wired authentication (kernel module)

Gunter Burchardt gbur
Wed Sep 22 22:49:17 PDT 2004


> I don't understand where you need to match output.
> 
> Now I understand that you also need to implement the counting part beside 
> the authentication. It is possible to count mac sources with iptables. You 
> don't need the ip address. Something like this works:
> iptables -A APINET -m mac --mac-source aa:bb:cc:dd:ee:ff -j ACCEPT
> There is only now difference between sent and received packets, if that's 
> what you mean with output.

If you receive packets from a station, mac-source is set and you can
accept/account these packets. But with iptables it is impossible to
filter packets to a station; there is no mac-destination option! It
will never give such an option! iptables is layer 3. The mac will be set
in level 2. That's behind iptables handling. It's impossible to add rules
for packets sent to a station if you only have mac addresses.

Well, it's possible to allow all packets sent to stations and drop only
incoming station packets. But what about accounting? For packets from
a station it will work, but no chance to account packets sent to the
station with iptables. A mapping from mac address to iptables would
work. But behind one mac address can be more than one ip address. Such
a handling would be very complex (and need extensions too).

regards
gunter
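The two directions discussed in this thread, as an added example that is not part of the original posts or of hostapd: inbound accounting uses the `-m mac --mac-source` match from the quoted rule, while outbound accounting has to map the station's MAC to every IP currently bound to it (the "more than one ip address behind one mac" case) and emit one destination rule per IP. The chain name APINET is taken from the thread; the neighbour-table text is a constructed sample in the format of `ip -4 neigh show`, and the script only prints the iptables commands rather than running them.

```shell
#!/bin/sh
# Added example: build per-station accounting rules for one MAC address.
# Inbound  (station -> AP): -m mac --mac-source matches the frame directly.
# Outbound (AP -> station): iptables has no MAC destination match, so the MAC
# is mapped to each IP currently bound to it and one -d rule is emitted per IP.

# Constructed sample neighbour table (assumption: a real run would use the
# output of `ip -4 neigh show` instead). One MAC deliberately has two IPs,
# and one entry has no lladdr at all (FAILED) and must be ignored.
SAMPLE_NEIGH='192.168.0.10 dev wlan0 lladdr aa:bb:cc:dd:ee:ff REACHABLE
192.168.0.11 dev wlan0 lladdr aa:bb:cc:dd:ee:ff STALE
192.168.0.20 dev wlan0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.0.30 dev wlan0 FAILED'

# ips_for_mac MAC NEIGH_TEXT -> prints every IP whose lladdr equals MAC
ips_for_mac() {
    printf '%s\n' "$2" | awk -v mac="$1" '
        { for (i = 1; i < NF; i++)
              if ($i == "lladdr" && tolower($(i+1)) == mac) print $1 }'
}

# rules_for_station CHAIN MAC NEIGH_TEXT -> prints the iptables commands
# (nothing is executed here; pipe into sh on the AP to apply them)
rules_for_station() {
    chain=$1
    mac=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    neigh=$3
    # inbound: a single rule, the source MAC is present on every frame
    printf 'iptables -A %s -m mac --mac-source %s -j ACCEPT\n' "$chain" "$mac"
    # outbound: one rule per IP address currently mapped to this MAC
    ips_for_mac "$mac" "$neigh" | while read -r ip; do
        printf 'iptables -A %s -d %s -j ACCEPT\n' "$chain" "$ip"
    done
}

# count_rules CHAIN MAC NEIGH_TEXT -> number of rules that would be emitted
count_rules() {
    rules_for_station "$1" "$2" "$3" | wc -l | tr -d ' '
}

rules_for_station APINET aa:bb:cc:dd:ee:ff "$SAMPLE_NEIGH"
```

The outbound rules are only as current as the neighbour table they were generated from, so they must be regenerated whenever a station's IP binding changes.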




More information about the Hostap mailing list