Hello list,
quite some time ago I sent a first version of this patchset together with other changes. At that time we decided to split the features up and to postpone the Extended Isolation for later sending. Now here it is!
This feature is an extension of the already existing "AP isolation" which aims to generalise the latter.
The idea is based on considering a particular subset of non-mesh clients as "ISOLATED" and then applying the same policy that batman-adv already applies for WiFi clients.
To decide which client belongs to this subset, batman-adv uses the skb->mark field, whose value can be altered by several components in the kernel (e.g. netfilter). When an skb hits the soft-interface (e.g. bat0), the skb->mark is compared to a preconfigured value and the source client is classified as "ISOLATED" only in case of a match.
The pre-configured mark (and its mask) is a user choice and can be set through a new sysfs interface that is added within this patchset.
"ISOLATED" clients won't be able to talk to each other (batman-adv will drop any packet originated by an isolated client and directed to another isolated client), as currently happens for WiFi ones (when AP isolation is on).
Moreover, broadcast packets sent by ISOLATED clients are marked on the receiving node with the same mark that the user configured through sysfs. In this way netfilter (or any other program) can make decisions about these packets on the receiver side (e.g. a rule could be "broadcast packets created by ISOLATED clients cannot be forwarded over any port of the bridge X").
A draft of the documentation (with an example of how to use tc to mark/filter packets) is available here[1] and will be improved as soon as the feature is released.
Cheers,
[1] http://www.open-mesh.org/projects/batman-adv/wiki/Extended-isolation
p.s. I don't know if this can make a difference, but this patchset is based on master + all my other patches pending on the mailing list.
Antonio Quartulli (5):
  batman-adv: add isolation_mark sysfs attribute
  batman-adv: mark a local client as isolated when needed
  batman-adv: print the new BATADV_TT_CLIENT_ISOLA flag
  batman-adv: extend the ap_isolation mechanism
  batman-adv: set the isolation mark in the skb if needed

 main.h              |  2 ++
 multicast.c         |  3 ++-
 packet.h            |  1 +
 soft-interface.c    | 23 ++++++++++++++----
 sysfs.c             | 68 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 translation-table.c | 57 ++++++++++++++++++++++++++++++++++++++++----
 translation-table.h |  4 +++-
 types.h             |  2 ++
 8 files changed, 148 insertions(+), 12 deletions(-)
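The policy the cover letter describes (classify a client as ISOLATED from the masked skb->mark, drop same-class traffic when ap_isolation is on, re-mark received broadcasts) modelled as a small user-space program. This is an added example, not code from the batman-adv patchset: the flag values, struct names and the mask semantics (mask applied to both the skb mark and the configured value before comparing) are assumptions made for the illustration, and mixed WiFi/ISOLATED pairs are assumed to pass since the letter only describes same-class drops.

```c
/* Illustrative model of the extended-isolation policy described in the
 * cover letter. Not batman-adv code: names, flag values and the mask
 * semantics are assumptions made for this example. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical per-client flags, modelled on the TT client flags the
 * cover letter mentions (BATADV_TT_CLIENT_ISOLA is the new one). */
#define CLIENT_WIFI  0x01u
#define CLIENT_ISOLA 0x02u

/* Hypothetical node configuration: the ap_isolation switch plus the
 * isolation mark and mask the letter says are set through sysfs. */
struct node_cfg {
	bool ap_isolation;
	uint32_t isolation_mark;
	uint32_t isolation_mask;
};

/* Classification of the source client when an skb enters the soft-interface.
 * Assumption: ISOLATED when the masked skb->mark equals the masked configured
 * value; a mask of 0 is treated as "feature off" and never matches. */
static bool mark_matches(const struct node_cfg *cfg, uint32_t skb_mark)
{
	if (cfg->isolation_mask == 0)
		return false;
	return (skb_mark & cfg->isolation_mask) ==
	       (cfg->isolation_mark & cfg->isolation_mask);
}

/* Flags a local client is given when it is learnt from an skb. */
static uint32_t classify_client(const struct node_cfg *cfg, uint32_t skb_mark,
				bool from_wifi)
{
	uint32_t flags = 0;

	if (from_wifi)
		flags |= CLIENT_WIFI;
	if (mark_matches(cfg, skb_mark))
		flags |= CLIENT_ISOLA;
	return flags;
}

/* Forwarding decision: with ap_isolation on, WiFi-to-WiFi traffic is dropped
 * (existing behaviour) and ISOLATED-to-ISOLATED traffic is dropped as well
 * (this patchset). Mixed pairs pass, an assumption of this model. */
static bool should_drop(const struct node_cfg *cfg, uint32_t src_flags,
			uint32_t dst_flags)
{
	if (!cfg->ap_isolation)
		return false;
	if ((src_flags & CLIENT_WIFI) && (dst_flags & CLIENT_WIFI))
		return true;
	if ((src_flags & CLIENT_ISOLA) && (dst_flags & CLIENT_ISOLA))
		return true;
	return false;
}

/* Receive side: a broadcast from an ISOLATED client is re-marked with the
 * configured value (within the mask) so netfilter or tc on this node can act
 * on it. Returns the mark the delivered skb should carry. */
static uint32_t mark_received_broadcast(const struct node_cfg *cfg,
					uint32_t skb_mark, uint32_t src_flags)
{
	if (!(src_flags & CLIENT_ISOLA))
		return skb_mark;
	return (skb_mark & ~cfg->isolation_mask) |
	       (cfg->isolation_mark & cfg->isolation_mask);
}

int main(void)
{
	/* Constructed configuration and sample marks for the demo. */
	struct node_cfg cfg = { true, 0x10, 0xf0 };
	uint32_t guest = classify_client(&cfg, 0x13, false); /* marked by netfilter */
	uint32_t staff = classify_client(&cfg, 0x00, true);  /* WiFi, unmarked */
	uint32_t wired = classify_client(&cfg, 0x00, false); /* plain wired client */

	printf("guest->guest dropped: %d\n", should_drop(&cfg, guest, guest));
	printf("guest->wired dropped: %d\n", should_drop(&cfg, guest, wired));
	printf("staff->staff dropped: %d\n", should_drop(&cfg, staff, staff));
	printf("re-marked broadcast: 0x%02x\n",
	       mark_received_broadcast(&cfg, 0x05, guest));
	return 0;
}
```

The mask is what makes the sysfs setting composable with other users of skb->mark: only the bits the operator reserves for isolation are compared or rewritten, so an unrelated mark set by another netfilter rule in the remaining bits survives both the classification and the receive-side re-marking.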