Re: [OpenWrt-Devel] hostapd and Linux bridges

21/01/2020 20:22, Daniel Golle:
> On Tue, Jan 21, 2020 at 07:40:42PM +0100, Bjørn Mork wrote:
>> Daniel Golle <daniel@xxxxxxxxxxxxxx> writes:
>>
>>> On proprietary APs it looks like port isolation is enabled or disabled
>>> globally in Linux' bridge code using sysctl or other methods, an
>>> approach which is unlikely to get accepted into the Kernel, also given
>>> that the netlink interface already exists and allows doing the same
>>> thing in a more granular fashion.
>>
>> Huh?
>>
>> Won't this sysfs attribute set the same flag IFLA_BRPORT_ISOLATED sets?
>>
>>
>> root@wrt1900ac-1:~# grep . /sys/class/net/br-lan/brif/*/isolated
>> /sys/class/net/br-lan/brif/eth0.7/isolated:0
>> /sys/class/net/br-lan/brif/wlan0/isolated:0
>> /sys/class/net/br-lan/brif/wlan1/isolated:0
>
> Looks like that's the thing I may have missed ;)
> Yet we do need a way to set this to '1' once hostapd adds the AP
> interface to the bridge. I'm not sure whether setting this via
> sysfs is actually more simple than using netlink given that some
> general purpose netlink code is already part of hostap.
> In the end, either approach would be fine with me and I would
> implement whatever is more likely to be merged into hostap.git.

netifd is able to set bridge client isolation via sysfs since commit c06f84238952211b35c2940a82fcce3fcc3221c1.

/etc/config/wireless as expected:

config wifi-iface
	option device 'radio1'
	option ifname 'wlan_guest_leg'
	option network 'guest'
	option isolate '1'

config wifi-iface
	option device 'radio0'
	option ifname 'wlan_guest'
	option network 'guest'
	option isolate '1'

The isolation option in /etc/config/network does the trick:

config interface 'guest'
	option type 'bridge'
	option proto 'static'

config device 'wlan_guest'
	option isolate '1'

config device 'wlan_guest_leg'
	option isolate '1'


Of course, bridge client isolation isn't limited to wireless interfaces.

I'm not yet sure whether you are looking for something like that or an automatic bridge client isolation as soon as wireless client isolation is enabled.

Albeit something automatic would be nice, there might be a use case where you want to have wireless client isolation but no bridge client isolation.

Mathias

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
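
Added example, not part of the thread: a POSIX sh check that reads the per-port `isolated` sysfs attribute shown in the message above and confirms that the guest ports from the quoted configuration are bridge members with the flag set. The bridge name `br-guest`, the function `check_isolated` and the `SYSFS_NET` override are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the thread): verify bridge port isolation via sysfs.
# SYSFS_NET is a hypothetical override so the check can run against a
# constructed directory tree instead of the live /sys.
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

# check_isolated BRIDGE PORT...
# Prints one "port:state" line per PORT and returns non-zero unless every
# PORT is a member of BRIDGE with its isolated flag set to 1.
check_isolated() {
    ci_brif="$SYSFS_NET/$1/brif"
    shift
    ci_rc=0
    for ci_port in "$@"; do
        ci_flag="$ci_brif/$ci_port/isolated"
        if [ ! -e "$ci_brif/$ci_port" ]; then
            ci_state="not-in-bridge"      # port was never added to the bridge
        elif [ ! -r "$ci_flag" ]; then
            ci_state="no-isolated-attr"   # kernel lacks the per-port flag
        elif [ "$(cat "$ci_flag")" = "1" ]; then
            ci_state="isolated"
        else
            ci_state="NOT-isolated"
        fi
        echo "$ci_port:$ci_state"
        [ "$ci_state" = "isolated" ] || ci_rc=1
    done
    return "$ci_rc"
}

# Usage on the router, assuming the 'guest' bridge is named br-guest:
#   sh check_isolated.sh br-guest wlan_guest wlan_guest_leg
if [ "$#" -gt 0 ]; then
    check_isolated "$@"
fi
```

Only the ports that are meant to be isolated are passed in; the kernel flag blocks traffic between isolated ports only, so an uplink port on the same bridge is normally left at 0.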



