[Ebtables-devel] --arpreply-mac AUTO and Mac Masquerading
From: <os...@ki...> - 2006-04-08 04:14:52
Stumbled across this super old thread about --arpreply-mac AUTO:
http://article.gmane.org/gmane.linux.network.bridge.ebtables.devel/193/match=auto
I can't seem to find any patch or code anywhere, I guess this feature never was written, or???

Anyway, I have this interesting theory about how you can do some masquerading with MACs. Because it is so easy to spoof packets on a network I want to somehow always know exactly which customer the packets are being generated from. A-D are IPs, A is the gateway and B-D are customers on their own interfaces. The customers B-D also get their own MACs bound to them, let's say 0:0:0:0:0:B, 0:0:0:0:0:C and 0:0:0:0:0:D.

                                  |---- B
    A --(backbone)--| Bridge |---- C
                                  |---- D

When the bridge receives an ARP request it does as explained with the suggested --arpreply-mac AUTO. It checks the bridge fdb for an IP that matches the ARP destination payload. If a record is found on the other side of the bridge it will send an ARP reply back and drop the packet, and if a record was not found it will continue to forward the packet as usual. The target of the ARP request will then receive the packet and answer back as usual with a reply. The reply arrives at the bridge; here we can choose to redirect the reply to the bridge itself (which will install it in the fdb) and then drop the packet (the source IP will send out more ARP requests and the bridge can now answer from the fdb). Or we can copy the packet to the bridge and to the source IP that sent out the request. This should result in the source "knowing" the target's preconfigured MAC, for example 0:0:0:0:0:B. The bridge will know both the source's and the target's real MAC. The target will know the real MAC of the source.

Since we want IP traffic to also be MAC masqueraded we need 2 more things on the bridge. First we need to set up the bridge to send out ARP replies for the preconfigured MACs. And second, we need to snat all the traffic from the customers with their preconfigured MAC. This I solved by marking the packets in iptables mangle PREROUTING and then matching in ebtables POSTROUTING.

So in conclusion, the only thing that needs to be done for this whole thing to work is to make the --arpreply-mac AUTO check the bridge fdb for an entry. I read about some timer issues in the old thread, but is that really necessary? Doesn't the bridge fdb take care of all that? I appreciate thoughts and ideas about all this :)

/Oscar N
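The two bridge-side pieces Oscar describes (static ARP replies for the preconfigured MACs, and mark-in-iptables / snat-in-ebtables), as an added example that is not part of the post; interface names, addresses, MACs and mark values are constructed assumptions, and the fdb-driven AUTO lookup itself is not implemented here since it does not exist in ebtables.

```shell
#!/bin/sh
# Added example: bridge-side rules for one customer port, following the scheme
# in the post. Interface names, IPs, MACs and marks are constructed assumptions.
# Prints the rules by default; run as root with DRYRUN=0 to apply them.
# Requires bridge-nf so iptables sees bridged frames:
#   echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables
DRYRUN=${DRYRUN:-1}

run() {
    if [ "$DRYRUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# customer_rules IFACE IP PRECONFIGURED_MAC MARK
customer_rules() {
    iface=$1; ip=$2; mac=$3; mark=$4
    # 1. Answer ARP requests for the customer's IP that arrive on any other
    #    port with the preconfigured MAC, dropping the request (static stand-in
    #    for the proposed --arpreply-mac AUTO fdb lookup; arpreply is only
    #    valid in the nat PREROUTING chain). Requests on the customer's own
    #    port (e.g. duplicate-address probes) are left alone.
    run ebtables -t nat -A PREROUTING -i ! "$iface" -p ARP \
        --arp-opcode Request --arp-ip-dst "$ip" \
        -j arpreply --arpreply-mac "$mac"
    # 2. Mark every frame entering on the customer's bridge port. The physdev
    #    match names the port, since -i sees the bridge device for bridged
    #    traffic; the mark lives in skb->mark and is visible to ebtables later.
    run iptables -t mangle -A PREROUTING -m physdev --physdev-in "$iface" \
        -j MARK --set-mark "$mark"
    # 3. Rewrite the source MAC of marked frames to the preconfigured MAC.
    run ebtables -t nat -A POSTROUTING --mark "$mark" \
        -j snat --to-source "$mac" --snat-target ACCEPT
}

# Assumed topology: eth0 = backbone (A), eth1..eth3 = customers B, C, D on br0.
customer_rules eth1 192.0.2.2 00:00:00:00:00:0b 0xb
customer_rules eth2 192.0.2.3 00:00:00:00:00:0c 0xc
customer_rules eth3 192.0.2.4 00:00:00:00:00:0d 0xd
```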