PATCH: wired eapol receive/send

Andy wireless at windsorcarclub.co.uk
Thu Sep 2 04:27:42 EDT 2004


> > Is there any particular reason for parsing DHCP packets?
> But iptables is layer 3 in ISO/OSI.

Why not use either the MAC address filtering module for iptables (man
iptables, search for mac-source), or better still, use ebtables
(http://ebtables.sourceforge.net), which provides layer 2 filtering
functionality (it needs kernel patches for kernel 2.4, but is in kernel
2.6)?  Maybe a .1x module for ebtables is the way to go?

Andy
wireless at windsorcarclub.co.uk
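Added example (not hostapd code, nor anything from the ebtables project) of what the two approaches Andy mentions look like as rules: a default-deny controlled port where only EAPOL (ethertype 0x888e) reaches the authenticator until a station is authorized, the ebtables rules that then open both directions by MAC address, and the iptables mac-source variant, which can only match the station's frames, not frames sent to it. Assumed names: the controlled port is eth1 (override with AUTH_PORT), the tools are on PATH, and DRY_RUN=1 prints the commands instead of executing them (running them for real needs root).

```shell
#!/bin/sh
# Added example, not hostapd or ebtables project code: 802.1X-style port
# authorization on a wired port with ebtables (layer 2), plus the
# ingress-only iptables "mac" module variant.  Assumptions: the controlled
# port is eth1, tools are on PATH, DRY_RUN=1 prints instead of running.
AUTH_PORT="${AUTH_PORT:-eth1}"
EBTABLES="${EBTABLES:-ebtables}"
IPTABLES="${IPTABLES:-iptables}"

# run_cmd: execute the command, or print it when DRY_RUN is set.
run_cmd() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# valid_mac: accept only aa:bb:cc:dd:ee:ff so a string taken from the wire
# (a DHCP or EAPOL frame) can never splice extra arguments into a rule.
valid_mac() {
    hx='[0-9a-fA-F]'
    case "$1" in
        $hx$hx:$hx$hx:$hx$hx:$hx$hx:$hx$hx:$hx$hx) return 0 ;;
        *) return 1 ;;
    esac
}

# port_init: nothing is bridged for an unauthorized station, and the only
# frames from the port that the authenticator host itself accepts are
# EAPOL, so a supplicant can still start 802.1X.  Per-station ACCEPT rules
# are later inserted (-I) ahead of the INPUT DROP.
port_init() {
    run_cmd "$EBTABLES" -P FORWARD DROP
    run_cmd "$EBTABLES" -A INPUT -i "$AUTH_PORT" -p 0x888e -j ACCEPT
    run_cmd "$EBTABLES" -A INPUT -i "$AUTH_PORT" -j DROP
}

# sta_authorize: open the port for one MAC in both directions.  Matching
# on the destination MAC (-d) is what iptables cannot do without the
# station's IP address.
sta_authorize() {
    valid_mac "$1" || { echo "sta_authorize: bad MAC '$1'" >&2; return 1; }
    run_cmd "$EBTABLES" -I INPUT -i "$AUTH_PORT" -s "$1" -j ACCEPT
    run_cmd "$EBTABLES" -I FORWARD -i "$AUTH_PORT" -s "$1" -j ACCEPT
    run_cmd "$EBTABLES" -I FORWARD -o "$AUTH_PORT" -d "$1" -j ACCEPT
}

# sta_deauthorize: remove exactly the rules sta_authorize added.
sta_deauthorize() {
    valid_mac "$1" || { echo "sta_deauthorize: bad MAC '$1'" >&2; return 1; }
    run_cmd "$EBTABLES" -D INPUT -i "$AUTH_PORT" -s "$1" -j ACCEPT
    run_cmd "$EBTABLES" -D FORWARD -i "$AUTH_PORT" -s "$1" -j ACCEPT
    run_cmd "$EBTABLES" -D FORWARD -o "$AUTH_PORT" -d "$1" -j ACCEPT
}

# iptables_authorize: the mac-source match.  The iptables mac module has
# no destination-MAC match, so this covers frames from the station only.
iptables_authorize() {
    valid_mac "$1" || { echo "iptables_authorize: bad MAC '$1'" >&2; return 1; }
    run_cmd "$IPTABLES" -A FORWARD -i "$AUTH_PORT" -m mac --mac-source "$1" -j ACCEPT
}

# sta_counters: kernel-kept per-rule packet/byte counters (--Lc), one
# answer to accounting without counting packets in user space.
sta_counters() {
    run_cmd "$EBTABLES" -L FORWARD --Lc
}

# Minimal CLI; with no arguments the file only defines the functions.
case "${1:-}" in
    init)     port_init ;;
    auth)     sta_authorize "${2:-}" ;;
    deauth)   sta_deauthorize "${2:-}" ;;
    counters) sta_counters ;;
    "")       ;;
    *)        echo "usage: $0 init|auth MAC|deauth MAC|counters" >&2 ;;
esac
```

Try it without touching the kernel with `DRY_RUN=1 sh port_auth.sh auth 00:11:22:33:44:55` (a hypothetical file name); the printed lines are the exact ebtables invocations, and a malformed MAC is rejected before any rule is built.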
----- Original Message ----- 
From: "Gunter Burchardt" <gbur at informatik.uni-rostock.de>
To: "Jouni Malinen" <jkmaline at cc.hut.fi>
Cc: <hostap at shmoo.com>
Sent: Thursday, September 02, 2004 7:55 AM
Subject: Re: PATCH: wired eapol receive/send


> > > First patch to bring wired authentication with hostapd alive. This
> > > patch enables hostapd to send and receive EAPOL frames via ethernet.
> > > Furthermore, STA detection is implemented via DHCP for stations which
> > > didn't send EAPOL-Start (like the WinXP supplicant).
> >
> > Thanks! I haven't yet merged this in, but couple of quick
> > comments/questions first..
>
>
> > Is there any particular reason for parsing DHCP packets? One option
> > would be to open packet socket on the same interface with Linux Socket
> > filter to capture the packets and then take the layer 2 address from
> > them. Then again, this may not end up being much simpler. Eventually, I
> > would assume this could be replaced with something like iptables
> > firewall queueing packets from unknown MAC addresses for user space
> > processing and all devices would be noticed whenever they send the first
> > packet, no matter whether it is DHCP or something else, i.e., static IP
> > and non-IPv4 hosts would also be processed.
>
> Sounds good. I will check it. But iptables has no real API. In the
> documentation iptables-restore is recommended as the API. I've written a
> function that starts iptables-restore, puts the iptables rules on its
> stdin and parses stdout to check if it was successful. I'm really
> unhappy about this. But at the moment I see no other way.
>
> I would like to use iptables for port authorization: adding some rules
> for authorized stations so that packets from these stations are accepted.
> But iptables is layer 3 in ISO/OSI. Only the IP address is known. OK, you
> can match on the incoming MAC address. But there is no way to control
> packets sent to the station without knowledge of the IP address of this
> station.
>
> Another way is that only one station can connect to a port (device).
> Together with vlan-devices and a vlan enabled switch it would be a
> secure way.
>
> Is accounting using iptables OK? I will not count all packets in user
> space (too slow) and I will not hack into device drivers.
>
> > > In ieee802_11.c auth_get_sta() is implemented. I think this function
> > > should move to hostapd.c. There are no 802.11 things in this function.
> > > At the moment I declared this function extern.
> >
> > I would agree on moving the function, although I would probably move it
> > to sta_info.c, not hostapd.c. In addition, the function should be
> > renamed to something like ap_sta_add().
>
> Should I do it or you?
>
> regards
> gunter
> _______________________________________________
> HostAP mailing list
> HostAP at shmoo.com
> http://lists.shmoo.com/mailman/listinfo/hostap