Project Description
FreeBSD lacks sophisticated layer2 and mixed layer2-layer3 filtering. ipfw performs mixed layer2-layer3 packet filtering using its own hooks in ether_demux/ether_output_frame and if_bridge. pf can't filter by layer2 addresses. I propose to improve both ipfw and pf to filter by layer2 addresses.
Recent patches can be found in github repository
Perforce repository: http://perforce.freebsd.org/changeList.cgi?CMD=changes&FSPC=//depot/projects/soc2008/gk%5fl2filter/...
Milestones
general
Implement pfil hooks for filtering ethernet packets
Add mtag containing source and destination layer2 addresses to every mbuf
Add per interface flags: l2filter, l2tag
ipfw
Update ipfw layer2 not to touch ip headers, but to use mentioned mtags to do MAC-IP filtering
Add src-ether and dst-ether ipfw options
Support mac addresses in ipfw lookup tables
Stateful filtering by mac addresses
Implement ARP filtering options
Update documentation
pf
Add stateful filtering against mac addresses. Make it part of present layer3 stateful filtering.
Extend pf's tables facility to contain layer2 address apart with layer3 address.
Support in userspace (pf.conf, pfctl).
Update documentation