2020-02-27 16:21:48

by Cedric VONCKEN

Subject: [mac80211]: wds link and Radius authentication issue

Hi,

I have now identified the origin of the issue, but I need some help to fix it.

As a reminder, the conditions to have this issue:
My sta is still connected to my AP. The sta uses the 4addr (wds) system and the sta interface device (wlan0) is bridged with my eth0 interface.
In this condition I'm not able to ping the sta from the AP.

The origin of the issue is in rx.c from driver/net/mac80211, in function __ieee80211_data_to_8023:

	if (sdata->vif.type == NL80211_IFTYPE_STATION &&
	    !!sdata->u.mgd.use_4addr != !!ieee80211_has_a4(hdr->frame_control)) {
		if (!sdata->u.mgd.use_4addr)
			return -1;
		else if (!ether_addr_equal(hdr->addr1, sdata->vif.addr)) { /* <-- this test is the origin of my issue */
			check_port_control = true;
		}
	}

The ARP frames are sent as broadcast. The broadcasts are sent without addr4 (the flags TODS and FROMDS are not set) and addr1 == ff:ff:ff:ff:ff:ff.
In this case check_port_control is set to true and several lines below in the same function the packet is dropped.

I can add a test with is_broadcast_ether_addr in "else if (!ether_addr_equal(hdr->addr1, sdata->vif.addr)){", but I'm not sure that is the best solution.

What are your comments?

Regards.
-----Original Message-----
From: [email protected] <[email protected]> On Behalf Of Cedric VONCKEN
Sent: Wednesday, 26 February 2020 11:29
To: [email protected]
Subject: wds link and Radius authentication issue

Dear mailing list,

I'm facing an issue when my equipment is configured with WDS and RADIUS authentication.

Both of my products (the AP and the sta) are using the same hostapd/wpa_supplicant and wifi driver version.
The wifi driver version is the openwrt backport-5.4-rc8-1 package.

My AP is configured to accept the WDS sta. On the AP side the interface wlan0.sta1 is created and added to the bridge.
My sta is configured to use the WDS addresses.

If the security policy is configured to WPA-PSK and on the client side the client interface is added to the bridge, the communication works (I can ping my AP from my sta).
If the security policy is configured to WPA-EAP (I tested PEAP-MSCHAPV2 and EAP-TLS) and the client interface is in a bridge, the communication doesn't work.

I did a Wireshark capture on another WiFi interface; the packets seem to be sent by the AP and by the sta (I can see a broadcast frame sent, and the packet type is data. I think it is the ARP request). But these frames are not received (I made a Wireshark capture on the sta and AP interfaces, and no ARP frames are received).

I don't know where I need to search to fix this issue. Could you give me some pointers/help to fix it?

Thanks for your help.
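
The receive check quoted in the message above, modelled in user space as an added example (it is not kernel code and not code from the thread's authors). The struct names, the `exempt_broadcast` flag standing in for the `is_broadcast_ether_addr` test the message proposes, and all sample addresses and frames are constructed for illustration; the final ethertype comparison against the control port protocol (assumed here to be EAPOL, 0x888E) is this example's reading of the drop the message places "several lines below".

```c
/* User-space model of the 4addr RX check; added example, not kernel code. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_ALEN    6
#define ETH_P_ARP   0x0806
#define ETH_P_PAE   0x888E  /* EAPOL; assumed control port protocol */
#define FCTL_TODS   0x0100  /* 802.11 frame control: To DS */
#define FCTL_FROMDS 0x0200  /* 802.11 frame control: From DS */
#define STA_MAC     {0x02, 0x00, 0x00, 0x00, 0x00, 0x01}  /* constructed */
#define BCAST_MAC   {0xff, 0xff, 0xff, 0xff, 0xff, 0xff}

enum verdict { RX_DROP = -1, RX_ACCEPT = 0, RX_ACCEPT_PORT_CONTROL = 1 };

struct sta_iface {               /* stands in for the station-mode sdata */
	bool use_4addr;
	uint8_t addr[ETH_ALEN];
	uint16_t control_port_protocol;
};

struct rx_frame {                /* only the header fields the check reads */
	uint16_t frame_control;
	uint8_t addr1[ETH_ALEN];
	uint16_t ethertype;
};

/* Constructed sample data, not taken from the attached captures. */
const struct sta_iface STA_4ADDR = { true, STA_MAC, ETH_P_PAE };
const struct sta_iface STA_3ADDR = { false, STA_MAC, ETH_P_PAE };
const struct rx_frame BCAST_ARP_3ADDR = { FCTL_FROMDS, BCAST_MAC, ETH_P_ARP };
const struct rx_frame UCAST_ARP_4ADDR = { FCTL_TODS | FCTL_FROMDS, STA_MAC, ETH_P_ARP };
const struct rx_frame EAPOL_3ADDR = { FCTL_FROMDS, STA_MAC, ETH_P_PAE };

/* A frame carries addr4 only when both To DS and From DS are set. */
static bool has_a4(uint16_t fc)
{
	return (fc & (FCTL_TODS | FCTL_FROMDS)) == (FCTL_TODS | FCTL_FROMDS);
}

static bool is_broadcast(const uint8_t *a)
{
	static const uint8_t bcast[ETH_ALEN] = BCAST_MAC;

	return memcmp(a, bcast, ETH_ALEN) == 0;
}

/*
 * exempt_broadcast == false: the check as quoted in the message.
 * exempt_broadcast == true:  the hypothetical variant with the proposed
 *                            broadcast test added to the else-if.
 */
enum verdict rx_verdict(const struct sta_iface *sta, const struct rx_frame *f,
			bool exempt_broadcast)
{
	bool check_port_control = false;

	/* Address format of the frame disagrees with the interface mode. */
	if (sta->use_4addr != has_a4(f->frame_control)) {
		if (!sta->use_4addr)
			return RX_DROP;  /* 4addr frame on a 3addr station */
		if (memcmp(f->addr1, sta->addr, ETH_ALEN) != 0 &&
		    !(exempt_broadcast && is_broadcast(f->addr1)))
			check_port_control = true;
	}

	/* Control port (EAPOL) frames always pass; flagged frames do not. */
	if (f->ethertype == sta->control_port_protocol)
		return RX_ACCEPT_PORT_CONTROL;
	return check_port_control ? RX_DROP : RX_ACCEPT;
}

int main(void)
{
	printf("4addr sta, 3addr broadcast ARP, check as quoted: %d\n",
	       rx_verdict(&STA_4ADDR, &BCAST_ARP_3ADDR, false));
	printf("4addr sta, 3addr broadcast ARP, broadcast exempt: %d\n",
	       rx_verdict(&STA_4ADDR, &BCAST_ARP_3ADDR, true));
	printf("4addr sta, 4addr unicast ARP:                     %d\n",
	       rx_verdict(&STA_4ADDR, &UCAST_ARP_4ADDR, false));
	printf("4addr sta, 3addr EAPOL to own address:            %d\n",
	       rx_verdict(&STA_4ADDR, &EAPOL_3ADDR, false));
	printf("3addr sta, 4addr unicast ARP:                     %d\n",
	       rx_verdict(&STA_3ADDR, &UCAST_ARP_4ADDR, false));
	return 0;
}
```

With the exemption enabled, every 3addr broadcast reaches a 4addr station regardless of ethertype, which is the trade-off behind the question of whether that is the best fix.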

2020-02-27 17:24:07

by Cedric VONCKEN

Subject: RE: [mac80211]: wds link and Radius authentication issue

Please find attached 2 Wireshark captures.

The file broadcast_V5.4-rc8-1 contains a broadcast frame capture with the latest backport used in my system.
The file broadcast_V2015-07-21 contains a broadcast frame capture with an old backport (backport 2015-07-21).

With the old backport I am able to ping my sta from the AP.

If we compare the frames:
- In the old backport the TODS and FROMDS bits are set to 1; in the latest version only the FROMDS bit is set to 1.
- In the old backport addr1 is set to the MAC address of my sta; in the latest backport addr1 is set to the broadcast address (ff:ff:ff:ff:ff:ff).

In the old version the same test doesn't drop the broadcast frame, but I think the AP should send one broadcast per wds sta.

All comments will be appreciated.

Attachments:
broadcast_V5.4-rc8-1.pcapng (2.55 kB)
broadcast_V2015-07-21.pcapng (4.40 kB)

2020-02-27 17:37:48

by Cedric VONCKEN

Subject: RE: [mac80211]: wds link and Radius authentication issue

Where can I find some information on how the WDS system should work? I looked in the 802.11-2012 standard and I didn't find any information.

2020-02-27 22:53:32

by Sebastian Gottschall

Subject: Re: [mac80211]: wds link and Radius authentication issue

wds is no specified standard.

On 27.02.2020 at 18:37, Cedric VONCKEN wrote:
> Where can I found some information on how the wds system should work? I looked in 802.11-2012 standard and I didn't found any informations.

2020-02-28 01:28:11

by Steve deRosier

Subject: Re: [mac80211]: wds link and Radius authentication issue

On Thu, Feb 27, 2020 at 9:37 AM Cedric VONCKEN <[email protected]> wrote:
>
> Where can I found some information on how the wds system should work? I looked in 802.11-2012 standard and I didn't found any informations.
>

I think Wikipedia says it best:
"WDS may be incompatible between different products (even occasionally
from the same vendor) since the IEEE 802.11-1999 standard does not
define how to construct any such implementations or how stations
interact to arrange for exchanging frames of this format. The IEEE
802.11-1999 standard merely defines the 4-address frame format that
makes it possible."

I wish you luck.

- Steve

2020-02-28 09:40:13

by Johannes Berg

Subject: Re: [mac80211]: wds link and Radius authentication issue

On Thu, 2020-02-27 at 17:26 -0800, Steve deRosier wrote:
> On Thu, Feb 27, 2020 at 9:37 AM Cedric VONCKEN <[email protected]> wrote:
> > Where can I found some information on how the wds system should
> > work? I looked in 802.11-2012 standard and I didn't found any
> > informations.
> >
>
> I think Wikipedia says it best:
> "WDS may be incompatible between different products (even occasionally
> from the same vendor) since the IEEE 802.11-1999 standard does not
> define how to construct any such implementations or how stations
> interact to arrange for exchanging frames of this format. The IEEE
> 802.11-1999 standard merely defines the 4-address frame format that
> makes it possible."

I think really what Cedric is asking is how this is/should be done with
mac80211's 4-addr client/AP mode(s)?

Cedric, are you running mac80211 on both sides of the link, the AP and
the (4-addr) client?

johannes

2020-03-02 08:30:09

by Cedric VONCKEN

Subject: RE: [mac80211]: wds link and Radius authentication issue

Yes, I'm running mac80211 on both sides.

I am making progress in understanding this issue. After checking, the issue is different with different mac80211 versions. With the backport 5.4-rc8-1, the driver level seems to work correctly. hostapd (on the AP side) didn't include the sta in the bridge when the security policy is WPA-PSK or WPA-EAP. With no security policy the sta is correctly included.

Now I'm searching in hostapd.

2020-03-02 10:22:32

by Sebastian Gottschall

Subject: Re: [mac80211]: wds link and Radius authentication issue

it's likely not hostapd. i do use wds sta and wds ap modes with latest
hostapd.
i have a different idea. hostapd is creating an ap vlan type interface
for each wds station associating and there was an issue i had with a
patch in mac80211 a while ago
since something was changed regarding vlan ap handling in mac80211

take a look at the following patches

the second one broke wds sta operation for me completely. i never
checked the second one. my advice: revert them both and try it again and
report if it's working then. i was originally complaining already on this
mailing list about the breakage, but it seems that my comment was ignored
in the end


https://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211-next.git/commit/?id=33d915d9e8ce811d8958915ccd18d71a66c7c495

https://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211-next.git/commit/?id=db3bdcb9c3ffc628c5284d7ed03a704295ba1214


On 02.03.2020 at 09:28, Cedric VONCKEN wrote:
> Yes I'm running mac80211 on both side.
>
> I progress in understanding to this issue. After checked, the issue is different with different mac80211 version. With the backport 5.4-rc8-1, the driver level seem worked correctly. The hostapd (in AP side) didn't include the sta in the bridge when the security policy is WPA-PSK or WPA-EAP. With none policy the sta is correctly included.
>
> Now I'm searching in hostpad.

2020-03-02 16:28:03

by Cedric VONCKEN

Subject: [mac80211]: wds link and Radius authentication issue

Sorry, I made a mistake in my configuration.

The sta was not included in the bridge, because my configuration was wrong.

Now my configuration is correct.
I'm running mac80211 backport 5.4-rc8-1 on the AP and the sta (client).
I set the WDS feature on the sta (the AP accepts the wds sta, and automatically puts it in my bridge).
I bridged the sta with my ETH0.
The security policy was set to WPA-EAP (I tested PEAP-MSCHAPV2 and EAP-TLS).

With these settings, the authentication is successful but I can't ping the AP from the sta, and I can't ping the sta from the AP.

The origin of this issue is the broadcast frame format. These frames are sent in 3addr mode, and the test in rx.c from driver/net/mac80211, in function __ieee80211_data_to_8023, drops these frames.
I attach a pcap file in which you can see the authentication and the WPA exchange. Frames #205, #208, #213 ... are broadcast/multicast frames sent from my AP. These frames are in 3addr format (TO DS and FROM DS are not set to 1).

In older versions these frames are sent in 4addr format (but sent one time per station).

So now where should I make a fix:
- On the transmit side, I should change the code to send the frame in 4addr format, but that can break other work (because I will send one frame per sta).
- On the Rx side, I should accept the broadcast frame in 3addr if the transmitter address is my peer (the sta or the bssid).

I need your help to fix this issue.

Thanks

Cedric Voncken.

Attachments:
NOK.pcapng (310.73 kB)

2020-03-02 17:45:28

by Cedric VONCKEN

Subject: RE: [mac80211]: wds link and Radius authentication issue

I continued my investigation, and I think I found an interesting point.

My AP has 3 BSSIDs: wlan0 is set to WPA-EAP, wlan0_1 is set to WPA-PSK and the last, wlan0_2, is without security. It is useful for my test; I only need to change the sta configuration.

I added some debug in net/mac80211/tx.c

When I use the BSSID set to WPA-PSK (this case works), the broadcast frames are sent through the netdev wlan0_1.sta1.
When I use the BSSID set to WPA-EAP (this case doesn't work) the broadcast frames are sent through the netdev wlan0 (using the fast_xmit path). But the wlan0.sta1 netdev is created in the system, added to the bridge, and receives the frame from the bridge. But in this case the function ieee80211_lookup_ra_sta returns ENOLINK for wlan0.sta1 and the frame is dropped.

So I think the issue is on the transmit side. I don't know why, but with WPA-EAP the mac80211 state seems different and the WDS doesn't work.

Do you have any explanation or idea to locate the origin?

Regards.

2020-03-02 20:07:21

by Johannes Berg

Subject: Re: [mac80211]: wds link and Radius authentication issue

On Mon, 2020-03-02 at 17:44 +0000, Cedric VONCKEN wrote:
> I continue my investigation, and I think I found an interesting point.
>
> My AP have 3 bssid, the wlan0 is set in WPA-EAP, the wlan0_1 is
> set in WPA-PSK and the latest wlan0_2 is without security. It is
> useful for my test, I only need to change the sta configuration.
>
> I added some debug in net/mac80211/tx.c
>
> When I use the BSSID set in WPA-PSK (this case works), the
> broadcast frames are sent through the netdev wlan0_1.sta1.
> When I use the BSSID set in WPA-EAP (this case doesn't work) the
> broadcast frames are sent through the netdev wlan0 (use fast_xmit
> path). But the wlan0.sta1 netdev is created in the system, added to
> the bridge, and received the frame from the bridge. But in this case
> the function ieee80211_lookup_ra_sta return ENOLINK for wlan0.sta1
> and the frame is dropped.
>
> So I think the issue is in transmit side, I don't why, but with
> WPA-EAP the mac80211 state seem different and the WDS doesn't work.
>
> Do you have any explanation or idea to locate the origin ?

Not really. The code there is just

	switch (sdata->vif.type) {
	case NL80211_IFTYPE_AP_VLAN:
		sta = rcu_dereference(sdata->u.vlan.sta);
		if (sta) {
			*sta_out = sta;
			return 0;
		} else if (sdata->wdev.use_4addr) {
			return -ENOLINK;
		}

as far as I can tell, right?

So if you got into the -ENOLINK case, then it means that userspace
didn't add the right station to the 4-addr VLAN interface, which I guess
was "wlan0.sta1"? Not sure how that'd happen.

johannes

2020-03-03 08:38:01

by Cedric VONCKEN

Subject: RE: [mac80211]: wds link and Radius authentication issue



>
> My AP have 3 bssid, the wlan0 is set in WPA-EAP, the wlan0_1 is set
> in WPA-PSK and the latest wlan0_2 is without security. It is useful
> for my test, I only need to change the sta configuration.
>
> I added some debug in net/mac80211/tx.c
>
> When I use the BSSID set in WPA-PSK (this case works), the broadcast
> frames are sent through the netdev wlan0_1.sta1.
> When I use the BSSID set in WPA-EAP (this case doesn't work) the
> broadcast frames are sent through the netdev wlan0 (use fast_xmit
> path). But the wlan0.sta1 netdev is created in the system, added to
> the bridge, and received the frame from the bridge. But in this case
> the function ieee80211_lookup_ra_sta return ENOLINK for wlan0.sta1
> and the frame is dropped.
>
> So I think the issue is in transmit side, I don't why, but with
> WPA-EAP the mac80211 state seem different and the WDS doesn't work.
>
> Do you have any explanation or idea to locate the origin ?

Not really. The code there is just

	switch (sdata->vif.type) {
	case NL80211_IFTYPE_AP_VLAN:
		sta = rcu_dereference(sdata->u.vlan.sta);
		if (sta) {
			*sta_out = sta;
			return 0;
		} else if (sdata->wdev.use_4addr) {
			return -ENOLINK;
		}

as far as I can tell, right?
> Yes
So if you got into the -ENOLINK case, then it means that userspace didn't add the right station to the 4-addr VLAN interface, which I guess was "wlan0.sta1"? Not sure how that'd happen.
> The wlan0.sta1 netdev was created by hostapd to manage the wds sta. This netdev type is AP VLAN. The function ieee80211_lookup_ra_sta returns
> -ENOLINK because the pointer sdata->u.vlan.sta was not defined.
> In mac80211, where is this rcu pointer allocated? Which NL message does the user space use?


2020-03-03 09:31:53

by Johannes Berg

Subject: Re: [mac80211]: wds link and Radius authentication issue

Hi Cedric,

Umm, that was hard to read. You should quote my writing, not your own :)


> > The wlan0.sta1 net dev was created by hostapd to manage the wds sta.
> > This netdev type is AP VLAN. The function ieee80211_lookup_ra_sta
> > return
> > -ENOLINK because the pointer sdata->u.vlan.sta was not defined.

Right.

> > In mac80211, where this rcu pointer is allocated? Which NL message the user space use ?

Look at ieee80211_change_station(), called from nl80211_set_station()
with

params.vlan = get_vlan(info, rdev);

johannes