from trusted, and only trusted, devices
> connected to the switch out through the uplink.
>
> Since all potential trusted devices will have the same MAC OUI prefix
> in this case, the immediately obvious course of action would be to
> base the decision on that.
>
> Unfortunately, there doesn't seem to be a good way to do so. There was
> https://serverfault.com/questions/877576/shorewall-wildcard-filter-by-source-mac-address
> from a few years ago, with the answer being "You can't."
>
> While I didn't bother to test it, I'm guessing that adding about 16
> million MAC filtering rules to the firewall won't be good for
> performance. I briefly thought I could use the string matching or
> the U32 filters, but unfortunately it appears that they can't access
> anything prior to the start of the IP section, so picking bytes out
> of the ethernet header isn't possible.
>
> I did find
> https://martin.uy/blog/wildcard-support-for-mac-addresses-in-netfilter-linux-kernel-and-iptables/
> But it's old, and has something of a glaring flaw with regard to
> false wildcard matches.
>
> I can think of a few ways to do this, mostly involving somehow
> monitoring incoming packets and noting the MAC addresses which have
> the correct prefix, and then having a little daemon pick up those
> addresses and add rules to let them through.
>
> Either that, or try to write a custom netfilter module.
>
> None of this seems particularly "fun" to sort out. Does anybody know
> of any common solutions for doing packet matching based on just part
> of a MAC address on Linux? Failing that, some advice about whether
> the system daemon and packet inspection route or the netfilter module
> route is more likely to be stable and maintainable would be
> appreciated.
>
> Thanks,
> LMP

Hi,

I would recommend looking into nftables and its set feature... It should perform better with one rule for multiple matches. I bet no one has tried it with 16M items, but it is the best, as far as I know.

Cheers
S
https://wiki.nftables.org/wiki-nftables/index.php/Sets
https://developers.redhat.com/blog/2017/04/11/benchmarking-nftables#the_first_test
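An added example of the set-based approach the reply points at; this is not code from the thread or from the nftables project. It assumes (none of this is stated on the page) that the switch is a Linux bridge filtered in the nftables `bridge` family forward hook, that the nft version in use accepts interval sets of type `ether_addr`, and that the table, set and chain names (`filter`, `trusted_oui`, `trusted_macs`) are made-up illustrations. The point it shows: one interval element per vendor prefix covers the whole OUI, so the set holds a handful of elements rather than 16M exact addresses, and the forward chain needs one rule per set, not one per MAC. The `trusted_macs` set and `admit_if_trusted` illustrate the OP's alternative of a small learning daemon that adds exact addresses; with the interval set alone that daemon is unnecessary. Caveat a practitioner would raise either way: a source MAC is trivially spoofable, so an OUI match is a convenience filter, not authentication of the device.

```python
"""Trusted-OUI forwarding filter built on nftables sets (illustrative example).

Assumptions, not taken from the thread: Linux bridge filtered in the nftables
`bridge` family forward hook; an nft version that accepts ether_addr interval
sets; table/set/chain names are hypothetical.
"""
import re
import subprocess

TABLE = "filter"            # hypothetical table name
OUI_SET = "trusted_oui"     # one interval element per trusted vendor prefix
MAC_SET = "trusted_macs"    # exact addresses admitted by a learning daemon

_SEP = re.compile(r"[:\-.]")


def _hexdigits(text: str, count: int) -> str:
    """Strip separators, lowercase, and insist on exactly `count` hex digits."""
    digits = _SEP.sub("", text.strip()).lower()
    if not re.fullmatch(rf"[0-9a-f]{{{count}}}", digits):
        raise ValueError(f"expected {count} hex digits: {text!r}")
    return digits


def normalize_mac(mac: str) -> str:
    """Canonical colon-separated lowercase form, e.g. 00:11:22:aa:bb:cc."""
    d = _hexdigits(mac, 12)
    return ":".join(d[i:i + 2] for i in range(0, 12, 2))


def normalize_oui(oui: str) -> str:
    """Canonical three-octet prefix, e.g. 00:11:22."""
    d = _hexdigits(oui, 6)
    return ":".join(d[i:i + 2] for i in range(0, 6, 2))


def oui_interval(oui: str) -> str:
    """The nft range covering every address that starts with the OUI."""
    o = normalize_oui(oui)
    return f"{o}:00:00:00-{o}:ff:ff:ff"


def has_trusted_oui(mac: str, ouis) -> bool:
    """Userspace check: does the source MAC start with a trusted prefix?"""
    return normalize_mac(mac)[:8] in {normalize_oui(o) for o in ouis}


def render_ruleset(ouis) -> str:
    """nft script for `nft -f`: one rule per set instead of one rule per MAC."""
    intervals = ", ".join(oui_interval(o) for o in ouis)
    elements = f"        elements = {{ {intervals} }}\n" if intervals else ""
    return (
        f"table bridge {TABLE}\n"          # declare so the delete below cannot fail
        f"delete table bridge {TABLE}\n"   # start from a clean table on reload
        f"table bridge {TABLE} {{\n"
        f"    set {OUI_SET} {{\n"
        f"        type ether_addr\n"
        f"        flags interval\n"
        f"{elements}"
        f"    }}\n"
        f"    set {MAC_SET} {{\n"
        f"        type ether_addr\n"
        f"    }}\n"
        f"    chain forward {{\n"
        f"        type filter hook forward priority 0; policy drop;\n"
        f"        ether saddr @{OUI_SET} accept\n"
        f"        ether saddr @{MAC_SET} accept\n"
        f"    }}\n"
        f"}}\n"
    )


def add_element_command(mac: str) -> list:
    """argv that adds one exact address to the runtime set."""
    return ["nft", "add", "element", "bridge", TABLE, MAC_SET,
            f"{{ {normalize_mac(mac)} }}"]


def admit_if_trusted(mac: str, ouis, run=subprocess.run) -> bool:
    """Learning-daemon step: admit a seen MAC only if its OUI is trusted.

    `run` is injectable so the decision logic can be exercised without nft.
    """
    if not has_trusted_oui(mac, ouis):
        return False
    run(add_element_command(mac), check=True)
    return True


if __name__ == "__main__":
    # Constructed sample prefix; print the script you would feed to `nft -f`.
    print(render_ruleset(["00:11:22"]), end="")
```

Load the printed script with `nft -f -` and inspect the result with `nft list table bridge filter`; `nft -c -f` checks the syntax without applying it, which is the first thing to run if your nft version is older than assumed here.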