
Re: What do you think about PF filtering for encapsulated protocols (e.g pppoe) ?

On Fri, Oct 07, 2005 at 01:54:57AM +0100, mzozd wrote:
> The best way to do it seems to be an addon keyword at the scrub
> directive in the Traffic Normalization routines
> e.g. scrub on $interface all strip_pppoe.
> The pppoe header stripping will take place before any other actions and
> will pass on a stripped ethernet frame to the subsequent functions.

And how does the stripped header get re-attached after pf is done with
the packet?
pf doesn't get a copy of a packet to make its decision, it gets passed
the packet itself. If it does any changes (like NAT), it changes the
real packet.
So just stripping the header at the beginning is not sufficient, as then
the bridge would pass on the stripped packet (effectively decapsulating
all packets).
If you re-attach a saved copy of the header, you'll have to make sure it
doesn't contain any data (like checksums) that may have been invalidated
by pf's changes.
Also, when pf reassembly, syn-proxy or route-to is used, packets don't
simply come back from pf, but pf may consume packets. I.e. the flow
isn't as simple as 'every packet enters pf and then leaves again,
simply remove the header prior and re-attach after'.
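The re-attach problem described in this reply, worked through on a constructed frame. This is an added example, not code from the thread, from pf or from any PPPoE implementation; the `pf_nat_source` and `pf_reassembled` functions are stand-ins for changes pf makes to the real packet, and the MAC addresses, session id and IP addresses are constructed values. It follows the RFC 2516 session-stage layout (Ethertype 0x8864, a 6-byte PPPoE header whose length field counts the PPP protocol field plus payload, then PPP protocol 0x0021 for IPv4). The PPPoE header itself carries no checksum, but it does carry a length field, which is exactly the kind of saved data that goes stale once pf has changed the packet:

```python
"""Strip a PPPoE session header, let a pf stand-in modify the inner packet,
then re-attach: a verbatim re-attach is only valid while pf leaves the
payload length alone. Constructed example, not pf code."""
import struct

ETH_P_PPPOE_SESS = 0x8864   # Ethertype of a PPPoE session-stage frame (RFC 2516)
ETH_P_IP = 0x0800
PPP_IPV4 = 0x0021           # PPP protocol number for IPv4


def ip_checksum(hdr: bytes) -> int:
    """RFC 791 one's-complement sum over an IPv4 header whose checksum field is zero."""
    if len(hdr) % 2:
        hdr += b"\0"
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_ipv4(src: bytes, dst: bytes, payload: bytes) -> bytes:
    """Minimal IPv4 packet (protocol 253, RFC 3692 experimental). Constructed input."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      0x1234, 0x4000, 64, 253, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload


def build_pppoe_frame(dst_mac: bytes, src_mac: bytes, session_id: int, ip_packet: bytes) -> bytes:
    # The PPPoE length counts the PPP protocol field plus the PPP payload, not the PPPoE header.
    pppoe = struct.pack("!BBHH", 0x11, 0x00, session_id, 2 + len(ip_packet))
    return (dst_mac + src_mac + struct.pack("!H", ETH_P_PPPOE_SESS) + pppoe
            + struct.pack("!H", PPP_IPV4) + ip_packet)


def strip_pppoe(frame: bytes):
    """Return (saved_header, plain Ethernet/IPv4 frame); ValueError on malformed input."""
    if len(frame) < 22:
        raise ValueError("frame too short for Ethernet + PPPoE + PPP headers")
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_PPPOE_SESS:
        raise ValueError("not a PPPoE session frame")
    vertype, code, _sid, plen = struct.unpack("!BBHH", frame[14:20])
    if vertype != 0x11 or code != 0x00:
        raise ValueError("unexpected PPPoE version/type/code")
    if plen < 2 or len(frame) < 20 + plen:
        raise ValueError("PPPoE length field exceeds frame")
    if struct.unpack("!H", frame[20:22])[0] != PPP_IPV4:
        raise ValueError("PPP payload is not IPv4")
    saved = frame[12:22]   # Ethertype + PPPoE header + PPP protocol field
    inner = frame[:12] + struct.pack("!H", ETH_P_IP) + frame[22:20 + plen]
    return saved, inner


def reattach_naive(saved: bytes, inner: bytes) -> bytes:
    """What 'remove the header prior and re-attach after' implies: saved bytes go back verbatim."""
    return inner[:12] + saved + inner[14:]


def reattach_fixed(saved: bytes, inner: bytes) -> bytes:
    """Rebuild the PPPoE header from the packet pf actually handed back."""
    vertype, code, sid, _stale_len = struct.unpack("!BBHH", saved[2:8])
    payload = inner[14:]
    pppoe = struct.pack("!BBHH", vertype, code, sid, 2 + len(payload))
    return inner[:12] + saved[:2] + pppoe + saved[8:10] + payload


def pppoe_length_consistent(frame: bytes) -> bool:
    """Check: does the PPPoE length field agree with the bytes that follow it?"""
    plen = struct.unpack("!H", frame[18:20])[0]
    return 20 + plen == len(frame)


def pf_nat_source(inner: bytes, new_src: bytes) -> bytes:
    """Stand-in for pf NAT: rewrite the IPv4 source in place and fix the IPv4 checksum."""
    ip = bytearray(inner[14:])
    ip[12:16] = new_src
    ip[10:12] = b"\0\0"
    ip[10:12] = struct.pack("!H", ip_checksum(bytes(ip[:20])))
    return inner[:14] + bytes(ip)


def pf_reassembled(inner: bytes, extra: bytes) -> bytes:
    """Stand-in for pf handing back a larger packet (e.g. after fragment reassembly)."""
    ip = bytearray(inner[14:]) + extra
    ip[2:4] = struct.pack("!H", len(ip))
    ip[10:12] = b"\0\0"
    ip[10:12] = struct.pack("!H", ip_checksum(bytes(ip[:20])))
    return inner[:14] + bytes(ip)


def demo() -> dict:
    frame = build_pppoe_frame(bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"), 0x0001,
                              build_ipv4(bytes([10, 0, 0, 2]), bytes([192, 0, 2, 1]), b"hello"))
    saved, inner = strip_pppoe(frame)
    grown = pf_reassembled(inner, b" world")
    return {
        "strip_roundtrip_ok": reattach_naive(saved, inner) == frame,
        "naive_after_nat_ok": pppoe_length_consistent(
            reattach_naive(saved, pf_nat_source(inner, bytes([198, 51, 100, 7])))),
        "naive_after_reassembly_ok": pppoe_length_consistent(reattach_naive(saved, grown)),
        "fixed_after_reassembly_ok": pppoe_length_consistent(reattach_fixed(saved, grown)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(name, ok)
```

The NAT case passes with a verbatim re-attach because the outer header never depended on the inner addresses; the reassembly case fails it because the saved length field now describes a packet that no longer exists. Even the "fixed" variant only covers packets that do come back out of pf, which is the other half of the reply's point.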