linux-wireless.vger.kernel.org archive mirror
* Re: [PATCH 1/2] cfg80211: add ap isolation support
  2010-04-26 23:23 [PATCH 1/2] cfg80211: add ap isolation support Felix Fietkau
@ 2010-04-26 23:23 ` John W. Linville
  2010-04-26 23:30   ` Felix Fietkau
  2010-04-27  0:09   ` Bruno Randolf
  2010-04-26 23:23 ` [PATCH 2/2] mac80211: implement " Felix Fietkau
  1 sibling, 2 replies; 11+ messages in thread
From: John W. Linville @ 2010-04-26 23:23 UTC (permalink / raw)
  To: Felix Fietkau; +Cc: linux-wireless, johannes

On Tue, Apr 27, 2010 at 01:23:35AM +0200, Felix Fietkau wrote:
> This is used to configure APs to not bridge traffic between connected stations.
> 
> Signed-off-by: Felix Fietkau <nbd@openwrt.org>

Is this useful?

-- 
John W. Linville                Someday the world will need a hero, and you
linville@tuxdriver.com                  might be all we have.  Be ready.


* [PATCH 1/2] cfg80211: add ap isolation support
@ 2010-04-26 23:23 Felix Fietkau
  2010-04-26 23:23 ` John W. Linville
  2010-04-26 23:23 ` [PATCH 2/2] mac80211: implement " Felix Fietkau
  0 siblings, 2 replies; 11+ messages in thread
From: Felix Fietkau @ 2010-04-26 23:23 UTC (permalink / raw)
  To: linux-wireless; +Cc: linville, johannes, Felix Fietkau

This is used to configure APs to not bridge traffic between connected stations.

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
---
 include/linux/nl80211.h |    5 +++++
 include/net/cfg80211.h  |    2 ++
 net/wireless/nl80211.c  |    4 ++++
 3 files changed, 11 insertions(+), 0 deletions(-)

diff --git a/include/linux/nl80211.h b/include/linux/nl80211.h
index 2ea3ede..f8750f9 100644
--- a/include/linux/nl80211.h
+++ b/include/linux/nl80211.h
@@ -709,6 +709,9 @@ enum nl80211_commands {
  *	NL80211_CMD_AUTHENTICATE, NL80211_CMD_DEAUTHENTICATE,
  *	NL80211_CMD_DISASSOCIATE.
  *
+ * @NL80211_ATTR_AP_ISOLATE: (AP mode) Do not forward traffic between stations
+ *	connected to this BSS.
+ *
  * @NL80211_ATTR_MAX: highest attribute number currently defined
  * @__NL80211_ATTR_AFTER_LAST: internal use
  */
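Review bot: the new kernel-doc entry for NL80211_ATTR_AP_ISOLATE does not give the attribute's type or value convention. The policy added later in this patch declares it NLA_U8 and nl80211_set_bss() collapses it with !!, so the comment should say it is a u8 where 0 re-enables forwarding and any non-zero value enables isolation. It would also help to state which frames "traffic" covers (unicast, multicast, or both), since that decides what an operator can rely on when enabling it.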
@@ -864,6 +867,8 @@ enum nl80211_attrs {
 
 	NL80211_ATTR_LOCAL_STATE_CHANGE,
 
+	NL80211_ATTR_AP_ISOLATE,
+
 	/* add attributes here, update the policy in nl80211.c */
 
 	__NL80211_ATTR_AFTER_LAST,
diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h
index 5a4efe5..f6b29bf 100644
--- a/include/net/cfg80211.h
+++ b/include/net/cfg80211.h
@@ -511,6 +511,7 @@ struct mpath_info {
  * @basic_rates: basic rates in IEEE 802.11 format
  *	(or NULL for no change)
  * @basic_rates_len: number of basic rates
+ * @ap_isolate: do not forward packets between connected stations
  */
 struct bss_parameters {
 	int use_cts_prot;
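Review bot: the @ap_isolate description omits the "no change" value. nl80211_set_bss() initialises the field to -1 in this patch, and the neighbouring @basic_rates entry documents its own sentinel as "(or NULL for no change)". Add the equivalent here, for example "(0 = no, 1 = yes, -1 = do not change)", so that a driver author does not test the field for truth and treat -1 as "isolate".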
@@ -518,6 +519,7 @@ struct bss_parameters {
 	int use_short_slot_time;
 	u8 *basic_rates;
 	u8 basic_rates_len;
+	int ap_isolate;
 };
 
 struct mesh_config {
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 356a84a..01da83d 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -152,6 +152,7 @@ static const struct nla_policy nl80211_policy[NL80211_ATTR_MAX+1] = {
 	[NL80211_ATTR_PS_STATE] = { .type = NLA_U32 },
 	[NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
 	[NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
+	[NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
 };
 
 /* policy for the attributes */
@@ -2442,6 +2443,7 @@ static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
 	params.use_cts_prot = -1;
 	params.use_short_preamble = -1;
 	params.use_short_slot_time = -1;
+	params.ap_isolate = -1;
 
 	if (info->attrs[NL80211_ATTR_BSS_CTS_PROT])
 		params.use_cts_prot =
@@ -2458,6 +2460,8 @@ static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
 		params.basic_rates_len =
 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
 	}
+	if (info->attrs[NL80211_ATTR_AP_ISOLATE])
+		params.ap_isolate = !!nla_get_u8(info->attrs[NL80211_ATTR_AP_ISOLATE]);
 
 	rtnl_lock();
 
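Review bot: the added attribute handling before rtnl_lock() has no way to fail when the driver does not implement isolation. The value is only copied into params.ap_isolate, so a change_bss implementation that never reads the new field would report success while stations are still bridged. Consider a capability check that rejects NL80211_ATTR_AP_ISOLATE for such drivers. Style: the added assignment runs past 80 columns; wrap it after the '=' as the basic_rates_len assignment just above does.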
-- 
1.6.4.2



* [PATCH 2/2] mac80211: implement ap isolation support
  2010-04-26 23:23 [PATCH 1/2] cfg80211: add ap isolation support Felix Fietkau
  2010-04-26 23:23 ` John W. Linville
@ 2010-04-26 23:23 ` Felix Fietkau
  1 sibling, 0 replies; 11+ messages in thread
From: Felix Fietkau @ 2010-04-26 23:23 UTC (permalink / raw)
  To: linux-wireless; +Cc: linville, johannes, Felix Fietkau

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
---
 net/mac80211/cfg.c |    7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index 845a6e6..b6fed60 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -1115,6 +1115,13 @@ static int ieee80211_change_bss(struct wiphy *wiphy,
 		changed |= BSS_CHANGED_BASIC_RATES;
 	}
 
+	if (params->ap_isolate >= 0) {
+		if (params->ap_isolate)
+			sdata->flags |= IEEE80211_SDATA_DONT_BRIDGE_PACKETS;
+		else
+			sdata->flags &= ~IEEE80211_SDATA_DONT_BRIDGE_PACKETS;
+	}
+
 	ieee80211_bss_info_change_notify(sdata, changed);
 
 	return 0;
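Review bot: the added block in ieee80211_change_bss() changes sdata->flags but leaves `changed` untouched, so ieee80211_bss_info_change_notify() is called with no bit describing the isolation change. If that is intentional because the flag is consumed only inside mac80211, say so in a comment or in the changelog, which currently has no body. The changelog should also name where IEEE80211_SDATA_DONT_BRIDGE_PACKETS is enforced, since this patch only toggles it and touches net/mac80211/cfg.c alone.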
-- 
1.6.4.2



* Re: [PATCH 1/2] cfg80211: add ap isolation support
  2010-04-26 23:23 ` John W. Linville
@ 2010-04-26 23:30   ` Felix Fietkau
  2010-04-27  0:12     ` John W. Linville
  2010-04-27  0:09   ` Bruno Randolf
  1 sibling, 1 reply; 11+ messages in thread
From: Felix Fietkau @ 2010-04-26 23:30 UTC (permalink / raw)
  To: John W. Linville; +Cc: linux-wireless, johannes

On 2010-04-27 1:23 AM, John W. Linville wrote:
> On Tue, Apr 27, 2010 at 01:23:35AM +0200, Felix Fietkau wrote:
>> This is used to configure APs to not bridge traffic between connected stations.
>> 
>> Signed-off-by: Felix Fietkau <nbd@openwrt.org>
> 
> Is this useful?
Yes, if you have an AP with lots of users that aren't expected to
communicate with each other (e.g. only for internet access), it can save
a lot of airtime by not forwarding every broadcast message emitted from
any station.
I'm sure there are more situations where this can be useful.

- Felix


* Re: [PATCH 1/2] cfg80211: add ap isolation support
  2010-04-26 23:23 ` John W. Linville
  2010-04-26 23:30   ` Felix Fietkau
@ 2010-04-27  0:09   ` Bruno Randolf
  1 sibling, 0 replies; 11+ messages in thread
From: Bruno Randolf @ 2010-04-27  0:09 UTC (permalink / raw)
  To: John W. Linville; +Cc: linux-wireless, johannes

On Tuesday 27 April 2010 08:23:33 you wrote:
> On Tue, Apr 27, 2010 at 01:23:35AM +0200, Felix Fietkau wrote:
> > This is used to configure APs to not bridge traffic between connected
> > stations.
> > 
> > Signed-off-by: Felix Fietkau <nbd@openwrt.org>
> 
> Is this useful?

oh, yes! especially when you set up hotspots for internet access only.

bruno


* Re: [PATCH 1/2] cfg80211: add ap isolation support
  2010-04-26 23:30   ` Felix Fietkau
@ 2010-04-27  0:12     ` John W. Linville
  2010-04-27  0:25       ` Luis R. Rodriguez
  0 siblings, 1 reply; 11+ messages in thread
From: John W. Linville @ 2010-04-27  0:12 UTC (permalink / raw)
  To: Felix Fietkau; +Cc: linux-wireless, johannes

On Tue, Apr 27, 2010 at 01:30:02AM +0200, Felix Fietkau wrote:
> On 2010-04-27 1:23 AM, John W. Linville wrote:
> > On Tue, Apr 27, 2010 at 01:23:35AM +0200, Felix Fietkau wrote:
> >> This is used to configure APs to not bridge traffic between connected stations.
> >> 
> >> Signed-off-by: Felix Fietkau <nbd@openwrt.org>
> > 
> > Is this useful?
> Yes, if you have an AP with lots of users that aren't expected to
> communicate with each other (e.g. only for internet access), it can save
> a lot of airtime by not forwarding every broadcast message emitted from
> any station.
> I'm sure there are more situations where this can be useful.

Ah, OK -- I suppose that makes sense.

John
-- 
John W. Linville                Someday the world will need a hero, and you
linville@tuxdriver.com                  might be all we have.  Be ready.


* Re: [PATCH 1/2] cfg80211: add ap isolation support
  2010-04-27  0:12     ` John W. Linville
@ 2010-04-27  0:25       ` Luis R. Rodriguez
  2010-04-27  1:34         ` Luis R. Rodriguez
  0 siblings, 1 reply; 11+ messages in thread
From: Luis R. Rodriguez @ 2010-04-27  0:25 UTC (permalink / raw)
  To: John W. Linville; +Cc: Felix Fietkau, linux-wireless, johannes

On Mon, Apr 26, 2010 at 5:12 PM, John W. Linville
<linville@tuxdriver.com> wrote:
> On Tue, Apr 27, 2010 at 01:30:02AM +0200, Felix Fietkau wrote:
>> On 2010-04-27 1:23 AM, John W. Linville wrote:
>> > On Tue, Apr 27, 2010 at 01:23:35AM +0200, Felix Fietkau wrote:
>> >> This is used to configure APs to not bridge traffic between connected stations.
>> >>
>> >> Signed-off-by: Felix Fietkau <nbd@openwrt.org>
>> >
>> > Is this useful?
>> Yes, if you have an AP with lots of users that aren't expected to
>> communicate with each other (e.g. only for internet access), it can save
>> a lot of airtime by not forwarding every broadcast message emitted from
>> any station.
>> I'm sure there are more situations where this can be useful.
>
> Ah, OK -- I suppose that makes sense.

In fact technically IEEE-802.11 2007 section 11.7 states "STAs are not
allowed to transmit frames directly to other STAs in a BSS and should
always rely on the AP for the delivery of the frames", with the
exception being using DLS direct links for QoS STAs.  This would prevent
the STAs from going into PS mode for the duration of the stream.

If the AP does not support this it would just set the result code for
DLS requests to "Not allowed in the BSS". It does not seem the
standard has a way for an AP to tear down an existing DLS link though
(at no reason code for it), so I guess if we ever support DLS we won't
be able to enable this option if a direct link is already
established.

  Luis


* Re: [PATCH 1/2] cfg80211: add ap isolation support
  2010-04-27  0:25       ` Luis R. Rodriguez
@ 2010-04-27  1:34         ` Luis R. Rodriguez
  2010-04-27  1:42           ` Felix Fietkau
  0 siblings, 1 reply; 11+ messages in thread
From: Luis R. Rodriguez @ 2010-04-27  1:34 UTC (permalink / raw)
  To: John W. Linville, Jouni Malinen; +Cc: Felix Fietkau, linux-wireless, johannes

On Mon, Apr 26, 2010 at 5:25 PM, Luis R. Rodriguez <mcgrof@gmail.com> wrote:
> On Mon, Apr 26, 2010 at 5:12 PM, John W. Linville
> <linville@tuxdriver.com> wrote:
>> On Tue, Apr 27, 2010 at 01:30:02AM +0200, Felix Fietkau wrote:
>>> On 2010-04-27 1:23 AM, John W. Linville wrote:
>>> > On Tue, Apr 27, 2010 at 01:23:35AM +0200, Felix Fietkau wrote:
>>> >> This is used to configure APs to not bridge traffic between connected stations.
>>> >>
>>> >> Signed-off-by: Felix Fietkau <nbd@openwrt.org>
>>> >
>>> > Is this useful?
>>> Yes, if you have an AP with lots of users that aren't expected to
>>> communicate with each other (e.g. only for internet access), it can save
>>> a lot of airtime by not forwarding every broadcast message emitted from
>>> any station.
>>> I'm sure there are more situations where this can be useful.
>>
>> Ah, OK -- I suppose that makes sense.
>
> In fact technically IEEE-802.11 2007 section 11.7 states "STAs are not
> allowed to transmit frames directly to other STAs in a BSS and should
> always rely on the AP for the delivery of the frames", with the
> exception being using DLS direct links for QoS STAs.  This would prevent
> the STAs from going into PS mode for the duration of the stream.
>
> If the AP does not support this it would just set the result code for
> DLS requests to "Not allowed in the BSS". It does not seem the
> standard has a way for an AP to tear down an existing DLS link though
> (at no reason code for it), so I guess if we ever support DLS we won't
> be able to enable this option if a direct link is already
> established.

Now that I think about it, why is this even required, why not just
enforce this all the time and have an option to disable DLS? Are there
ways to enable direct STA <--> STA communication on a BSS other than
DLS?

  Luis


* Re: [PATCH 1/2] cfg80211: add ap isolation support
  2010-04-27  1:34         ` Luis R. Rodriguez
@ 2010-04-27  1:42           ` Felix Fietkau
  2010-04-27  1:53             ` Luis R. Rodriguez
  0 siblings, 1 reply; 11+ messages in thread
From: Felix Fietkau @ 2010-04-27  1:42 UTC (permalink / raw)
  To: Luis R. Rodriguez
  Cc: John W. Linville, Jouni Malinen, linux-wireless, johannes

On 2010-04-27 3:34 AM, Luis R. Rodriguez wrote:
> On Mon, Apr 26, 2010 at 5:25 PM, Luis R. Rodriguez <mcgrof@gmail.com> wrote:
>> On Mon, Apr 26, 2010 at 5:12 PM, John W. Linville
>> <linville@tuxdriver.com> wrote:
>>> On Tue, Apr 27, 2010 at 01:30:02AM +0200, Felix Fietkau wrote:
>>>> On 2010-04-27 1:23 AM, John W. Linville wrote:
>>>> > On Tue, Apr 27, 2010 at 01:23:35AM +0200, Felix Fietkau wrote:
>>>> >> This is used to configure APs to not bridge traffic between connected stations.
>>>> >>
>>>> >> Signed-off-by: Felix Fietkau <nbd@openwrt.org>
>>>> >
>>>> > Is this useful?
>>>> Yes, if you have an AP with lots of users that aren't expected to
>>>> communicate with each other (e.g. only for internet access), it can save
>>>> a lot of airtime by not forwarding every broadcast message emitted from
>>>> any station.
>>>> I'm sure there are more situations where this can be useful.
>>>
>>> Ah, OK -- I suppose that makes sense.
>>
>> In fact technically IEEE-802.11 2007 section 11.7 states "STAs are not
>> allowed to transmit frames directly to other STAs in a BSS and should
>> always rely on the AP for the delivery of the frames", with the
>> exception being using DLS direct links for QoS STAs.  This would prevent
>> the STAs from going into PS mode for the duration of the stream.
>>
>> If the AP does not support this it would just set the result code for
>> DLS requests to "Not allowed in the BSS". It does not seem the
>> standard has a way for an AP to tear down an existing DLS link though
>> (at no reason code for it), so I guess if we ever support DLS we won't
>> be able to enable this option if a direct link is already
>> established.
> 
> Now that I think about it, why is this even required, why not just
> enforce this all the time and have an option to disable DLS? Are there
> ways to enable direct STA <--> STA communication on a BSS other than
> DLS?
I think allowing/disallowing DLS should be separate from AP isolation.
In some cases, AP isolation might only be used to reduce the amount of
broadcast traffic, and DLS wouldn't be a problem then.

- Felix


* Re: [PATCH 1/2] cfg80211: add ap isolation support
  2010-04-27  1:42           ` Felix Fietkau
@ 2010-04-27  1:53             ` Luis R. Rodriguez
  2010-04-27  6:22               ` Johannes Berg
  0 siblings, 1 reply; 11+ messages in thread
From: Luis R. Rodriguez @ 2010-04-27  1:53 UTC (permalink / raw)
  To: Felix Fietkau; +Cc: John W. Linville, Jouni Malinen, linux-wireless, johannes

On Mon, Apr 26, 2010 at 6:42 PM, Felix Fietkau <nbd@openwrt.org> wrote:
> On 2010-04-27 3:34 AM, Luis R. Rodriguez wrote:
>> On Mon, Apr 26, 2010 at 5:25 PM, Luis R. Rodriguez <mcgrof@gmail.com> wrote:
>>> On Mon, Apr 26, 2010 at 5:12 PM, John W. Linville
>>> <linville@tuxdriver.com> wrote:
>>>> On Tue, Apr 27, 2010 at 01:30:02AM +0200, Felix Fietkau wrote:
>>>>> On 2010-04-27 1:23 AM, John W. Linville wrote:
>>>>> > On Tue, Apr 27, 2010 at 01:23:35AM +0200, Felix Fietkau wrote:
>>>>> >> This is used to configure APs to not bridge traffic between connected stations.
>>>>> >>
>>>>> >> Signed-off-by: Felix Fietkau <nbd@openwrt.org>
>>>>> >
>>>>> > Is this useful?
>>>>> Yes, if you have an AP with lots of users that aren't expected to
>>>>> communicate with each other (e.g. only for internet access), it can save
>>>>> a lot of airtime by not forwarding every broadcast message emitted from
>>>>> any station.
>>>>> I'm sure there are more situations where this can be useful.
>>>>
>>>> Ah, OK -- I suppose that makes sense.
>>>
>>> In fact technically IEEE-802.11 2007 section 11.7 states "STAs are not
>>> allowed to transmit frames directly to other STAs in a BSS and should
>>> always rely on the AP for the delivery of the frames", with the
>>> exception being using DLS direct links for QoS STAs.  This would prevent
>>> the STAs from going into PS mode for the duration of the stream.
>>>
>>> If the AP does not support this it would just set the result code for
>>> DLS requests to "Not allowed in the BSS". It does not seem the
>>> standard has a way for an AP to tear down an existing DLS link though
>>> (at no reason code for it), so I guess if we ever support DLS we won't
>>> be able to enable this option if a direct link is already
>>> established.
>>
>> Now that I think about it, why is this even required, why not just
>> enforce this all the time and have an option to disable DLS? Are there
>> ways to enable direct STA <--> STA communication on a BSS other than
>> DLS?
> I think allowing/disallowing DLS should be separate from AP isolation.
> In some cases, AP isolation might only be used to reduce the amount of
> broadcast traffic, and DLS wouldn't be a problem then.

So the other way for an AP to forward traffic from STAs on the BSS to
others is to transmit broadcast frames and the purpose of this patch
is to disable that? If so can the description of the command be a
little more descriptive about this? Perhaps annotating that other
communication would not be done unless DLS links are created?

  Luis


* Re: [PATCH 1/2] cfg80211: add ap isolation support
  2010-04-27  1:53             ` Luis R. Rodriguez
@ 2010-04-27  6:22               ` Johannes Berg
  0 siblings, 0 replies; 11+ messages in thread
From: Johannes Berg @ 2010-04-27  6:22 UTC (permalink / raw)
  To: Luis R. Rodriguez
  Cc: Felix Fietkau, John W. Linville, Jouni Malinen, linux-wireless

On Mon, 2010-04-26 at 18:53 -0700, Luis R. Rodriguez wrote:

> >>>>> Yes, if you have an AP with lots of users that aren't expected to
> >>>>> communicate with each other (e.g. only for internet access), it can save
> >>>>> a lot of airtime by not forwarding every broadcast message emitted from
> >>>>> any station.
> >>>>> I'm sure there are more situations where this can be useful.


> So the other way for an AP to forward traffic from STAs on the BSS to
> others is to transmit broadcast frames and the purpose of this patch
> is to disable that? If so can the description of the command be a
> little more descriptive about this? Perhaps annotating that other
> communication would not be done unless DLS links are created?

The broadcast thing is a red herring. This applies also to unicast
frames sent between stations.

Basically what this patch does is restrict the network segment to each
station. You can send and receive multicast frames to/from the wired
network, but you would typically attach an AP like this to its own
network segment. And you can send/receive unicast frames, but not to
other stations on the AP. Or think of it as restricting the broadcast
domain. Or, another more expensive way to implement this would be to put
each station into its own VLAN (which should actually be feasible in
practice too).

johannes
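
The forwarding rule described in the message above, as a small stand-alone C model added here for illustration; it is not mac80211 code and not part of the thread. `ap_model`, `ap_set_isolate`, `ap_forward_from_sta` and the sample MAC addresses are constructed for the example. It shows that isolation affects station-to-station unicast and broadcast alike, and that a negative parameter leaves the setting unchanged, as in the patch.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model only: every name here is hypothetical, none is a mac80211 symbol. */
enum { TO_NONE = 0, TO_WIRED = 1, TO_WIRELESS = 2 };

struct ap_model {
	bool isolate;		/* true = do not bridge between stations */
	uint8_t sta[2][6];	/* MAC addresses of associated stations */
	int n_sta;
};

/* Constructed sample addresses (locally administered). */
static const uint8_t STA_B[6] = {0x02, 0, 0, 0, 0, 0x0b};
static const uint8_t WIRED_HOST[6] = {0x02, 0, 0, 0, 0, 0x01};
static const uint8_t BCAST[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};

static struct ap_model sample_ap(void)
{
	struct ap_model ap = { .n_sta = 2,
		.sta = { {0x02, 0, 0, 0, 0, 0x0a}, {0x02, 0, 0, 0, 0, 0x0b} } };
	return ap;
}

static bool is_multicast(const uint8_t *mac) { return mac[0] & 0x01; }
static bool is_associated(const struct ap_model *ap, const uint8_t *mac)
{
	for (int i = 0; i < ap->n_sta; i++)
		if (!memcmp(ap->sta[i], mac, 6))
			return true;
	return false;
}

/* Tri-state update as in the patch: a negative value means "no change". */
static void ap_set_isolate(struct ap_model *ap, int param)
{
	if (param >= 0)
		ap->isolate = !!param;
}

/* Where may a frame received from an associated station be forwarded? */
static int ap_forward_from_sta(const struct ap_model *ap, const uint8_t *dst)
{
	if (is_multicast(dst))	/* broadcast is a multicast address too */
		return ap->isolate ? TO_WIRED : (TO_WIRED | TO_WIRELESS);
	if (is_associated(ap, dst))
		return ap->isolate ? TO_NONE : TO_WIRELESS;
	return TO_WIRED;	/* unicast to a host on the wired side */
}

int main(void)
{
	struct ap_model ap = sample_ap();
	ap_set_isolate(&ap, 1);
	printf("sta->sta %d, broadcast %d, sta->wired %d\n",
	       ap_forward_from_sta(&ap, STA_B), ap_forward_from_sta(&ap, BCAST),
	       ap_forward_from_sta(&ap, WIRED_HOST));
}
```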

