[PATCH 00/13] Tagged VLAN and per_sta_vif support
Jouni Malinen
j at w1.fi
Sun Dec 6 01:54:31 PST 2015
On Sun, Nov 01, 2015 at 05:10:01PM +0100, Michael Braun wrote:
> This series introduces to hostapd:
> * tagged VLAN support (RADIUS EGRESS_VLAN)
> * per station AP_VLAN interface option
> * RADIUS EGRESS_VLAN attribute support also for untagged VLANs
Thanks. Could you please rebase this on top of the current master
branch? There were some changes in src/ap/ieee802_11_auth.c a week or so
before you sent this set and it conflicts with the first patch.
Please also add the copyright/license header to any new source code file
that gets added.
> Why per station AP_VLAN interface option?
> It brings
> * per station group key for security
> * enables reuse of bridge IGMP/MLD snooping when doing multicast to unicast
> conversion in kernel for all traffic.
> non-upstream patch for mac80211: [1]
Could you please clarify what happens if that non-upstream patch is not
there? Would it be possible to first submit only the hostapd changes
that do not depend on any non-upstream patch?
> radius: add tagged vlan parsing
> radius: add EGRESS_VLANID to radius name attribute dumper
It would make sense to merge these into a single patch. The second one
looks like something was forgotten from the first one..
PS.
It would be nice to get this set on the mailing list so that others who
might be interested in reviewing it would get a chance to do so. I'm
including the full cover letter of the set below for reference:
This series introduces to hostapd:
* tagged VLAN support (RADIUS EGRESS_VLAN)
* per station AP_VLAN interface option
* RADIUS EGRESS_VLAN attribute support also for untagged VLANs
Why per station AP_VLAN interface option?
It brings
* per station group key for security
* enables reuse of bridge IGMP/MLD snooping when doing multicast to unicast
conversion in kernel for all traffic.
non-upstream patch for mac80211: [1]
* finer inter station traffic filtering using ebtables
(traffic forwarded by an AP between stations connected locally)
Actually, this change is really small when on top of tagged vlan support.
How does this approach differ from the previous ones?
* struct hostapd_vlan gets defined to be per AP_VLAN, as it is already.
* int vlan_id points to a valid struct hostapd_vlan, as it is already.
* Uplink configuration becomes a fixed size struct vlan_description that is
independent from int vlan_id. This means no extra reference counting is
needed, but there is a compile-limit for the maximum number of tagged vlans
that can be applied to a single station.
So multiple struct hostapd_vlan within a single BSS can share an uplink
configuration (before they this could only happen within different BSS).
* Uplink configuration is
1. read from RADIUS or file
2. copied to struct sta_info (when int vlan_id is set),
3. copied to struct hostapd_vlan
4. and then applied.
So all other places can stick with int vlan_id.
* When neither tagged vlan nor per station AP_VLAN interface is used,
int vlan_id will continue to be equal the untagged vlan id requested.
Stations with tagged vlans or per station AP_VLAN will have vlan_id > 4096.
This change also enables easy addition of other uplink configuration options as
they only need a config parser (for example in RADIUS), a member in struct
vlan_description and code that applies this settings to the AP_VLAN interface.
Example: add per station tagged_interface settings configured from RADIUS.
Regards,
M. Braun
[1] http://git.fem.tu-ilmenau.de/?p=fem-wlan.git;a=blob;f=package/kernel/mac80211/patches/984-multicast-as-unicast.patch;h=98690557779ca6127281e878528cbdf2c8d5194d;hb=refs/heads/femwlan_stage2.kernel3.18.11
Michael Braun (13):
Separate station grouping and uplink configuration
add per-sta vif option
radius: add tagged vlan parsing
vlan: factor out per-vid code in newlink/dellink
vlan: actually add tagged vlans to vif
test: verify test_ap_vlan_iface_cleanup_multibss with per_sta_vif
test: test sta assigned to vif under per_sta_vif
test: test untagged vlan id with EGRESS_VLANID radius attribute
radius: add EGRESS_VLANID to radius name attribute dumper
wpa_supplicant: parse ifname argument from DATA_TEST_CONFIG
test: verify tagged-only connectivity
test: verify connectivity with untagged/tagged mixed configuration
test: verify correct vlan after rsn pre-authentication
hostapd/config_file.c | 8 +-
hostapd/ctrl_iface.c | 10 +-
hostapd/hostapd.conf | 3 +
src/ap/ap_config.c | 19 +-
src/ap/ap_config.h | 10 +-
src/ap/ieee802_11.c | 30 +--
src/ap/ieee802_11_auth.c | 28 ++-
src/ap/ieee802_11_auth.h | 3 +-
src/ap/ieee802_1x.c | 58 +++--
src/ap/pmksa_cache_auth.c | 7 +-
src/ap/pmksa_cache_auth.h | 2 +-
src/ap/sta_info.c | 161 +++++++++++---
src/ap/sta_info.h | 8 +-
src/ap/vlan.h | 12 ++
src/ap/vlan_init.c | 308 +++++++++++++++++----------
src/ap/vlan_init.h | 11 +-
src/radius/radius.c | 55 ++++-
src/radius/radius.h | 4 +-
tests/hwsim/auth_serv/eap_user.conf | 12 ++
tests/hwsim/multi-bss-iface-per_sta_vif.conf | 43 ++++
tests/hwsim/test_ap_vlan.py | 91 +++++++-
tests/hwsim/test_pmksa_cache.py | 7 +
wpa_supplicant/ctrl_iface.c | 10 +-
wpa_supplicant/tests/link_test.c | 3 +-
24 files changed, 688 insertions(+), 215 deletions(-)
create mode 100644 src/ap/vlan.h
create mode 100644 tests/hwsim/multi-bss-iface-per_sta_vif.conf
--
2.1.4
--
Jouni Malinen PGP id EFC895FA
More information about the Hostap
mailing list