Wired Driver To use TUN/TAP interface only passing if authorised

Gregory Nietsky gregory at distrotech.co.za
Tue Apr 17 06:04:39 EDT 2012


A while back i proposed a xtables extension to manage sessions WRT 
enableing / disableing traffic to stations
that are 802.1x authorized this requires the authorization bits in the 
kernel.

in parallel to this effort i have been experimenting with TUN/TAP driver 
and think there is a strong case to
use this in hostapd as the driver already creates a raw socket to listen 
to PAE/DHCP bits [2 sockets]

the idea will be to use the existing code and if specified by a "tapdev" 
config option and TUN/TAP is available
to create a tap device and pass the traffic from the rawsock if 
applicable [authorised] to the tap device
the tap device supports VLAN's [possibly we could inject traffic onto 
the vlans similar to wifi] and also supports
bridging.

changes will involve using PF_PACKET / SOCK_RAW / ETH_P_ALL the 
handle_read will need to take the
ether header into account and look at the ethertype to split out PAE 
packets it can also take the iphdr
and udpheaders into account to handle DHCP no need for seperate UDP 
[DHCP] socket.

a TAP device is opened and brought up and if the SRC MAC is authorized 
[valid station] traffic read on the
RAW or TAP is passed between each other possibly checking session 
timeouts and the like.

there is little complexity to using this method and will be possible to 
look at using the ether header to add stations
and not snoop DHCP.

/* TODO: detecting new devices should eventually be changed from using DHCP
  * snooping to trigger on any packet from a new layer 2 MAC address, e.g.,
  * based on ebtables, etc. */

an example of how this is done is a small taploop daemon im using for 
this concept

https://pbx.distrotech.co.za:666/svn/netfilter_session/taploop.c

its purpose in life is to  marshal traffic it takes over the interface 
and clones into a tap device
traffic is passed in userland from the phy to virtual device the virtual 
device inherits the mac
of the phy in the cloning process.

see phyopen topen and mainloop functions.

the "processpacket" function will be used to mangle and write back the 
packet.

--
This message has been scanned for viruses and
dangerous content by Distrotech Solutions, 
it is believed to be clean.

http://www.distrotech.co.za



More information about the HostAP mailing list