Op 12/04/2012 0:34, Wilco Baan Hofman schreef:> Hi,
>
> I'm looking to implement hooks to ebtables in the mac80211 wireless
> stack.
>
> I'm trying to find the best approach for doing this.. basically what I
> want to be able to have is clients being able to communicate, but not
> ARP spoofing the gateway or setting up a rogue DHCP.
>
> As it's currently implemented, there's some sort of internal bridge
> functionality within the wireless stack in net/mac80211/rx.c at around
> ieee802_deliver_skb(), where every ethernet packet essentially gets
> routed among wireless clients.
>
> If I understand ebtables correctly, an forward event is triggered for
> every packet to every interface, right? So essentially, this should do
> the same, except that for every wireless client would be a forward from
> the wireless interface to the wireless interface.
>
> What would be the best way to implement this and in what way would it be
> acceptable upstream?
You can add a new ebtables table, requiring minimal changes to the
userland tool. You can start by adding a table called something like
"filter-wireless" with a built-in chain on NF_BR_FORWARD. See
net/bridge/netfilter/ebtable_broute.c: it contains the code that adds
the broute table with a built-in chain on NF_BR_BROUTING. This approach
has minimal impact since it doesn't use netfilter hooks (no call to
nf_register_hooks) and uses a built-in chain that ebtables understands.
If you want to use the netfilter infrastructure, you'll probably need a
new protocol family. See net/bridge/netfilter/ebtable_filter.c in that case.
cheers,
Bart
--
Bart De Schuymer
www.artinalgorithms.be