Re: [PATCH] arp_filter patch for 2.4.4 kernel.

Harald Welte (laforge@gnumonks.org)
Sun, 13 May 2001 19:39:56 -0300


On Sat, May 05, 2001 at 04:52:18PM -0700, David Miller wrote:

> > No idea, haven't tried to use netfilter. With this patch, though,
> > it's as easy as:
>
> I know, the problem is if some existing facility can be made
> to do it, I'd rather it be done that way.

of course.

> I'd be interested in seeing netfilter rules or a new netfilter
> kernel module which would do arpfilter as well.

the problem is, that netfilter hooks are currently only in the IPv4
and IPv6 packet paths. as ARP is not an IPv4 protocol, but another
protocol residing at layer 3, the arp code bypasses all netfilter hooks,
and is - as a result - not handled by any IP tables.

If you would want to do it using netfilter (the hooks only) and a hook-
attaching module, you need to add ARP netfilter hooks first.

If you want to filter arp packets, you need the netfilter hooks in the ARP
code, as well as a new 'arptables' module and a userspace tool allowing
modification of those arp tables.

So I see no clean solution for using netfilter in this case. It's one
of the scenario where netfilter/iptables layer-three-protocol boundness
hurts.

> David S. Miller

-- 
Live long and prosper
- Harald Welte / laforge@gnumonks.org                http://www.gnumonks.org
============================================================================
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M- 
V-- PS+ PE-- Y+ PGP++ t++ 5-- !X !R tv-- b+++ DI? !D G+ e* h+ r% y+(*)
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/