Ethernet support for pf
Work is ongoing to add basic support for Ethernet filtering to pf.
This will allow layer 2 addresses to be used to tag packets for subsequent filtering or shaping in the existing pf code. The layer 2 code is strictly stateless.
The intended use case for this is to improve pf’s capabilities in captive portal setups (i.e. allow/deny internet access based on client MAC addresses).
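The captive-portal pattern the report describes, as an added example (not part of the status report and not the project's own configuration): layer 2 rules identify clients by MAC address and only tag the frame, and the existing layer 3 rules decide what a tagged versus untagged client may reach. The `ether` rule syntax is that documented in FreeBSD's pf.conf(5) for later releases and is an assumption here; the interface name, MAC addresses and subnets are constructed sample values.

```pf
# Added example; ether rule syntax assumed from FreeBSD pf.conf(5),
# interface, MAC addresses and addresses are constructed.

int_if    = "igb1"
portal_ip = "192.0.2.1"
table <clients> { 192.0.2.0/24 }   # subnet handed out to portal clients

# Layer 2, strictly stateless: a client that has completed the portal
# is recognised by its MAC address and the frame is tagged.  Nothing is
# blocked at this layer; the decision is left to the layer 3 rules.
ether pass in on $int_if from 02:00:00:00:00:10 tag "portal_ok"
ether pass in on $int_if from 02:00:00:00:00:11 tag "portal_ok"

# Layer 3: an untagged client may only reach the portal itself,
# a tagged client gets normal, stateful access.
block in on $int_if
pass in on $int_if proto tcp from <clients> to $portal_ip port { 80 443 }
pass in on $int_if tagged "portal_ok" keep state
```

Because the layer 2 rules keep no state, the tag is evaluated on every inbound frame; state is only created by the layer 3 `pass ... tagged ... keep state` rule, so reply traffic is handled by the existing state table exactly as for any other pf rule. Removing a client from the portal is then a matter of dropping its `ether pass` line and reloading the ruleset.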
TODO:
- (optional) anchor support
- move nvlist interface code into libpfctl
- audit nvlist code for bugs (several bugs were found in the recent nvlist alternatives to existing ioctl calls)
- (optional) VLAN ID filtering
- (optional) MAC address table support
While this work is incomplete, feedback on architecture and functionality is welcomed.
Sponsor: Rubicon Communications, LLC ("Netgate")
Last modified on: September 19, 2021 by Brad Davis