> From: Cameron Simpson [mailto:cs@zip.com.au]
>
> You could log the event, and monitor the log with a
>     tail -f logfile | ...
> to turn it off. No extension needed.

Thanks for the suggestion, but it's not the best fit for the system I'm working in. (Carrying the reasoning further, I could have the kernel log *everything* it does and...)

Is there a problem with bringing down the interface from inside?
I would like to set up an ACL for an ethernet port using ebtables rules, and if a security violation occurs, to physically disable the port (i.e. whatever "ifconfig down" does). I did not see such a feature in the ebtables man page. Does this exist anywhere, or do I have to create a new extension for it?

--
Dan Eble <dane@aiinet.com>
Applied Innovation Inc.  http://www.aiinet.com/
"All Protocols MUST be odd" -- RFC 1661 (PPP)
Thanks for the advice. Still, I would like to avoid using the log to communicate between the driver and a process. What do you think of using a netlink socket to send a message from the bridge driver? (Once it works, it could be used for spanning tree control too, as DaveM suggested a while back for an alternative to ioctl.) The only problem is I'm not very familiar with netlink sockets. From what I have heard here, though, it sounds like I have a better chance to make a netlink socket work properly than to shut down the port from inside the kernel without causing a panic, deadlock, or memory leak.

> -----Original Message-----
> From: Bart De Schuymer [mailto:bdschuym@pandora.be]
> Sent: Saturday, August 09, 2003 8:08 AM
> To: Eble, Dan; bridge@osdl.org
> Subject: Re: [Bridge] Re: ebtables target to disable an interface
>
> On Friday 08 August 2003 15:23, Eble, Dan wrote:
> > Thanks for the suggestion, but it's not the best fit for the system I'm
> > working in. (Carrying the reasoning further, I could have the kernel log
> > *everything* it does and...)
> >
> > Is there a problem with bringing down the interface from inside?
>
> I don't know the details by heart, but the code to bring a bridge port down
> probably expects being called from user context, not from within softirq.
> That code can probably sleep, which is not allowed inside softirq.
> Problems with removing ports that are the in-port or out-port of currently
> processed frames will show up too.
>
> cheers,
> Bart
Cameron Simpson
2007-Apr-18 17:22 UTC
[Bridge] Re: ebtables target to disable an interface
On 16:44 07 Aug 2003, Eble, Dan <DanE@aiinet.com> wrote:
| I would like to set up an ACL for an ethernet port using ebtables rules, and
| if a security violation occurs, to physically disable the port (i.e.
| whatever "ifconfig down" does). I did not see such a feature in the
| ebtables man page. Does this exist anywhere, or do I have to create a new
| extension for it?

You could log the event, and monitor the log with a
    tail -f logfile | ...
to turn it off. No extension needed.

--
Cameron Simpson <cs@zip.com.au> DoD#743
http://www.cskk.ezoshosting.com/cs/

Loud Pipes make noise. Skill and experience save lives.
- Ed Morandi, edm@cbnewsj.att.com, DoD#0733
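The log-and-tail approach above, worked through as an added shell example (not code from the thread or from the ebtables project): a watcher that follows the kernel log for lines carrying an assumed ebtables `--log-prefix` of ACL-VIOLATION, takes the bridge port from the `IN=` field, and brings that port down from user context, which is exactly the context Bart's later reply says the port-down code expects. The rule, prefix, log path and the DRY_RUN switch are assumptions.

```shell
#!/bin/sh
# Log-and-tail watcher (added example). Assumed setup, not from the thread:
# an ebtables rule that logs the violating frame with a known prefix, e.g.
#   ebtables -A FORWARD -i eth1 --log-level warning --log-prefix "ACL-VIOLATION" -j DROP
# The kernel then writes lines such as
#   ... kernel: ACL-VIOLATION IN=eth1 OUT= MAC source = ... proto = 0x0806
# to $LOGFILE, and this script acts on them from user context.
LOGFILE=${LOGFILE:-/var/log/kern.log}
PREFIX=${PREFIX:-ACL-VIOLATION}
DRY_RUN=${DRY_RUN:-1}   # 1: only print what would be run (safe default)

# Print the ingress port named in one log line that carries our prefix.
# Any other line prints nothing and returns 1, so unrelated kernel
# messages can never trigger a shutdown.
port_from_logline() {
    line=$1
    case $line in
        *"$PREFIX"*" IN="*) ;;
        *) return 1 ;;
    esac
    port=${line##*" IN="}      # text after the (last) " IN="
    port=${port%% *}           # up to the next space
    case $port in              # refuse empty or suspicious names
        ''|*[!A-Za-z0-9_.:-]*) return 1 ;;
    esac
    printf '%s\n' "$port"
}

# Bring one port down (the "ifconfig <port> down" step of the thread).
disable_port() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'would run: ip link set dev %s down\n' "$1"
    else
        ip link set dev "$1" down
    fi
}

# Follow the log and act on each matching line; a port already taken down
# is remembered so repeated log lines do not re-run the command.
watch_log() {
    seen=" "
    tail -f "$LOGFILE" | while IFS= read -r line; do
        port=$(port_from_logline "$line") || continue
        case $seen in *" $port "*) continue ;; esac
        seen="$seen$port "
        disable_port "$port"
    done
}
if [ "${1:-}" = --watch ]; then watch_log; fi
```

Run it as `DRY_RUN=0 ./watcher.sh --watch` on the bridge host once the rule is in place; with the default DRY_RUN=1 it only reports what it would do.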
> You could log the event, and monitor the log with a
>     tail -f logfile | ...
> to turn it off. No extension needed.
> --
> Cameron Simpson <cs@zip.com.au> DoD#743
> http://www.cskk.ezoshosting.com/cs/

I just discovered the iptables ULOG target, which sends packets to user space through a netlink socket. I may try to convert it into an ebtables watcher, but I will experiment with iptables ULOG first, to see how easy it is to use.

--
Dan Eble <dane@aiinet.com>
Applied Innovation Inc.  http://www.aiinet.com/
"All Protocols MUST be odd" -- RFC 1661 (PPP)