xt_802.1X Enable IP / Use Idle-Time / Session limits to limit traffic [netfilter/wired]
Gregory Nietsky
gregory
Wed Apr 4 00:40:38 PDT 2012
Hi all,

I've been looking for a way of implementing an action on a packet of an authenticated/unauthenticated connection WRT 802.1X wired, to ring-fence / drop / log / .... a packet, and further to use session timing / data limits obtained from RADIUS.

There are various approaches to this. Looking through the mailing lists, adding this to hostapd does not seem to be popular and is far from ideal from an OS portability view. Having a userland daemon/kernel driver that hostapd writes data to via a socket/dev/file will work on any system and will probably be accepted into the hostapd code, as it hooks into the authenticate/deauthenticate sections with little effort.
With the above in mind I have started work on an embryonic kernel module for Linux, xt_8021X. It's a netfilter target that has the following goals:
- a jhash of the MAC/IP for matching a device: idletimeout / sessiontime / sessionlimit / inputoctets / inputbytes / outputoctets / outputbytes / limitino / limitinb / limitoo / limitob / limitto / limittb. This struct will allow actions to take place on these triggers and, using other nf matches, can limit the data / time limits to apply to only certain traffic, ie forward traffic or postrouting NATted traffic .... This could be used for accounting updates to RADIUS to use these counters, not the internal counters in hostapd, to allow some traffic to be accounted and some not to be.
- /dev/net/8021x dev file that hostap will write to / read from to inject an authenticated station, read the traffic count, remove a hash. This will need to be done in a well defined way, perhaps as a "driver" API that can be reused by other OS's for other methods, ie sockets/files using notify or similar.
- /proc/xt_8021X to view the matching packet counts and authorised devices. This can be used by userland apps for other purposes; it is not related to hostap in any way and is for sysadmin usage.
PROPOSED usage:

iptables -j 8021X --action [record|reject]|record [--idle] [--target <TABLE>]

The action applies to devices:
- record: update the counts but take no action on authorized devices. --idle will only record the packet as seen without updating packet counters [default].
- reject: will DROP or jump to the target table if it is not authorised and/or the session has been violated; all other packets will be recorded as per the idle flag.

This is a proposal and request for feedback; all input is welcome and encouraged.

I may also add an xt_8021x match module that will allow checking if it is authorised or not, ie taking no session information into account: "-m 8021x [!] --8021x"

Regards Greg
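Added example, not the author's xt_8021X code: a userland C model of the per-station entry and record/reject verdict logic the proposal sketches. The struct fields, the helper names (make_station, xt8021x_packet) and the rule that a limit counts as violated only when strictly exceeded are assumptions for illustration.

```c
/* Userland model of the per-station session table and verdict logic the
 * proposal sketches. Assumed names and rules for illustration, not the
 * author's xt_8021X code; "limit exceeded" means strictly greater than. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

enum verdict { V_RECORD = 0, V_DROP = 1 };      /* --action record / reject */
enum dir { DIR_IN = 0, DIR_OUT = 1 };

struct station {                                 /* one entry of the MAC/IP hash */
    uint8_t  mac[6]; uint32_t ip;
    bool     authorised;                         /* injected by hostapd */
    uint64_t session_start, last_seen;           /* seconds */
    uint64_t idle_timeout, session_time;         /* from RADIUS; 0 = no limit */
    uint64_t in_octets, out_octets;              /* inputoctets / outputoctets */
    uint64_t limit_in, limit_out, limit_total;   /* limitinb / limitob / limittb */
};

/* Constructed entry: start/last_seen at 0, only the given limits set. */
struct station make_station(bool authorised, uint64_t idle_timeout,
                            uint64_t limit_total)
{
    struct station s; memset(&s, 0, sizeof s);
    s.authorised = authorised;
    s.idle_timeout = idle_timeout;
    s.limit_total = limit_total;
    return s;
}

/* True when the RADIUS-derived idle, time or octet limits are violated. */
static bool session_violated(const struct station *s, uint64_t now)
{
    if (s->idle_timeout && now - s->last_seen > s->idle_timeout) return true;
    if (s->session_time && now - s->session_start > s->session_time) return true;
    if (s->limit_in && s->in_octets > s->limit_in) return true;
    if (s->limit_out && s->out_octets > s->limit_out) return true;
    return s->limit_total && s->in_octets + s->out_octets > s->limit_total;
}

/* One packet through the target: reject models --action reject, idle
 * models --idle (mark the station as seen without updating counters). */
enum verdict xt8021x_packet(struct station *s, uint64_t now, enum dir d,
                            uint32_t len, bool reject, bool idle)
{
    if (reject && (!s->authorised || session_violated(s, now)))
        return V_DROP;                           /* DROP or jump to --target */
    if (!idle)
        *(d == DIR_IN ? &s->in_octets : &s->out_octets) += len;
    s->last_seen = now;
    return V_RECORD;
}
```

With --action record the verdict is always V_RECORD and only the counters change; with reject an unauthorised station or an exceeded limit yields V_DROP without touching the counters.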