* [B.A.T.M.A.N.] [PATCHv3 0/5] Introducing the Extended-Isolation
@ 2013-11-16 11:03 Antonio Quartulli
  2013-11-16 11:03 ` [B.A.T.M.A.N.] [PATCHv3 1/6] batman-adv: add isolation_mark sysfs attribute Antonio Quartulli
From: Antonio Quartulli @ 2013-11-16 11:03 UTC (permalink / raw)
  To: b.a.t.m.a.n; +Cc: Antonio Quartulli

Hello list,

this is the third version of this patchset.
Kudos to Marek for his feedback :-)


Changes from v2:
- add sysfs documentation for the new isolation_mark attribute
- revert order of show and store functions for isolation_mark (sysfs.c)
- fix a couple of typos in sysfs.c kerneldoc
- add missing kerneldoc for mark argument in tt_local_add()
- improve the way 'mask' is initialised in store_isolation_mark()

Changes from v1 are:
- Introduction of patch 5/6: it adds a helper function to avoid code
  duplication - the function is called batadv_vlan_ap_isola_get() and it is used
  to get the current AP isolation status on a given vlan
- patch 1/6 has been changed to allow the user to enter a mark value without
  specifying any bitmask - 0xFFFFFFFF will be used as default
- patch 6/6 has been changed so that broadcast packets are marked on the
  receiver node only if AP isolation is enabled. In this way, if AP isolation
  is not ON, packets are not altered at all, neither on the sender nor on the
  receiver.
- the patchset has been rebased on top of current master (dependency from the
  patch altering the table headers has been removed)

Description:
=========================

This feature is an extension of the already existing "AP isolation" which aims
to generalise the latter.

The idea is based on considering a particular subset of non-mesh clients as
"ISOLATED" and then applying the same policy that batman-adv already applies for
WiFi clients.

To decide which client belongs to this subset batman-adv uses the skb->mark
field, whose value can be altered by several components in the kernel (e.g.
netfilter). When an skb hits the soft-interface (e.g. bat0) the skb->mark
is compared to a preconfigured value and the source client is classified as
"ISOLATED" only in case of match.

The pre-configured mark (and its mask) is a user choice and can be set through
a new sysfs interface that is added within this patchset.

"ISOLATED" clients won't be able to talk to each other (batman-adv will drop
any packet originated by an isolated client and directed to another isolated
client) like it now happens for WiFi ones (when AP isolation is on).

Moreover, broadcast packets sent by ISOLATED clients are marked on the
receiving node with the same mark that the user configured through the sysfs.
In this way netfilter (or any other program) can make decisions about
these packets on the receiver side (e.g. a rule could be "broadcast packets
created by ISOLATED clients cannot be forwarded over any port of the bridge X").


A draft of the documentation (with an example of how to use tc to mark/filter
packets) is available here[1] and will be improved as soon as the feature is
released.


Cheers,

[1] http://www.open-mesh.org/projects/batman-adv/wiki/Extended-isolation



Antonio Quartulli (6):
  batman-adv: add isolation_mark sysfs attribute
  batman-adv: mark a local client as isolated when needed
  batman-adv: print the new BATADV_TT_CLIENT_ISOLA flag
  batman-adv: extend the ap_isolation mechanism
  batman-adv: create helper function to get AP isolation status
  batman-adv: set the isolation mark in the skb if needed

 main.c               | 26 +++++++++++++++++++
 main.h               |  3 +++
 packet.h             |  1 +
 soft-interface.c     | 27 ++++++++++++++++----
 sysfs-class-net-mesh |  8 ++++++
 sysfs.c              | 71 +++++++++++++++++++++++++++++++++++++++++++++++++++
 translation-table.c  | 72 +++++++++++++++++++++++++++++++++++++++-------------
 translation-table.h  |  4 ++-
 types.h              |  2 ++
 9 files changed, 191 insertions(+), 23 deletions(-)

-- 
1.8.4.3


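The mark/mask semantics the cover letter describes (the "$mark/$mask" sysfs input, the masked match on the sending node, the masked rewrite of the mark on the receiving node) exercised in user space, as an added example that is not part of this thread and not batman-adv code. strtoul() stands in for kstrtou32(), a small struct isola_cfg stands in for the two fields the patchset adds to struct batadv_priv, and every other name is the example's own.

```c
/* Added example, not batman-adv code: a user-space model of the Extended-
 * Isolation mark/mask rules from the cover letter and patches 1/6, 2/6, 6/6.
 * strtoul() stands in for kstrtou32(), struct isola_cfg for the
 * isolation_mark/isolation_mark_mask fields; all other names are ours.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct isola_cfg {
	uint32_t mark;	/* stored already masked, as the sysfs store does */
	uint32_t mask;	/* 0 disables the classification entirely */
};

/* kstrtou32()-like: no sign or leading blank, no trailing garbage (one final
 * newline allowed), no overflow. base 0 takes 0x.. hex, 0.. octal, decimal.
 */
static int parse_u32(const char *s, int base, uint32_t *out)
{
	char *end;
	unsigned long v;
	if (*s == '\0' || *s == '-' || *s == '+' || *s == ' ')
		return -EINVAL;
	errno = 0;
	v = strtoul(s, &end, base);
	if (errno || end == s || v > UINT32_MAX)
		return -EINVAL;
	if (*end == '\n')
		end++;
	if (*end != '\0')
		return -EINVAL;
	*out = (uint32_t)v;
	return 0;
}

/* Writing "$mark[/$mask]" to isolation_mark: mask defaults to 0xFFFFFFFF and
 * must be hex, mark may be in any base, only masked bits of mark are kept.
 * cfg is left untouched on any error.
 */
static int isola_store(struct isola_cfg *cfg, const char *input)
{
	char buf[64], *slash;
	uint32_t mark, mask = 0xFFFFFFFFu;
	if (strlen(input) >= sizeof(buf))
		return -EINVAL;
	strcpy(buf, input);
	slash = strchr(buf, '/');
	if (slash) {
		*slash = '\0';
		if (parse_u32(slash + 1, 16, &mask) < 0)
			return -EINVAL;
	}
	if (parse_u32(buf, 0, &mark) < 0)
		return -EINVAL;
	cfg->mask = mask;
	cfg->mark = mark & mask;
	return 0;
}

/* Sender side (tt_local_add): does this skb->mark identify an ISOLATED client?
 * Mark 0 with a non-zero mask also matches unmarked frames (BATADV_NO_MARK).
 */
static bool isola_client_matches(const struct isola_cfg *c, uint32_t skb_mark)
{
	return c->mask && (skb_mark & c->mask) == c->mark;
}

/* Receiver side (interface_rx, broadcast from an ISOLATED client): rewrite
 * only the masked bits of the delivered frame's mark, keep the others.
 */
static uint32_t isola_restore_mark(const struct isola_cfg *c, uint32_t skb_mark)
{
	return (skb_mark & ~c->mask) | c->mark;
}

/* Apply a sysfs-style string to a fresh config; -EINVAL or the stored value. */
static long long stored_mark(const char *in)
{
	struct isola_cfg c = { 0, 0 };
	return isola_store(&c, in) == 0 ? (long long)c.mark : -EINVAL;
}

static long long stored_mask(const char *in)
{
	struct isola_cfg c = { 0, 0 };
	return isola_store(&c, in) == 0 ? (long long)c.mask : -EINVAL;
}

int main(void)
{
	struct isola_cfg c = { 0, 0 };
	if (isola_store(&c, "0x10/f0\n") == 0)	/* constructed: 0x10 in bits 4..7 */
		printf("0x13 isolated %d, 0x23 isolated %d, bcast 0xab03 -> %#x\n",
		       isola_client_matches(&c, 0x13), isola_client_matches(&c, 0x23),
		       (unsigned)isola_restore_mark(&c, 0xab03));
	return 0;
}
```

Build with `cc -std=c99 -Wall isola.c` (file name assumed). Three behaviours are worth trying: a mask of 0 never matches, a leading zero in the mark is read as octal because the mark is parsed with base 0, and a configured mark of 0 with a non-zero mask classifies unmarked frames as isolated, which is what would happen to the internal callers that pass BATADV_NO_MARK in patch 2/6.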

* [B.A.T.M.A.N.] [PATCHv3 1/6] batman-adv: add isolation_mark sysfs attribute
  2013-11-16 11:03 [B.A.T.M.A.N.] [PATCHv3 0/5] Introducing the Extended-Isolation Antonio Quartulli
@ 2013-11-16 11:03 ` Antonio Quartulli
  2013-11-17  3:30   ` Marek Lindner
  2013-11-16 11:03 ` [B.A.T.M.A.N.] [PATCHv3 2/6] batman-adv: mark a local client as isolated when needed Antonio Quartulli
From: Antonio Quartulli @ 2013-11-16 11:03 UTC (permalink / raw)
  To: b.a.t.m.a.n; +Cc: Antonio Quartulli

From: Antonio Quartulli <antonio@open-mesh.com>

This attribute can be used to set and read the value and the
mask of the skb mark which will be used to classify the
source non-mesh client as ISOLATED. In this way a client can
be advertised as such and the mark can potentially be
restored at the receiving node before delivering the skb.

This can be helpful for creating network wide netfilter
policies.

This sysfs file expects a string of the shape "$mark/$mask",
where $mark has to be a 32-bit number in any base, while
$mask must be a 32-bit mask expressed in hex base. Only bits
in $mark covered by the bitmask are really stored.

Signed-off-by: Antonio Quartulli <antonio@open-mesh.com>
---
 soft-interface.c     |  2 ++
 sysfs-class-net-mesh |  8 ++++++
 sysfs.c              | 71 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 types.h              |  2 ++
 4 files changed, 83 insertions(+)

diff --git a/soft-interface.c b/soft-interface.c
index a3797c5..c945cea 100644
--- a/soft-interface.c
+++ b/soft-interface.c
@@ -692,6 +692,8 @@ static int batadv_softif_init_late(struct net_device *dev)
 #endif
 	bat_priv->tt.last_changeset = NULL;
 	bat_priv->tt.last_changeset_len = 0;
+	bat_priv->isolation_mark = 0;
+	bat_priv->isolation_mark_mask = 0;
 
 	/* randomize initial seqno to avoid collision */
 	get_random_bytes(&random_seqno, sizeof(random_seqno));
diff --git a/sysfs-class-net-mesh b/sysfs-class-net-mesh
index 0baa657..4793d3d 100644
--- a/sysfs-class-net-mesh
+++ b/sysfs-class-net-mesh
@@ -68,6 +68,14 @@ Description:
                 Defines the penalty which will be applied to an
                 originator message's tq-field on every hop.
 
+What:		/sys/class/net/<mesh_iface>/mesh/isolation_mark
+Date:		Nov 2013
+Contact:	Antonio Quartulli <antonio@meshcoding.com>
+Description:
+		Defines the isolation mark (and its bitmask) which
+		is used to classify clients as "isolated" by the
+		Extended Isolation feature.
+
 What:           /sys/class/net/<mesh_iface>/mesh/network_coding
 Date:           Nov 2012
 Contact:        Martin Hundeboll <martin@hundeboll.net>
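Review bot: the documentation entry does not describe the input format that the store function in sysfs.c enforces. It should say that the attribute takes "$mark/$mask", that $mark is parsed in any base while $mask must be hexadecimal, that the mask defaults to 0xFFFFFFFF when omitted, that only the bits of $mark covered by the mask are stored, and that a mask of 0 switches the classification off (as the 2/6 commit message states). The Contact address here (antonio@meshcoding.com) also differs from the Signed-off-by address (antonio@open-mesh.com); pick the one that should receive reports.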
diff --git a/sysfs.c b/sysfs.c
index 98f8568..3347ffc 100644
--- a/sysfs.c
+++ b/sysfs.c
@@ -447,6 +447,74 @@ static ssize_t batadv_store_gw_bwidth(struct kobject *kobj,
 	return batadv_gw_bandwidth_set(net_dev, buff, count);
 }
 
+/**
+ * batadv_show_isolation_mark - print the current isolation mark/mask
+ * @kobj: kobject representing the private mesh sysfs directory
+ * @attr: the batman-adv attribute the user is interacting with
+ * @buff: the buffer that will contain the data to send back to the user
+ *
+ * Returns the number of bytes written into 'buff' on success or a negative
+ * error code in case of failure
+ */
+static ssize_t batadv_show_isolation_mark(struct kobject *kobj,
+					  struct attribute *attr, char *buff)
+{
+	struct batadv_priv *bat_priv = batadv_kobj_to_batpriv(kobj);
+
+	return sprintf(buff, "%#.8x/%#.8x\n", bat_priv->isolation_mark,
+		       bat_priv->isolation_mark_mask);
+}
+
+/**
+ * batadv_store_isolation_mark - parse and store the isolation mark/mask entered by
+ *  the user
+ * @kobj: kobject representing the private mesh sysfs directory
+ * @attr: the batman-adv attribute the user is interacting with
+ * @buff: the buffer containing the user data
+ * @count: number of bytes in the buffer
+ *
+ * Returns 'count' on success or a negative error code in case of failure
+ */
+static ssize_t batadv_store_isolation_mark(struct kobject *kobj,
+					   struct attribute *attr, char *buff,
+					   size_t count)
+{
+	struct net_device *net_dev = batadv_kobj_to_netdev(kobj);
+	struct batadv_priv *bat_priv = netdev_priv(net_dev);
+	uint32_t mark, mask;
+	char *mask_ptr;
+
+	/* parse the mask if it has been specified, otherwise assume the mask is
+	 * the biggest possible
+	 */
+	mask = 0xFFFFFFFF;
+	mask_ptr = strchr(buff, '/');
+	if (mask_ptr) {
+		*mask_ptr = '\0';
+		mask_ptr++;
+
+		/* the mask must be entered in hex base as it is going to be a
+		 * bitmask and not a prefix length
+		 */
+		if (kstrtou32(mask_ptr, 16, &mask) < 0)
+			return -EINVAL;
+	}
+
+	/* the mark can be entered in any base */
+	if (kstrtou32(buff, 0, &mark) < 0)
+		return -EINVAL;
+
+	bat_priv->isolation_mark_mask = mask;
+	/* erase bits not covered by the mask */
+	bat_priv->isolation_mark = mark & bat_priv->isolation_mark_mask;
+
+	batadv_info(net_dev,
+		    "New skb mark for extended isolation: %#.8x/%#.8x\n",
+		    bat_priv->isolation_mark, bat_priv->isolation_mark_mask);
+
+	return count;
+}
+
 BATADV_ATTR_SIF_BOOL(aggregated_ogms, S_IRUGO | S_IWUSR, NULL);
 BATADV_ATTR_SIF_BOOL(bonding, S_IRUGO | S_IWUSR, NULL);
 #ifdef CONFIG_BATMAN_ADV_BLA
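Review bot: isolation_mark and isolation_mark_mask are written as two independent stores with no locking, while batadv_tt_local_add() (patch 2/6) and batadv_interface_rx() (patch 6/6) read both fields from the transmit and receive paths concurrently. A reader can observe the new mask paired with the old mark (or the reverse) during a sysfs write and misclassify frames for that window. Either pack the pair into one word that is updated atomically, publish a small struct via RCU, or state in the commit message that a re-write is racy by design. One parsing detail for the documentation: because the mark is parsed with base 0, a leading zero makes kstrtou32() treat it as octal, so "010" stores 8, not 10.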
@@ -475,6 +543,8 @@ BATADV_ATTR_SIF_UINT(log_level, S_IRUGO | S_IWUSR, 0, BATADV_DBG_ALL, NULL);
 BATADV_ATTR_SIF_BOOL(network_coding, S_IRUGO | S_IWUSR,
 		     batadv_nc_status_update);
 #endif
+static BATADV_ATTR(isolation_mark, S_IRUGO | S_IWUSR,
+		   batadv_show_isolation_mark, batadv_store_isolation_mark);
 
 static struct batadv_attribute *batadv_mesh_attrs[] = {
 	&batadv_attr_aggregated_ogms,
@@ -498,6 +568,7 @@ static struct batadv_attribute *batadv_mesh_attrs[] = {
 #ifdef CONFIG_BATMAN_ADV_NC
 	&batadv_attr_network_coding,
 #endif
+	&batadv_attr_isolation_mark,
 	NULL,
 };
 
diff --git a/types.h b/types.h
index 656ae65..0a69287 100644
--- a/types.h
+++ b/types.h
@@ -694,6 +694,8 @@ struct batadv_priv {
 #ifdef CONFIG_BATMAN_ADV_DEBUG
 	atomic_t log_level;
 #endif
+	uint32_t isolation_mark;
+	uint32_t isolation_mark_mask;
 	atomic_t bcast_seqno;
 	atomic_t bcast_queue_left;
 	atomic_t batman_queue_left;
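Review bot: if struct batadv_priv carries a kerneldoc member list above this block, the two new members (isolation_mark, isolation_mark_mask) need entries there, including the fact that isolation_mark is stored already masked by the sysfs store. Grouping the two values in one small struct would also make it easier to update them atomically from the store path.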
-- 
1.8.4.3



* [B.A.T.M.A.N.] [PATCHv3 2/6] batman-adv: mark a local client as isolated when needed
  2013-11-16 11:03 [B.A.T.M.A.N.] [PATCHv3 0/5] Introducing the Extended-Isolation Antonio Quartulli
  2013-11-16 11:03 ` [B.A.T.M.A.N.] [PATCHv3 1/6] batman-adv: add isolation_mark sysfs attribute Antonio Quartulli
@ 2013-11-16 11:03 ` Antonio Quartulli
  2013-11-17  3:31   ` Marek Lindner
  2013-11-16 11:03 ` [B.A.T.M.A.N.] [PATCHv3 3/6] batman-adv: print the new BATADV_TT_CLIENT_ISOLA flag Antonio Quartulli
From: Antonio Quartulli @ 2013-11-16 11:03 UTC (permalink / raw)
  To: b.a.t.m.a.n; +Cc: Antonio Quartulli

From: Antonio Quartulli <antonio@open-mesh.com>

A client sending packets whose mark matches the value
configured via sysfs has to be identified as isolated using
the TT_CLIENT_ISOLA flag.

The match is mask based, meaning that only bits set in the
mask are compared with those in the mark value.

If the configured mask is equal to 0 no operation is
performed.

This flag is then advertised within the classic client
announcement mechanism.

Signed-off-by: Antonio Quartulli <antonio@open-mesh.com>
---
 main.h              |  2 ++
 packet.h            |  1 +
 soft-interface.c    |  7 ++++---
 translation-table.c | 16 +++++++++++++++-
 translation-table.h |  2 +-
 5 files changed, 23 insertions(+), 5 deletions(-)

diff --git a/main.h b/main.h
index e6f868f..6ee984c 100644
--- a/main.h
+++ b/main.h
@@ -67,6 +67,8 @@
 
 #define BATADV_NULL_IFINDEX 0 /* dummy ifindex used to avoid iface checks */
 
+#define BATADV_NO_MARK 0
+
 #define BATADV_NUM_WORDS BITS_TO_LONGS(BATADV_TQ_LOCAL_WINDOW_SIZE)
 
 #define BATADV_LOG_BUF_LEN 8192	  /* has to be a power of 2 */
diff --git a/packet.h b/packet.h
index cbebac6..5f402c9 100644
--- a/packet.h
+++ b/packet.h
@@ -112,6 +112,7 @@ enum batadv_tt_client_flags {
 	BATADV_TT_CLIENT_DEL     = BIT(0),
 	BATADV_TT_CLIENT_ROAM    = BIT(1),
 	BATADV_TT_CLIENT_WIFI    = BIT(4),
+	BATADV_TT_CLIENT_ISOLA	 = BIT(5),
 	BATADV_TT_CLIENT_NOPURGE = BIT(8),
 	BATADV_TT_CLIENT_NEW     = BIT(9),
 	BATADV_TT_CLIENT_PENDING = BIT(10),
diff --git a/soft-interface.c b/soft-interface.c
index c945cea..2d629ee 100644
--- a/soft-interface.c
+++ b/soft-interface.c
@@ -116,7 +116,7 @@ static int batadv_interface_set_mac_addr(struct net_device *dev, void *p)
 		batadv_tt_local_remove(bat_priv, old_addr, BATADV_NO_FLAGS,
 				       "mac address changed", false);
 		batadv_tt_local_add(dev, addr->sa_data, BATADV_NO_FLAGS,
-				    BATADV_NULL_IFINDEX);
+				    BATADV_NULL_IFINDEX, BATADV_NO_MARK);
 	}
 
 	return 0;
@@ -196,7 +196,8 @@ static int batadv_interface_tx(struct sk_buff *skb,
 	/* Register the client MAC in the transtable */
 	if (!is_multicast_ether_addr(ethhdr->h_source)) {
 		client_added = batadv_tt_local_add(soft_iface, ethhdr->h_source,
-						   vid, skb->skb_iif);
+						   vid, skb->skb_iif,
+						   skb->mark);
 		if (!client_added)
 			goto dropped;
 	}
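Review bot: skb->mark here is whatever the local node's netfilter or tc rules set before the frame reached bat0; it is not carried from the client or from the wire, and that is the property the classification relies on. The commit message or the sysfs documentation should say where the mark has to be applied (on the ingress interface or bridge the client is attached to, before the frame enters bat0), so that operators do not place the marking rule on a hook that runs after batadv_interface_tx() has already registered the client.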
@@ -480,7 +481,7 @@ int batadv_softif_create_vlan(struct batadv_priv *bat_priv, unsigned short vid)
 	 */
 	batadv_tt_local_add(bat_priv->soft_iface,
 			    bat_priv->soft_iface->dev_addr, vid,
-			    BATADV_NULL_IFINDEX);
+			    BATADV_NULL_IFINDEX, BATADV_NO_MARK);
 
 	spin_lock_bh(&bat_priv->softif_vlan_list_lock);
 	hlist_add_head_rcu(&vlan->list, &bat_priv->softif_vlan_list);
diff --git a/translation-table.c b/translation-table.c
index 979d9b9..6788b5d 100644
--- a/translation-table.c
+++ b/translation-table.c
@@ -470,11 +470,13 @@ static void batadv_tt_global_free(struct batadv_priv *bat_priv,
  * @vid: VLAN identifier
  * @ifindex: index of the interface where the client is connected to (useful to
  *  identify wireless clients)
+ * @mark: the value contained in the skb->mark field of the received packet (if
+ *  any)
  *
  * Returns true if the client was successfully added, false otherwise.
  */
 bool batadv_tt_local_add(struct net_device *soft_iface, const uint8_t *addr,
-			 unsigned short vid, int ifindex)
+			 unsigned short vid, int ifindex, uint32_t mark)
 {
 	struct batadv_priv *bat_priv = netdev_priv(soft_iface);
 	struct batadv_tt_local_entry *tt_local;
@@ -485,6 +487,7 @@ bool batadv_tt_local_add(struct net_device *soft_iface, const uint8_t *addr,
 	int hash_added, table_size, packet_size_max;
 	bool ret = false, roamed_back = false;
 	uint8_t remote_flags;
+	uint32_t match_mark;
 
 	if (ifindex != BATADV_NULL_IFINDEX)
 		in_dev = dev_get_by_index(&init_net, ifindex);
@@ -609,6 +612,17 @@ check_roaming:
 	else
 		tt_local->common.flags &= ~BATADV_TT_CLIENT_WIFI;
 
+	/* check the mark in the skb: if it's equal to the configured
+	 * isolation_mark, it means the packet is coming from an isolated
+	 * non-mesh client
+	 */
+	match_mark = (mark & bat_priv->isolation_mark_mask);
+	if (bat_priv->isolation_mark_mask &&
+	    match_mark == bat_priv->isolation_mark)
+		tt_local->common.flags |= BATADV_TT_CLIENT_ISOLA;
+	else
+		tt_local->common.flags &= ~BATADV_TT_CLIENT_ISOLA;
+
 	/* if any "dynamic" flag has been modified, resend an ADD event for this
 	 * entry so that all the nodes can get the new flags
 	 */
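Review bot: a configured mark of 0 with a non-zero mask (for example "0/ffffffff") makes the internal callers that pass BATADV_NO_MARK in this patch (batadv_interface_set_mac_addr() and batadv_softif_create_vlan()) match too, because (0 & mask) == 0 == isolation_mark, so the soft interface's own MAC would be announced with BATADV_TT_CLIENT_ISOLA. Either reject a masked mark of 0 in the store function or give BATADV_NO_MARK callers a way to skip this check. Also, the flag is recomputed from every transmitted frame: a client whose frames are only partly marked will flip between isolated and not, and each flip re-sends a TT ADD event per the comment below, so the documentation should say the marking rule has to cover all frames from a client.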
diff --git a/translation-table.h b/translation-table.h
index 270773e..202c289 100644
--- a/translation-table.h
+++ b/translation-table.h
@@ -17,7 +17,7 @@
 
 int batadv_tt_init(struct batadv_priv *bat_priv);
 bool batadv_tt_local_add(struct net_device *soft_iface, const uint8_t *addr,
-			 unsigned short vid, int ifindex);
+			 unsigned short vid, int ifindex, uint32_t mark);
 uint16_t batadv_tt_local_remove(struct batadv_priv *bat_priv,
 				const uint8_t *addr, unsigned short vid,
 				const char *message, bool roaming);
-- 
1.8.4.3



* [B.A.T.M.A.N.] [PATCHv3 3/6] batman-adv: print the new BATADV_TT_CLIENT_ISOLA flag
  2013-11-16 11:03 [B.A.T.M.A.N.] [PATCHv3 0/5] Introducing the Extended-Isolation Antonio Quartulli
  2013-11-16 11:03 ` [B.A.T.M.A.N.] [PATCHv3 1/6] batman-adv: add isolation_mark sysfs attribute Antonio Quartulli
  2013-11-16 11:03 ` [B.A.T.M.A.N.] [PATCHv3 2/6] batman-adv: mark a local client as isolated when needed Antonio Quartulli
@ 2013-11-16 11:03 ` Antonio Quartulli
  2013-11-17  3:32   ` Marek Lindner
  2013-11-16 11:03 ` [B.A.T.M.A.N.] [PATCHv3 4/6] batman-adv: extend the ap_isolation mechanism Antonio Quartulli
From: Antonio Quartulli @ 2013-11-16 11:03 UTC (permalink / raw)
  To: b.a.t.m.a.n; +Cc: Antonio Quartulli

From: Antonio Quartulli <antonio@open-mesh.com>

Print the new BATADV_TT_CLIENT_ISOLA flag properly in the
Local and Global Translation Table output.

The character 'I' is used in the flags column to indicate
that the entry is marked as isolated.

Signed-off-by: Antonio Quartulli <antonio@open-mesh.com>
---
 translation-table.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/translation-table.c b/translation-table.c
index 6788b5d..09b1112 100644
--- a/translation-table.c
+++ b/translation-table.c
@@ -883,7 +883,7 @@ int batadv_tt_local_seq_print_text(struct seq_file *seq, void *offset)
 	seq_printf(seq,
 		   "Locally retrieved addresses (from %s) announced via TT (TTVN: %u):\n",
 		   net_dev->name, (uint8_t)atomic_read(&bat_priv->tt.vn));
-	seq_printf(seq, "       %-13s  %s %-7s %-9s (%-10s)\n", "Client", "VID",
+	seq_printf(seq, "       %-13s  %s %-8s %-9s (%-10s)\n", "Client", "VID",
 		   "Flags", "Last seen", "CRC");
 
 	for (i = 0; i < hash->size; i++) {
@@ -911,7 +911,7 @@ int batadv_tt_local_seq_print_text(struct seq_file *seq, void *offset)
 			}
 
 			seq_printf(seq,
-				   " * %pM %4i [%c%c%c%c%c] %3u.%03u   (%#.8x)\n",
+				   " * %pM %4i [%c%c%c%c%c%c] %3u.%03u   (%#.8x)\n",
 				   tt_common_entry->addr,
 				   BATADV_PRINT_VID(tt_common_entry->vid),
 				   (tt_common_entry->flags &
@@ -923,6 +923,8 @@ int batadv_tt_local_seq_print_text(struct seq_file *seq, void *offset)
 				    BATADV_TT_CLIENT_PENDING ? 'X' : '.'),
 				   (tt_common_entry->flags &
 				    BATADV_TT_CLIENT_WIFI ? 'W' : '.'),
+				   (tt_common_entry->flags &
+				    BATADV_TT_CLIENT_ISOLA ? 'I' : '.'),
 				   no_purge ? 0 : last_seen_secs,
 				   no_purge ? 0 : last_seen_msecs,
 				   vlan->tt.crc);
@@ -1455,13 +1457,14 @@ batadv_tt_global_print_entry(struct batadv_priv *bat_priv,
 
 		last_ttvn = atomic_read(&best_entry->orig_node->last_ttvn);
 		seq_printf(seq,
-			   " %c %pM %4i   (%3u) via %pM     (%3u)   (%#.8x) [%c%c%c]\n",
+			   " %c %pM %4i   (%3u) via %pM     (%3u)   (%#.8x) [%c%c%c%c]\n",
 			   '*', tt_global_entry->common.addr,
 			   BATADV_PRINT_VID(tt_global_entry->common.vid),
 			   best_entry->ttvn, best_entry->orig_node->orig,
 			   last_ttvn, vlan->tt.crc,
 			   (flags & BATADV_TT_CLIENT_ROAM ? 'R' : '.'),
 			   (flags & BATADV_TT_CLIENT_WIFI ? 'W' : '.'),
+			   (flags & BATADV_TT_CLIENT_ISOLA ? 'I' : '.'),
 			   (flags & BATADV_TT_CLIENT_TEMP ? 'T' : '.'));
 
 		batadv_orig_node_vlan_free_ref(vlan);
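Review bot: inserting 'I' before 'T' moves the existing TEMP column one position to the right in the global table flags field ([R W I T] instead of [R W T]), so anything that parses the batctl tg output by character position will misread the 'T' column after this change; appending the new letter at the end would keep the existing columns stable, otherwise the shift should be called out in the commit message.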
@@ -1486,13 +1489,14 @@ print_list:
 
 		last_ttvn = atomic_read(&orig_entry->orig_node->last_ttvn);
 		seq_printf(seq,
-			   " %c %pM %4d   (%3u) via %pM     (%3u)   (%#.8x) [%c%c%c]\n",
+			   " %c %pM %4d   (%3u) via %pM     (%3u)   (%#.8x) [%c%c%c%c]\n",
 			   '+', tt_global_entry->common.addr,
 			   BATADV_PRINT_VID(tt_global_entry->common.vid),
 			   orig_entry->ttvn, orig_entry->orig_node->orig,
 			   last_ttvn, vlan->tt.crc,
 			   (flags & BATADV_TT_CLIENT_ROAM ? 'R' : '.'),
 			   (flags & BATADV_TT_CLIENT_WIFI ? 'W' : '.'),
+			   (flags & BATADV_TT_CLIENT_ISOLA ? 'I' : '.'),
 			   (flags & BATADV_TT_CLIENT_TEMP ? 'T' : '.'));
 
 		batadv_orig_node_vlan_free_ref(vlan);
-- 
1.8.4.3



* [B.A.T.M.A.N.] [PATCHv3 4/6] batman-adv: extend the ap_isolation mechanism
  2013-11-16 11:03 [B.A.T.M.A.N.] [PATCHv3 0/5] Introducing the Extended-Isolation Antonio Quartulli
  2013-11-16 11:03 ` [B.A.T.M.A.N.] [PATCHv3 3/6] batman-adv: print the new BATADV_TT_CLIENT_ISOLA flag Antonio Quartulli
@ 2013-11-16 11:03 ` Antonio Quartulli
  2013-11-17  3:34   ` Marek Lindner
  2013-11-16 11:03 ` [B.A.T.M.A.N.] [PATCHv3 5/6] batman-adv: create helper function to get AP isolation status Antonio Quartulli
  2013-11-16 11:03 ` [B.A.T.M.A.N.] [PATCHv3 6/6] batman-adv: set the isolation mark in the skb if needed Antonio Quartulli
From: Antonio Quartulli @ 2013-11-16 11:03 UTC (permalink / raw)
  To: b.a.t.m.a.n; +Cc: Antonio Quartulli

From: Antonio Quartulli <antonio@open-mesh.com>

Change the AP isolation mechanism to not only "isolate" WIFI
clients but also all those marked with the more generic
"isolation flag" (BATADV_TT_CLIENT_ISOLA).

The result is that when AP isolation is on any unicast
packet originated by an "isolated" client and directed to
another "isolated" client is dropped at the source node.

Signed-off-by: Antonio Quartulli <antonio@open-mesh.com>
---
 translation-table.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/translation-table.c b/translation-table.c
index 09b1112..9c8d55f 100644
--- a/translation-table.c
+++ b/translation-table.c
@@ -1865,6 +1865,11 @@ _batadv_is_ap_isolated(struct batadv_tt_local_entry *tt_local_entry,
 	    tt_global_entry->common.flags & BATADV_TT_CLIENT_WIFI)
 		ret = true;
 
+	/* check if the two clients are marked as isolated */
+	if (tt_local_entry->common.flags & BATADV_TT_CLIENT_ISOLA &&
+	    tt_global_entry->common.flags & BATADV_TT_CLIENT_ISOLA)
+		ret = true;
+
 	return ret;
 }
 
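Review bot: the new condition mixes & and && without parentheses; it is correct because & binds tighter than &&, but `(tt_local_entry->common.flags & BATADV_TT_CLIENT_ISOLA) && (tt_global_entry->common.flags & BATADV_TT_CLIENT_ISOLA)` reads unambiguously (the WIFI check above appears to use the same style, so either fix both or leave both). It is also worth stating in the commit message that a WIFI client and an ISOLA-marked client are still allowed to talk to each other: only pairs of the same kind are dropped, which is what this hunk implements.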
-- 
1.8.4.3



* [B.A.T.M.A.N.] [PATCHv3 5/6] batman-adv: create helper function to get AP isolation status
  2013-11-16 11:03 [B.A.T.M.A.N.] [PATCHv3 0/5] Introducing the Extended-Isolation Antonio Quartulli
  2013-11-16 11:03 ` [B.A.T.M.A.N.] [PATCHv3 4/6] batman-adv: extend the ap_isolation mechanism Antonio Quartulli
@ 2013-11-16 11:03 ` Antonio Quartulli
  2013-11-17  3:35   ` Marek Lindner
  2013-11-16 11:03 ` [B.A.T.M.A.N.] [PATCHv3 6/6] batman-adv: set the isolation mark in the skb if needed Antonio Quartulli
From: Antonio Quartulli @ 2013-11-16 11:03 UTC (permalink / raw)
  To: b.a.t.m.a.n; +Cc: Antonio Quartulli

From: Antonio Quartulli <antonio@open-mesh.com>

The AP isolation status may be evaluated in different spots.
Create a helper function to avoid code duplication.

Signed-off-by: Antonio Quartulli <antonio@open-mesh.com>
---
 main.c              | 26 ++++++++++++++++++++++++++
 main.h              |  1 +
 translation-table.c | 13 +------------
 3 files changed, 28 insertions(+), 12 deletions(-)

diff --git a/main.c b/main.c
index d51bc5f..a7da5ea 100644
--- a/main.c
+++ b/main.c
@@ -1168,6 +1168,32 @@ unsigned short batadv_get_vid(struct sk_buff *skb, size_t header_len)
 	return vid;
 }
 
+/**
+ * batadv_vlan_ap_isola_get - return the AP isolation status for the given vlan
+ * @bat_priv: the bat priv with all the soft interface information
+ * @vid: the VLAN identifier for which the AP isolation attributed as to be
+ *  looked up
+ *
+ * Returns true if AP isolation is on for the VLAN idenfied by vid, false
+ * otherwise
+ */
+bool batadv_vlan_ap_isola_get(struct batadv_priv *bat_priv, unsigned short vid)
+{
+	bool ap_isolation_enabled = false;
+	struct batadv_softif_vlan *vlan;
+
+	/* if the AP isolation is requested on a VLAN, then check for its
+	 * setting in the proper VLAN private data structure
+	 */
+	vlan = batadv_softif_vlan_get(bat_priv, vid);
+	if (vlan) {
+		ap_isolation_enabled = atomic_read(&vlan->ap_isolation);
+		batadv_softif_vlan_free_ref(vlan);
+	}
+
+	return ap_isolation_enabled;
+}
+
 static int batadv_param_set_ra(const char *val, const struct kernel_param *kp)
 {
 	struct batadv_algo_ops *bat_algo_ops;
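Review bot: two typos in the kerneldoc: "the AP isolation attributed as to be looked up" should read "attribute has to be", and "idenfied" should be "identified". Returning atomic_read() through a bool works because ap_isolation is a 0/1 attribute, but `!!atomic_read(&vlan->ap_isolation)` makes that explicit.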
diff --git a/main.h b/main.h
index 6ee984c..e456762 100644
--- a/main.h
+++ b/main.h
@@ -367,5 +367,6 @@ void batadv_tvlv_unicast_send(struct batadv_priv *bat_priv, uint8_t *src,
 			      uint8_t *dst, uint8_t type, uint8_t version,
 			      void *tvlv_value, uint16_t tvlv_value_len);
 unsigned short batadv_get_vid(struct sk_buff *skb, size_t header_len);
+bool batadv_vlan_ap_isola_get(struct batadv_priv *bat_priv, unsigned short vid);
 
 #endif /* _NET_BATMAN_ADV_MAIN_H_ */
diff --git a/translation-table.c b/translation-table.c
index 9c8d55f..42c7664 100644
--- a/translation-table.c
+++ b/translation-table.c
@@ -1896,19 +1896,8 @@ struct batadv_orig_node *batadv_transtable_search(struct batadv_priv *bat_priv,
 	struct batadv_tt_global_entry *tt_global_entry = NULL;
 	struct batadv_orig_node *orig_node = NULL;
 	struct batadv_tt_orig_list_entry *best_entry;
-	bool ap_isolation_enabled = false;
-	struct batadv_softif_vlan *vlan;
-
-	/* if the AP isolation is requested on a VLAN, then check for its
-	 * setting in the proper VLAN private data structure
-	 */
-	vlan = batadv_softif_vlan_get(bat_priv, vid);
-	if (vlan) {
-		ap_isolation_enabled = atomic_read(&vlan->ap_isolation);
-		batadv_softif_vlan_free_ref(vlan);
-	}
 
-	if (src && ap_isolation_enabled) {
+	if (src && batadv_vlan_ap_isola_get(bat_priv, vid)) {
 		tt_local_entry = batadv_tt_local_hash_find(bat_priv, src, vid);
 		if (!tt_local_entry ||
 		    (tt_local_entry->common.flags & BATADV_TT_CLIENT_PENDING))
-- 
1.8.4.3



* [B.A.T.M.A.N.] [PATCHv3 6/6] batman-adv: set the isolation mark in the skb if needed
  2013-11-16 11:03 [B.A.T.M.A.N.] [PATCHv3 0/5] Introducing the Extended-Isolation Antonio Quartulli
  2013-11-16 11:03 ` [B.A.T.M.A.N.] [PATCHv3 5/6] batman-adv: create helper function to get AP isolation status Antonio Quartulli
@ 2013-11-16 11:03 ` Antonio Quartulli
  2013-11-17  3:37   ` Marek Lindner
From: Antonio Quartulli @ 2013-11-16 11:03 UTC (permalink / raw)
  To: b.a.t.m.a.n; +Cc: Antonio Quartulli

From: Antonio Quartulli <antonio@open-mesh.com>

If a broadcast packet is coming from a client marked as
isolated, then mark the skb using the isolation mark so
that netfilter (or any other application) can recognise
it.

The mark is written in the skb based on the mask value:
only bits set in the mask are substituted by those in the
mark value.

Signed-off-by: Antonio Quartulli <antonio@open-mesh.com>
---
 soft-interface.c    | 18 ++++++++++++++++--
 translation-table.c | 26 ++++++++++++++++++++++++++
 translation-table.h |  2 ++
 3 files changed, 44 insertions(+), 2 deletions(-)

diff --git a/soft-interface.c b/soft-interface.c
index 2d629ee..97441d8 100644
--- a/soft-interface.c
+++ b/soft-interface.c
@@ -390,9 +390,23 @@ void batadv_interface_rx(struct net_device *soft_iface,
 		batadv_tt_add_temporary_global_entry(bat_priv, orig_node,
 						     ethhdr->h_source, vid);
 
-	if (batadv_is_ap_isolated(bat_priv, ethhdr->h_source, ethhdr->h_dest,
-				  vid))
+	if (is_multicast_ether_addr(ethhdr->h_dest)) {
+		/* set the mark on broadcast packets if AP isolation is ON and
+		 * the packet is coming from an "isolated" client
+		 */
+		if (batadv_vlan_ap_isola_get(bat_priv, vid) &&
+		    batadv_tt_global_is_isolated(bat_priv, ethhdr->h_source,
+						 vid)) {
+			/* save bits in skb->mark not covered by the mask and
+			 * apply the mark on the rest
+			 */
+			skb->mark &= ~bat_priv->isolation_mark_mask;
+			skb->mark |= bat_priv->isolation_mark;
+		}
+	} else if (batadv_is_ap_isolated(bat_priv, ethhdr->h_source,
+					 ethhdr->h_dest, vid)) {
 		goto dropped;
+	}
 
 	netif_rx(skb);
 	goto out;
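Review bot: the mark applied here is the receiving node's own isolation_mark/isolation_mark_mask, driven by a flag learned through TT announcements from the originator, so the behaviour the cover letter describes only holds if every node in the mesh is configured with the same mark/mask; a node with a different or unset mark delivers the broadcast unmarked and any netfilter rule keyed on the mark silently does not apply. That deployment requirement belongs in the documentation. The check is is_multicast_ether_addr(), so multicast frames are marked as well as broadcast ones; the commit message and the comment say broadcast only, please align them. Since TT announcements are not authenticated, a netfilter policy built on this mark trusts every node in the mesh to set the ISOLA flag honestly; that is the existing batman-adv trust model, but worth a sentence for anyone writing such policies.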
diff --git a/translation-table.c b/translation-table.c
index 42c7664..f9a1fb4 100644
--- a/translation-table.c
+++ b/translation-table.c
@@ -3572,3 +3572,29 @@ int batadv_tt_init(struct batadv_priv *bat_priv)
 
 	return 1;
 }
+
+/**
+ * batadv_tt_global_is_isolated - check if a client is marked as isolated
+ * @bat_priv: the bat priv with all the soft interface information
+ * @addr: the mac address of the client
+ * @vid: the identifier of the VLAN where this client is connected
+ *
+ * Return true if the client is marked with the TT_CLIENT_ISOLA flag, flase
+ * otherwise
+ */
+bool batadv_tt_global_is_isolated(struct batadv_priv *bat_priv,
+				  const uint8_t *addr, unsigned short vid)
+{
+	struct batadv_tt_global_entry *tt;
+	bool ret;
+
+	tt = batadv_tt_global_hash_find(bat_priv, addr, vid);
+	if (!tt)
+		return false;
+
+	ret = tt->common.flags & BATADV_TT_CLIENT_ISOLA;
+
+	batadv_tt_global_entry_free_ref(tt);
+
+	return ret;
+}
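Review bot: typo in the kerneldoc, "flase" for "false", and "TT_CLIENT_ISOLA" should be the full BATADV_TT_CLIENT_ISOLA. `ret = tt->common.flags & BATADV_TT_CLIENT_ISOLA;` relies on the implicit int-to-bool conversion; `!!(tt->common.flags & BATADV_TT_CLIENT_ISOLA)` makes the intent explicit.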
diff --git a/translation-table.h b/translation-table.h
index 202c289..3ab8a7b 100644
--- a/translation-table.h
+++ b/translation-table.h
@@ -45,5 +45,7 @@ bool batadv_tt_add_temporary_global_entry(struct batadv_priv *bat_priv,
 					  struct batadv_orig_node *orig_node,
 					  const unsigned char *addr,
 					  unsigned short vid);
+bool batadv_tt_global_is_isolated(struct batadv_priv *bat_priv,
+				  const uint8_t *addr, unsigned short vid);
 
 #endif /* _NET_BATMAN_ADV_TRANSLATION_TABLE_H_ */
-- 
1.8.4.3



* Re: [B.A.T.M.A.N.] [PATCHv3 1/6] batman-adv: add isolation_mark sysfs attribute
  2013-11-16 11:03 ` [B.A.T.M.A.N.] [PATCHv3 1/6] batman-adv: add isolation_mark sysfs attribute Antonio Quartulli
@ 2013-11-17  3:30   ` Marek Lindner
From: Marek Lindner @ 2013-11-17  3:30 UTC (permalink / raw)
  To: b.a.t.m.a.n; +Cc: Antonio Quartulli, Antonio Quartulli


On Saturday 16 November 2013 12:03:47 Antonio Quartulli wrote:
> From: Antonio Quartulli <antonio@open-mesh.com>
> 
> This attribute can be used to set and read the value and the
> mask of the skb mark which will be used to classify the
> source non-mesh client as ISOLATED. In this way a client can
> be advertised as such and the mark can potentially be
> restored at the receiving node before delivering the skb.
> 
> This can be helpful for creating network wide netfilter
> policies.
> 
> This sysfs file expects a string of the shape "$mark/$mask",
> where $mark has to be a 32-bit number in any base, while
> $mask must be a 32-bit mask expressed in hex base. Only bits
> in $mark covered by the bitmask are really stored.
> 
> Signed-off-by: Antonio Quartulli <antonio@open-mesh.com>
> ---
>  soft-interface.c     |  2 ++
>  sysfs-class-net-mesh |  8 ++++++
>  sysfs.c              | 71 ++++++++++++++++++++++++++++++++++++++++++++++++++++
>  types.h              |  2 ++
>  4 files changed, 83 insertions(+)

Applied in revision e29249b.

Thanks,
Marek



* Re: [B.A.T.M.A.N.] [PATCHv3 2/6] batman-adv: mark a local client as isolated when needed
  2013-11-16 11:03 ` [B.A.T.M.A.N.] [PATCHv3 2/6] batman-adv: mark a local client as isolated when needed Antonio Quartulli
@ 2013-11-17  3:31   ` Marek Lindner
From: Marek Lindner @ 2013-11-17  3:31 UTC (permalink / raw)
  To: b.a.t.m.a.n; +Cc: Antonio Quartulli, Antonio Quartulli

On Saturday 16 November 2013 12:03:48 Antonio Quartulli wrote:
> From: Antonio Quartulli <antonio@open-mesh.com>
> 
> A client sending packets whose mark matches the value
> configured via sysfs has to be identified as isolated using
> the TT_CLIENT_ISOLA flag.
> 
> The match is mask based, meaning that only bits set in the
> mask are compared with those in the mark value.
> 
> If the configured mask is equal to 0 no operation is
> performed.
> 
> Such flag is then advertised within the classic client
> announcement mechanism.
> 
> Signed-off-by: Antonio Quartulli <antonio@open-mesh.com>
> ---
>  main.h              |  2 ++
>  packet.h            |  1 +
>  soft-interface.c    |  7 ++++---
>  translation-table.c | 16 +++++++++++++++-
>  translation-table.h |  2 +-
>  5 files changed, 23 insertions(+), 5 deletions(-)

Applied in revision a8c0e75.

Thanks,
Marek


* Re: [B.A.T.M.A.N.] [PATCHv3 3/6] batman-adv: print the new BATADV_TT_CLIENT_ISOLA flag
  2013-11-16 11:03 ` [B.A.T.M.A.N.] [PATCHv3 3/6] batman-adv: print the new BATADV_TT_CLIENT_ISOLA flag Antonio Quartulli
@ 2013-11-17  3:32   ` Marek Lindner
  0 siblings, 0 replies; 13+ messages in thread
From: Marek Lindner @ 2013-11-17  3:32 UTC (permalink / raw)
  To: b.a.t.m.a.n; +Cc: Antonio Quartulli, Antonio Quartulli

On Saturday 16 November 2013 12:03:49 Antonio Quartulli wrote:
> From: Antonio Quartulli <antonio@open-mesh.com>
> 
> Print the new BATADV_TT_CLIENT_ISOLA flag properly in the
> Local and Global Translation Table output.
> 
> The character 'I' is used in the flags column to indicate
> that the entry is marked as isolated.
> 
> Signed-off-by: Antonio Quartulli <antonio@open-mesh.com>
> ---
>  translation-table.c | 12 ++++++++----
>  1 file changed, 8 insertions(+), 4 deletions(-)

Applied in revision febf510.

Thanks,
Marek


* Re: [B.A.T.M.A.N.] [PATCHv3 4/6] batman-adv: extend the ap_isolation mechanism
  2013-11-16 11:03 ` [B.A.T.M.A.N.] [PATCHv3 4/6] batman-adv: extend the ap_isolation mechanism Antonio Quartulli
@ 2013-11-17  3:34   ` Marek Lindner
  0 siblings, 0 replies; 13+ messages in thread
From: Marek Lindner @ 2013-11-17  3:34 UTC (permalink / raw)
  To: b.a.t.m.a.n; +Cc: Antonio Quartulli, Antonio Quartulli

On Saturday 16 November 2013 12:03:50 Antonio Quartulli wrote:
> From: Antonio Quartulli <antonio@open-mesh.com>
> 
> Change the AP isolation mechanism to not only "isolate" WIFI
> clients but also all those marked with the more generic
> "isolation flag" (BATADV_TT_CLIENT_ISOLA).
> 
> The result is that when AP isolation is on any unicast
> packet originated by an "isolated" client and directed to
> another "isolated" client is dropped at the source node.
> 
> Signed-off-by: Antonio Quartulli <antonio@open-mesh.com>
> ---
>  translation-table.c | 5 +++++
>  1 file changed, 5 insertions(+)

Applied in revision ae95c4e.

Thanks,
Marek


* Re: [B.A.T.M.A.N.] [PATCHv3 5/6] batman-adv: create helper function to get AP isolation status
  2013-11-16 11:03 ` [B.A.T.M.A.N.] [PATCHv3 5/6] batman-adv: create helper function to get AP isolation status Antonio Quartulli
@ 2013-11-17  3:35   ` Marek Lindner
  0 siblings, 0 replies; 13+ messages in thread
From: Marek Lindner @ 2013-11-17  3:35 UTC (permalink / raw)
  To: b.a.t.m.a.n; +Cc: Antonio Quartulli, Antonio Quartulli

On Saturday 16 November 2013 12:03:51 Antonio Quartulli wrote:
> From: Antonio Quartulli <antonio@open-mesh.com>
> 
> The AP isolation status may be evaluated in different spots.
> Create a helper function to avoid code duplication.
> 
> Signed-off-by: Antonio Quartulli <antonio@open-mesh.com>
> ---
>  main.c              | 26 ++++++++++++++++++++++++++
>  main.h              |  1 +
>  translation-table.c | 13 +------------
>  3 files changed, 28 insertions(+), 12 deletions(-)

Applied in revision ceb002c.

Thanks,
Marek


* Re: [B.A.T.M.A.N.] [PATCHv3 6/6] batman-adv: set the isolation mark in the skb if needed
  2013-11-16 11:03 ` [B.A.T.M.A.N.] [PATCHv3 6/6] batman-adv: set the isolation mark in the skb if needed Antonio Quartulli
@ 2013-11-17  3:37   ` Marek Lindner
  0 siblings, 0 replies; 13+ messages in thread
From: Marek Lindner @ 2013-11-17  3:37 UTC (permalink / raw)
  To: b.a.t.m.a.n; +Cc: Antonio Quartulli, Antonio Quartulli

On Saturday 16 November 2013 12:03:52 Antonio Quartulli wrote:
> From: Antonio Quartulli <antonio@open-mesh.com>
> 
> If a broadcast packet is coming from a client marked as
> isolated, then mark the skb using the isolation mark so
> that netfilter (or any other application) can recognise
> them.
> 
> The mark is written in the skb based on the mask value:
> only bits set in the mask are substituted by those in the
> mark value.
> 
> Signed-off-by: Antonio Quartulli <antonio@open-mesh.com>
> ---
>  soft-interface.c    | 18 ++++++++++++++++--
>  translation-table.c | 26 ++++++++++++++++++++++++++
>  translation-table.h |  2 ++
>  3 files changed, 44 insertions(+), 2 deletions(-)

Applied in revision 6fa38a2.

Thanks,
Marek
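The mark/mask semantics spelled out in patches 1/6, 2/6 and 6/6 (the "$mark/$mask" sysfs string with the mask defaulting to 0xFFFFFFFF, the mask-based match that is skipped when the mask is 0, and restoring only the masked bits on the receiving node), as an added user-space model in C. This is not batman-adv code: the struct, function names and the 0/-1 return convention are assumptions for illustration.

```c
/* Added example, not batman-adv code: a user-space model of the
 * isolation_mark "$mark/$mask" semantics discussed in the thread. */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct isolation_mark {
	uint32_t mark;	/* only the bits covered by mask are stored */
	uint32_t mask;
};

/* Parse "$mark[/$mask]": mark in any base (strtoul base 0), mask in hex;
 * a missing mask defaults to 0xFFFFFFFF. Returns 0 on success, -1 on a
 * malformed string. Hypothetical helper mirroring what the commit
 * message says store_isolation_mark() accepts. */
int isolation_mark_parse(const char *str, struct isolation_mark *im)
{
	const char *slash = strchr(str, '/');
	unsigned long mark, mask = 0xFFFFFFFFUL;
	char *end;

	errno = 0;
	mark = strtoul(str, &end, 0);
	if (errno || end == str || (slash ? end != slash : *end != '\0'))
		return -1;
	if (slash) {
		mask = strtoul(slash + 1, &end, 16);
		if (errno || end == slash + 1 || *end != '\0')
			return -1;
	}
	if (mark > UINT32_MAX || mask > UINT32_MAX)
		return -1;
	im->mask = (uint32_t)mask;
	im->mark = (uint32_t)mark & im->mask;	/* keep masked bits only */
	return 0;
}

/* Patch 2/6: a client is ISOLATED when the masked bits of its skb mark
 * equal the configured value; a mask of 0 disables the check. */
int isolation_mark_matches(const struct isolation_mark *im, uint32_t skb_mark)
{
	if (!im->mask)
		return 0;
	return (skb_mark & im->mask) == im->mark;
}

/* Patch 6/6: write the mark back on the receiver, replacing only the
 * bits set in the mask and leaving every other bit untouched. */
uint32_t isolation_mark_apply(const struct isolation_mark *im, uint32_t skb_mark)
{
	return (skb_mark & ~im->mask) | im->mark;
}
```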

