xt_802.1X Enable IP / Use Idle-Time / Session limits to limit traffic [netfilter/wired] [COMMIT]
gregory at distrotech.co.za
Sun Apr 8 12:07:28 EDT 2012
Follow up on xtables SESSION driver [Linux]
I have posted some code on my SVN server of a framework that is open for comment and near usable.

The /proc/net/8021x bits will display a list of active sessions written to /dev/8021x. The driver hooks into udev/sysfs and dynamically creates the dev file that hostapd can write sessions to and ultimately query sessions / receive accounting data.

The xtables target for now passes all traffic through; it should be blocking on no session or mismatched IP/MAC pair and record the traffic packet + size for use by userland.

For now the following will work:

echo "XXXXXX" > /dev/8021x /* MAC address; use of abcdef is acceptable */
this will be written with session time/idle time by hostapd
iptables -j SESSION -h

I'm hoping that someone can comment on the usefulness / suitability of this WRT hostapd.

My target application is for a remote branch / road warrior implementation where a small micro Atom system is dropped down as a VPN/DHCP/GW/..... device and will limit / monitor traffic use to authorized devices using 802.1x with hostapd on both wired and wireless. Obviously this adds the session management bits to wired and allows basic functionality offered by mid/high end switches that will not be found in this application.

If I'm not mistaken, hostapd wired DOES NOT currently have accounting hooks, and I plan to implement such using information read from the /dev/8021x interface.
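To make the intended SESSION target semantics concrete, here is an added userland model (not the driver's code, and not part of the original post) of the policy described above: a session table keyed by MAC with a bound IP, an idle-time limit and a session-time limit, a per-packet verdict, and packet/byte counters for accounting. Field names, limit values and the check order are assumptions for illustration.

```python
# Added example: a userland model of the policy the post describes for the
# SESSION target. Sessions are keyed by MAC; a packet passes only if a session
# exists, its bound IP matches, and neither the idle-time nor the session-time
# limit has expired. Passed packets are counted (packets + bytes) so userland
# can read accounting data back. Names and limits are assumptions.
from dataclasses import dataclass


@dataclass
class Session:
    mac: str
    ip: str
    started: float          # session start time (seconds)
    last_seen: float        # time of the last passed packet (seconds)
    session_limit: float    # max session lifetime in seconds
    idle_limit: float       # max gap between packets in seconds
    packets: int = 0
    bytes: int = 0


class SessionTable:
    def __init__(self):
        self.sessions = {}

    def add(self, mac, ip, now, session_limit, idle_limit):
        # "abcdef" and "ABCDEF" name the same address, so normalise case.
        mac = mac.lower()
        self.sessions[mac] = Session(mac, ip, now, now, session_limit, idle_limit)

    def check(self, mac, ip, size, now):
        """Return (verdict, reason); verdict True means pass the packet."""
        s = self.sessions.get(mac.lower())
        if s is None:
            return False, "no session"
        if s.ip != ip:
            return False, "ip/mac mismatch"
        if now - s.started > s.session_limit:
            del self.sessions[s.mac]        # session lifetime exhausted
            return False, "session limit exceeded"
        if now - s.last_seen > s.idle_limit:
            del self.sessions[s.mac]        # client went quiet too long
            return False, "idle limit exceeded"
        s.last_seen = now
        s.packets += 1
        s.bytes += size
        return True, "ok"

    def accounting(self, mac):
        """Counters for an active session as (packets, bytes), or None."""
        s = self.sessions.get(mac.lower())
        return None if s is None else (s.packets, s.bytes)
```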