[B.A.T.M.A.N.] Batman-Adv & iptables mac filtering

[B.A.T.M.A.N.] Batman-Adv & iptables mac filtering

[HeXiLeD]

This is probably a openwrt question but even so it might have some
impact on batman-adv.

I am planing to use mac filtering through iptables on openwrt with a
default policy of deny all, allowing only by white list the clients that
will be allowed t connect.


My question to the batman team is if by applying this idea and since
batman-adv uses MACs to manage the routing; if i will have to white list
the other router MACs on the router or routers that will be filtering
MACs with iptables or batman-adv is not affected by mac filtering.

Re: [B.A.T.M.A.N.] Batman-Adv & iptables mac filtering

[Marek Lindner]

On Tuesday, December 18, 2012 08:10:30 HeXiLeD wrote:
> This is probably a openwrt question but even so it might have some
> impact on batman-adv.
> 
> I am planing to use mac filtering through iptables on openwrt with a
> default policy of deny all, allowing only by white list the clients that
> will be allowed t connect.
> 
> 
> My question to the batman team is if by applying this idea and since
> batman-adv uses MACs to manage the routing; if i will have to white list
> the other router MACs on the router or routers that will be filtering
> MACs with iptables or batman-adv is not affected by mac filtering.

iptables works on layer3. Even though you have a mac address filter option it 
will only catch anything if the packet is moved up to layer3 which does not 
happen for batman-adv packets. So, iptables will never even see the packets 
used by batman-adv.

Cheers,
Marek

Re: [B.A.T.M.A.N.] Batman-Adv & iptables mac filtering

[Esteban Municio]

Could you use ebtables instead?

2012/12/17 Marek Lindner <lindner_marek@yahoo.de>:
> On Tuesday, December 18, 2012 08:10:30 HeXiLeD wrote:
>> This is probably a openwrt question but even so it might have some
>> impact on batman-adv.
>>
>> I am planing to use mac filtering through iptables on openwrt with a
>> default policy of deny all, allowing only by white list the clients that
>> will be allowed t connect.
>>
>>
>> My question to the batman team is if by applying this idea and since
>> batman-adv uses MACs to manage the routing; if i will have to white list
>> the other router MACs on the router or routers that will be filtering
>> MACs with iptables or batman-adv is not affected by mac filtering.
>
> iptables works on layer3. Even though you have a mac address filter option it
> will only catch anything if the packet is moved up to layer3 which does not
> happen for batman-adv packets. So, iptables will never even see the packets
> used by batman-adv.
>
> Cheers,
> Marek



-- 
Esteban

Re: [B.A.T.M.A.N.] Batman-Adv & iptables mac filtering

[Marek Lindner]

On Friday, December 28, 2012 06:59:40 Esteban Municio wrote:
> Could you use ebtables instead?

I was told you can use ebtables but I never used it.

Cheers,
Marek

Re: [B.A.T.M.A.N.] Batman-Adv & iptables mac filtering

[Antonio Quartulli]

[-- Attachment #1: Type: text/plain, Size: 505 bytes --]

On Wed, Jan 02, 2013 at 02:45:27PM +0800, Marek Lindner wrote:
> On Friday, December 28, 2012 06:59:40 Esteban Municio wrote:
> > Could you use ebtables instead?
> 
> I was told you can use ebtables but I never used it.

But keep in mind that ebtables works with bridge interfaces only, therefore you
must first create a bridge, add bat0 to it and then use ebtables onto the bridge
interface.

Cheers,


-- 
Antonio Quartulli

..each of us alone is worth nothing..
Ernesto "Che" Guevara

[-- Attachment #2: Type: application/pgp-signature, Size: 836 bytes --]