[OpenWrt-Devel] hostapd and Linux bridges

Daniel Golle daniel at makrotopia.org
Tue Jan 21 13:19:33 EST 2020


I was trying to use client isolation on a dual-band router running
OpenWrt and ran into a rather trivial problem:
Despite hostapd supporting client isolation (ap_isolate=1), on devices
with multiple radios (dual-band or tri-band) this alone won't have the
desired effect as AP interfaces typically are put into the same Linux
bridge (i.e. bridge=foo is set to the same value for all APs across
different bands). Hence, clients of one AP interface would still be
able to communicate with clients of another AP interface within the
same bridge.
Linux's bridge code does support port isolation, which would complement
wireless client isolation; however, in its current implementation
hostapd only uses the SIOCBRADDIF ioctl to put the interface into the
selected bridge and lacks support to enable bridge port isolation for
that interface.
To resolve this, I suggest adding netlink code to hostapd to allow
setting port isolation using the IFLA_BRPORT_ISOLATED attribute.

Doing this with external tools (iproute2 'bridge') is not feasible as
they are typically unavailable on small embedded devices (think: 8MB
of flash total; adding the iproute2 'bridge' tool with all its
dependencies would add hundreds of kB) and would also need to be
triggered somehow, which in the end would be just as complicated as
issuing that netlink call inside hostapd.
On proprietary APs it looks like port isolation is enabled or disabled
globally in Linux's bridge code using sysctl or other methods, an
approach which is unlikely to get accepted into the kernel, also given
that the netlink interface already exists and allows doing the same
thing in a more granular fashion.

Please let me know if you agree with my analysis of the current
situation -- maybe I've missed something obvious -- and if adding the
netlink code to also set IFLA_BRPORT_ISOLATED in case ap_isolate=1
sounds agreeable to you.

Thank you!

Best regards

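As an added example, not hostapd's code and not part of the mail above, this is the rtnetlink request the proposal describes, built and sent the same way iproute2's `bridge link set dev <port> isolated on` does it: an RTM_SETLINK with family AF_BRIDGE and a nested IFLA_PROTINFO carrying a u8 IFLA_BRPORT_ISOLATED. It assumes a kernel whose bridge supports isolated ports (Linux 4.18 and later) and that the AP interface has already been put into the bridge, as hostapd does with SIOCBRADDIF. The function and type names (`brport_req`, `build_brport_isolated_msg`, `built_isolated_flag`, `set_bridge_port_isolated`) are this example's own, not hostapd's.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <net/if.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>
#include <linux/if_link.h>

#ifndef IFLA_BRPORT_ISOLATED /* pre-4.18 UAPI headers; the value is stable */
#define IFLA_BRPORT_ISOLATED 33
#endif

/* nlmsghdr + ifinfomsg + room for the nested IFLA_PROTINFO attribute. */
struct brport_req {
	struct nlmsghdr nh;
	struct ifinfomsg ifi;
	char attrs[64];
};

static struct rtattr *tail(struct nlmsghdr *nh)
{
	return (struct rtattr *)((char *)nh + NLMSG_ALIGN(nh->nlmsg_len));
}

/* Append one rtattr; -1 if it would overflow the fixed-size request. */
static int put_attr(struct brport_req *req, unsigned short type, const void *data, size_t len)
{
	struct rtattr *rta = tail(&req->nh);
	if (NLMSG_ALIGN(req->nh.nlmsg_len) + RTA_ALIGN(RTA_LENGTH(len)) > sizeof(*req))
		return -1;
	rta->rta_type = type;
	rta->rta_len = RTA_LENGTH(len);
	if (len)
		memcpy(RTA_DATA(rta), data, len);
	req->nh.nlmsg_len = NLMSG_ALIGN(req->nh.nlmsg_len) + RTA_ALIGN(rta->rta_len);
	return 0;
}

/* Same RTM_SETLINK that "bridge link set dev <port> isolated on|off" sends:
 * family AF_BRIDGE, the port's ifindex, nested IFLA_PROTINFO with a u8
 * IFLA_BRPORT_ISOLATED. The kernel hands it to the bridge's ndo_bridge_setlink. */
int build_brport_isolated_msg(struct brport_req *req, int ifindex, int isolated)
{
	uint8_t val = isolated ? 1 : 0;
	struct rtattr *nest;
	memset(req, 0, sizeof(*req));
	req->nh.nlmsg_len = NLMSG_LENGTH(sizeof(struct ifinfomsg));
	req->nh.nlmsg_type = RTM_SETLINK;
	req->nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
	req->ifi.ifi_family = AF_BRIDGE;
	req->ifi.ifi_index = ifindex;
	nest = tail(&req->nh);
	if (put_attr(req, IFLA_PROTINFO | NLA_F_NESTED, NULL, 0) ||
	    put_attr(req, IFLA_BRPORT_ISOLATED, &val, sizeof(val)))
		return -1;
	nest->rta_len = (char *)tail(&req->nh) - (char *)nest; /* close the nest */
	return 0;
}

/* Builder self-check (no privileges needed): verify the layout and return
 * the flag byte the kernel would read, or -1 if the message is malformed. */
int built_isolated_flag(int ifindex, int isolated)
{
	struct brport_req req;
	struct rtattr *nest = (struct rtattr *)req.attrs;
	struct rtattr *leaf = (struct rtattr *)(req.attrs + RTA_ALIGN(RTA_LENGTH(0)));
	if (build_brport_isolated_msg(&req, ifindex, isolated) ||
	    req.nh.nlmsg_len != NLMSG_LENGTH(sizeof(req.ifi)) + nest->rta_len ||
	    nest->rta_type != (IFLA_PROTINFO | NLA_F_NESTED) ||
	    leaf->rta_type != IFLA_BRPORT_ISOLATED || leaf->rta_len != RTA_LENGTH(1))
		return -1;
	return *(uint8_t *)RTA_DATA(leaf);
}

/* Send the request and return the kernel's ack: 0 on success, else -errno.
 * Needs CAP_NET_ADMIN and a port that is already enslaved to a bridge. */
int set_bridge_port_isolated(const char *ifname, int isolated)
{
	struct sockaddr_nl sa = { .nl_family = AF_NETLINK };
	uint32_t buf[64]; /* 256 bytes, aligned for struct nlmsghdr */
	struct nlmsghdr *rh = (struct nlmsghdr *)buf;
	unsigned int ifindex = if_nametoindex(ifname);
	struct brport_req req;
	ssize_t n;
	int fd, ret = -EPROTO; /* kept if the reply is not an NLMSG_ERROR ack */
	if (!ifindex)
		return -ENODEV;
	if (build_brport_isolated_msg(&req, (int)ifindex, isolated))
		return -EMSGSIZE;
	fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
	if (fd < 0)
		return -errno;
	if (sendto(fd, &req, req.nh.nlmsg_len, 0, (struct sockaddr *)&sa, sizeof(sa)) < 0 ||
	    (n = recv(fd, buf, sizeof(buf), 0)) < 0)
		ret = -errno;
	else if (NLMSG_OK(rh, (unsigned int)n) && rh->nlmsg_type == NLMSG_ERROR)
		ret = ((struct nlmsgerr *)NLMSG_DATA(rh))->error; /* 0 or -errno */
	close(fd);
	return ret;
}
```

Calling `set_bridge_port_isolated("wlan0", 1)` right after the SIOCBRADDIF step is the in-process equivalent of `bridge link set dev wlan0 isolated on`. Isolated bridge ports cannot forward to each other but still forward to non-isolated ports, so marking every AP port isolated keeps the 2.4 GHz and 5 GHz clients apart while leaving their path to the wired uplink intact; the uplink port must simply be left non-isolated. `built_isolated_flag` checks the wire layout of the message without touching a socket, so it runs unprivileged.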
