[OpenWrt-Devel] hostapd and Linux bridges

Paul Oranje por at oranjevos.nl
Thu Jan 23 06:08:28 EST 2020


Op 22 jan. 2020, om 10:43 heeft Daniel Golle <daniel at makrotopia.org> het volgende geschreven:
> 
> On Wed, Jan 22, 2020 at 06:34:06AM +0200, Daniel Golle wrote:
>> On Tue, Jan 21, 2020 at 11:34:22PM +0100, Mathias Kresin wrote:
>>> 21/01/2020 20:22, Daniel Golle:
>>>> On Tue, Jan 21, 2020 at 07:40:42PM +0100, Bjørn Mork wrote:
>>>>> Daniel Golle <daniel at makrotopia.org> writes:
>>>>> 
>>>>>> On proprietary APs it looks like port isolation is enabled or disabled
>>>>>> globally in Linux' bridge code using sysctl or other methods, an
>>>>>> approach which is unlikely to get accepted into the Kernel, also given
>>>>>> that the netlink interface already exists and allows doing the same
>>>>>> thing in a more granular fashion.
>>>>> 
>>>>> Huh?
>>>>> 
>>>>> Won't this sysfs attribute set the same flag IFLA_BRPORT_ISOLATED sets?
>>>>> 
>>>>> 
>>>>> root at wrt1900ac-1:~# grep . /sys/class/net/br-lan/brif/*/isolated
>>>>> /sys/class/net/br-lan/brif/eth0.7/isolated:0
>>>>> /sys/class/net/br-lan/brif/wlan0/isolated:0
>>>>> /sys/class/net/br-lan/brif/wlan1/isolated:0
>>>> 
>>>> Looks like that's the thing I may have missed ;)
>>>> Yet we do need a way to set this to '1' once hostapd adds the AP
>>>> interface to the bridge. I'm not sure whether setting this via
>>>> sysfs is actually more simple than using netlink given that some
>>>> general purpose netlink code is already part of hostap.
>>>> In the end, either approach would be fine with me and I would
>>>> implement whatever is more likely to be merged into hostap.git.
>>> 
>>> netifd is able to set bridge client isolation via sysfs since commit
>>> c06f84238952211b35c2940a82fcce3fcc3221c1.
>>> 
>>> /etc/config/wireless as expected:
>>> 
>>> config wifi-iface
>>> 	option device 'radio1'
>>> 	option ifname 'wlan_guest_leg'
>>> 	option network 'guest'
>>> 	option isolate '1'
>>> 
>>> config wifi-iface
>>> 	option device 'radio0'
>>> 	option ifname 'wlan_guest'
>>> 	option network 'guest'
>>> 	option isolate '1'
>>> 
>>> The isolation option in /etc/config/network does the trick:
>>> 
>>> config interface 'guest'
>>> 	option type 'bridge'
>>> 	option proto 'static'
>>> 
>>> config device 'wlan_guest'
>>> 	option isolate '1'
>>> 
>>> config device 'wlan_guest_leg'
>>> 	option isolate '1'
>>> 
>>> 
>>> Of course, bridge client isolation isn't limited to wireless interfaces.
> 
> What about wlan0.sta1 and such created by AP-WDS? Is there a way to catch
> all or set a bridge-wide default?
You mean enabling isolation at the bridge that all sub interfaces are bound to?
So something like this, to isolate all bound interfaces:

config interface 'guest'
        option type 'bridge'
        option isolate '1'
        option ifname 'eth1.127'
        option proto 'static'
        option ipaddr '192.168.127.1'
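As an added example (not code from this thread, from netifd or from hostapd), a small POSIX shell helper that audits and enforces the sysfs `isolated` flag Bjørn pointed at on every port of a bridge. Run from a hotplug script after hostapd adds an interface, it gives the bridge-wide default Daniel asks about and also covers AP-WDS ports such as wlan0.sta1. `SYSFS_ROOT`, the function names and the uplink exception list are assumptions made for this example.

```shell
#!/bin/sh
# Added example: bridge-wide client isolation via /sys/class/net/<br>/brif/<port>/isolated.
# SYSFS_ROOT is a hypothetical knob so the functions can be pointed at a
# constructed tree when testing on a machine without the real bridge.
SYSFS_ROOT="${SYSFS_ROOT:-/sys/class/net}"

# Print "<port> <isolated>" for every port currently bound to bridge $1.
bridge_isolation_report() {
    for f in "$SYSFS_ROOT/$1/brif"/*/isolated; do
        [ -e "$f" ] || continue
        printf '%s %s\n' "$(basename "$(dirname "$f")")" "$(cat "$f")"
    done
}

# Return (echo) the number of ports of bridge $1 that are NOT isolated.
# A guest bridge is only fully locked down when this prints 0 for the client ports.
bridge_unisolated_count() {
    n=0
    for f in "$SYSFS_ROOT/$1/brif"/*/isolated; do
        [ -e "$f" ] || continue
        [ "$(cat "$f")" = "1" ] || n=$((n + 1))
    done
    echo "$n"
}

# Set isolated=1 on every port of bridge $1 except the space-separated list in $2
# (uplink ports such as "eth1.127" that clients must still reach). Isolated ports
# cannot forward to each other but can still talk to the bridge device itself,
# so the router's own IP on the bridge stays reachable either way.
bridge_isolate_all() {
    keep=" $2 "
    for f in "$SYSFS_ROOT/$1/brif"/*/isolated; do
        [ -e "$f" ] || continue
        port=$(basename "$(dirname "$f")")
        case "$keep" in *" $port "*) continue ;; esac
        echo 1 > "$f"
    done
}

# Usage: ./isolate.sh br-guest   (prints the current per-port state)
if [ $# -gt 0 ]; then
    bridge_isolation_report "$1"
fi
```

Wire `bridge_isolate_all br-guest "eth1.127"` into /etc/hotplug.d/net so newly added ports are isolated as soon as they join, and keep `bridge_unisolated_count` as a check in monitoring.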



_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel