On 22 Jan 2020, at 10:43, Daniel Golle <dan...@makrotopia.org> wrote:
>
> On Wed, Jan 22, 2020 at 06:34:06AM +0200, Daniel Golle wrote:
>> On Tue, Jan 21, 2020 at 11:34:22PM +0100, Mathias Kresin wrote:
>>> 21/01/2020 20:22, Daniel Golle:
>>>> On Tue, Jan 21, 2020 at 07:40:42PM +0100, Bjørn Mork wrote:
>>>>> Daniel Golle <dan...@makrotopia.org> writes:
>>>>>
>>>>>> On proprietary APs it looks like port isolation is enabled or disabled
>>>>>> globally in Linux' bridge code using sysctl or other methods, an
>>>>>> approach which is unlikely to get accepted into the Kernel, also given
>>>>>> that the netlink interface already exists and allows doing the same
>>>>>> thing in a more granular fashion.
>>>>>
>>>>> Huh?
>>>>>
>>>>> Won't this sysfs attribute set the same flag IFLA_BRPORT_ISOLATED sets?
>>>>>
>>>>>
>>>>> root@wrt1900ac-1:~# grep . /sys/class/net/br-lan/brif/*/isolated
>>>>> /sys/class/net/br-lan/brif/eth0.7/isolated:0
>>>>> /sys/class/net/br-lan/brif/wlan0/isolated:0
>>>>> /sys/class/net/br-lan/brif/wlan1/isolated:0
>>>>
>>>> Looks like that's the thing I may have missed ;)
>>>> Yet we do need a way to set this to '1' once hostapd adds the AP
>>>> interface to the bridge. I'm not sure whether setting this via
>>>> sysfs is actually more simple than using netlink given that some
>>>> general purpose netlink code is already part of hostap.
>>>> In the end, either approach would be fine with me and I would
>>>> implement whatever is more likely to be merged into hostap.git.
>>>
>>> netifd is able to set bridge client isolation via sysfs since commit
>>> c06f84238952211b35c2940a82fcce3fcc3221c1.
>>>
>>> /etc/config/wireless as expected:
>>>
>>> config wifi-iface
>>>         option device 'radio1'
>>>         option ifname 'wlan_guest_leg'
>>>         option network 'guest'
>>>         option isolate '1'
>>>
>>> config wifi-iface
>>>         option device 'radio0'
>>>         option ifname 'wlan_guest'
>>>         option network 'guest'
>>>         option isolate '1'
>>>
>>> The isolation option in /etc/config/network does the trick:
>>>
>>> config interface 'guest'
>>>         option type 'bridge'
>>>         option proto 'static'
>>>
>>> config device 'wlan_guest'
>>>         option isolate '1'
>>>
>>> config device 'wlan_guest_leg'
>>>         option isolate '1'
>>>
>>>
>>> Of course, bridge client isolation isn't limited to wireless interface.
>
> What about wlan0.sta1 and such created by AP-WDS? Is there a way to catch
> all or set a bridge-wide default?

You mean enabling isolation at the bridge that all sub interfaces are bound to?
So something like to isolate all bound interfaces:

config interface 'guest'
        option type 'bridge'
        option isolate '1'
        option ifname 'eth1.127'
        option proto 'static'
        option ipaddr '192.168.127.1'
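
An added example, not part of the original message and not netifd or hostapd code: a POSIX sh check that reads the per-port `isolated` sysfs attribute quoted in the thread and reports bridge ports that are not isolated, including dynamically created ports such as `wlan0.sta1`. `SYSFS_ROOT`, the bridge name `br-guest`, the uplink exemption for `eth1.127` and the sample tree are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: list bridge ports whose per-port "isolated" flag is not 1,
# reading /sys/class/net/<bridge>/brif/<port>/isolated as quoted in the thread.
# SYSFS_ROOT and the bridge name br-guest are assumptions made for this example.

# usage: unisolated_ports BRIDGE [EXEMPT_PORT...]
# Prints offending ports, one per line.
# Returns 0 if none, 1 if any, 2 if the bridge does not exist.
unisolated_ports() {
    bridge=${1:?bridge name required}; shift
    brif="${SYSFS_ROOT:-/sys}/class/net/$bridge/brif"
    if [ ! -d "$brif" ]; then
        echo "no such bridge: $bridge" >&2
        return 2
    fi
    found=0
    for dir in "$brif"/*; do
        if [ ! -d "$dir" ]; then continue; fi   # bridge has no ports
        port=${dir##*/}
        skip=0
        for exempt in "$@"; do
            if [ "$port" = "$exempt" ]; then skip=1; fi
        done
        if [ "$skip" -eq 1 ]; then continue; fi
        flag=missing                            # attribute absent: report the port
        if [ -r "$dir/isolated" ]; then read -r flag < "$dir/isolated"; fi
        if [ "$flag" != "1" ]; then
            echo "$port"
            found=1
        fi
    done
    return "$found"
}

# Constructed sample tree (not real device output), using interface names from the thread.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    for entry in wlan_guest:1 wlan_guest_leg:1 wlan0.sta1:0 eth1.127:0; do
        mkdir -p "$root/class/net/br-guest/brif/${entry%%:*}"
        echo "${entry##*:}" > "$root/class/net/br-guest/brif/${entry%%:*}/isolated"
    done
    echo "$root"
}

# Demo: eth1.127 is treated as the wired uplink (assumption) and exempted.
SYSFS_ROOT=$(make_sample_tree)
unisolated_ports br-guest eth1.127 || echo "br-guest has unisolated ports" >&2
```

On a device, leave `SYSFS_ROOT` unset so the function reads the live `/sys` tree, and run it again after AP-WDS stations connect.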