tcpdump mailing list archives

New DLT needed for PPP active/passive filtering


From: Karsten Keil <kkeil () suse de>
Date: Tue, 17 Aug 2004 12:53:54 +0200

Hi,

Between libpcap version 0.7 and 0.8 the DLT_PPP was cleaned up to no longer
support the faked IN/OUT flag which was needed to compile filter rules
for the PPP active/passive filtering.
The cleanup is OK, since native PPP frames do not have any IN/OUT flag,
so for traffic analysers it is confusing to have a faked first byte.

But for active/passive filtering, which is needed to determine for dial on
demand which packets are allowed to create a new connection or which packets
hold the current connection open, it is a strong demand to distinguish between
own (OUT) and incoming traffic (which may contain unwanted packets, like
port scans or packets from old lost connections (dynamic IPs may be
reassigned)).

So I was told some months ago to use cooked mode with DLT_LINUX_SLL, which
uses a faked 16 byte ethernet header instead of the 4 byte PPP header.
I implemented a solution based on this, but it has big disadvantages:

- it creates binary incompatible filters; it needs new core routines for
  active/passive filtering (which replace the 4 byte header with a 16 byte
  header)
- waste of resources; the packet handler must extend the headspace from 4 to
  16 bytes only for executing the filter

Because of the incompatibility this solution was rejected by the PPP
maintainers and I think they are right.

A solution may be to create a new DLT_PPP_INOUT (better names welcome),
which takes the first PPP byte, which is not needed for filtering, as the
IN/OUT flag (same behavior as libpcap 0.7 DLT_PPP had).
This solution is backward compatible and needs no changes in the PPP core
routines. Old ppp binaries (libpcap 0.7 based) will still work.
The main DLT_PPP for traffic analyser stuff will remain clean and not
get confused by this extra stuff.

So I need a DLT number assigned for this new DLT_PPP_INOUT.

-- 
Karsten Keil
ISDN development
-
This is the tcpdump-workers list.
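
The scheme proposed in the message above, as an added example that is not part of the original post and is not libpcap, pppd or kernel code: the first byte of the 4 byte PPP header is overwritten with a direction flag, and a small filter program reads it at offset 0 to decide whether a packet counts as active traffic. The flag values (0 = IN, 1 = OUT), the reduced instruction set and all names are assumptions made for the example.

```c
#include <stdint.h>
#include <string.h>
/* Assumed flag values; the post does not state them. */
enum { DIR_IN = 0, DIR_OUT = 1 };
/* Reduced instruction set modelled on classic BPF (hypothetical names). */
enum op { LD_B, LD_H, JEQ, RET };
struct insn { enum op op; uint8_t jt, jf; uint32_t k; };

/* Constructed sample frames: address, control, protocol (2 bytes), payload. */
static const uint8_t sample_ip[]  = { 0xff, 0x03, 0x00, 0x21, 0x45, 0x00, 0x00, 0x14 };
static const uint8_t sample_lcp[] = { 0xff, 0x03, 0xc0, 0x21, 0x01, 0x01, 0x00, 0x04 };

/* Run the program over one frame; an out-of-bounds load rejects the packet. */
static uint32_t run_filter(const struct insn *p, size_t n, const uint8_t *f, size_t len)
{
    uint32_t a = 0;
    for (size_t pc = 0; pc < n; pc++) {
        switch (p[pc].op) {
        case LD_B: if (p[pc].k >= len) return 0; a = f[p[pc].k]; break;
        case LD_H: if (p[pc].k + 2 > len) return 0;
                   a = (uint32_t)f[p[pc].k] << 8 | f[p[pc].k + 1]; break;
        case JEQ:  pc += (a == p[pc].k) ? p[pc].jt : p[pc].jf; break;
        case RET:  return p[pc].k;
        }
    }
    return 0; /* fell off the end: reject */
}

/* Active filter: only our own (OUT) IP packets may bring the link up. */
static const struct insn active_filter[] = {
    { LD_B, 0, 0, 0 },        /* A = direction flag at offset 0 */
    { JEQ,  0, 3, DIR_OUT },  /* not outbound: jump to reject   */
    { LD_H, 0, 0, 2 },        /* A = PPP protocol at offset 2   */
    { JEQ,  0, 1, 0x0021 },   /* not IP: jump to reject         */
    { RET,  0, 0, 1 },        /* accept                         */
    { RET,  0, 0, 0 },        /* reject                         */
};

/* Returns 1 if the frame, seen in direction dir, counts as active traffic. */
static int is_active(const uint8_t *wire, size_t len, int dir)
{
    uint8_t buf[64];
    if (len < 4 || len > sizeof buf) return 0;
    memcpy(buf, wire, len);
    buf[0] = (uint8_t)dir; /* replace the address byte with the IN/OUT flag */
    return (int)run_filter(active_filter, sizeof active_filter / sizeof *active_filter, buf, len);
}

int main(void) { return !(is_active(sample_ip, sizeof sample_ip, DIR_OUT) && !is_active(sample_ip, sizeof sample_ip, DIR_IN)); }
```

The header stays 4 bytes long, so the offsets the filter uses for the protocol field are the same as for a plain PPP frame.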