[OpenWrt-Devel] hostapd and Linux bridges

Daniel Golle daniel at makrotopia.org
Wed Jan 22 04:43:35 EST 2020


On Wed, Jan 22, 2020 at 06:34:06AM +0200, Daniel Golle wrote:
> On Tue, Jan 21, 2020 at 11:34:22PM +0100, Mathias Kresin wrote:
> > 21/01/2020 20:22, Daniel Golle:
> > > On Tue, Jan 21, 2020 at 07:40:42PM +0100, Bjørn Mork wrote:
> > > > Daniel Golle <daniel at makrotopia.org> writes:
> > > > 
> > > > > On proprietary APs it looks like port isolation is enabled or disabled
> > > > > globally in Linux' bridge code using sysctl or other methods, an
> > > > > approach which is unlikely to get accepted into the Kernel, also given
> > > > > that the netlink interface already exists and allows doing the same
> > > > > thing in a more granular fashion.
> > > > 
> > > > Huh?
> > > > 
> > > > Won't this sysfs attribute set the same flag IFLA_BRPORT_ISOLATED sets?
> > > > 
> > > > 
> > > > root@wrt1900ac-1:~# grep . /sys/class/net/br-lan/brif/*/isolated
> > > > /sys/class/net/br-lan/brif/eth0.7/isolated:0
> > > > /sys/class/net/br-lan/brif/wlan0/isolated:0
> > > > /sys/class/net/br-lan/brif/wlan1/isolated:0
> > > 
> > > Looks like that's the thing I may have missed ;)
> > > Yet we do need a way to set this to '1' once hostapd adds the AP
> > > interface to the bridge. I'm not sure whether setting this via
> > > sysfs is actually more simple than using netlink given that some
> > > general purpose netlink code is already part of hostap.
> > > In the end, either approach would be fine with me and I would
> > > implement whatever is more likely to be merged into hostap.git.
> > 
> > netifd is able to set bridge client isolation via sysfs since commit
> > c06f84238952211b35c2940a82fcce3fcc3221c1.
> > 
> > /etc/config/wireless as expected:
> > 
> > config wifi-iface
> > 	option device 'radio1'
> > 	option ifname 'wlan_guest_leg'
> > 	option network 'guest'
> > 	option isolate '1'
> > 
> > config wifi-iface
> > 	option device 'radio0'
> > 	option ifname 'wlan_guest'
> > 	option network 'guest'
> > 	option isolate '1'
> > 
> > The isolation option in /etc/config/network does the trick:
> > 
> > config interface 'guest'
> > 	option type 'bridge'
> > 	option proto 'static'
> > 
> > config device 'wlan_guest'
> > 	option isolate '1'
> > 
> > config device 'wlan_guest_leg'
> > 	option isolate '1'
> > 
> > 
> > Of course, bridge client isolation isn't limited to wireless interfaces.

What about wlan0.sta1 and such created by AP-WDS? Is there a way to catch
all or set a bridge-wide default?

_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
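
An added example, not part of the thread and not code from netifd or hostapd: a shell check over the sysfs `isolated` attribute shown above. It lists every port of a bridge that is not isolated, which also covers ports that appear after configuration, such as the AP-WDS `wlan0.sta1` interfaces. The function names and the `SYSFS_ROOT` override are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit and enforce bridge port isolation via sysfs.
# SYSFS_ROOT is an assumed override so the functions can be pointed at a
# constructed directory tree instead of the live /sys.
SYSFS_ROOT="${SYSFS_ROOT:-/sys}"

# Print the name of every port on bridge $1 whose isolated flag is not 1.
# Exit status: 0 = all ports isolated, 1 = at least one is not,
# 2 = bridge not found.
unisolated_ports() {
    brif="$SYSFS_ROOT/class/net/$1/brif"
    [ -d "$brif" ] || { echo "no bridge: $1" >&2; return 2; }
    rc=0
    for port in "$brif"/*; do
        # Skips an empty bridge and kernels without the attribute.
        [ -e "$port/isolated" ] || continue
        read -r flag < "$port/isolated" || flag=
        if [ "$flag" != 1 ]; then
            echo "${port##*/}"
            rc=1
        fi
    done
    return $rc
}

# Set isolated=1 on every unisolated port of bridge $1 except the names in
# $2 (space-separated). Isolated ports can still reach non-isolated ports,
# so the wired uplink is normally listed in $2 and left as it is.
isolate_ports() {
    bridge=$1
    keep=" $2 "
    for name in $(unisolated_ports "$bridge"); do
        case "$keep" in *" $name "*) continue ;; esac
        echo 1 > "$SYSFS_ROOT/class/net/$bridge/brif/$name/isolated" || return 1
    done
    return 0
}
```

The check reports the state at the moment it runs, so a port added later stays unisolated until the next run.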