[PATCHv2 05/12] vlan: add per-sta vif option
Michael Braun
michael-dev at fami-braun.de
Sun Dec 6 12:47:36 PST 2015
This allows the stations to be assigned to their own vif.
It does not need dynamic_vlan to be set.
Makes hostapd call ap_sta_set_vlan even if !vlan_desc.notempty,
so vlan_id can be assigned regardless.
Signed-off-by: Michael Braun <michael-dev at fami-braun.de>
--
v2: move on top of tagged vlan support
---
hostapd/config_file.c | 2 ++
hostapd/hostapd.conf | 8 ++++++++
src/ap/ap_config.h | 1 +
src/ap/ieee802_11.c | 30 +++++++++++++++---------------
src/ap/sta_info.c | 29 +++++++++++++++++++++++++++--
src/ap/vlan_init.c | 25 +++++++++++++++++++------
6 files changed, 72 insertions(+), 23 deletions(-)
diff --git a/hostapd/config_file.c b/hostapd/config_file.c
index 2887a16..0e842b8 100644
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@@ -2765,6 +2765,8 @@ static int hostapd_config_fill(struct hostapd_config *conf,
#ifndef CONFIG_NO_VLAN
} else if (os_strcmp(buf, "dynamic_vlan") == 0) {
bss->ssid.dynamic_vlan = atoi(pos);
+ } else if (os_strcmp(buf, "per_sta_vif") == 0) {
+ bss->ssid.per_sta_vif = atoi(pos);
} else if (os_strcmp(buf, "vlan_file") == 0) {
if (hostapd_config_read_vlan_file(bss, pos)) {
wpa_printf(MSG_ERROR, "Line %d: failed to read VLAN file '%s'",
diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf
index 4f51140..65c223b 100644
--- a/hostapd/hostapd.conf
+++ b/hostapd/hostapd.conf
@@ -969,6 +969,14 @@ own_ip_addr=127.0.0.1
# 2 = required; reject authentication if RADIUS server does not include VLAN ID
#dynamic_vlan=0
+# Per-Station AP_VLAN interface mode
+# If enabled each station is assigned its own AP_VLAN interface.
+# This implies per-station group keying and ebtables filtering of inter-STA
+# traffic (when passed through the AP).
+# 0 = disabled (default)
+# 1 = enabled
+#per_sta_vif=0
+
# VLAN interface list for dynamic VLAN mode is read from a separate text file.
# This list is used to map VLAN ID from the RADIUS server to a network
# interface. Each station is bound to one interface in the same way as with
diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h
index ec6a026..574e74a 100644
--- a/src/ap/ap_config.h
+++ b/src/ap/ap_config.h
@@ -104,6 +104,7 @@ struct hostapd_ssid {
#define DYNAMIC_VLAN_NAMING_WITH_DEVICE 1
#define DYNAMIC_VLAN_NAMING_END 2
int vlan_naming;
+ int per_sta_vif;
#ifdef CONFIG_FULL_DYNAMIC_VLAN
char *vlan_tagged_interface;
#endif /* CONFIG_FULL_DYNAMIC_VLAN */
diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index 1d30abb..f24eed8 100644
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -1097,23 +1097,23 @@ static void handle_auth(struct hostapd_data *hapd,
sta->last_seq_ctrl = seq_ctrl;
sta->last_subtype = WLAN_FC_STYPE_AUTH;
- if (vlan_id.notempty) {
- if (!hostapd_vlan_id_valid(hapd->conf->vlan, vlan_id)) {
- hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_RADIUS,
- HOSTAPD_LEVEL_INFO, "Invalid VLAN "
- "%d%s received from RADIUS server",
- vlan_id.untagged,
- vlan_id.tagged[0] ? "+" : "");
- resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
- goto fail;
- }
- if (ap_sta_set_vlan(hapd, sta, vlan_id) < 0) {
- resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
- goto fail;
- }
+ if (vlan_id.notempty &&
+ !hostapd_vlan_id_valid(hapd->conf->vlan, vlan_id)) {
hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_RADIUS,
- HOSTAPD_LEVEL_INFO, "VLAN ID %d", sta->vlan_id);
+ HOSTAPD_LEVEL_INFO, "Invalid VLAN "
+ "%d%s received from RADIUS server",
+ vlan_id.untagged,
+ vlan_id.tagged[0] ? "+" : "");
+ resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
+ goto fail;
}
+ if (ap_sta_set_vlan(hapd, sta, vlan_id) < 0) {
+ resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
+ goto fail;
+ }
+ if (sta->vlan_id)
+ hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_RADIUS,
+ HOSTAPD_LEVEL_INFO, "VLAN ID %d", sta->vlan_id);
hostapd_free_psk_list(sta->psk);
if (hapd->conf->wpa_psk_radius != PSK_RADIUS_IGNORED) {
diff --git a/src/ap/sta_info.c b/src/ap/sta_info.c
index 342b6ab..51b41e1 100644
--- a/src/ap/sta_info.c
+++ b/src/ap/sta_info.c
@@ -820,11 +820,36 @@ int ap_sta_set_vlan(struct hostapd_data *hapd, struct sta_info *sta,
os_memset(&vlan_desc, 0, sizeof(vlan_desc));
/* check if there is something to do */
- if (!os_memcmp(&vlan_desc, &sta->vlan_desc, sizeof(vlan_desc)))
+ if (hapd->conf->ssid.per_sta_vif && !sta->vlan_id) {
+ /* this sta is lacking its own vif */
+ } else if (hapd->conf->ssid.dynamic_vlan == DYNAMIC_VLAN_DISABLED &&
+ !hapd->conf->ssid.per_sta_vif && sta->vlan_id) {
+ /* sta->vlan_id needs to be reset */
+ } else if (!os_memcmp(&vlan_desc, &sta->vlan_desc, sizeof(vlan_desc)))
return 0; /* nothing to change */
/* now the real vlan changed or the sta just needs its own vif */
- if (vlan_desc.notempty) {
+ if (hapd->conf->ssid.per_sta_vif) {
+ /* assign a new vif, always */
+ /* find a free vlan_id sufficiently big */
+ vlan_id = ap_sta_get_free_vlan_id(hapd);
+ /* get wildcard vlan */
+ vlan = hapd->conf->vlan;
+ while (vlan) {
+ if (vlan->vlan_id == VLAN_ID_WILDCARD)
+ break;
+ vlan = vlan->next;
+ }
+ if (!vlan) {
+ hostapd_logger(hapd, sta->addr,
+ HOSTAPD_MODULE_IEEE80211,
+ HOSTAPD_LEVEL_DEBUG, "per_sta_vif "
+ "missing wildcard ");
+ vlan_id = 0;
+ ret = -1;
+ goto done;
+ }
+ } else if (vlan_desc.notempty) {
vlan = hapd->conf->vlan;
while (vlan) {
if (!os_memcmp(&vlan->vlan_desc, &vlan_desc,
diff --git a/src/ap/vlan_init.c b/src/ap/vlan_init.c
index 85260d6..5307e9e 100644
--- a/src/ap/vlan_init.c
+++ b/src/ap/vlan_init.c
@@ -683,7 +683,7 @@ static void vlan_newlink(char *ifname, struct hostapd_data *hapd)
{
char br_name[IFNAMSIZ];
struct hostapd_vlan *vlan;
- int untagged, *tagged, i;
+ int untagged, *tagged, i, notempty;
wpa_printf(MSG_DEBUG, "VLAN: vlan_newlink(%s)", ifname);
@@ -695,10 +695,17 @@ static void vlan_newlink(char *ifname, struct hostapd_data *hapd)
vlan->configured = 1;
+ notempty = vlan->vlan_desc.notempty;
untagged = vlan->vlan_desc.untagged;
tagged = vlan->vlan_desc.tagged;
- if (untagged > 0 && untagged <= MAX_VLAN_ID) {
+ if (!notempty) {
+ /* non-VLAN sta */
+ if (hapd->conf->bridge[0]) {
+ if (!br_addif(hapd->conf->bridge, ifname))
+ vlan->clean |= DVLAN_CLEAN_WLAN_PORT;
+ }
+ } else if (untagged > 0 && untagged <= MAX_VLAN_ID) {
vlan_bridge_name(br_name, hapd, untagged);
vlan_get_bridge(br_name, hapd, untagged);
@@ -773,7 +780,7 @@ static void vlan_dellink(char *ifname, struct hostapd_data *hapd)
{
struct hostapd_vlan *first, *prev, *vlan = hapd->conf->vlan;
char br_name[IFNAMSIZ];
- int untagged, i, *tagged;
+ int untagged, i, *tagged, notempty;
wpa_printf(MSG_DEBUG, "VLAN: vlan_dellink(%s)", ifname);
@@ -789,6 +796,7 @@ static void vlan_dellink(char *ifname, struct hostapd_data *hapd)
if (!vlan->configured)
goto skip_counting;
+ notempty = vlan->vlan_desc.notempty;
untagged = vlan->vlan_desc.untagged;
tagged = vlan->vlan_desc.tagged;
@@ -805,7 +813,12 @@ static void vlan_dellink(char *ifname, struct hostapd_data *hapd)
vlan_put_bridge(br_name, hapd, tagged[i]);
}
- if (untagged > 0 && untagged <= MAX_VLAN_ID) {
+ if (!notempty) {
+ /* non-VLAN sta */
+ if (hapd->conf->bridge[0] &&
+ vlan->clean & DVLAN_CLEAN_WLAN_PORT)
+ br_delif(hapd->conf->bridge, ifname);
+ } else if (untagged > 0 && untagged <= MAX_VLAN_ID) {
vlan_bridge_name(br_name, hapd, untagged);
if (vlan->clean & DVLAN_CLEAN_WLAN_PORT)
@@ -1062,8 +1075,8 @@ int vlan_init(struct hostapd_data *hapd)
hapd->full_dynamic_vlan = full_dynamic_vlan_init(hapd);
#endif /* CONFIG_FULL_DYNAMIC_VLAN */
- if (hapd->conf->ssid.dynamic_vlan != DYNAMIC_VLAN_DISABLED &&
- !hapd->conf->vlan) {
+ if ((hapd->conf->ssid.dynamic_vlan != DYNAMIC_VLAN_DISABLED ||
+ hapd->conf->ssid.per_sta_vif) && !hapd->conf->vlan) {
/* dynamic vlans enabled but no (or empty) vlan_file given */
struct hostapd_vlan *vlan;
vlan = os_zalloc(sizeof(*vlan));
--
2.1.4
More information about the Hostap
mailing list