xt_802.1X Enable IP / Use Idle-Time / Session limits to limit traffic [netfilter/wired] [COMMIT]

Gregory Nietsky gregory at distrotech.co.za
Sun Apr 8 12:07:28 EDT 2012


Hi all

Follow up on xtables SESSION driver [Linux]

I have posted some code for a framework on my SVN server; it is open for 
comment and near usable.

The /proc/net/8021x bits will display a list of active sessions written 
to /dev/8021x. The driver hooks into udev/sysfs and dynamically creates 
the dev file that hostapd can write sessions to, and ultimately query 
sessions from and receive accounting data.

The xtables target for now passes all traffic through; it should be 
blocking on no session or a mismatched IP/MAC pair, and recording the 
traffic (packet + size) for use by userland.

For now the following will work:

    echo "XXXXXX" > /dev/8021x
    cat /proc/net/8021x
    iptables -j SESSION -h

where XXXXXX is the MAC address (use of abcdef is acceptable); this will 
be written with session time/idle time by hostapd.

I'm hoping that someone can comment on the usefulness / suitability of 
this with regard to hostapd.

My target application is a remote branch / road warrior implementation 
where a small micro Atom system is dropped down as a VPN/DHCP/GW/..... 
device and will limit / monitor traffic use to authorized devices using 
802.1X with hostapd on both wired and wireless. Obviously this adds the 
session management bits to wired and allows basic functionality offered 
by mid/high-end switches that will not be found in this application.

If I'm not mistaken, hostapd wired DOES NOT currently have accounting 
hooks, and I plan to implement such using information read from the 
/dev/8021x interface.

http://pbx.distrotech.co.za/svn/netfilter_session/
http://pbx.distrotech.co.za/viewsvn/netfilter_session/

Greg
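
The policy sketched in the message above (drop traffic with no session or with a mismatched IP/MAC pair, enforce the session and idle limits hostapd writes, and keep per-session packet and byte counters for userland), as an added userland model in C. This is example code written for this page, not the code in the SVN repository linked above; the control-line format "<mac> <session_limit_s> <idle_limit_s>", the function names and the /proc-style output line are assumptions, and the sample MACs and addresses in the usage are constructed.

```c
/* Added example, not the project's code: a userland model of the SESSION target policy.
 * Assumed hostapd control line: "<mac> <session_limit_s> <idle_limit_s>", 0 = no limit. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define MAX_SESSIONS 64
enum verdict {
    SESS_ACCEPT = 0,
    SESS_DROP_NO_SESSION,    /* MAC never written by hostapd, or already expired */
    SESS_DROP_IP_MISMATCH,   /* IP differs from the bound one, or belongs to another MAC */
    SESS_DROP_SESSION_LIMIT, /* session time exhausted */
    SESS_DROP_IDLE_LIMIT     /* idle time exhausted */
};

struct session {
    int active;
    uint8_t mac[6];
    uint32_t ip;                        /* IPv4, host order; 0 until the first packet binds it */
    time_t started, last_seen;
    uint32_t session_limit, idle_limit; /* seconds, 0 = unlimited */
    uint64_t packets, bytes;            /* accounting exported to userland */
};

static struct session table[MAX_SESSIONS];

/* Active session by MAC (mac != NULL) or by bound IP (mac == NULL). */
static struct session *find(const uint8_t *mac, uint32_t ip)
{
    for (int i = 0; i < MAX_SESSIONS; i++)
        if (table[i].active && (mac ? !memcmp(table[i].mac, mac, 6) : table[i].ip == ip))
            return &table[i];
    return NULL;
}

/* A write to /dev/8021x: create or refresh the session for one MAC.
 * Returns 0 on success, -1 on a malformed line or a full table. */
int session_write(const char *line, time_t now)
{
    uint8_t mac[6];
    unsigned slimit, ilimit;
    if (sscanf(line, "%hhx:%hhx:%hhx:%hhx:%hhx:%hhx %u %u", &mac[0], &mac[1],
               &mac[2], &mac[3], &mac[4], &mac[5], &slimit, &ilimit) != 8)
        return -1;
    struct session *s = find(mac, 0);
    for (int i = 0; !s && i < MAX_SESSIONS; i++)
        if (!table[i].active) {
            s = &table[i];
            *s = (struct session){ .active = 1 };
            memcpy(s->mac, mac, 6);
        }
    if (!s)
        return -1;
    s->started = s->last_seen = now;    /* re-auth restarts the clocks, keeps the counters */
    s->session_limit = slimit;
    s->idle_limit = ilimit;
    return 0;
}

/* Per-packet decision the xtables target would take in its hook.
 * ip == 0 (0.0.0.0, e.g. a DHCP discover) is let through but never bound or checked. */
enum verdict session_filter(const uint8_t mac[6], uint32_t ip, size_t len, time_t now)
{
    struct session *s = find(mac, 0);
    if (!s)
        return SESS_DROP_NO_SESSION;
    if (s->session_limit && now - s->started >= (time_t)s->session_limit) {
        s->active = 0;
        return SESS_DROP_SESSION_LIMIT;
    }
    if (s->idle_limit && now - s->last_seen >= (time_t)s->idle_limit) {
        s->active = 0;
        return SESS_DROP_IDLE_LIMIT;
    }
    if (ip && s->ip == 0) {
        if (find(NULL, ip))             /* IP already pinned to another MAC */
            return SESS_DROP_IP_MISMATCH;
        s->ip = ip;                     /* first packet pins the IP to this MAC */
    } else if (ip && s->ip != ip) {
        return SESS_DROP_IP_MISMATCH;   /* spoofed MAC or changed address */
    }
    s->last_seen = now;
    s->packets++;
    s->bytes += len;
    return SESS_ACCEPT;
}

/* One accounting line in the style of /proc/net/8021x (assumed format). */
int session_dump(const uint8_t mac[6], char *buf, size_t n)
{
    struct session *s = find(mac, 0);
    if (!s)
        return -1;
    return snprintf(buf, n, "%02x:%02x:%02x:%02x:%02x:%02x ip=%u.%u.%u.%u pkts=%llu bytes=%llu",
                    s->mac[0], s->mac[1], s->mac[2], s->mac[3], s->mac[4], s->mac[5],
                    s->ip >> 24, (s->ip >> 16) & 255, (s->ip >> 8) & 255, s->ip & 255,
                    (unsigned long long)s->packets, (unsigned long long)s->bytes);
}
```

The two checks worth keeping in mind when this moves into a real xtables target are the ones the model makes explicit: an IP already pinned to another MAC must be refused even for a freshly authenticated station, and an expired entry must disappear from the table (here: active = 0) so the next packet fails with "no session" rather than silently reviving it. A kernel version would also need a lock around the table and a hash rather than the linear scan used here.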
