I am working on an iptables rule to match a range of MAC addresses from within the PREROUTING table; my implementation uses the BPF matching option from iptables-extensions. Here is an example of an expression that should match and drop a MAC address of aa:bb:cc:dd:ee:ff, matching all bytes.

((ether[6:4] & 0xffffffff) = (0xaabbccdd & 0xffffffff)) && ((ether[10:2] & 0xffff) = (0xeeff & 0xffff))

Based on the output of tcpdump -nn, this expression seems to be correct.

When sent through tcpdump -ddd or the nfbpf_compile utility, the resulting bytecode is used to create an iptables rule.

iptables -t raw -A PREROUTING -i br0 -m bpf --bytecode "BYTECODE OUTPUT" -j DROP

My issue is that when this rule is made in the PREROUTING table (which needs to be done), packets are only infrequently dropped; most packets make it through the filter. If the rule is made in the INPUT table, packets seem to be blocked successfully.

Why is this happening?

1 Answer

Turns out you can't use BPF matching for this, at least not from within iptables.

Using BPF matching for the Ethernet header is only possible when using a link type of RAW such as on a TAP device. When using a physical device that only supports EN10MB, the Ethernet header is not included.

If you want to implement this functionality and you need to use iptables, you'll need to create a TAP (or similar) dummy interface that you can see the header info from.
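As an added example (not from the question or the answer), here is a small classic-BPF interpreter that runs the MAC-match program against a constructed frame both with and without its 14-byte Ethernet header, which is the difference the answer describes between a filter that sees the link-layer header and one whose data starts at the network header. The bytecode string is hand-assembled to what `tcpdump -ddd` emits for the expression above once the all-ones masks are dropped; the frame contents and the 00:11:22:33:44:55 destination MAC are assumed sample values.

```python
# Added example: classic-BPF interpreter for the MAC-match program.
# The bytecode is hand-assembled (not captured from tcpdump); the frames are constructed.
import struct

# xt_bpf --bytecode format: "<count>,<code jt jf k>,..."
# ld [6]; jeq #0xaabbccdd; ldh [10]; jeq #0xeeff; ret #262144; ret #0
MAC_MATCH_BYTECODE = ("6,32 0 0 6,21 0 3 2864434397,40 0 0 10,"
                      "21 0 1 61183,6 0 0 262144,6 0 0 0")

def parse_bytecode(text):
    """Parse the xt_bpf string into (code, jt, jf, k) tuples."""
    parts = text.split(",")
    insns = [tuple(int(x) for x in p.split()) for p in parts[1:]]
    if len(insns) != int(parts[0]):
        raise ValueError("instruction count mismatch")
    return insns

def run_bpf(insns, pkt):
    """Run the cBPF subset used here: ld/ldh/ldb [k] absolute, jeq #k, ret #k.
    An out-of-bounds load terminates with 0 (no match), as the kernel does."""
    acc, pc = 0, 0
    while pc < len(insns):
        code, jt, jf, k = insns[pc]
        pc += 1
        if code in (0x20, 0x28, 0x30):           # BPF_LD|BPF_ABS, W/H/B
            width = {0x20: 4, 0x28: 2, 0x30: 1}[code]
            if k + width > len(pkt):
                return 0
            acc = int.from_bytes(pkt[k:k + width], "big")
        elif code == 0x15:                       # BPF_JMP|BPF_JEQ|BPF_K
            pc += jt if acc == k else jf
        elif code == 0x06:                       # BPF_RET|BPF_K
            return k
        else:
            raise ValueError(f"unsupported opcode {code:#x}")
    return 0

def build_frame(src_mac):
    """Constructed frame: dst MAC, src_mac, IPv4 ethertype, 20-byte IPv4 header."""
    eth = bytes.fromhex("001122334455") + src_mac + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0x1234, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip

def matches(frame, strip_ethernet):
    """True if the program matches. strip_ethernet=True feeds the program what
    xt_bpf sees in PREROUTING on an EN10MB device: data starting at the IP header."""
    data = frame[14:] if strip_ethernet else frame
    return run_bpf(parse_bytecode(MAC_MATCH_BYTECODE), data) != 0
```

With the header stripped, `ether[6:4]` actually reads the IPv4 flags/fragment, TTL and protocol bytes, so the comparison against the MAC almost never succeeds, which is consistent with the infrequent drops seen in PREROUTING.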
