Layer2 filtering in pf

July 30, 2008 by gleb · 4 Comments

Rather than describe every change that layer2 filtering brings to pf, here are some examples of the new syntax.

An Ethernet address can be given after a host address or after an interface name (its network), using the ether keyword:
pass in on bridge0 from 10.0.0.1 ether 00:11:11:11:11:11 to 10.0.0.2 ether 00:22:22:22:22:22
pass in on bridge0 from ($int_if:network) ether 00:11:11:11:11:11 to any

Ethernet addresses are supported in table entries:
table <test> persist {10.0.0.1 ether 00:11:11:11:11:11, 10.0.0.2 ether 00:22:22:22:22:22}
pass on bridge0 from <test> to <test> keep state (ether)

Ethernet stateful filtering is handled specially. A per-rule flag enables it for that rule only; it is disabled by default:
pass log on bridge0 from <test> to <test> keep state (ether)

With keep state (ether), pf takes the actual source and destination Ethernet addresses from the first packet when it creates the state and afterwards requires packets to carry the same addresses in order to match that state. Without the flag, states are matched on layer 3 and 4 information only, so a frame with a different source MAC but the same IP addresses and ports still matches an existing state.
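As an added example, not part of the original post and not the author's code, here is a complete pf.conf that puts the syntax above together. It assumes pf with the layer2 patches described here, a bridge0 interface carrying the LAN, and made-up addresses and MACs; the macro names, the table name and all addresses are illustrative.

```pf
# Added example (not from the original post). Assumes pf with the layer2
# filtering patches described above; all addresses and MACs are made up.
int_if = "bridge0"
gw_ip  = "10.0.0.1"
gw_mac = "00:11:11:11:11:11"

# IP-to-MAC bindings for the hosts allowed to talk across the bridge.
table <lan_hosts> persist { 10.0.0.10 ether 00:22:22:22:22:22, \
                            10.0.0.11 ether 00:33:33:33:33:33 }

# Default deny; every pass rule below is an explicit exception.
block log all

# The gateway is accepted only from its known MAC. A frame claiming the
# gateway's IP from any other MAC matches nothing and hits the block above.
pass in on $int_if from $gw_ip ether $gw_mac to any keep state (ether)

# Traffic between listed hosts. The state records the real source and
# destination MACs of the first packet, so a later frame with the same
# IP/port tuple but a different MAC does not match the state.
pass on $int_if from <lan_hosts> to <lan_hosts> keep state (ether)

# Any host on the local network may reach the gateway from any MAC.
# This state is matched on layer 3/4 only, so it does not pin the MAC.
pass in on $int_if from ($int_if:network) to $gw_ip keep state
```

The last rule is included to show the contrast: a rule without (ether) still passes a frame whose IP is on the local network but whose source MAC is unknown, and its state can be continued from another MAC. Use keep state (ether) on every rule where the MAC binding is the point of the filter.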


Comments

4 Responses to “Layer2 filtering in pf”
  1. nets says:

    Suggestions:

    Why not add a bit mask to ethernet addresses so that one may match, say, multicast addresses. Example:
    pass in on bridge0 from 10.0.0.1 ether 00:11:11:11:11:11/FF:FF:FF:FF:FF:FF
    or
    pass in on bridge0 from 10.0.0.1 ether 01:00:00:00:00:00/FF:FF:FF:FF:FF:FF
    (to any multicast address and broadcast too!)

    How about adding the ability to match ARP query/response fields too?
    It would be neat to be able to filter out any ARP requests/responses for invalid/wrongly configured networks, like:
    pass in on bridge0 proto arp arp-opcode 0x0001 arp-src-ip 10.0.0.0/8 arp-dst-ip 10.0.0.0/8
    drop proto arp

    Otherwise, cool stuff!

  2. gleb says:

    multicast address is supported. I didn’t add masks for ethernet addresses intentionally, mainly because there is no real use of it and no other OS supports it. Once again, you can specify the ‘multicast’ ethernet address, which is equivalent to 01:00:00:00:00:00/FF:FF:FF:FF:FF:FF

    ARP filtering is supported by ipfw. I’ve added this feature just before Summer of Code deadline, and didn’t blog about it. It’s not supported by pf because pf can’t perform layer2 filtering. Filtering ARP at layer3 is possible but not so trivial.

    I can work on adding ARP filtering to pf after the code is committed into the tree.

Trackbacks

  1. sonson says:

    hi…

    useful…