Closed jpereira closed 2 years ago
With ebtables nflog, ebtables-dhcpsnoopingd is only receiving a copy of the DHCP request and has no opportunity to control or alter the DHCP request. So in order to implement this, ebtables would need to drop the packet and depend on dhcpsnoopingd to send out the altered packet instead, which would be quite possible to implement.
So patches would be welcomed.
I think nfqueue needs to be used to receive the packet, alter it and have it accepted. I will look into doing that and be back soon.
I just looked into nfqueue and that seems to be a really good option to use.
My point is: ebtables doesn't have support for nfqueue... It will be necessary to use nfqueue over iptables and enable the kernel option net.bridge.bridge-nf-call-iptables... It could be a feature to implement in the future, when nfqueue support is added.
Jorge Pereira
For documentation: http://www.spinics.net/lists/netfilter/msg53500.html
Looks like some nfqueue work for bridge nftables has been done in the meantime: http://lists.openwall.net/netdev/2016/04/12/102
nfqueue support has not been implemented in this repo yet
Hi @michael-dev,
I would like to know if you know about 'option 82', and what you think about adding support to update/insert the information in the DHCP request. I made something like that using the 'relay concept' [1], but the idea is to do it like Cisco/3Com and other appliances in 'snooping' mode.
[1] https://github.com/Harvie/debian-isc-dhcp/commit/9dfabc00c707eb22850a8b8e5f89d97214a60de0