Layer 2 filtering for NPF
-------------------------

Rev 0.1

Tasklist:

1. All rules in NPF are added to a ruleset. At this moment, it is assumed that there is only one ruleset and all rules are processed at layer 3. One approach is to support another ruleset for layer 2 (or rather, have the capability to specify the "starting layer").

2. One way to separate L2 and L3 rules could be by marking groups. In NPF, a group is just a rule (i.e. rules can be nested).

3. npfctl: update the parser such that the group would have an option for specifying a layer. See the "group_opts" token in the npf_parse.y file. Also, we may want to add support for "hwaddr " syntax or something similar.

4. npfctl_build_rule() code will need to distinguish groups/rules which were marked as layer 2, i.e. byte-code generation (npfctl_build_code() and the logic in it) needs to know that we are starting from the Ethernet header and not the IP header. Note: it needs to be passed to all nested rules, so basically take the option from the "current group".

5. For a start (i.e. less work to do), you can just add byte-code to parse the Ethernet header and compare the MAC addresses. Just return a "not supported" error for any other filter pattern.

6. libnpf: create a new ruleset for L2 and add all groups (and their nested rules) there. To keep it simpler, we can add an npf_rule_setlayer() function and just handle this separation in libnpf rather than npfctl.

7. libnpf-kernel: currently, the proplib dictionary has only one "ruleset" dict. This needs to be split into "ruleset-l3" and "ruleset-l2". Retrieve and construct a new ruleset in npfctl_reload(); it is simple, but disgusting proplib code. It is just re-using the existing code to handle another ruleset.

8. Kernel: add a new handler in npf_handler.c, e.g. npf_packet_l2handler() or something. Register it in npf_pfil_register() using the Ethernet pfil hook. In the handler, call npf_ruleset_inspect() passing the L2 ruleset.

-- 2014-03-24
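The "starting layer" point of step 4 and the MAC comparison of step 5, as an added C example that is not NPF's own code: a hypothetical l2_rule struct and l2_rule_inspect() function that begin at the Ethernet header, refuse frames too short to hold it, compare source/destination MACs, and report the L3 offset (skipping one 802.1Q tag, which goes beyond the MAC-only step the tasklist describes). The rule and frames at the end are constructed samples, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ETHER_ADDR_LEN 6
#define ETHER_HDR_LEN  14
#define ETHERTYPE_VLAN 0x8100

/* Hypothetical L2 rule: a NULL address means "any" for that field. */
struct l2_rule {
	const uint8_t *dst;	/* destination MAC (6 bytes) or NULL */
	const uint8_t *src;	/* source MAC (6 bytes) or NULL */
};

/*
 * Inspect a buffer that starts at the Ethernet header (starting layer
 * L2, not IP).  Returns -1 if the frame is too short, 0 if the rule does
 * not match, 1 if it matches; on a match *l3off gets the L3 header
 * offset, skipping one 802.1Q tag (an extension beyond MAC-only step 5).
 */
int
l2_rule_inspect(const struct l2_rule *r, const uint8_t *frame, size_t len,
    size_t *l3off)
{
	size_t off = ETHER_HDR_LEN;
	if (len < ETHER_HDR_LEN)
		return -1;	/* never read past the end of a short frame */
	/* Ethernet header: dst[6] src[6] type[2]; type is big-endian. */
	if (r->dst != NULL && memcmp(frame, r->dst, ETHER_ADDR_LEN) != 0)
		return 0;
	if (r->src != NULL && memcmp(frame + 6, r->src, ETHER_ADDR_LEN) != 0)
		return 0;
	uint16_t type = (uint16_t)((frame[12] << 8) | frame[13]);
	if (type == ETHERTYPE_VLAN) {
		if (len < off + 4)
			return -1;	/* tag present but truncated */
		off += 4;	/* 802.1Q tag: TCI[2] + inner type[2] */
	}
	if (l3off != NULL)
		*l3off = off;
	return 1;
}

/* Constructed sample data: the rule matches one source MAC, any destination. */
static const uint8_t sample_src[ETHER_ADDR_LEN] = { 0x02, 0, 0, 0, 0, 0x01 };
const struct l2_rule sample_rule = { NULL, sample_src };
const uint8_t sample_plain[] = { 0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0,0,0,0,0x01, 0x08,0x00, 0x45 };
const uint8_t sample_vlan[]  = { 0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0,0,0,0,0x01, 0x81,0x00, 0x00,0x05, 0x08,0x00, 0x45 };
const uint8_t sample_other[] = { 0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0,0,0,0,0x02, 0x08,0x00, 0x45 };
```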