PSARC/2008/249 - Packet Interception for the MAC layer
James Carlson
james.d.carlson at sun.com
Thu Dec 11 11:45:02 PST 2008
Erik Nordmark writes:
> Zhijun Fu wrote:
> > To do this, we need the L2 firewall to be processed earlier
> > than "layer2" IP firewall (and "layer2" IP NAT), for
> > both INPUT and OUTPUT, as otherwise we don't know whether
> > a "layer2" IP firewall/NAT rule should be processed or not
> > if we do E -> D -> C -> B -> A for output, as the rules
> > can be conditional which depend on the L2 firewall rules,
> > which haven't been processed at that time.
>
> One way to think about this is that what you have as the rule with
> l2-head isn't a traditional firewall rule, but that it instead is a
> classification rule whose result is to tag/label the packet for further
> processing.
> Other rules can then be written which use the tag/label.
Yes. And I think there's probably a more flexible way to do this
using the existing "head" logic in IP filter, and just making the
internal logic smarter when dealing with packets that may have either
L2 or L3 origin.
> In that case clearly the classification has to happen before its use.
>
> But I don't see l2-head and l2-group in the current case, thus to avoid
> confusing the users couldn't we simplify the current description to be
> symmetric?
I think the reason the submitter wants to do this is to retain the
option of doing the same "l2-head" thing as was originally proposed,
just at some later date.
As for the current proposal, I think symmetric is much easier to
understand. It would be really strange to find that (for instance) an
L2 firewall rule precluding sending packets to a particular MAC
destination could be overridden by an L2 IP firewall or IP NAT rule
that rewrites the IP destination, but that the input side blocks the
traffic as expected.
--
James Carlson, Solaris Networking <james.d.carlson at sun.com>
Sun Microsystems / 35 Network Drive 71.232W Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757 42.496N Fax +1 781 442 1677
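The "classification rule tags the packet, later rules use the tag" idea from the thread, as an added toy model that is not code from IP Filter or the PSARC case; the Packet/Rule names, the MAC prefix and the addresses are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    tags: set = field(default_factory=set)

@dataclass
class Rule:
    name: str
    layer: str                      # "l2" (MAC-level) or "l3" (IP-level)
    match: Callable[[Packet], bool] # predicate on the packet
    action: str                     # "tag:<label>", "block" or "pass"
    needs_tag: Optional[str] = None # only evaluated if the packet carries this tag

def apply_rules(pkt: Packet, rules) -> str:
    """Evaluate rules in list order; return the final verdict."""
    for r in rules:
        if r.needs_tag and r.needs_tag not in pkt.tags:
            continue                # tag-dependent rule: nothing to act on yet
        if not r.match(pkt):
            continue
        if r.action.startswith("tag:"):
            pkt.tags.add(r.action[4:])   # classification result, no verdict
        elif r.action == "block":
            return "block"
    return "pass"

# Constructed rules: an L2 classification rule labels frames to a MAC prefix
# as "untrusted"; an L3 rule then blocks labelled packets headed for a subnet.
CLASSIFY = Rule("l2-classify", "l2",
                lambda p: p.dst_mac.startswith("00:11:22"), "tag:untrusted")
L3_BLOCK = Rule("l3-block-untrusted", "l3",
                lambda p: p.dst_ip.startswith("10.0.0."), "block",
                needs_tag="untrusted")

def verdict(order) -> str:
    """Run one constructed packet through the rules in the given order."""
    pkt = Packet("aa:bb:cc:00:00:01", "00:11:22:33:44:55",
                 "192.168.1.5", "10.0.0.9")
    return apply_rules(pkt, order)
```

With classification first the L3 rule sees the tag and blocks; with the order reversed (as on an output path that runs the L3 rules before the L2 ones) the tag-consuming rule finds no tag and the packet passes, which is exactly why the classification has to happen before its use.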