[OpenWrt-Devel] hostapd and Linux bridges

Daniel Golle daniel at makrotopia.org
Tue Jan 21 23:34:06 EST 2020


On Tue, Jan 21, 2020 at 11:34:22PM +0100, Mathias Kresin wrote:
> 21/01/2020 20:22, Daniel Golle:
> > On Tue, Jan 21, 2020 at 07:40:42PM +0100, Bjørn Mork wrote:
> > > Daniel Golle <daniel at makrotopia.org> writes:
> > > 
> > > > On proprietary APs it looks like port isolation is enabled or disabled
> > > > globally in Linux' bridge code using sysctl or other methods, an
> > > > approach which is unlikely to get accepted into the Kernel, also given
> > > > that the netlink interface already exists and allows doing the same
> > > > thing in a more granular fashion.
> > > 
> > > Huh?
> > > 
> > > Won't this sysfs attribute set the same flag IFLA_BRPORT_ISOLATED sets?
> > > 
> > > 
> > > root at wrt1900ac-1:~# grep . /sys/class/net/br-lan/brif/*/isolated
> > > /sys/class/net/br-lan/brif/eth0.7/isolated:0
> > > /sys/class/net/br-lan/brif/wlan0/isolated:0
> > > /sys/class/net/br-lan/brif/wlan1/isolated:0
> > 
> > Looks like that's the thing I may have missed ;)
> > Yet we do need a way to set this to '1' once hostapd adds the AP
> > interface to the bridge. I'm not sure whether setting this via
> > sysfs is actually more simple than using netlink given that some
> > general purpose netlink code is already part of hostap.
> > In the end, either approach would be fine with me and I would
> > implement whatever is more likely to be merged into hostap.git.
> 
> netifd is able to set bridge client isolation via sysfs since commit
> c06f84238952211b35c2940a82fcce3fcc3221c1.
> 
> /etc/config/wireless as expected:
> 
> config wifi-iface
> 	option device 'radio1'
> 	option ifname 'wlan_guest_leg'
> 	option network 'guest'
> 	option isolate '1'
> 
> config wifi-iface
> 	option device 'radio0'
> 	option ifname 'wlan_guest'
> 	option network 'guest'
> 	option isolate '1'
> 
> The isolation option in /etc/config/network does the trick:
> 
> config interface 'guest'
> 	option type 'bridge'
> 	option proto 'static'
> 
> config device 'wlan_guest'
> 	option isolate '1'
> 
> config device 'wlan_guest_leg'
> 	option isolate '1'
> 
> 
> Of course, bridge client isolation isn't limited to wireless interfaces.

Nice one, this is exactly what I was looking for.
Maybe we should document this somewhere...

> 
> I'm not yet sure, whether you are looking for something like that or an
> automatic bridge client isolation as soon as wireless client isolation is
> enabled.
> 
> Although something automatic would be nice, there might be a use case where you
> want to have wireless client isolation but no bridge client isolation.

I believe it should be the default in case wireless client isolation
is enabled. Users may then still use the above syntax in
/etc/config/network to explicitly disable it.


Thanks a lot for the hint!


Cheers


Daniel
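The sysfs attribute discussed above, exercised from a shell. This is an
added example, not code from the thread, netifd or hostapd: it reads and
writes /sys/class/net/<bridge>/brif/<port>/isolated and checks that every
port matching a prefix (for instance every wlan* port on a guest bridge)
has the flag set while the uplink port is left alone. SYSFS_ROOT is a
hypothetical override so the same functions can be run against a
constructed directory tree instead of the live kernel; the check
function is the part worth running after hostapd (re)adds an AP
interface, because the flag lives on the bridge port and a freshly added
port starts at 0.

```shell
#!/bin/sh
# Added example (not from the thread above): inspect and set the per-port
# "isolated" flag of a Linux bridge through its sysfs attribute.
# SYSFS_ROOT is an assumed override so the logic can be tested against a
# constructed tree; on a real box leave it unset.
SYSFS_ROOT="${SYSFS_ROOT:-/sys/class/net}"

# Print one "<port> <0|1>" line per port of bridge $1, like
#   grep . /sys/class/net/br-lan/brif/*/isolated
# but with the path stripped down to the port name.
bridge_port_isolation() {
    for f in "$SYSFS_ROOT/$1/brif"/*/isolated; do
        [ -r "$f" ] || continue
        port=${f%/isolated}
        port=${port##*/}
        printf '%s %s\n' "$port" "$(cat "$f")"
    done
}

# Write 0 or 1 ($3) to the isolated attribute of port $2 on bridge $1.
# Needs root on a live system. The same flag (IFLA_BRPORT_ISOLATED) can be
# set over netlink with iproute2:
#   ip link set dev "$2" type bridge_slave isolated on
set_port_isolation() {
    attr="$SYSFS_ROOT/$1/brif/$2/isolated"
    if [ ! -w "$attr" ]; then
        echo "no writable bridge port $2 on $1" >&2
        return 1
    fi
    printf '%s\n' "$3" > "$attr"
}

# Return 0 when every port of bridge $1 whose name starts with $2 is
# isolated; report each offending port and return 1 otherwise.
# Isolated ports cannot forward to each other but still reach ports with
# the flag at 0, so the uplink (e.g. eth0.7) is intentionally not checked.
check_isolated_ports() {
    rc=0
    for f in "$SYSFS_ROOT/$1/brif"/"$2"*/isolated; do
        [ -r "$f" ] || continue
        if [ "$(cat "$f")" != 1 ]; then
            port=${f%/isolated}
            port=${port##*/}
            echo "port $port on $1 is not isolated" >&2
            rc=1
        fi
    done
    return $rc
}

# Typical use on a router (uncomment to run against the live sysfs):
#   bridge_port_isolation br-lan
#   set_port_isolation br-lan wlan0 1
#   check_isolated_ports br-lan wlan
```

The prefix check mirrors the /etc/config/network snippet above: the two
wlan_guest* devices carry isolate '1' and the wired port does not, so
only the wireless ports are required to report 1.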

_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel