I was planning on cleaning up some hardcoded values so I could push it to some git service, but haven't gotten around to it. However, I'm not above a code dump. My IP is hard coded, but then again, I'm going to link you to my website hosted on that IP, so it is what it is. :)

http://ruka.org/~toast/steal/ (note the README which is going to tell you much of the same thing below in different words)

Here's the scoop. This is a FreeBSD program which opens up netgraph sockets against two physical ethernet interfaces and one virtual one. The physical interfaces are a) one connected to the ONT, b) one connected to the WAN port on the Residential GateWay. The virtual interface (ngeth0) is the one that you configure as your internet connection for FreeBSD (These interfaces are hardcoded in init_netgraph in steal_util.c; sorry!)

Every time a packet comes in from the ONT, RGW, or FreeBSD, there's a decision for what to do with the packet. Mostly the RGW and FreeBSD packets go to the ONT, but through the libalias NAT engine for connection tracking. Packets inbound from the ONT are checked in the NAT tables to see where they should go... if there's no clear place to send it, then it goes to FreeBSD. That's mostly in steal_util:loop. I haven't figured out how to set up the virtual interface in the program, so see the bottom of README for how I do that.

steal2.c is a little bit insane, it's basically setting up hot code loading. It's annoying to restart the daemon because the NAT tables are dropped, and I do a lot of Erlang work in my day job, so I really wanted to be able to hotload some things with this. So it uses dlopen and dlfunc to load steal_util.so and calls the init and loop functions. If init fails on a reload, it continues to use the old loop. There's some provision for updating the state data structure in a safe way.

Theoretically, this might work in Linux too, I think netgraph got ported there a couple of times, but I don't know if libalias did. Anyway, the main ideas could certainly be ported into whatever tool is available; namely: proxy 802.1x to the RGW, drop EAPOL logoff packets; oversend ARP packets, spoof mac address of the RGW, make pcaps of packets you don't know how to handle, etc. :)

Also of note: the ONT/RGW send packets with VLAN 0, FreeBSD strips this when reading packets via netgraph, and I haven't found a way to send packets with VLAN 0, which hasn't been a problem (yet?). If it becomes a problem, I suspect I'd need to switch to the packet apis that tcpdump uses (BPF), I think there may be a sending interface there too. And I'm also sadly moving out of AT&T fiber's reach this summer, so at that point, I won't be able to test anything else.
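As an added illustration of the per-frame policy the post describes (this is not the poster's code from ruka.org, and it does not use netgraph or libalias), the function below takes a raw Ethernet frame plus the port it arrived on and returns a verdict: EAPOL from the ONT is proxied to the RGW, EAPOL from the RGW goes back to the ONT, EAPOL-Logoff is dropped so the session stays authenticated, everything else is routed through NAT with the RGW's MAC as the source, and a VLAN 0 priority tag is stripped on the way through. The port names, MAC addresses and sample frames are constructed for the example; the NAT engine itself is out of scope and represented only by the verdict.

```c
/* Added example, not the poster's code: the per-frame policy of a
 * transparent 802.1x bypass bridge, written from the rules in the post
 * (proxy EAPOL between ONT and RGW, drop EAPOL-Logoff, present the RGW's
 * MAC to the ONT, strip the VLAN 0 priority tag). NAT state and netgraph
 * I/O are out of scope; dispatch() only returns a verdict and a frame
 * ready to transmit. All MACs and frames below are constructed, not captured. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETHERTYPE_VLAN    0x8100
#define ETHERTYPE_IP      0x0800
#define ETHERTYPE_EAPOL   0x888E
#define EAPOL_TYPE_START  1
#define EAPOL_TYPE_LOGOFF 2

enum port    { PORT_ONT, PORT_RGW, PORT_HOST };
enum verdict {
    V_DROP,         /* discard: runt frame, EAPOL-Logoff, EAPOL from the host */
    V_TO_RGW,       /* EAPOL from the ONT: hand to the RGW's WAN port */
    V_TO_ONT_RAW,   /* EAPOL from the RGW: hand to the ONT, no NAT */
    V_TO_ONT_NAT,   /* data from RGW or host: outbound NAT, then to the ONT */
    V_FROM_ONT_NAT  /* data from the ONT: NAT lookup, default to the host */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Offset of the ethertype field, skipping one 802.1Q tag; -1 on a runt frame. */
static int eth_type_offset(const uint8_t *f, size_t n)
{
    if (n < 14) return -1;
    if (be16(f + 12) != ETHERTYPE_VLAN) return 12;
    return n < 18 ? -1 : 16;
}

/* Copy f to out, removing an 802.1Q tag whose VID is 0 (the priority tag the
 * ONT and RGW send). Tags with other VIDs are left alone. Returns new length. */
size_t strip_vlan0(const uint8_t *f, size_t n, uint8_t *out)
{
    if (n >= 18 && be16(f + 12) == ETHERTYPE_VLAN && (be16(f + 14) & 0x0fff) == 0) {
        memcpy(out, f, 12);
        memcpy(out + 12, f + 16, n - 16);
        return n - 4;
    }
    memcpy(out, f, n);
    return n;
}

/* Classify one frame received on port `in`. On any forwarding verdict, out and
 * *outlen hold the frame to send; frames headed for the ONT carry src = rgw_mac. */
enum verdict dispatch(enum port in, const uint8_t *f, size_t n,
                      const uint8_t rgw_mac[6], uint8_t *out, size_t *outlen)
{
    int off = eth_type_offset(f, n);
    if (off < 0) return V_DROP;

    if (be16(f + off) == ETHERTYPE_EAPOL) {
        /* EAPOL header after the ethertype: version(1) type(1) length(2) */
        if (n < (size_t)off + 2 + 4) return V_DROP;
        uint8_t type = f[off + 3];
        if (type == EAPOL_TYPE_LOGOFF) return V_DROP;  /* never let the RGW log off */
        if (in == PORT_HOST) return V_DROP;            /* the host is not a supplicant */
        *outlen = strip_vlan0(f, n, out);
        if (in == PORT_ONT) return V_TO_RGW;
        memcpy(out + 6, rgw_mac, 6);
        return V_TO_ONT_RAW;
    }

    *outlen = strip_vlan0(f, n, out);
    if (in == PORT_ONT) return V_FROM_ONT_NAT;
    memcpy(out + 6, rgw_mac, 6);  /* the ONT must only ever see the RGW's MAC */
    return V_TO_ONT_NAT;
}

/* Build a constructed test frame into buf; returns its length. */
size_t build_frame(uint8_t *buf, const uint8_t dst[6], const uint8_t src[6],
                   int vlan0_tag, uint16_t etype, const uint8_t *payload, size_t plen)
{
    size_t n = 0;
    memcpy(buf + n, dst, 6); n += 6;
    memcpy(buf + n, src, 6); n += 6;
    if (vlan0_tag) { buf[n++] = 0x81; buf[n++] = 0x00; buf[n++] = 0x00; buf[n++] = 0x00; }
    buf[n++] = (uint8_t)(etype >> 8); buf[n++] = (uint8_t)etype;
    memcpy(buf + n, payload, plen); n += plen;
    return n;
}

/* Constructed addresses: 802.1X PAE group MAC plus locally administered unicasts. */
static const uint8_t PAE_GROUP[6] = {0x01,0x80,0xc2,0x00,0x00,0x03};
static const uint8_t ONT_MAC[6]   = {0x02,0x00,0x00,0x00,0x00,0x01};
static const uint8_t RGW_MAC[6]   = {0x02,0x00,0x00,0x00,0x00,0x02};
static const uint8_t HOST_MAC[6]  = {0x02,0x00,0x00,0x00,0x00,0x03};
static const char *VNAME[] = {"DROP","TO_RGW","TO_ONT_RAW","TO_ONT_NAT","FROM_ONT_NAT"};

int main(void)
{
    uint8_t in[64], out[64]; size_t n, m = 0;
    const uint8_t logoff[4] = {0x01, EAPOL_TYPE_LOGOFF, 0x00, 0x00};
    const uint8_t start[4]  = {0x01, EAPOL_TYPE_START,  0x00, 0x00};
    const uint8_t ip_stub[20] = {0x45};

    n = build_frame(in, PAE_GROUP, RGW_MAC, 1, ETHERTYPE_EAPOL, logoff, 4);
    printf("RGW EAPOL-Logoff   -> %s\n", VNAME[dispatch(PORT_RGW, in, n, RGW_MAC, out, &m)]);
    n = build_frame(in, PAE_GROUP, ONT_MAC, 1, ETHERTYPE_EAPOL, start, 4);
    printf("ONT EAPOL (tagged) -> %s, %zu -> %zu bytes\n",
           VNAME[dispatch(PORT_ONT, in, n, RGW_MAC, out, &m)], n, m);
    n = build_frame(in, ONT_MAC, HOST_MAC, 0, ETHERTYPE_IP, ip_stub, 20);
    printf("host IPv4          -> %s, src now %02x:..:%02x\n",
           VNAME[dispatch(PORT_HOST, in, n, RGW_MAC, out, &m)], out[6], out[11]);
    return 0;
}
```

The verdict is deliberately separate from the I/O: in the poster's design the same decision sits in steal_util:loop between netgraph reads and libalias, and keeping the policy in a pure function like this is what makes it hot-reloadable without losing the NAT state held elsewhere. Note that the Logoff check runs before the port check, so a Logoff is dropped no matter which side sends it.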
