
What do you think about PF filtering for encapsulated protocols (e.g. pppoe)?



Dear all,
we were thinking of patching PF to filter on encapsulated traffic (pppoe
in particular). Applications for this functionality include, but are not
limited to: transparent (stateful/stateless) QoS bridges for ADSL pppoe
and transparent bridge-firewalls for ADSL pppoe.
Let's take a theoretical approach to this proposal. Any
comments/thoughts/suggestions are welcome.
The best way to do it seems to be an add-on keyword for the scrub
directive in the Traffic Normalization routines,
e.g. scrub on $interface all strip_pppoe.
The pppoe header stripping will take place before any other actions and
will pass on a stripped ethernet frame to the subsequent functions. The
benefit for a bridged connection is obvious: pass/block rules could be
applied on the bridged interfaces. However, a certain amount of traffic
for pppoe (and other encapsulated protocols) that is used for its own
handshake and control purposes (e.g. pppoe discovery
frames [PADO/PADI/PADR/PADS/PADT]) will have to be discarded from further
evaluation.
An extra bonus, as far as pppoe is concerned, would be to add another
keyword to detect any anomalies in the PPPOE session (e.g. injected
session_ids), but this is not a main issue.
Are there any particular drawbacks (not including a slight "add-on"
overhead) to implementing such a feature? Does it in any way distort
the aims of PF? Is there another, more efficient way to do it?
Thank you for your time,
MzOzD
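The post above describes three decisions a strip_pppoe step would have to make before a frame reaches the pass/block rules: is the frame PPPoE at all, is it discovery or PPP control traffic (handshake frames that the poster says must be set aside rather than filtered as IP), and, for a session frame carrying IPv4/IPv6, where does the inner packet start so that a plain Ethernet frame can be handed on. The following is an added, user-space illustration of that classification and stripping logic written for this page; it is not code from the poster, from PF or from OpenBSD. The header layout and constants (Ethertypes 0x8863/0x8864, VER/TYPE nibbles, the PADI/PADO/PADR/PADS/PADT codes, PPP protocol numbers 0x0021/0x0057) are the RFC 2516 and PPP assigned values; the sample frames are constructed for the demo, the IPv4 checksum in them is not meaningful, and the function names (pppoe_classify, pppoe_strip) are hypothetical. The LENGTH-versus-frame-size and PADI session_id checks are one small instance of the "anomaly detection" the post mentions as a bonus: a frame whose PPPoE LENGTH claims more payload than the Ethernet frame actually carries is rejected instead of being stripped.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ETH_HLEN             14
#define PPPOE_HLEN            6       /* VER/TYPE, CODE, SESSION_ID, LENGTH */
#define ETHERTYPE_PPPOE_DISC 0x8863   /* RFC 2516 discovery stage */
#define ETHERTYPE_PPPOE_SESS 0x8864   /* RFC 2516 session stage */
#define PPP_IPV4             0x0021
#define PPP_IPV6             0x0057

enum pppoe_class {
    PPPOE_NOT_PPPOE = 0,    /* ordinary frame: leave it to the normal rules */
    PPPOE_MALFORMED,        /* header inconsistent with the frame: drop */
    PPPOE_DISCOVERY,        /* PADI/PADO/PADR/PADS/PADT: handshake, not filtered as IP */
    PPPOE_SESSION_CONTROL,  /* LCP/IPCP/auth inside the session: PPP control, not IP */
    PPPOE_SESSION_IP        /* IPv4/IPv6 payload: can be stripped and filtered */
};

struct pppoe_result {
    enum pppoe_class cls;
    uint8_t  code;
    uint16_t session_id;
    uint16_t ppp_proto;     /* only meaningful for session frames */
    size_t   inner_off;     /* offset of the inner IP packet in the frame */
    size_t   inner_len;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Classify one Ethernet frame and locate the encapsulated payload. */
struct pppoe_result pppoe_classify(const uint8_t *frame, size_t len)
{
    struct pppoe_result r;
    memset(&r, 0, sizeof r);
    if (len < ETH_HLEN) { r.cls = PPPOE_MALFORMED; return r; }

    uint16_t ethertype = rd16(frame + 12);
    if (ethertype != ETHERTYPE_PPPOE_DISC && ethertype != ETHERTYPE_PPPOE_SESS) {
        r.cls = PPPOE_NOT_PPPOE; return r;
    }
    if (len < ETH_HLEN + PPPOE_HLEN) { r.cls = PPPOE_MALFORMED; return r; }

    const uint8_t *h = frame + ETH_HLEN;
    if ((h[0] >> 4) != 1 || (h[0] & 0x0f) != 1) { r.cls = PPPOE_MALFORMED; return r; } /* VER=1, TYPE=1 */
    r.code       = h[1];
    r.session_id = rd16(h + 2);
    uint16_t plen = rd16(h + 4);
    /* LENGTH is the payload size after the 6-byte header; it must fit in the frame. */
    if ((size_t)ETH_HLEN + PPPOE_HLEN + plen > len) { r.cls = PPPOE_MALFORMED; return r; }

    if (ethertype == ETHERTYPE_PPPOE_DISC) {
        switch (r.code) {
        case 0x09: /* PADI */ if (r.session_id != 0) { r.cls = PPPOE_MALFORMED; return r; } /* fallthrough */
        case 0x07: /* PADO */ case 0x19: /* PADR */ case 0x65: /* PADS */ case 0xa7: /* PADT */
            r.cls = PPPOE_DISCOVERY; return r;
        default:
            r.cls = PPPOE_MALFORMED; return r;
        }
    }
    /* Session stage: CODE must be 0 and the payload starts with the PPP protocol field. */
    if (r.code != 0x00 || plen < 2) { r.cls = PPPOE_MALFORMED; return r; }
    r.ppp_proto = rd16(h + PPPOE_HLEN);
    r.inner_off = ETH_HLEN + PPPOE_HLEN + 2;
    r.inner_len = plen - 2;
    r.cls = (r.ppp_proto == PPP_IPV4 || r.ppp_proto == PPP_IPV6) ? PPPOE_SESSION_IP
                                                                  : PPPOE_SESSION_CONTROL;
    return r;
}

/* Rewrite a PPPoE session frame carrying IP as a plain Ethernet frame (the
 * "stripped ethernet frame" of the proposal). Returns the new length, or 0 if
 * the frame is not a strippable IP session frame or the output buffer is too small. */
size_t pppoe_strip(const uint8_t *frame, size_t len, uint8_t *out, size_t outcap)
{
    struct pppoe_result r = pppoe_classify(frame, len);
    if (r.cls != PPPOE_SESSION_IP) return 0;
    size_t newlen = ETH_HLEN + r.inner_len;
    if (newlen > outcap) return 0;
    memcpy(out, frame, 12);                                   /* keep dst/src MAC */
    uint16_t et = (r.ppp_proto == PPP_IPV4) ? 0x0800 : 0x86DD; /* PPP protocol -> Ethertype */
    out[12] = (uint8_t)(et >> 8); out[13] = (uint8_t)(et & 0xff);
    memcpy(out + ETH_HLEN, frame + r.inner_off, r.inner_len);
    return newlen;
}

/* Constructed sample frames (not captured traffic). */
static const uint8_t sample_padi[] = {          /* broadcast PADI with an empty Service-Name tag */
    0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x11,0x22,0x33,0x44,0x55, 0x88,0x63,
    0x11,0x09, 0x00,0x00, 0x00,0x04, 0x01,0x01,0x00,0x00 };
static const uint8_t sample_lcp[] = {           /* session 0x1234, LCP Echo-Request (PPP control) */
    0x00,0xaa,0xbb,0xcc,0xdd,0xee, 0x00,0x11,0x22,0x33,0x44,0x55, 0x88,0x64,
    0x11,0x00, 0x12,0x34, 0x00,0x06, 0xc0,0x21, 0x09,0x01,0x00,0x04 };
static const uint8_t sample_ipv4[] = {          /* session 0x1234 carrying a 20-byte IPv4 header */
    0x00,0xaa,0xbb,0xcc,0xdd,0xee, 0x00,0x11,0x22,0x33,0x44,0x55, 0x88,0x64,
    0x11,0x00, 0x12,0x34, 0x00,0x16, 0x00,0x21,
    0x45,0x00,0x00,0x14, 0x00,0x01,0x00,0x00, 0x40,0x01,0x00,0x00, 0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02 };
static const uint8_t sample_badlen[] = {        /* same as sample_ipv4 but LENGTH=255: more than the frame holds */
    0x00,0xaa,0xbb,0xcc,0xdd,0xee, 0x00,0x11,0x22,0x33,0x44,0x55, 0x88,0x64,
    0x11,0x00, 0x12,0x34, 0x00,0xff, 0x00,0x21,
    0x45,0x00,0x00,0x14, 0x00,0x01,0x00,0x00, 0x40,0x01,0x00,0x00, 0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02 };

/* Strip sample_ipv4 and report the resulting plain-Ethernet length (34 expected: 14 + 20). */
size_t demo_strip_ipv4(uint16_t *ethertype_out)
{
    uint8_t out[64];
    size_t n = pppoe_strip(sample_ipv4, sizeof sample_ipv4, out, sizeof out);
    if (n >= ETH_HLEN && ethertype_out) *ethertype_out = rd16(out + 12);
    return n;
}

int main(void)
{
    uint16_t et = 0;
    printf("PADI   -> class %d\n", pppoe_classify(sample_padi, sizeof sample_padi).cls);
    printf("LCP    -> class %d\n", pppoe_classify(sample_lcp, sizeof sample_lcp).cls);
    printf("IPv4   -> class %d\n", pppoe_classify(sample_ipv4, sizeof sample_ipv4).cls);
    printf("badlen -> class %d\n", pppoe_classify(sample_badlen, sizeof sample_badlen).cls);
    printf("stripped IPv4 frame: %zu bytes, ethertype 0x%04x\n", demo_strip_ipv4(&et), et);
    return 0;
}
```

The split into DISCOVERY / SESSION_CONTROL / SESSION_IP is the point of the exercise: only the last class is a candidate for stripping and for the inner pass/block rules, while discovery and PPP control frames stay whole so the handshake the post describes keeps working across the bridge.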