Wired Driver To use TUN/TAP interface only passing if authorised
gregory at distrotech.co.za
Tue Apr 17 06:04:39 EDT 2012
A while back i proposed a xtables extension to manage sessions WRT
enableing / disableing traffic to stations
that are 802.1x authorized this requires the authorization bits in the
in parallel to this effort i have been experimenting with TUN/TAP driver
and think there is a strong case to
use this in hostapd as the driver already creates a raw socket to listen
to PAE/DHCP bits [2 sockets]
the idea will be to use the existing code and if specified by a "tapdev"
config option and TUN/TAP is available
to create a tap device and pass the traffic from the rawsock if
applicable [authorised] to the tap device
the tap device supports VLAN's [possibly we could inject traffic onto
the vlans similar to wifi] and also supports
changes will involve using PF_PACKET / SOCK_RAW / ETH_P_ALL the
handle_read will need to take the
ether header into account and look at the ethertype to split out PAE
packets it can also take the iphdr
and udpheaders into account to handle DHCP no need for seperate UDP
a TAP device is opened and brought up and if the SRC MAC is authorized
[valid station] traffic read on the
RAW or TAP is passed between each other possibly checking session
timeouts and the like.
there is little complexity to using this method and will be possible to
look at using the ether header to add stations
and not snoop DHCP.
/* TODO: detecting new devices should eventually be changed from using DHCP
* snooping to trigger on any packet from a new layer 2 MAC address, e.g.,
* based on ebtables, etc. */
an example of how this is done is a small taploop daemon im using for
its purpose in life is to marshal traffic it takes over the interface
and clones into a tap device
traffic is passed in userland from the phy to virtual device the virtual
device inherits the mac
of the phy in the cloning process.
see phyopen topen and mainloop functions.
the "processpacket" function will be used to mangle and write back the
This message has been scanned for viruses and
dangerous content by Distrotech Solutions,
it is believed to be clean.
More information about the HostAP