2 * Copyright (c) 2001 Atsushi Onoe
3 * Copyright (c) 2002-2009 Sam Leffler, Errno Consulting
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
17 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
18 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
19 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
20 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27 #include <sys/cdefs.h>
28 __FBSDID("$FreeBSD$");
31 #include "opt_inet6.h"
34 #include <sys/param.h>
35 #include <sys/systm.h>
36 #include <sys/kernel.h>
37 #include <sys/malloc.h>
39 #include <sys/endian.h>
41 #include <sys/socket.h>
44 #include <net/ethernet.h>
46 #include <net/if_var.h>
47 #include <net/if_llc.h>
48 #include <net/if_media.h>
49 #include <net/if_vlan_var.h>
51 #include <net80211/ieee80211_var.h>
52 #include <net80211/ieee80211_regdomain.h>
53 #ifdef IEEE80211_SUPPORT_SUPERG
54 #include <net80211/ieee80211_superg.h>
56 #ifdef IEEE80211_SUPPORT_TDMA
57 #include <net80211/ieee80211_tdma.h>
59 #include <net80211/ieee80211_wds.h>
60 #include <net80211/ieee80211_mesh.h>
61 #include <net80211/ieee80211_vht.h>
63 #if defined(INET) || defined(INET6)
64 #include <netinet/in.h>
68 #include <netinet/if_ether.h>
69 #include <netinet/in_systm.h>
70 #include <netinet/ip.h>
73 #include <netinet/ip6.h>
76 #include <security/mac/mac_framework.h>
78 #define ETHER_HEADER_COPY(dst, src) \
79 memcpy(dst, src, sizeof(struct ether_header))
81 static int ieee80211_fragment(struct ieee80211vap *, struct mbuf *,
82 u_int hdrsize, u_int ciphdrsize, u_int mtu);
83 static void ieee80211_tx_mgt_cb(struct ieee80211_node *, void *, int);
85 #ifdef IEEE80211_DEBUG
87 * Decide if an outbound management frame should be
88 * printed when debugging is enabled. This filters some
89 * of the less interesting frames that come frequently
93 doprint(struct ieee80211vap *vap, int subtype)
96 case IEEE80211_FC0_SUBTYPE_PROBE_RESP:
97 return (vap->iv_opmode == IEEE80211_M_IBSS);
104 * Transmit a frame to the given destination on the given VAP.
106 * It's up to the caller to figure out the details of who this
107 * is going to and resolving the node.
109 * This routine takes care of queuing it for power save,
110 * A-MPDU state stuff, fast-frames state stuff, encapsulation
111 * if required, then passing it up to the driver layer.
113 * This routine (for now) consumes the mbuf and frees the node
114 * reference; it ideally will return a TX status which reflects
115 * whether the mbuf was consumed or not, so the caller can
116 * free the mbuf (if appropriate) and the node reference (again,
120 ieee80211_vap_pkt_send_dest(struct ieee80211vap *vap, struct mbuf *m,
121 struct ieee80211_node *ni)
123 struct ieee80211com *ic = vap->iv_ic;
124 struct ifnet *ifp = vap->iv_ifp;
127 if ((ni->ni_flags & IEEE80211_NODE_PWR_MGT) &&
128 (m->m_flags & M_PWR_SAV) == 0) {
130 * Station in power save mode; pass the frame
131 * to the 802.11 layer and continue. We'll get
132 * the frame back when the time is right.
133 * XXX lose WDS vap linkage?
135 if (ieee80211_pwrsave(ni, m) != 0)
136 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1);
137 ieee80211_free_node(ni);
140 * We queued it fine, so tell the upper layer
141 * that we consumed it.
145 /* calculate priority so drivers can find the tx queue */
146 if (ieee80211_classify(ni, m)) {
147 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_OUTPUT,
148 ni->ni_macaddr, NULL,
149 "%s", "classification failure");
150 vap->iv_stats.is_tx_classify++;
151 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1);
153 ieee80211_free_node(ni);
155 /* XXX better status? */
159 * Stash the node pointer. Note that we do this after
160 * any call to ieee80211_dwds_mcast because that code
161 * uses any existing value for rcvif to identify the
162 * interface it (might have been) received on.
164 m->m_pkthdr.rcvif = (void *)ni;
165 mcast = (m->m_flags & (M_MCAST | M_BCAST)) ? 1: 0;
167 BPF_MTAP(ifp, m); /* 802.3 tx */
170 * Check if A-MPDU tx aggregation is setup or if we
171 * should try to enable it. The sta must be associated
172 * with HT and A-MPDU enabled for use. When the policy
173 * routine decides we should enable A-MPDU we issue an
174 * ADDBA request and wait for a reply. The frame being
175 * encapsulated will go out w/o using A-MPDU, or possibly
176 * it might be collected by the driver and held/retransmit.
177 * The default ic_ampdu_enable routine handles staggering
178 * ADDBA requests in case the receiver NAK's us or we are
179 * otherwise unable to establish a BA stream.
181 * Don't treat group-addressed frames as candidates for aggregation;
182 * net80211 doesn't support 802.11aa-2012 and so group addressed
183 * frames will always have sequence numbers allocated from the NON_QOS
186 if ((ni->ni_flags & IEEE80211_NODE_AMPDU_TX) &&
187 (vap->iv_flags_ht & IEEE80211_FHT_AMPDU_TX)) {
188 if ((m->m_flags & M_EAPOL) == 0 && (! mcast)) {
189 int tid = WME_AC_TO_TID(M_WME_GETAC(m));
190 struct ieee80211_tx_ampdu *tap = &ni->ni_tx_ampdu[tid];
192 ieee80211_txampdu_count_packet(tap);
193 if (IEEE80211_AMPDU_RUNNING(tap)) {
195 * Operational, mark frame for aggregation.
197 * XXX do tx aggregation here
199 m->m_flags |= M_AMPDU_MPDU;
200 } else if (!IEEE80211_AMPDU_REQUESTED(tap) &&
201 ic->ic_ampdu_enable(ni, tap)) {
203 * Not negotiated yet, request service.
205 ieee80211_ampdu_request(ni, tap);
206 /* XXX hold frame for reply? */
211 #ifdef IEEE80211_SUPPORT_SUPERG
213 * Check for AMSDU/FF; queue for aggregation
215 * Note: we don't bother trying to do fast frames or
216 * A-MSDU encapsulation for 802.3 drivers. Now, we
217 * likely could do it for FF (because it's a magic
218 * atheros tunnel LLC type) but I don't think we're going
219 * to really need to. For A-MSDU we'd have to set the
220 * A-MSDU QoS bit in the wifi header, so we just plain
223 * Strictly speaking, we could actually /do/ A-MSDU / FF
224 * with A-MPDU together which for certain circumstances
225 * is beneficial (eg A-MSDU of TCK ACKs.) However,
226 * I'll ignore that for now so existing behaviour is maintained.
227 * Later on it would be good to make "amsdu + ampdu" configurable.
229 else if (__predict_true((vap->iv_caps & IEEE80211_C_8023ENCAP) == 0)) {
230 if ((! mcast) && ieee80211_amsdu_tx_ok(ni)) {
231 m = ieee80211_amsdu_check(ni, m);
233 /* NB: any ni ref held on stageq */
234 IEEE80211_DPRINTF(vap, IEEE80211_MSG_SUPERG,
235 "%s: amsdu_check queued frame\n",
239 } else if ((! mcast) && IEEE80211_ATH_CAP(vap, ni,
240 IEEE80211_NODE_FF)) {
241 m = ieee80211_ff_check(ni, m);
243 /* NB: any ni ref held on stageq */
244 IEEE80211_DPRINTF(vap, IEEE80211_MSG_SUPERG,
245 "%s: ff_check queued frame\n",
251 #endif /* IEEE80211_SUPPORT_SUPERG */
254 * Grab the TX lock - serialise the TX process from this
255 * point (where TX state is being checked/modified)
256 * through to driver queue.
258 IEEE80211_TX_LOCK(ic);
261 * XXX make the encap and transmit code a separate function
262 * so things like the FF (and later A-MSDU) path can just call
263 * it for flushed frames.
265 if (__predict_true((vap->iv_caps & IEEE80211_C_8023ENCAP) == 0)) {
267 * Encapsulate the packet in prep for transmission.
269 m = ieee80211_encap(vap, ni, m);
271 /* NB: stat+msg handled in ieee80211_encap */
272 IEEE80211_TX_UNLOCK(ic);
273 ieee80211_free_node(ni);
274 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1);
278 (void) ieee80211_parent_xmitpkt(ic, m);
281 * Unlock at this point - no need to hold it across
282 * ieee80211_free_node() (ie, the comlock)
284 IEEE80211_TX_UNLOCK(ic);
285 ic->ic_lastdata = ticks;
293 * Send the given mbuf through the given vap.
295 * This consumes the mbuf regardless of whether the transmit
296 * was successful or not.
298 * This does none of the initial checks that ieee80211_start()
299 * does (eg CAC timeout, interface wakeup) - the caller must
303 ieee80211_start_pkt(struct ieee80211vap *vap, struct mbuf *m)
305 #define IS_DWDS(vap) \
306 (vap->iv_opmode == IEEE80211_M_WDS && \
307 (vap->iv_flags_ext & IEEE80211_FEXT_WDSLEGACY) == 0)
308 struct ieee80211com *ic = vap->iv_ic;
309 struct ifnet *ifp = vap->iv_ifp;
310 struct ieee80211_node *ni;
311 struct ether_header *eh;
314 * Cancel any background scan.
316 if (ic->ic_flags & IEEE80211_F_SCAN)
317 ieee80211_cancel_anyscan(vap);
319 * Find the node for the destination so we can do
320 * things like power save and fast frames aggregation.
322 * NB: past this point various code assumes the first
323 * mbuf has the 802.3 header present (and contiguous).
326 if (m->m_len < sizeof(struct ether_header) &&
327 (m = m_pullup(m, sizeof(struct ether_header))) == NULL) {
328 IEEE80211_DPRINTF(vap, IEEE80211_MSG_OUTPUT,
329 "discard frame, %s\n", "m_pullup failed");
330 vap->iv_stats.is_tx_nobuf++; /* XXX */
331 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1);
334 eh = mtod(m, struct ether_header *);
335 if (ETHER_IS_MULTICAST(eh->ether_dhost)) {
338 * Only unicast frames from the above go out
339 * DWDS vaps; multicast frames are handled by
340 * dispatching the frame as it comes through
341 * the AP vap (see below).
343 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_WDS,
344 eh->ether_dhost, "mcast", "%s", "on DWDS");
345 vap->iv_stats.is_dwds_mcast++;
347 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1);
348 /* XXX better status? */
351 if (vap->iv_opmode == IEEE80211_M_HOSTAP) {
353 * Spam DWDS vap's w/ multicast traffic.
355 /* XXX only if dwds in use? */
356 ieee80211_dwds_mcast(vap, m);
359 #ifdef IEEE80211_SUPPORT_MESH
360 if (vap->iv_opmode != IEEE80211_M_MBSS) {
362 ni = ieee80211_find_txnode(vap, eh->ether_dhost);
364 /* NB: ieee80211_find_txnode does stat+msg */
365 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1);
367 /* XXX better status? */
370 if (ni->ni_associd == 0 &&
371 (ni->ni_flags & IEEE80211_NODE_ASSOCID)) {
372 IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_OUTPUT,
373 eh->ether_dhost, NULL,
374 "sta not associated (type 0x%04x)",
375 htons(eh->ether_type));
376 vap->iv_stats.is_tx_notassoc++;
377 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1);
379 ieee80211_free_node(ni);
380 /* XXX better status? */
383 #ifdef IEEE80211_SUPPORT_MESH
385 if (!IEEE80211_ADDR_EQ(eh->ether_shost, vap->iv_myaddr)) {
387 * Proxy station only if configured.
389 if (!ieee80211_mesh_isproxyena(vap)) {
390 IEEE80211_DISCARD_MAC(vap,
391 IEEE80211_MSG_OUTPUT |
393 eh->ether_dhost, NULL,
394 "%s", "proxy not enabled");
395 vap->iv_stats.is_mesh_notproxy++;
396 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1);
398 /* XXX better status? */
401 IEEE80211_DPRINTF(vap, IEEE80211_MSG_OUTPUT,
402 "forward frame from DS SA(%6D), DA(%6D)\n",
403 eh->ether_shost, ":",
404 eh->ether_dhost, ":");
405 ieee80211_mesh_proxy_check(vap, eh->ether_shost);
407 ni = ieee80211_mesh_discover(vap, eh->ether_dhost, m);
410 * NB: ieee80211_mesh_discover holds/disposes
411 * frame (e.g. queueing on path discovery).
413 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1);
414 /* XXX better status? */
421 * We've resolved the sender, so attempt to transmit it.
424 if (vap->iv_state == IEEE80211_S_SLEEP) {
426 * In power save; queue frame and then wakeup device
429 ic->ic_lastdata = ticks;
430 if (ieee80211_pwrsave(ni, m) != 0)
431 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1);
432 ieee80211_free_node(ni);
433 ieee80211_new_state(vap, IEEE80211_S_RUN, 0);
437 if (ieee80211_vap_pkt_send_dest(vap, m, ni) != 0)
444 * Start method for vap's. All packets from the stack come
445 * through here. We handle common processing of the packets
446 * before dispatching them to the underlying device.
448 * if_transmit() requires that the mbuf be consumed by this call
449 * regardless of the return condition.
452 ieee80211_vap_transmit(struct ifnet *ifp, struct mbuf *m)
454 struct ieee80211vap *vap = ifp->if_softc;
455 struct ieee80211com *ic = vap->iv_ic;
458 * No data frames go out unless we're running.
459 * Note in particular this covers CAC and CSA
460 * states (though maybe we should check muting
463 if (vap->iv_state != IEEE80211_S_RUN &&
464 vap->iv_state != IEEE80211_S_SLEEP) {
466 /* re-check under the com lock to avoid races */
467 if (vap->iv_state != IEEE80211_S_RUN &&
468 vap->iv_state != IEEE80211_S_SLEEP) {
469 IEEE80211_DPRINTF(vap, IEEE80211_MSG_OUTPUT,
470 "%s: ignore queue, in %s state\n",
471 __func__, ieee80211_state_name[vap->iv_state]);
472 vap->iv_stats.is_tx_badstate++;
473 IEEE80211_UNLOCK(ic);
474 ifp->if_drv_flags |= IFF_DRV_OACTIVE;
476 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1);
479 IEEE80211_UNLOCK(ic);
483 * Sanitize mbuf flags for net80211 use. We cannot
484 * clear M_PWR_SAV or M_MORE_DATA because these may
485 * be set for frames that are re-submitted from the
488 * NB: This must be done before ieee80211_classify as
489 * it marks EAPOL in frames with M_EAPOL.
491 m->m_flags &= ~(M_80211_TX - M_PWR_SAV - M_MORE_DATA);
494 * Bump to the packet transmission path.
495 * The mbuf will be consumed here.
497 return (ieee80211_start_pkt(vap, m));
501 ieee80211_vap_qflush(struct ifnet *ifp)
508 * 802.11 raw output routine.
510 * XXX TODO: this (and other send routines) should correctly
511 * XXX keep the pwr mgmt bit set if it decides to call into the
512 * XXX driver to send a frame whilst the state is SLEEP.
514 * Otherwise the peer may decide that we're awake and flood us
515 * with traffic we are still too asleep to receive!
518 ieee80211_raw_output(struct ieee80211vap *vap, struct ieee80211_node *ni,
519 struct mbuf *m, const struct ieee80211_bpf_params *params)
521 struct ieee80211com *ic = vap->iv_ic;
525 * Set node - the caller has taken a reference, so ensure
526 * that the mbuf has the same node value that
527 * it would if it were going via the normal path.
529 m->m_pkthdr.rcvif = (void *)ni;
532 * Attempt to add bpf transmit parameters.
534 * For now it's ok to fail; the raw_xmit api still takes
537 * Later on when ic_raw_xmit() has params removed,
538 * they'll have to be added - so fail the transmit if
542 (void) ieee80211_add_xmit_params(m, params);
544 error = ic->ic_raw_xmit(ni, m, params);
546 if_inc_counter(vap->iv_ifp, IFCOUNTER_OERRORS, 1);
547 ieee80211_free_node(ni);
553 * 802.11 output routine. This is (currently) used only to
554 * connect bpf write calls to the 802.11 layer for injecting
558 ieee80211_output(struct ifnet *ifp, struct mbuf *m,
559 const struct sockaddr *dst, struct route *ro)
561 #define senderr(e) do { error = (e); goto bad;} while (0)
562 struct ieee80211_node *ni = NULL;
563 struct ieee80211vap *vap;
564 struct ieee80211_frame *wh;
565 struct ieee80211com *ic = NULL;
569 if (ifp->if_drv_flags & IFF_DRV_OACTIVE) {
571 * Short-circuit requests if the vap is marked OACTIVE
572 * as this can happen because a packet came down through
573 * ieee80211_start before the vap entered RUN state in
574 * which case it's ok to just drop the frame. This
575 * should not be necessary but callers of if_output don't
583 * Hand to the 802.3 code if not tagged as
584 * a raw 802.11 frame.
586 if (dst->sa_family != AF_IEEE80211)
587 return vap->iv_output(ifp, m, dst, ro);
589 error = mac_ifnet_check_transmit(ifp, m);
593 if (ifp->if_flags & IFF_MONITOR)
595 if (!IFNET_IS_UP_RUNNING(ifp))
597 if (vap->iv_state == IEEE80211_S_CAC) {
598 IEEE80211_DPRINTF(vap,
599 IEEE80211_MSG_OUTPUT | IEEE80211_MSG_DOTH,
600 "block %s frame in CAC state\n", "raw data");
601 vap->iv_stats.is_tx_badstate++;
602 senderr(EIO); /* XXX */
603 } else if (vap->iv_state == IEEE80211_S_SCAN)
605 /* XXX bypass bridge, pfil, carp, etc. */
607 if (m->m_pkthdr.len < sizeof(struct ieee80211_frame_ack))
608 senderr(EIO); /* XXX */
609 wh = mtod(m, struct ieee80211_frame *);
610 if ((wh->i_fc[0] & IEEE80211_FC0_VERSION_MASK) !=
611 IEEE80211_FC0_VERSION_0)
612 senderr(EIO); /* XXX */
613 if (m->m_pkthdr.len < ieee80211_anyhdrsize(wh))
614 senderr(EIO); /* XXX */
616 /* locate destination node */
617 switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) {
618 case IEEE80211_FC1_DIR_NODS:
619 case IEEE80211_FC1_DIR_FROMDS:
620 ni = ieee80211_find_txnode(vap, wh->i_addr1);
622 case IEEE80211_FC1_DIR_TODS:
623 case IEEE80211_FC1_DIR_DSTODS:
624 ni = ieee80211_find_txnode(vap, wh->i_addr3);
627 senderr(EIO); /* XXX */
631 * Permit packets w/ bpf params through regardless
632 * (see below about sa_len).
634 if (dst->sa_len == 0)
635 senderr(EHOSTUNREACH);
636 ni = ieee80211_ref_node(vap->iv_bss);
640 * Sanitize mbuf for net80211 flags leaked from above.
642 * NB: This must be done before ieee80211_classify as
643 * it marks EAPOL in frames with M_EAPOL.
645 m->m_flags &= ~M_80211_TX;
647 /* calculate priority so drivers can find the tx queue */
648 /* XXX assumes an 802.3 frame */
649 if (ieee80211_classify(ni, m))
650 senderr(EIO); /* XXX */
652 IEEE80211_NODE_STAT(ni, tx_data);
653 if (IEEE80211_IS_MULTICAST(wh->i_addr1)) {
654 IEEE80211_NODE_STAT(ni, tx_mcast);
655 m->m_flags |= M_MCAST;
657 IEEE80211_NODE_STAT(ni, tx_ucast);
658 /* NB: ieee80211_encap does not include 802.11 header */
659 IEEE80211_NODE_STAT_ADD(ni, tx_bytes, m->m_pkthdr.len);
661 IEEE80211_TX_LOCK(ic);
664 * NB: DLT_IEEE802_11_RADIO identifies the parameters are
665 * present by setting the sa_len field of the sockaddr (yes,
667 * NB: we assume sa_data is suitably aligned to cast.
669 ret = ieee80211_raw_output(vap, ni, m,
670 (const struct ieee80211_bpf_params *)(dst->sa_len ?
671 dst->sa_data : NULL));
672 IEEE80211_TX_UNLOCK(ic);
678 ieee80211_free_node(ni);
679 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1);
685 * Set the direction field and address fields of an outgoing
686 * frame. Note this should be called early on in constructing
687 * a frame as it sets i_fc[1]; other bits can then be or'd in.
690 ieee80211_send_setup(
691 struct ieee80211_node *ni,
694 const uint8_t sa[IEEE80211_ADDR_LEN],
695 const uint8_t da[IEEE80211_ADDR_LEN],
696 const uint8_t bssid[IEEE80211_ADDR_LEN])
698 #define WH4(wh) ((struct ieee80211_frame_addr4 *)wh)
699 struct ieee80211vap *vap = ni->ni_vap;
700 struct ieee80211_tx_ampdu *tap;
701 struct ieee80211_frame *wh = mtod(m, struct ieee80211_frame *);
704 IEEE80211_TX_LOCK_ASSERT(ni->ni_ic);
706 wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | type;
707 if ((type & IEEE80211_FC0_TYPE_MASK) == IEEE80211_FC0_TYPE_DATA) {
708 switch (vap->iv_opmode) {
709 case IEEE80211_M_STA:
710 wh->i_fc[1] = IEEE80211_FC1_DIR_TODS;
711 IEEE80211_ADDR_COPY(wh->i_addr1, bssid);
712 IEEE80211_ADDR_COPY(wh->i_addr2, sa);
713 IEEE80211_ADDR_COPY(wh->i_addr3, da);
715 case IEEE80211_M_IBSS:
716 case IEEE80211_M_AHDEMO:
717 wh->i_fc[1] = IEEE80211_FC1_DIR_NODS;
718 IEEE80211_ADDR_COPY(wh->i_addr1, da);
719 IEEE80211_ADDR_COPY(wh->i_addr2, sa);
720 IEEE80211_ADDR_COPY(wh->i_addr3, bssid);
722 case IEEE80211_M_HOSTAP:
723 wh->i_fc[1] = IEEE80211_FC1_DIR_FROMDS;
724 IEEE80211_ADDR_COPY(wh->i_addr1, da);
725 IEEE80211_ADDR_COPY(wh->i_addr2, bssid);
726 IEEE80211_ADDR_COPY(wh->i_addr3, sa);
728 case IEEE80211_M_WDS:
729 wh->i_fc[1] = IEEE80211_FC1_DIR_DSTODS;
730 IEEE80211_ADDR_COPY(wh->i_addr1, da);
731 IEEE80211_ADDR_COPY(wh->i_addr2, vap->iv_myaddr);
732 IEEE80211_ADDR_COPY(wh->i_addr3, da);
733 IEEE80211_ADDR_COPY(WH4(wh)->i_addr4, sa);
735 case IEEE80211_M_MBSS:
736 #ifdef IEEE80211_SUPPORT_MESH
737 if (IEEE80211_IS_MULTICAST(da)) {
738 wh->i_fc[1] = IEEE80211_FC1_DIR_FROMDS;
740 IEEE80211_ADDR_COPY(wh->i_addr1, da);
741 IEEE80211_ADDR_COPY(wh->i_addr2,
744 wh->i_fc[1] = IEEE80211_FC1_DIR_DSTODS;
745 IEEE80211_ADDR_COPY(wh->i_addr1, da);
746 IEEE80211_ADDR_COPY(wh->i_addr2,
748 IEEE80211_ADDR_COPY(wh->i_addr3, da);
749 IEEE80211_ADDR_COPY(WH4(wh)->i_addr4, sa);
753 case IEEE80211_M_MONITOR: /* NB: to quiet compiler */
757 wh->i_fc[1] = IEEE80211_FC1_DIR_NODS;
758 IEEE80211_ADDR_COPY(wh->i_addr1, da);
759 IEEE80211_ADDR_COPY(wh->i_addr2, sa);
760 #ifdef IEEE80211_SUPPORT_MESH
761 if (vap->iv_opmode == IEEE80211_M_MBSS)
762 IEEE80211_ADDR_COPY(wh->i_addr3, sa);
765 IEEE80211_ADDR_COPY(wh->i_addr3, bssid);
767 *(uint16_t *)&wh->i_dur[0] = 0;
770 * XXX TODO: this is what the TX lock is for.
771 * Here we're incrementing sequence numbers, and they
772 * need to be in lock-step with what the driver is doing
773 * both in TX ordering and crypto encap (IV increment.)
775 * If the driver does seqno itself, then we can skip
776 * assigning sequence numbers here, and we can avoid
777 * requiring the TX lock.
779 tap = &ni->ni_tx_ampdu[tid];
780 if (tid != IEEE80211_NONQOS_TID && IEEE80211_AMPDU_RUNNING(tap)) {
781 m->m_flags |= M_AMPDU_MPDU;
783 if (IEEE80211_HAS_SEQ(type & IEEE80211_FC0_TYPE_MASK,
784 type & IEEE80211_FC0_SUBTYPE_MASK))
786 * 802.11-2012 9.3.2.10 - QoS multicast frames
787 * come out of a different seqno space.
789 if (IEEE80211_IS_MULTICAST(wh->i_addr1)) {
790 seqno = ni->ni_txseqs[IEEE80211_NONQOS_TID]++;
792 seqno = ni->ni_txseqs[tid]++;
797 *(uint16_t *)&wh->i_seq[0] =
798 htole16(seqno << IEEE80211_SEQ_SEQ_SHIFT);
799 M_SEQNO_SET(m, seqno);
802 if (IEEE80211_IS_MULTICAST(wh->i_addr1))
803 m->m_flags |= M_MCAST;
808 * Send a management frame to the specified node. The node pointer
809 * must have a reference as the pointer will be passed to the driver
810 * and potentially held for a long time. If the frame is successfully
811 * dispatched to the driver, then it is responsible for freeing the
812 * reference (and potentially free'ing up any associated storage);
813 * otherwise deal with reclaiming any reference (on error).
816 ieee80211_mgmt_output(struct ieee80211_node *ni, struct mbuf *m, int type,
817 struct ieee80211_bpf_params *params)
819 struct ieee80211vap *vap = ni->ni_vap;
820 struct ieee80211com *ic = ni->ni_ic;
821 struct ieee80211_frame *wh;
824 KASSERT(ni != NULL, ("null node"));
826 if (vap->iv_state == IEEE80211_S_CAC) {
827 IEEE80211_NOTE(vap, IEEE80211_MSG_OUTPUT | IEEE80211_MSG_DOTH,
828 ni, "block %s frame in CAC state",
829 ieee80211_mgt_subtype_name(type));
830 vap->iv_stats.is_tx_badstate++;
831 ieee80211_free_node(ni);
833 return EIO; /* XXX */
836 M_PREPEND(m, sizeof(struct ieee80211_frame), M_NOWAIT);
838 ieee80211_free_node(ni);
842 IEEE80211_TX_LOCK(ic);
844 wh = mtod(m, struct ieee80211_frame *);
845 ieee80211_send_setup(ni, m,
846 IEEE80211_FC0_TYPE_MGT | type, IEEE80211_NONQOS_TID,
847 vap->iv_myaddr, ni->ni_macaddr, ni->ni_bssid);
848 if (params->ibp_flags & IEEE80211_BPF_CRYPTO) {
849 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_AUTH, wh->i_addr1,
850 "encrypting frame (%s)", __func__);
851 wh->i_fc[1] |= IEEE80211_FC1_PROTECTED;
853 m->m_flags |= M_ENCAP; /* mark encapsulated */
855 KASSERT(type != IEEE80211_FC0_SUBTYPE_PROBE_RESP, ("probe response?"));
856 M_WME_SETAC(m, params->ibp_pri);
858 #ifdef IEEE80211_DEBUG
859 /* avoid printing too many frames */
860 if ((ieee80211_msg_debug(vap) && doprint(vap, type)) ||
861 ieee80211_msg_dumppkts(vap)) {
862 printf("[%s] send %s on channel %u\n",
863 ether_sprintf(wh->i_addr1),
864 ieee80211_mgt_subtype_name(type),
865 ieee80211_chan2ieee(ic, ic->ic_curchan));
868 IEEE80211_NODE_STAT(ni, tx_mgmt);
870 ret = ieee80211_raw_output(vap, ni, m, params);
871 IEEE80211_TX_UNLOCK(ic);
876 ieee80211_nulldata_transmitted(struct ieee80211_node *ni, void *arg,
879 struct ieee80211vap *vap = ni->ni_vap;
885 * Send a null data frame to the specified node. If the station
886 * is setup for QoS then a QoS Null Data frame is constructed.
887 * If this is a WDS station then a 4-address frame is constructed.
889 * NB: the caller is assumed to have setup a node reference
890 * for use; this is necessary to deal with a race condition
891 * when probing for inactive stations. Like ieee80211_mgmt_output
892 * we must cleanup any node reference on error; however we
893 * can safely just unref it as we know it will never be the
894 * last reference to the node.
897 ieee80211_send_nulldata(struct ieee80211_node *ni)
899 struct ieee80211vap *vap = ni->ni_vap;
900 struct ieee80211com *ic = ni->ni_ic;
902 struct ieee80211_frame *wh;
907 if (vap->iv_state == IEEE80211_S_CAC) {
908 IEEE80211_NOTE(vap, IEEE80211_MSG_OUTPUT | IEEE80211_MSG_DOTH,
909 ni, "block %s frame in CAC state", "null data");
910 ieee80211_unref_node(&ni);
911 vap->iv_stats.is_tx_badstate++;
912 return EIO; /* XXX */
915 if (ni->ni_flags & (IEEE80211_NODE_QOS|IEEE80211_NODE_HT))
916 hdrlen = sizeof(struct ieee80211_qosframe);
918 hdrlen = sizeof(struct ieee80211_frame);
919 /* NB: only WDS vap's get 4-address frames */
920 if (vap->iv_opmode == IEEE80211_M_WDS)
921 hdrlen += IEEE80211_ADDR_LEN;
922 if (ic->ic_flags & IEEE80211_F_DATAPAD)
923 hdrlen = roundup(hdrlen, sizeof(uint32_t));
925 m = ieee80211_getmgtframe(&frm, ic->ic_headroom + hdrlen, 0);
928 ieee80211_unref_node(&ni);
929 vap->iv_stats.is_tx_nobuf++;
932 KASSERT(M_LEADINGSPACE(m) >= hdrlen,
933 ("leading space %zd", M_LEADINGSPACE(m)));
934 M_PREPEND(m, hdrlen, M_NOWAIT);
936 /* NB: cannot happen */
937 ieee80211_free_node(ni);
941 IEEE80211_TX_LOCK(ic);
943 wh = mtod(m, struct ieee80211_frame *); /* NB: a little lie */
944 if (ni->ni_flags & IEEE80211_NODE_QOS) {
945 const int tid = WME_AC_TO_TID(WME_AC_BE);
948 ieee80211_send_setup(ni, m,
949 IEEE80211_FC0_TYPE_DATA | IEEE80211_FC0_SUBTYPE_QOS_NULL,
950 tid, vap->iv_myaddr, ni->ni_macaddr, ni->ni_bssid);
952 if (vap->iv_opmode == IEEE80211_M_WDS)
953 qos = ((struct ieee80211_qosframe_addr4 *) wh)->i_qos;
955 qos = ((struct ieee80211_qosframe *) wh)->i_qos;
956 qos[0] = tid & IEEE80211_QOS_TID;
957 if (ic->ic_wme.wme_wmeChanParams.cap_wmeParams[WME_AC_BE].wmep_noackPolicy)
958 qos[0] |= IEEE80211_QOS_ACKPOLICY_NOACK;
961 ieee80211_send_setup(ni, m,
962 IEEE80211_FC0_TYPE_DATA | IEEE80211_FC0_SUBTYPE_NODATA,
963 IEEE80211_NONQOS_TID,
964 vap->iv_myaddr, ni->ni_macaddr, ni->ni_bssid);
966 if (vap->iv_opmode != IEEE80211_M_WDS) {
967 /* NB: power management bit is never sent by an AP */
968 if ((ni->ni_flags & IEEE80211_NODE_PWR_MGT) &&
969 vap->iv_opmode != IEEE80211_M_HOSTAP)
970 wh->i_fc[1] |= IEEE80211_FC1_PWR_MGT;
972 if ((ic->ic_flags & IEEE80211_F_SCAN) &&
973 (ni->ni_flags & IEEE80211_NODE_PWR_MGT)) {
974 ieee80211_add_callback(m, ieee80211_nulldata_transmitted,
977 m->m_len = m->m_pkthdr.len = hdrlen;
978 m->m_flags |= M_ENCAP; /* mark encapsulated */
980 M_WME_SETAC(m, WME_AC_BE);
982 IEEE80211_NODE_STAT(ni, tx_data);
984 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_DUMPPKTS, ni,
985 "send %snull data frame on channel %u, pwr mgt %s",
986 ni->ni_flags & IEEE80211_NODE_QOS ? "QoS " : "",
987 ieee80211_chan2ieee(ic, ic->ic_curchan),
988 wh->i_fc[1] & IEEE80211_FC1_PWR_MGT ? "ena" : "dis");
990 ret = ieee80211_raw_output(vap, ni, m, NULL);
991 IEEE80211_TX_UNLOCK(ic);
996 * Assign priority to a frame based on any vlan tag assigned
997 * to the station and/or any Diffserv setting in an IP header.
998 * Finally, if an ACM policy is setup (in station mode) it's
1002 ieee80211_classify(struct ieee80211_node *ni, struct mbuf *m)
1004 const struct ether_header *eh = mtod(m, struct ether_header *);
1005 int v_wme_ac, d_wme_ac, ac;
1008 * Always promote PAE/EAPOL frames to high priority.
1010 if (eh->ether_type == htons(ETHERTYPE_PAE)) {
1011 /* NB: mark so others don't need to check header */
1012 m->m_flags |= M_EAPOL;
1017 * Non-qos traffic goes to BE.
1019 if ((ni->ni_flags & IEEE80211_NODE_QOS) == 0) {
1025 * If node has a vlan tag then all traffic
1026 * to it must have a matching tag.
1029 if (ni->ni_vlan != 0) {
1030 if ((m->m_flags & M_VLANTAG) == 0) {
1031 IEEE80211_NODE_STAT(ni, tx_novlantag);
1034 if (EVL_VLANOFTAG(m->m_pkthdr.ether_vtag) !=
1035 EVL_VLANOFTAG(ni->ni_vlan)) {
1036 IEEE80211_NODE_STAT(ni, tx_vlanmismatch);
1039 /* map vlan priority to AC */
1040 v_wme_ac = TID_TO_WME_AC(EVL_PRIOFTAG(ni->ni_vlan));
1043 /* XXX m_copydata may be too slow for fast path */
1045 if (eh->ether_type == htons(ETHERTYPE_IP)) {
1048 * IP frame, map the DSCP bits from the TOS field.
1050 /* NB: ip header may not be in first mbuf */
1051 m_copydata(m, sizeof(struct ether_header) +
1052 offsetof(struct ip, ip_tos), sizeof(tos), &tos);
1053 tos >>= 5; /* NB: ECN + low 3 bits of DSCP */
1054 d_wme_ac = TID_TO_WME_AC(tos);
1058 if (eh->ether_type == htons(ETHERTYPE_IPV6)) {
1062 * IPv6 frame, map the DSCP bits from the traffic class field.
1064 m_copydata(m, sizeof(struct ether_header) +
1065 offsetof(struct ip6_hdr, ip6_flow), sizeof(flow),
1067 tos = (uint8_t)(ntohl(flow) >> 20);
1068 tos >>= 5; /* NB: ECN + low 3 bits of DSCP */
1069 d_wme_ac = TID_TO_WME_AC(tos);
1072 d_wme_ac = WME_AC_BE;
1080 * Use highest priority AC.
1082 if (v_wme_ac > d_wme_ac)
1090 if (ni->ni_vap->iv_opmode == IEEE80211_M_STA) {
1091 static const int acmap[4] = {
1092 WME_AC_BK, /* WME_AC_BE */
1093 WME_AC_BK, /* WME_AC_BK */
1094 WME_AC_BE, /* WME_AC_VI */
1095 WME_AC_VI, /* WME_AC_VO */
1097 struct ieee80211com *ic = ni->ni_ic;
1099 while (ac != WME_AC_BK &&
1100 ic->ic_wme.wme_wmeBssChanParams.cap_wmeParams[ac].wmep_acm)
1109 * Insure there is sufficient contiguous space to encapsulate the
1110 * 802.11 data frame. If room isn't already there, arrange for it.
1111 * Drivers and cipher modules assume we have done the necessary work
1112 * and fail rudely if they don't find the space they need.
1115 ieee80211_mbuf_adjust(struct ieee80211vap *vap, int hdrsize,
1116 struct ieee80211_key *key, struct mbuf *m)
1118 #define TO_BE_RECLAIMED (sizeof(struct ether_header) - sizeof(struct llc))
1119 int needed_space = vap->iv_ic->ic_headroom + hdrsize;
1122 /* XXX belongs in crypto code? */
1123 needed_space += key->wk_cipher->ic_header;
1126 * When crypto is being done in the host we must insure
1127 * the data are writable for the cipher routines; clone
1128 * a writable mbuf chain.
1129 * XXX handle SWMIC specially
1131 if (key->wk_flags & (IEEE80211_KEY_SWENCRYPT|IEEE80211_KEY_SWENMIC)) {
1132 m = m_unshare(m, M_NOWAIT);
1134 IEEE80211_DPRINTF(vap, IEEE80211_MSG_OUTPUT,
1135 "%s: cannot get writable mbuf\n", __func__);
1136 vap->iv_stats.is_tx_nobuf++; /* XXX new stat */
1142 * We know we are called just before stripping an Ethernet
1143 * header and prepending an LLC header. This means we know
1145 * sizeof(struct ether_header) - sizeof(struct llc)
1146 * bytes recovered to which we need additional space for the
1147 * 802.11 header and any crypto header.
1149 /* XXX check trailing space and copy instead? */
1150 if (M_LEADINGSPACE(m) < needed_space - TO_BE_RECLAIMED) {
1151 struct mbuf *n = m_gethdr(M_NOWAIT, m->m_type);
1153 IEEE80211_DPRINTF(vap, IEEE80211_MSG_OUTPUT,
1154 "%s: cannot expand storage\n", __func__);
1155 vap->iv_stats.is_tx_nobuf++;
1159 KASSERT(needed_space <= MHLEN,
1160 ("not enough room, need %u got %d\n", needed_space, MHLEN));
1162 * Setup new mbuf to have leading space to prepend the
1163 * 802.11 header and any crypto header bits that are
1164 * required (the latter are added when the driver calls
1165 * back to ieee80211_crypto_encap to do crypto encapsulation).
1167 /* NB: must be first 'cuz it clobbers m_data */
1168 m_move_pkthdr(n, m);
1169 n->m_len = 0; /* NB: m_gethdr does not set */
1170 n->m_data += needed_space;
1172 * Pull up Ethernet header to create the expected layout.
1173 * We could use m_pullup but that's overkill (i.e. we don't
1174 * need the actual data) and it cannot fail so do it inline
1177 /* NB: struct ether_header is known to be contiguous */
1178 n->m_len += sizeof(struct ether_header);
1179 m->m_len -= sizeof(struct ether_header);
1180 m->m_data += sizeof(struct ether_header);
1182 * Replace the head of the chain.
1188 #undef TO_BE_RECLAIMED
1192 * Return the transmit key to use in sending a unicast frame.
1193 * If a unicast key is set we use that. When no unicast key is set
1194 * we fall back to the default transmit key.
1196 static __inline struct ieee80211_key *
1197 ieee80211_crypto_getucastkey(struct ieee80211vap *vap,
1198 struct ieee80211_node *ni)
1200 if (IEEE80211_KEY_UNDEFINED(&ni->ni_ucastkey)) {
1201 if (vap->iv_def_txkey == IEEE80211_KEYIX_NONE ||
1202 IEEE80211_KEY_UNDEFINED(&vap->iv_nw_keys[vap->iv_def_txkey]))
1204 return &vap->iv_nw_keys[vap->iv_def_txkey];
1206 return &ni->ni_ucastkey;
1211 * Return the transmit key to use in sending a multicast frame.
1212 * Multicast traffic always uses the group key which is installed as
1213 * the default tx key.
1215 static __inline struct ieee80211_key *
1216 ieee80211_crypto_getmcastkey(struct ieee80211vap *vap,
1217 struct ieee80211_node *ni)
1219 if (vap->iv_def_txkey == IEEE80211_KEYIX_NONE ||
1220 IEEE80211_KEY_UNDEFINED(&vap->iv_nw_keys[vap->iv_def_txkey]))
1222 return &vap->iv_nw_keys[vap->iv_def_txkey];
1226 * Encapsulate an outbound data frame. The mbuf chain is updated.
1227 * If an error is encountered NULL is returned. The caller is required
1228 * to provide a node reference and pullup the ethernet header in the
1231 * NB: Packet is assumed to be processed by ieee80211_classify which
1232 * marked EAPOL frames w/ M_EAPOL.
1235 ieee80211_encap(struct ieee80211vap *vap, struct ieee80211_node *ni,
1238 #define WH4(wh) ((struct ieee80211_frame_addr4 *)(wh))
1239 #define MC01(mc) ((struct ieee80211_meshcntl_ae01 *)mc)
1240 struct ieee80211com *ic = ni->ni_ic;
1241 #ifdef IEEE80211_SUPPORT_MESH
1242 struct ieee80211_mesh_state *ms = vap->iv_mesh;
1243 struct ieee80211_meshcntl_ae10 *mc;
1244 struct ieee80211_mesh_route *rt = NULL;
1247 struct ether_header eh;
1248 struct ieee80211_frame *wh;
1249 struct ieee80211_key *key;
1251 int hdrsize, hdrspace, datalen, addqos, txfrag, is4addr, is_mcast;
1252 ieee80211_seq seqno;
1253 int meshhdrsize, meshae;
1257 IEEE80211_TX_LOCK_ASSERT(ic);
1259 is_mcast = !! (m->m_flags & (M_MCAST | M_BCAST));
1262 * Copy existing Ethernet header to a safe place. The
1263 * rest of the code assumes it's ok to strip it when
1264 * reorganizing state for the final encapsulation.
1266 KASSERT(m->m_len >= sizeof(eh), ("no ethernet header!"));
1267 ETHER_HEADER_COPY(&eh, mtod(m, caddr_t));
1270 * Insure space for additional headers. First identify
1271 * transmit key to use in calculating any buffer adjustments
1272 * required. This is also used below to do privacy
1273 * encapsulation work. Then calculate the 802.11 header
1274 * size and any padding required by the driver.
1276 * Note key may be NULL if we fall back to the default
1277 * transmit key and that is not set. In that case the
1278 * buffer may not be expanded as needed by the cipher
1279 * routines, but they will/should discard it.
1281 if (vap->iv_flags & IEEE80211_F_PRIVACY) {
1282 if (vap->iv_opmode == IEEE80211_M_STA ||
1283 !IEEE80211_IS_MULTICAST(eh.ether_dhost) ||
1284 (vap->iv_opmode == IEEE80211_M_WDS &&
1285 (vap->iv_flags_ext & IEEE80211_FEXT_WDSLEGACY)))
1286 key = ieee80211_crypto_getucastkey(vap, ni);
1288 key = ieee80211_crypto_getmcastkey(vap, ni);
1289 if (key == NULL && (m->m_flags & M_EAPOL) == 0) {
1290 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_CRYPTO,
1292 "no default transmit key (%s) deftxkey %u",
1293 __func__, vap->iv_def_txkey);
1294 vap->iv_stats.is_tx_nodefkey++;
1300 * XXX Some ap's don't handle QoS-encapsulated EAPOL
1301 * frames so suppress use. This may be an issue if other
1302 * ap's require all data frames to be QoS-encapsulated
1303 * once negotiated in which case we'll need to make this
1306 * Don't send multicast QoS frames.
1307 * Technically multicast frames can be QoS if all stations in the
1310 * NB: mesh data frames are QoS, including multicast frames.
1313 (((is_mcast == 0) && (ni->ni_flags &
1314 (IEEE80211_NODE_QOS|IEEE80211_NODE_HT))) ||
1315 (vap->iv_opmode == IEEE80211_M_MBSS)) &&
1316 (m->m_flags & M_EAPOL) == 0;
1319 hdrsize = sizeof(struct ieee80211_qosframe);
1321 hdrsize = sizeof(struct ieee80211_frame);
1322 #ifdef IEEE80211_SUPPORT_MESH
1323 if (vap->iv_opmode == IEEE80211_M_MBSS) {
1325 * Mesh data frames are encapsulated according to the
1326 * rules of Section 11B.8.5 (p.139 of D3.0 spec).
1327 * o Group Addressed data (aka multicast) originating
1328 * at the local sta are sent w/ 3-address format and
1329 * address extension mode 00
1330 * o Individually Addressed data (aka unicast) originating
1331 * at the local sta are sent w/ 4-address format and
1332 * address extension mode 00
1333 * o Group Addressed data forwarded from a non-mesh sta are
1334 * sent w/ 3-address format and address extension mode 01
1335 * o Individually Address data from another sta are sent
1336 * w/ 4-address format and address extension mode 10
1338 is4addr = 0; /* NB: don't use, disable */
1339 if (!IEEE80211_IS_MULTICAST(eh.ether_dhost)) {
1340 rt = ieee80211_mesh_rt_find(vap, eh.ether_dhost);
1341 KASSERT(rt != NULL, ("route is NULL"));
1342 dir = IEEE80211_FC1_DIR_DSTODS;
1343 hdrsize += IEEE80211_ADDR_LEN;
1344 if (rt->rt_flags & IEEE80211_MESHRT_FLAGS_PROXY) {
1345 if (IEEE80211_ADDR_EQ(rt->rt_mesh_gate,
1347 IEEE80211_NOTE_MAC(vap,
1350 "%s", "trying to send to ourself");
1353 meshae = IEEE80211_MESH_AE_10;
1355 sizeof(struct ieee80211_meshcntl_ae10);
1357 meshae = IEEE80211_MESH_AE_00;
1359 sizeof(struct ieee80211_meshcntl);
1362 dir = IEEE80211_FC1_DIR_FROMDS;
1363 if (!IEEE80211_ADDR_EQ(eh.ether_shost, vap->iv_myaddr)) {
1365 meshae = IEEE80211_MESH_AE_01;
1367 sizeof(struct ieee80211_meshcntl_ae01);
1370 meshae = IEEE80211_MESH_AE_00;
1371 meshhdrsize = sizeof(struct ieee80211_meshcntl);
1377 * 4-address frames need to be generated for:
1378 * o packets sent through a WDS vap (IEEE80211_M_WDS)
1379 * o packets sent through a vap marked for relaying
1380 * (e.g. a station operating with dynamic WDS)
1382 is4addr = vap->iv_opmode == IEEE80211_M_WDS ||
1383 ((vap->iv_flags_ext & IEEE80211_FEXT_4ADDR) &&
1384 !IEEE80211_ADDR_EQ(eh.ether_shost, vap->iv_myaddr));
1386 hdrsize += IEEE80211_ADDR_LEN;
1387 meshhdrsize = meshae = 0;
1388 #ifdef IEEE80211_SUPPORT_MESH
1392 * Honor driver DATAPAD requirement.
1394 if (ic->ic_flags & IEEE80211_F_DATAPAD)
1395 hdrspace = roundup(hdrsize, sizeof(uint32_t));
1399 if (__predict_true((m->m_flags & M_FF) == 0)) {
1403 m = ieee80211_mbuf_adjust(vap, hdrspace + meshhdrsize, key, m);
1405 /* NB: ieee80211_mbuf_adjust handles msgs+statistics */
1408 /* NB: this could be optimized 'cuz of ieee80211_mbuf_adjust */
1409 m_adj(m, sizeof(struct ether_header) - sizeof(struct llc));
1410 llc = mtod(m, struct llc *);
1411 llc->llc_dsap = llc->llc_ssap = LLC_SNAP_LSAP;
1412 llc->llc_control = LLC_UI;
1413 llc->llc_snap.org_code[0] = 0;
1414 llc->llc_snap.org_code[1] = 0;
1415 llc->llc_snap.org_code[2] = 0;
1416 llc->llc_snap.ether_type = eh.ether_type;
1418 #ifdef IEEE80211_SUPPORT_SUPERG
1420 * Aggregated frame. Check if it's for AMSDU or FF.
1422 * XXX TODO: IEEE80211_NODE_AMSDU* isn't implemented
1423 * anywhere for some reason. But, since 11n requires
1424 * AMSDU RX, we can just assume "11n" == "AMSDU".
1426 IEEE80211_DPRINTF(vap, IEEE80211_MSG_SUPERG, "%s: called; M_FF\n", __func__);
1427 if (ieee80211_amsdu_tx_ok(ni)) {
1428 m = ieee80211_amsdu_encap(vap, m, hdrspace + meshhdrsize, key);
1431 m = ieee80211_ff_encap(vap, m, hdrspace + meshhdrsize, key);
1437 datalen = m->m_pkthdr.len; /* NB: w/o 802.11 header */
1439 M_PREPEND(m, hdrspace + meshhdrsize, M_NOWAIT);
1441 vap->iv_stats.is_tx_nobuf++;
1444 wh = mtod(m, struct ieee80211_frame *);
1445 wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_DATA;
1446 *(uint16_t *)wh->i_dur = 0;
1447 qos = NULL; /* NB: quiet compiler */
1449 wh->i_fc[1] = IEEE80211_FC1_DIR_DSTODS;
1450 IEEE80211_ADDR_COPY(wh->i_addr1, ni->ni_macaddr);
1451 IEEE80211_ADDR_COPY(wh->i_addr2, vap->iv_myaddr);
1452 IEEE80211_ADDR_COPY(wh->i_addr3, eh.ether_dhost);
1453 IEEE80211_ADDR_COPY(WH4(wh)->i_addr4, eh.ether_shost);
1454 } else switch (vap->iv_opmode) {
1455 case IEEE80211_M_STA:
1456 wh->i_fc[1] = IEEE80211_FC1_DIR_TODS;
1457 IEEE80211_ADDR_COPY(wh->i_addr1, ni->ni_bssid);
1458 IEEE80211_ADDR_COPY(wh->i_addr2, eh.ether_shost);
1459 IEEE80211_ADDR_COPY(wh->i_addr3, eh.ether_dhost);
1461 case IEEE80211_M_IBSS:
1462 case IEEE80211_M_AHDEMO:
1463 wh->i_fc[1] = IEEE80211_FC1_DIR_NODS;
1464 IEEE80211_ADDR_COPY(wh->i_addr1, eh.ether_dhost);
1465 IEEE80211_ADDR_COPY(wh->i_addr2, eh.ether_shost);
1467 * NB: always use the bssid from iv_bss as the
1468 * neighbor's may be stale after an ibss merge
1470 IEEE80211_ADDR_COPY(wh->i_addr3, vap->iv_bss->ni_bssid);
1472 case IEEE80211_M_HOSTAP:
1473 wh->i_fc[1] = IEEE80211_FC1_DIR_FROMDS;
1474 IEEE80211_ADDR_COPY(wh->i_addr1, eh.ether_dhost);
1475 IEEE80211_ADDR_COPY(wh->i_addr2, ni->ni_bssid);
1476 IEEE80211_ADDR_COPY(wh->i_addr3, eh.ether_shost);
1478 #ifdef IEEE80211_SUPPORT_MESH
1479 case IEEE80211_M_MBSS:
1480 /* NB: offset by hdrspace to deal with DATAPAD */
1481 mc = (struct ieee80211_meshcntl_ae10 *)
1482 (mtod(m, uint8_t *) + hdrspace);
1485 case IEEE80211_MESH_AE_00: /* no proxy */
1487 if (dir == IEEE80211_FC1_DIR_DSTODS) { /* ucast */
1488 IEEE80211_ADDR_COPY(wh->i_addr1,
1490 IEEE80211_ADDR_COPY(wh->i_addr2,
1492 IEEE80211_ADDR_COPY(wh->i_addr3,
1494 IEEE80211_ADDR_COPY(WH4(wh)->i_addr4,
1496 qos =((struct ieee80211_qosframe_addr4 *)
1498 } else if (dir == IEEE80211_FC1_DIR_FROMDS) {
1500 IEEE80211_ADDR_COPY(wh->i_addr1,
1502 IEEE80211_ADDR_COPY(wh->i_addr2,
1504 IEEE80211_ADDR_COPY(wh->i_addr3,
1506 qos = ((struct ieee80211_qosframe *)
1510 case IEEE80211_MESH_AE_01: /* mcast, proxy */
1511 wh->i_fc[1] = IEEE80211_FC1_DIR_FROMDS;
1512 IEEE80211_ADDR_COPY(wh->i_addr1, eh.ether_dhost);
1513 IEEE80211_ADDR_COPY(wh->i_addr2, vap->iv_myaddr);
1514 IEEE80211_ADDR_COPY(wh->i_addr3, vap->iv_myaddr);
1516 IEEE80211_ADDR_COPY(MC01(mc)->mc_addr4,
1518 qos = ((struct ieee80211_qosframe *) wh)->i_qos;
1520 case IEEE80211_MESH_AE_10: /* ucast, proxy */
1521 KASSERT(rt != NULL, ("route is NULL"));
1522 IEEE80211_ADDR_COPY(wh->i_addr1, rt->rt_nexthop);
1523 IEEE80211_ADDR_COPY(wh->i_addr2, vap->iv_myaddr);
1524 IEEE80211_ADDR_COPY(wh->i_addr3, rt->rt_mesh_gate);
1525 IEEE80211_ADDR_COPY(WH4(wh)->i_addr4, vap->iv_myaddr);
1526 mc->mc_flags = IEEE80211_MESH_AE_10;
1527 IEEE80211_ADDR_COPY(mc->mc_addr5, eh.ether_dhost);
1528 IEEE80211_ADDR_COPY(mc->mc_addr6, eh.ether_shost);
1529 qos = ((struct ieee80211_qosframe_addr4 *) wh)->i_qos;
1532 KASSERT(0, ("meshae %d", meshae));
1535 mc->mc_ttl = ms->ms_ttl;
1537 le32enc(mc->mc_seq, ms->ms_seq);
1540 case IEEE80211_M_WDS: /* NB: is4addr should always be true */
1544 if (m->m_flags & M_MORE_DATA)
1545 wh->i_fc[1] |= IEEE80211_FC1_MORE_DATA;
1550 qos = ((struct ieee80211_qosframe_addr4 *) wh)->i_qos;
1551 /* NB: mesh case handled earlier */
1552 } else if (vap->iv_opmode != IEEE80211_M_MBSS)
1553 qos = ((struct ieee80211_qosframe *) wh)->i_qos;
1554 ac = M_WME_GETAC(m);
1555 /* map from access class/queue to 11e header priorty value */
1556 tid = WME_AC_TO_TID(ac);
1557 qos[0] = tid & IEEE80211_QOS_TID;
1558 if (ic->ic_wme.wme_wmeChanParams.cap_wmeParams[ac].wmep_noackPolicy)
1559 qos[0] |= IEEE80211_QOS_ACKPOLICY_NOACK;
1560 #ifdef IEEE80211_SUPPORT_MESH
1561 if (vap->iv_opmode == IEEE80211_M_MBSS)
1562 qos[1] = IEEE80211_QOS_MC;
1566 wh->i_fc[0] |= IEEE80211_FC0_SUBTYPE_QOS;
1569 * If this is an A-MSDU then ensure we set the
1573 qos[0] |= IEEE80211_QOS_AMSDU;
1576 * XXX TODO TX lock is needed for atomic updates of sequence
1577 * numbers. If the driver does it, then don't do it here;
1578 * and we don't need the TX lock held.
1580 if ((m->m_flags & M_AMPDU_MPDU) == 0) {
1582 * 802.11-2012 9.3.2.10 -
1584 * If this is a multicast frame then we need
1585 * to ensure that the sequence number comes from
1586 * a separate seqno space and not the TID space.
1588 * Otherwise multicast frames may actually cause
1589 * holes in the TX blockack window space and
1590 * upset various things.
1592 if (IEEE80211_IS_MULTICAST(wh->i_addr1))
1593 seqno = ni->ni_txseqs[IEEE80211_NONQOS_TID]++;
1595 seqno = ni->ni_txseqs[tid]++;
1598 * NB: don't assign a sequence # to potential
1599 * aggregates; we expect this happens at the
1600 * point the frame comes off any aggregation q
1601 * as otherwise we may introduce holes in the
1602 * BA sequence space and/or make window accouting
1605 * XXX may want to control this with a driver
1606 * capability; this may also change when we pull
1607 * aggregation up into net80211
1609 seqno = ni->ni_txseqs[tid]++;
1610 *(uint16_t *)wh->i_seq =
1611 htole16(seqno << IEEE80211_SEQ_SEQ_SHIFT);
1612 M_SEQNO_SET(m, seqno);
1616 * XXX TODO TX lock is needed for atomic updates of sequence
1617 * numbers. If the driver does it, then don't do it here;
1618 * and we don't need the TX lock held.
1620 seqno = ni->ni_txseqs[IEEE80211_NONQOS_TID]++;
1621 *(uint16_t *)wh->i_seq =
1622 htole16(seqno << IEEE80211_SEQ_SEQ_SHIFT);
1623 M_SEQNO_SET(m, seqno);
1626 * XXX TODO: we shouldn't allow EAPOL, etc that would
1627 * be forced to be non-QoS traffic to be A-MSDU encapsulated.
1630 printf("%s: XXX ERROR: is_amsdu set; not QoS!\n",
1635 * Check if xmit fragmentation is required.
1637 * If the hardware does fragmentation offload, then don't bother
1640 if (IEEE80211_CONF_FRAG_OFFLOAD(ic))
1643 txfrag = (m->m_pkthdr.len > vap->iv_fragthreshold &&
1644 !IEEE80211_IS_MULTICAST(wh->i_addr1) &&
1645 (vap->iv_caps & IEEE80211_C_TXFRAG) &&
1646 (m->m_flags & (M_FF | M_AMPDU_MPDU)) == 0);
1650 * IEEE 802.1X: send EAPOL frames always in the clear.
1651 * WPA/WPA2: encrypt EAPOL keys when pairwise keys are set.
1653 if ((m->m_flags & M_EAPOL) == 0 ||
1654 ((vap->iv_flags & IEEE80211_F_WPA) &&
1655 (vap->iv_opmode == IEEE80211_M_STA ?
1656 !IEEE80211_KEY_UNDEFINED(key) :
1657 !IEEE80211_KEY_UNDEFINED(&ni->ni_ucastkey)))) {
1658 wh->i_fc[1] |= IEEE80211_FC1_PROTECTED;
1659 if (!ieee80211_crypto_enmic(vap, key, m, txfrag)) {
1660 IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_OUTPUT,
1662 "%s", "enmic failed, discard frame");
1663 vap->iv_stats.is_crypto_enmicfail++;
1668 if (txfrag && !ieee80211_fragment(vap, m, hdrsize,
1669 key != NULL ? key->wk_cipher->ic_header : 0, vap->iv_fragthreshold))
1672 m->m_flags |= M_ENCAP; /* mark encapsulated */
1674 IEEE80211_NODE_STAT(ni, tx_data);
1675 if (IEEE80211_IS_MULTICAST(wh->i_addr1)) {
1676 IEEE80211_NODE_STAT(ni, tx_mcast);
1677 m->m_flags |= M_MCAST;
1679 IEEE80211_NODE_STAT(ni, tx_ucast);
1680 IEEE80211_NODE_STAT_ADD(ni, tx_bytes, datalen);
1692 ieee80211_free_mbuf(struct mbuf *m)
1700 next = m->m_nextpkt;
1701 m->m_nextpkt = NULL;
1703 } while ((m = next) != NULL);
1707 * Fragment the frame according to the specified mtu.
1708 * The size of the 802.11 header (w/o padding) is provided
1709 * so we don't need to recalculate it. We create a new
1710 * mbuf for each fragment and chain it through m_nextpkt;
1711 * we might be able to optimize this by reusing the original
1712 * packet's mbufs but that is significantly more complicated.
1715 ieee80211_fragment(struct ieee80211vap *vap, struct mbuf *m0,
1716 u_int hdrsize, u_int ciphdrsize, u_int mtu)
1718 struct ieee80211com *ic = vap->iv_ic;
1719 struct ieee80211_frame *wh, *whf;
1720 struct mbuf *m, *prev;
1721 u_int totalhdrsize, fragno, fragsize, off, remainder, payload;
1724 KASSERT(m0->m_nextpkt == NULL, ("mbuf already chained?"));
1725 KASSERT(m0->m_pkthdr.len > mtu,
1726 ("pktlen %u mtu %u", m0->m_pkthdr.len, mtu));
1729 * Honor driver DATAPAD requirement.
1731 if (ic->ic_flags & IEEE80211_F_DATAPAD)
1732 hdrspace = roundup(hdrsize, sizeof(uint32_t));
1736 wh = mtod(m0, struct ieee80211_frame *);
1737 /* NB: mark the first frag; it will be propagated below */
1738 wh->i_fc[1] |= IEEE80211_FC1_MORE_FRAG;
1739 totalhdrsize = hdrspace + ciphdrsize;
1741 off = mtu - ciphdrsize;
1742 remainder = m0->m_pkthdr.len - off;
1745 fragsize = MIN(totalhdrsize + remainder, mtu);
1746 m = m_get2(fragsize, M_NOWAIT, MT_DATA, M_PKTHDR);
1749 /* leave room to prepend any cipher header */
1750 m_align(m, fragsize - ciphdrsize);
1753 * Form the header in the fragment. Note that since
1754 * we mark the first fragment with the MORE_FRAG bit
1755 * it automatically is propagated to each fragment; we
1756 * need only clear it on the last fragment (done below).
1757 * NB: frag 1+ dont have Mesh Control field present.
1759 whf = mtod(m, struct ieee80211_frame *);
1760 memcpy(whf, wh, hdrsize);
1761 #ifdef IEEE80211_SUPPORT_MESH
1762 if (vap->iv_opmode == IEEE80211_M_MBSS) {
1763 if (IEEE80211_IS_DSTODS(wh))
1764 ((struct ieee80211_qosframe_addr4 *)
1765 whf)->i_qos[1] &= ~IEEE80211_QOS_MC;
1767 ((struct ieee80211_qosframe *)
1768 whf)->i_qos[1] &= ~IEEE80211_QOS_MC;
1771 *(uint16_t *)&whf->i_seq[0] |= htole16(
1772 (fragno & IEEE80211_SEQ_FRAG_MASK) <<
1773 IEEE80211_SEQ_FRAG_SHIFT);
1776 payload = fragsize - totalhdrsize;
1777 /* NB: destination is known to be contiguous */
1779 m_copydata(m0, off, payload, mtod(m, uint8_t *) + hdrspace);
1780 m->m_len = hdrspace + payload;
1781 m->m_pkthdr.len = hdrspace + payload;
1782 m->m_flags |= M_FRAG;
1784 /* chain up the fragment */
1785 prev->m_nextpkt = m;
1788 /* deduct fragment just formed */
1789 remainder -= payload;
1791 } while (remainder != 0);
1793 /* set the last fragment */
1794 m->m_flags |= M_LASTFRAG;
1795 whf->i_fc[1] &= ~IEEE80211_FC1_MORE_FRAG;
1797 /* strip first mbuf now that everything has been copied */
1798 m_adj(m0, -(m0->m_pkthdr.len - (mtu - ciphdrsize)));
1799 m0->m_flags |= M_FIRSTFRAG | M_FRAG;
1801 vap->iv_stats.is_tx_fragframes++;
1802 vap->iv_stats.is_tx_frags += fragno-1;
1806 /* reclaim fragments but leave original frame for caller to free */
1807 ieee80211_free_mbuf(m0->m_nextpkt);
1808 m0->m_nextpkt = NULL;
1813 * Add a supported rates element id to a frame.
1816 ieee80211_add_rates(uint8_t *frm, const struct ieee80211_rateset *rs)
1820 *frm++ = IEEE80211_ELEMID_RATES;
1821 nrates = rs->rs_nrates;
1822 if (nrates > IEEE80211_RATE_SIZE)
1823 nrates = IEEE80211_RATE_SIZE;
1825 memcpy(frm, rs->rs_rates, nrates);
1826 return frm + nrates;
1830 * Add an extended supported rates element id to a frame.
1833 ieee80211_add_xrates(uint8_t *frm, const struct ieee80211_rateset *rs)
1836 * Add an extended supported rates element if operating in 11g mode.
1838 if (rs->rs_nrates > IEEE80211_RATE_SIZE) {
1839 int nrates = rs->rs_nrates - IEEE80211_RATE_SIZE;
1840 *frm++ = IEEE80211_ELEMID_XRATES;
1842 memcpy(frm, rs->rs_rates + IEEE80211_RATE_SIZE, nrates);
1849 * Add an ssid element to a frame.
1852 ieee80211_add_ssid(uint8_t *frm, const uint8_t *ssid, u_int len)
1854 *frm++ = IEEE80211_ELEMID_SSID;
1856 memcpy(frm, ssid, len);
1861 * Add an erp element to a frame.
1864 ieee80211_add_erp(uint8_t *frm, struct ieee80211com *ic)
1868 *frm++ = IEEE80211_ELEMID_ERP;
1871 if (ic->ic_nonerpsta != 0)
1872 erp |= IEEE80211_ERP_NON_ERP_PRESENT;
1873 if (ic->ic_flags & IEEE80211_F_USEPROT)
1874 erp |= IEEE80211_ERP_USE_PROTECTION;
1875 if (ic->ic_flags & IEEE80211_F_USEBARKER)
1876 erp |= IEEE80211_ERP_LONG_PREAMBLE;
1882 * Add a CFParams element to a frame.
1885 ieee80211_add_cfparms(uint8_t *frm, struct ieee80211com *ic)
1887 #define ADDSHORT(frm, v) do { \
1891 *frm++ = IEEE80211_ELEMID_CFPARMS;
1893 *frm++ = 0; /* CFP count */
1894 *frm++ = 2; /* CFP period */
1895 ADDSHORT(frm, 0); /* CFP MaxDuration (TU) */
1896 ADDSHORT(frm, 0); /* CFP CurRemaining (TU) */
1901 static __inline uint8_t *
1902 add_appie(uint8_t *frm, const struct ieee80211_appie *ie)
1904 memcpy(frm, ie->ie_data, ie->ie_len);
1905 return frm + ie->ie_len;
1908 static __inline uint8_t *
1909 add_ie(uint8_t *frm, const uint8_t *ie)
1911 memcpy(frm, ie, 2 + ie[1]);
1912 return frm + 2 + ie[1];
1915 #define WME_OUI_BYTES 0x00, 0x50, 0xf2
1917 * Add a WME information element to a frame.
1920 ieee80211_add_wme_info(uint8_t *frm, struct ieee80211_wme_state *wme)
1922 static const struct ieee80211_wme_info info = {
1923 .wme_id = IEEE80211_ELEMID_VENDOR,
1924 .wme_len = sizeof(struct ieee80211_wme_info) - 2,
1925 .wme_oui = { WME_OUI_BYTES },
1926 .wme_type = WME_OUI_TYPE,
1927 .wme_subtype = WME_INFO_OUI_SUBTYPE,
1928 .wme_version = WME_VERSION,
1931 memcpy(frm, &info, sizeof(info));
1932 return frm + sizeof(info);
1936 * Add a WME parameters element to a frame.
1939 ieee80211_add_wme_param(uint8_t *frm, struct ieee80211_wme_state *wme)
1941 #define SM(_v, _f) (((_v) << _f##_S) & _f)
1942 #define ADDSHORT(frm, v) do { \
1946 /* NB: this works 'cuz a param has an info at the front */
1947 static const struct ieee80211_wme_info param = {
1948 .wme_id = IEEE80211_ELEMID_VENDOR,
1949 .wme_len = sizeof(struct ieee80211_wme_param) - 2,
1950 .wme_oui = { WME_OUI_BYTES },
1951 .wme_type = WME_OUI_TYPE,
1952 .wme_subtype = WME_PARAM_OUI_SUBTYPE,
1953 .wme_version = WME_VERSION,
1957 memcpy(frm, ¶m, sizeof(param));
1958 frm += __offsetof(struct ieee80211_wme_info, wme_info);
1959 *frm++ = wme->wme_bssChanParams.cap_info; /* AC info */
1960 *frm++ = 0; /* reserved field */
1961 for (i = 0; i < WME_NUM_AC; i++) {
1962 const struct wmeParams *ac =
1963 &wme->wme_bssChanParams.cap_wmeParams[i];
1964 *frm++ = SM(i, WME_PARAM_ACI)
1965 | SM(ac->wmep_acm, WME_PARAM_ACM)
1966 | SM(ac->wmep_aifsn, WME_PARAM_AIFSN)
1968 *frm++ = SM(ac->wmep_logcwmax, WME_PARAM_LOGCWMAX)
1969 | SM(ac->wmep_logcwmin, WME_PARAM_LOGCWMIN)
1971 ADDSHORT(frm, ac->wmep_txopLimit);
1977 #undef WME_OUI_BYTES
1980 * Add an 11h Power Constraint element to a frame.
1983 ieee80211_add_powerconstraint(uint8_t *frm, struct ieee80211vap *vap)
1985 const struct ieee80211_channel *c = vap->iv_bss->ni_chan;
1986 /* XXX per-vap tx power limit? */
1987 int8_t limit = vap->iv_ic->ic_txpowlimit / 2;
1989 frm[0] = IEEE80211_ELEMID_PWRCNSTR;
1991 frm[2] = c->ic_maxregpower > limit ? c->ic_maxregpower - limit : 0;
1996 * Add an 11h Power Capability element to a frame.
1999 ieee80211_add_powercapability(uint8_t *frm, const struct ieee80211_channel *c)
2001 frm[0] = IEEE80211_ELEMID_PWRCAP;
2003 frm[2] = c->ic_minpower;
2004 frm[3] = c->ic_maxpower;
2009 * Add an 11h Supported Channels element to a frame.
2012 ieee80211_add_supportedchannels(uint8_t *frm, struct ieee80211com *ic)
2014 static const int ielen = 26;
2016 frm[0] = IEEE80211_ELEMID_SUPPCHAN;
2018 /* XXX not correct */
2019 memcpy(frm+2, ic->ic_chan_avail, ielen);
2020 return frm + 2 + ielen;
2024 * Add an 11h Quiet time element to a frame.
2027 ieee80211_add_quiet(uint8_t *frm, struct ieee80211vap *vap, int update)
2029 struct ieee80211_quiet_ie *quiet = (struct ieee80211_quiet_ie *) frm;
2031 quiet->quiet_ie = IEEE80211_ELEMID_QUIET;
2035 * Only update every beacon interval - otherwise probe responses
2036 * would update the quiet count value.
2039 if (vap->iv_quiet_count_value == 1)
2040 vap->iv_quiet_count_value = vap->iv_quiet_count;
2041 else if (vap->iv_quiet_count_value > 1)
2042 vap->iv_quiet_count_value--;
2045 if (vap->iv_quiet_count_value == 0) {
2046 /* value 0 is reserved as per 802.11h standerd */
2047 vap->iv_quiet_count_value = 1;
2050 quiet->tbttcount = vap->iv_quiet_count_value;
2051 quiet->period = vap->iv_quiet_period;
2052 quiet->duration = htole16(vap->iv_quiet_duration);
2053 quiet->offset = htole16(vap->iv_quiet_offset);
2054 return frm + sizeof(*quiet);
2058 * Add an 11h Channel Switch Announcement element to a frame.
2059 * Note that we use the per-vap CSA count to adjust the global
2060 * counter so we can use this routine to form probe response
2061 * frames and get the current count.
2064 ieee80211_add_csa(uint8_t *frm, struct ieee80211vap *vap)
2066 struct ieee80211com *ic = vap->iv_ic;
2067 struct ieee80211_csa_ie *csa = (struct ieee80211_csa_ie *) frm;
2069 csa->csa_ie = IEEE80211_ELEMID_CSA;
2071 csa->csa_mode = 1; /* XXX force quiet on channel */
2072 csa->csa_newchan = ieee80211_chan2ieee(ic, ic->ic_csa_newchan);
2073 csa->csa_count = ic->ic_csa_count - vap->iv_csa_count;
2074 return frm + sizeof(*csa);
2078 * Add an 11h country information element to a frame.
2081 ieee80211_add_countryie(uint8_t *frm, struct ieee80211com *ic)
2084 if (ic->ic_countryie == NULL ||
2085 ic->ic_countryie_chan != ic->ic_bsschan) {
2087 * Handle lazy construction of ie. This is done on
2088 * first use and after a channel change that requires
2091 if (ic->ic_countryie != NULL)
2092 IEEE80211_FREE(ic->ic_countryie, M_80211_NODE_IE);
2093 ic->ic_countryie = ieee80211_alloc_countryie(ic);
2094 if (ic->ic_countryie == NULL)
2096 ic->ic_countryie_chan = ic->ic_bsschan;
2098 return add_appie(frm, ic->ic_countryie);
2102 ieee80211_add_wpa(uint8_t *frm, const struct ieee80211vap *vap)
2104 if (vap->iv_flags & IEEE80211_F_WPA1 && vap->iv_wpa_ie != NULL)
2105 return (add_ie(frm, vap->iv_wpa_ie));
2107 /* XXX else complain? */
2113 ieee80211_add_rsn(uint8_t *frm, const struct ieee80211vap *vap)
2115 if (vap->iv_flags & IEEE80211_F_WPA2 && vap->iv_rsn_ie != NULL)
2116 return (add_ie(frm, vap->iv_rsn_ie));
2118 /* XXX else complain? */
2124 ieee80211_add_qos(uint8_t *frm, const struct ieee80211_node *ni)
2126 if (ni->ni_flags & IEEE80211_NODE_QOS) {
2127 *frm++ = IEEE80211_ELEMID_QOS;
2136 * Send a probe request frame with the specified ssid
2137 * and any optional information element data.
2140 ieee80211_send_probereq(struct ieee80211_node *ni,
2141 const uint8_t sa[IEEE80211_ADDR_LEN],
2142 const uint8_t da[IEEE80211_ADDR_LEN],
2143 const uint8_t bssid[IEEE80211_ADDR_LEN],
2144 const uint8_t *ssid, size_t ssidlen)
2146 struct ieee80211vap *vap = ni->ni_vap;
2147 struct ieee80211com *ic = ni->ni_ic;
2148 struct ieee80211_node *bss;
2149 const struct ieee80211_txparam *tp;
2150 struct ieee80211_bpf_params params;
2151 const struct ieee80211_rateset *rs;
2156 bss = ieee80211_ref_node(vap->iv_bss);
2158 if (vap->iv_state == IEEE80211_S_CAC) {
2159 IEEE80211_NOTE(vap, IEEE80211_MSG_OUTPUT, ni,
2160 "block %s frame in CAC state", "probe request");
2161 vap->iv_stats.is_tx_badstate++;
2162 ieee80211_free_node(bss);
2163 return EIO; /* XXX */
2167 * Hold a reference on the node so it doesn't go away until after
2168 * the xmit is complete all the way in the driver. On error we
2169 * will remove our reference.
2171 IEEE80211_DPRINTF(vap, IEEE80211_MSG_NODE,
2172 "ieee80211_ref_node (%s:%u) %p<%s> refcnt %d\n",
2174 ni, ether_sprintf(ni->ni_macaddr),
2175 ieee80211_node_refcnt(ni)+1);
2176 ieee80211_ref_node(ni);
2179 * prreq frame format
2181 * [tlv] supported rates
2182 * [tlv] RSN (optional)
2183 * [tlv] extended supported rates
2184 * [tlv] HT cap (optional)
2185 * [tlv] VHT cap (optional)
2186 * [tlv] WPA (optional)
2187 * [tlv] user-specified ie's
2189 m = ieee80211_getmgtframe(&frm,
2190 ic->ic_headroom + sizeof(struct ieee80211_frame),
2191 2 + IEEE80211_NWID_LEN
2192 + 2 + IEEE80211_RATE_SIZE
2193 + sizeof(struct ieee80211_ie_htcap)
2194 + sizeof(struct ieee80211_ie_vhtcap)
2195 + sizeof(struct ieee80211_ie_htinfo) /* XXX not needed? */
2196 + sizeof(struct ieee80211_ie_wpa)
2197 + 2 + (IEEE80211_RATE_MAXSIZE - IEEE80211_RATE_SIZE)
2198 + sizeof(struct ieee80211_ie_wpa)
2199 + (vap->iv_appie_probereq != NULL ?
2200 vap->iv_appie_probereq->ie_len : 0)
2203 vap->iv_stats.is_tx_nobuf++;
2204 ieee80211_free_node(ni);
2205 ieee80211_free_node(bss);
2209 frm = ieee80211_add_ssid(frm, ssid, ssidlen);
2210 rs = ieee80211_get_suprates(ic, ic->ic_curchan);
2211 frm = ieee80211_add_rates(frm, rs);
2212 frm = ieee80211_add_rsn(frm, vap);
2213 frm = ieee80211_add_xrates(frm, rs);
2216 * Note: we can't use bss; we don't have one yet.
2218 * So, we should announce our capabilities
2219 * in this channel mode (2g/5g), not the
2220 * channel details itself.
2222 if ((vap->iv_opmode == IEEE80211_M_IBSS) &&
2223 (vap->iv_flags_ht & IEEE80211_FHT_HT)) {
2224 struct ieee80211_channel *c;
2227 * Get the HT channel that we should try upgrading to.
2228 * If we can do 40MHz then this'll upgrade it appropriately.
2230 c = ieee80211_ht_adjust_channel(ic, ic->ic_curchan,
2232 frm = ieee80211_add_htcap_ch(frm, vap, c);
2236 * XXX TODO: need to figure out what/how to update the
2240 (vap->iv_flags_vht & IEEE80211_FVHT_VHT) {
2241 struct ieee80211_channel *c;
2243 c = ieee80211_ht_adjust_channel(ic, ic->ic_curchan,
2245 c = ieee80211_vht_adjust_channel(ic, c, vap->iv_flags_vht);
2246 frm = ieee80211_add_vhtcap_ch(frm, vap, c);
2250 frm = ieee80211_add_wpa(frm, vap);
2251 if (vap->iv_appie_probereq != NULL)
2252 frm = add_appie(frm, vap->iv_appie_probereq);
2253 m->m_pkthdr.len = m->m_len = frm - mtod(m, uint8_t *);
2255 KASSERT(M_LEADINGSPACE(m) >= sizeof(struct ieee80211_frame),
2256 ("leading space %zd", M_LEADINGSPACE(m)));
2257 M_PREPEND(m, sizeof(struct ieee80211_frame), M_NOWAIT);
2259 /* NB: cannot happen */
2260 ieee80211_free_node(ni);
2261 ieee80211_free_node(bss);
2265 IEEE80211_TX_LOCK(ic);
2266 ieee80211_send_setup(ni, m,
2267 IEEE80211_FC0_TYPE_MGT | IEEE80211_FC0_SUBTYPE_PROBE_REQ,
2268 IEEE80211_NONQOS_TID, sa, da, bssid);
2269 /* XXX power management? */
2270 m->m_flags |= M_ENCAP; /* mark encapsulated */
2272 M_WME_SETAC(m, WME_AC_BE);
2274 IEEE80211_NODE_STAT(ni, tx_probereq);
2275 IEEE80211_NODE_STAT(ni, tx_mgmt);
2277 IEEE80211_DPRINTF(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_DUMPPKTS,
2278 "send probe req on channel %u bssid %s sa %6D da %6D ssid \"%.*s\"\n",
2279 ieee80211_chan2ieee(ic, ic->ic_curchan),
2280 ether_sprintf(bssid),
2285 memset(¶ms, 0, sizeof(params));
2286 params.ibp_pri = M_WME_GETAC(m);
2287 tp = &vap->iv_txparms[ieee80211_chan2mode(ic->ic_curchan)];
2288 params.ibp_rate0 = tp->mgmtrate;
2289 if (IEEE80211_IS_MULTICAST(da)) {
2290 params.ibp_flags |= IEEE80211_BPF_NOACK;
2291 params.ibp_try0 = 1;
2293 params.ibp_try0 = tp->maxretry;
2294 params.ibp_power = ni->ni_txpower;
2295 ret = ieee80211_raw_output(vap, ni, m, ¶ms);
2296 IEEE80211_TX_UNLOCK(ic);
2297 ieee80211_free_node(bss);
2302 * Calculate capability information for mgt frames.
2305 ieee80211_getcapinfo(struct ieee80211vap *vap, struct ieee80211_channel *chan)
2307 struct ieee80211com *ic = vap->iv_ic;
2310 KASSERT(vap->iv_opmode != IEEE80211_M_STA, ("station mode"));
2312 if (vap->iv_opmode == IEEE80211_M_HOSTAP)
2313 capinfo = IEEE80211_CAPINFO_ESS;
2314 else if (vap->iv_opmode == IEEE80211_M_IBSS)
2315 capinfo = IEEE80211_CAPINFO_IBSS;
2318 if (vap->iv_flags & IEEE80211_F_PRIVACY)
2319 capinfo |= IEEE80211_CAPINFO_PRIVACY;
2320 if ((ic->ic_flags & IEEE80211_F_SHPREAMBLE) &&
2321 IEEE80211_IS_CHAN_2GHZ(chan))
2322 capinfo |= IEEE80211_CAPINFO_SHORT_PREAMBLE;
2323 if (ic->ic_flags & IEEE80211_F_SHSLOT)
2324 capinfo |= IEEE80211_CAPINFO_SHORT_SLOTTIME;
2325 if (IEEE80211_IS_CHAN_5GHZ(chan) && (vap->iv_flags & IEEE80211_F_DOTH))
2326 capinfo |= IEEE80211_CAPINFO_SPECTRUM_MGMT;
2331 * Send a management frame. The node is for the destination (or ic_bss
2332 * when in station mode). Nodes other than ic_bss have their reference
2333 * count bumped to reflect our use for an indeterminant time.
2336 ieee80211_send_mgmt(struct ieee80211_node *ni, int type, int arg)
2338 #define HTFLAGS (IEEE80211_NODE_HT | IEEE80211_NODE_HTCOMPAT)
2339 #define senderr(_x, _v) do { vap->iv_stats._v++; ret = _x; goto bad; } while (0)
2340 struct ieee80211vap *vap = ni->ni_vap;
2341 struct ieee80211com *ic = ni->ni_ic;
2342 struct ieee80211_node *bss = vap->iv_bss;
2343 struct ieee80211_bpf_params params;
2347 int has_challenge, is_shared_key, ret, status;
2349 KASSERT(ni != NULL, ("null node"));
2352 * Hold a reference on the node so it doesn't go away until after
2353 * the xmit is complete all the way in the driver. On error we
2354 * will remove our reference.
2356 IEEE80211_DPRINTF(vap, IEEE80211_MSG_NODE,
2357 "ieee80211_ref_node (%s:%u) %p<%s> refcnt %d\n",
2359 ni, ether_sprintf(ni->ni_macaddr),
2360 ieee80211_node_refcnt(ni)+1);
2361 ieee80211_ref_node(ni);
2363 memset(¶ms, 0, sizeof(params));
2366 case IEEE80211_FC0_SUBTYPE_AUTH:
2369 has_challenge = ((arg == IEEE80211_AUTH_SHARED_CHALLENGE ||
2370 arg == IEEE80211_AUTH_SHARED_RESPONSE) &&
2371 ni->ni_challenge != NULL);
2374 * Deduce whether we're doing open authentication or
2375 * shared key authentication. We do the latter if
2376 * we're in the middle of a shared key authentication
2377 * handshake or if we're initiating an authentication
2378 * request and configured to use shared key.
2380 is_shared_key = has_challenge ||
2381 arg >= IEEE80211_AUTH_SHARED_RESPONSE ||
2382 (arg == IEEE80211_AUTH_SHARED_REQUEST &&
2383 bss->ni_authmode == IEEE80211_AUTH_SHARED);
2385 m = ieee80211_getmgtframe(&frm,
2386 ic->ic_headroom + sizeof(struct ieee80211_frame),
2387 3 * sizeof(uint16_t)
2388 + (has_challenge && status == IEEE80211_STATUS_SUCCESS ?
2389 sizeof(uint16_t)+IEEE80211_CHALLENGE_LEN : 0)
2392 senderr(ENOMEM, is_tx_nobuf);
2394 ((uint16_t *)frm)[0] =
2395 (is_shared_key) ? htole16(IEEE80211_AUTH_ALG_SHARED)
2396 : htole16(IEEE80211_AUTH_ALG_OPEN);
2397 ((uint16_t *)frm)[1] = htole16(arg); /* sequence number */
2398 ((uint16_t *)frm)[2] = htole16(status);/* status */
2400 if (has_challenge && status == IEEE80211_STATUS_SUCCESS) {
2401 ((uint16_t *)frm)[3] =
2402 htole16((IEEE80211_CHALLENGE_LEN << 8) |
2403 IEEE80211_ELEMID_CHALLENGE);
2404 memcpy(&((uint16_t *)frm)[4], ni->ni_challenge,
2405 IEEE80211_CHALLENGE_LEN);
2406 m->m_pkthdr.len = m->m_len =
2407 4 * sizeof(uint16_t) + IEEE80211_CHALLENGE_LEN;
2408 if (arg == IEEE80211_AUTH_SHARED_RESPONSE) {
2409 IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni,
2410 "request encrypt frame (%s)", __func__);
2411 /* mark frame for encryption */
2412 params.ibp_flags |= IEEE80211_BPF_CRYPTO;
2415 m->m_pkthdr.len = m->m_len = 3 * sizeof(uint16_t);
2417 /* XXX not right for shared key */
2418 if (status == IEEE80211_STATUS_SUCCESS)
2419 IEEE80211_NODE_STAT(ni, tx_auth);
2421 IEEE80211_NODE_STAT(ni, tx_auth_fail);
2423 if (vap->iv_opmode == IEEE80211_M_STA)
2424 ieee80211_add_callback(m, ieee80211_tx_mgt_cb,
2425 (void *) vap->iv_state);
2428 case IEEE80211_FC0_SUBTYPE_DEAUTH:
2429 IEEE80211_NOTE(vap, IEEE80211_MSG_AUTH, ni,
2430 "send station deauthenticate (reason: %d (%s))", arg,
2431 ieee80211_reason_to_string(arg));
2432 m = ieee80211_getmgtframe(&frm,
2433 ic->ic_headroom + sizeof(struct ieee80211_frame),
2436 senderr(ENOMEM, is_tx_nobuf);
2437 *(uint16_t *)frm = htole16(arg); /* reason */
2438 m->m_pkthdr.len = m->m_len = sizeof(uint16_t);
2440 IEEE80211_NODE_STAT(ni, tx_deauth);
2441 IEEE80211_NODE_STAT_SET(ni, tx_deauth_code, arg);
2443 ieee80211_node_unauthorize(ni); /* port closed */
2446 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ:
2447 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ:
2449 * asreq frame format
2450 * [2] capability information
2451 * [2] listen interval
2452 * [6*] current AP address (reassoc only)
2454 * [tlv] supported rates
2455 * [tlv] extended supported rates
2456 * [4] power capability (optional)
2457 * [28] supported channels (optional)
2458 * [tlv] HT capabilities
2459 * [tlv] VHT capabilities
2460 * [tlv] WME (optional)
2461 * [tlv] Vendor OUI HT capabilities (optional)
2462 * [tlv] Atheros capabilities (if negotiated)
2463 * [tlv] AppIE's (optional)
2465 m = ieee80211_getmgtframe(&frm,
2466 ic->ic_headroom + sizeof(struct ieee80211_frame),
2469 + IEEE80211_ADDR_LEN
2470 + 2 + IEEE80211_NWID_LEN
2471 + 2 + IEEE80211_RATE_SIZE
2472 + 2 + (IEEE80211_RATE_MAXSIZE - IEEE80211_RATE_SIZE)
2475 + sizeof(struct ieee80211_wme_info)
2476 + sizeof(struct ieee80211_ie_htcap)
2477 + sizeof(struct ieee80211_ie_vhtcap)
2478 + 4 + sizeof(struct ieee80211_ie_htcap)
2479 #ifdef IEEE80211_SUPPORT_SUPERG
2480 + sizeof(struct ieee80211_ath_ie)
2482 + (vap->iv_appie_wpa != NULL ?
2483 vap->iv_appie_wpa->ie_len : 0)
2484 + (vap->iv_appie_assocreq != NULL ?
2485 vap->iv_appie_assocreq->ie_len : 0)
2488 senderr(ENOMEM, is_tx_nobuf);
2490 KASSERT(vap->iv_opmode == IEEE80211_M_STA,
2491 ("wrong mode %u", vap->iv_opmode));
2492 capinfo = IEEE80211_CAPINFO_ESS;
2493 if (vap->iv_flags & IEEE80211_F_PRIVACY)
2494 capinfo |= IEEE80211_CAPINFO_PRIVACY;
2496 * NB: Some 11a AP's reject the request when
2497 * short premable is set.
2499 if ((ic->ic_flags & IEEE80211_F_SHPREAMBLE) &&
2500 IEEE80211_IS_CHAN_2GHZ(ic->ic_curchan))
2501 capinfo |= IEEE80211_CAPINFO_SHORT_PREAMBLE;
2502 if (IEEE80211_IS_CHAN_ANYG(ic->ic_curchan) &&
2503 (ic->ic_caps & IEEE80211_C_SHSLOT))
2504 capinfo |= IEEE80211_CAPINFO_SHORT_SLOTTIME;
2505 if ((ni->ni_capinfo & IEEE80211_CAPINFO_SPECTRUM_MGMT) &&
2506 (vap->iv_flags & IEEE80211_F_DOTH))
2507 capinfo |= IEEE80211_CAPINFO_SPECTRUM_MGMT;
2508 *(uint16_t *)frm = htole16(capinfo);
2511 KASSERT(bss->ni_intval != 0, ("beacon interval is zero!"));
2512 *(uint16_t *)frm = htole16(howmany(ic->ic_lintval,
2516 if (type == IEEE80211_FC0_SUBTYPE_REASSOC_REQ) {
2517 IEEE80211_ADDR_COPY(frm, bss->ni_bssid);
2518 frm += IEEE80211_ADDR_LEN;
2521 frm = ieee80211_add_ssid(frm, ni->ni_essid, ni->ni_esslen);
2522 frm = ieee80211_add_rates(frm, &ni->ni_rates);
2523 frm = ieee80211_add_rsn(frm, vap);
2524 frm = ieee80211_add_xrates(frm, &ni->ni_rates);
2525 if (capinfo & IEEE80211_CAPINFO_SPECTRUM_MGMT) {
2526 frm = ieee80211_add_powercapability(frm,
2528 frm = ieee80211_add_supportedchannels(frm, ic);
2532 * Check the channel - we may be using an 11n NIC with an
2533 * 11n capable station, but we're configured to be an 11b
2536 if ((vap->iv_flags_ht & IEEE80211_FHT_HT) &&
2537 IEEE80211_IS_CHAN_HT(ni->ni_chan) &&
2538 ni->ni_ies.htcap_ie != NULL &&
2539 ni->ni_ies.htcap_ie[0] == IEEE80211_ELEMID_HTCAP) {
2540 frm = ieee80211_add_htcap(frm, ni);
2543 if ((vap->iv_flags_vht & IEEE80211_FVHT_VHT) &&
2544 IEEE80211_IS_CHAN_VHT(ni->ni_chan) &&
2545 ni->ni_ies.vhtcap_ie != NULL &&
2546 ni->ni_ies.vhtcap_ie[0] == IEEE80211_ELEMID_VHT_CAP) {
2547 frm = ieee80211_add_vhtcap(frm, ni);
2550 frm = ieee80211_add_wpa(frm, vap);
2551 if ((ic->ic_flags & IEEE80211_F_WME) &&
2552 ni->ni_ies.wme_ie != NULL)
2553 frm = ieee80211_add_wme_info(frm, &ic->ic_wme);
2556 * Same deal - only send HT info if we're on an 11n
2559 if ((vap->iv_flags_ht & IEEE80211_FHT_HT) &&
2560 IEEE80211_IS_CHAN_HT(ni->ni_chan) &&
2561 ni->ni_ies.htcap_ie != NULL &&
2562 ni->ni_ies.htcap_ie[0] == IEEE80211_ELEMID_VENDOR) {
2563 frm = ieee80211_add_htcap_vendor(frm, ni);
2565 #ifdef IEEE80211_SUPPORT_SUPERG
2566 if (IEEE80211_ATH_CAP(vap, ni, IEEE80211_F_ATHEROS)) {
2567 frm = ieee80211_add_ath(frm,
2568 IEEE80211_ATH_CAP(vap, ni, IEEE80211_F_ATHEROS),
2569 ((vap->iv_flags & IEEE80211_F_WPA) == 0 &&
2570 ni->ni_authmode != IEEE80211_AUTH_8021X) ?
2571 vap->iv_def_txkey : IEEE80211_KEYIX_NONE);
2573 #endif /* IEEE80211_SUPPORT_SUPERG */
2574 if (vap->iv_appie_assocreq != NULL)
2575 frm = add_appie(frm, vap->iv_appie_assocreq);
2576 m->m_pkthdr.len = m->m_len = frm - mtod(m, uint8_t *);
2578 ieee80211_add_callback(m, ieee80211_tx_mgt_cb,
2579 (void *) vap->iv_state);
2582 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP:
2583 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP:
2585 * asresp frame format
2586 * [2] capability information
2588 * [2] association ID
2589 * [tlv] supported rates
2590 * [tlv] extended supported rates
2591 * [tlv] HT capabilities (standard, if STA enabled)
2592 * [tlv] HT information (standard, if STA enabled)
2593 * [tlv] VHT capabilities (standard, if STA enabled)
2594 * [tlv] VHT information (standard, if STA enabled)
2595 * [tlv] WME (if configured and STA enabled)
2596 * [tlv] HT capabilities (vendor OUI, if STA enabled)
2597 * [tlv] HT information (vendor OUI, if STA enabled)
2598 * [tlv] Atheros capabilities (if STA enabled)
2599 * [tlv] AppIE's (optional)
2601 m = ieee80211_getmgtframe(&frm,
2602 ic->ic_headroom + sizeof(struct ieee80211_frame),
2606 + 2 + IEEE80211_RATE_SIZE
2607 + 2 + (IEEE80211_RATE_MAXSIZE - IEEE80211_RATE_SIZE)
2608 + sizeof(struct ieee80211_ie_htcap) + 4
2609 + sizeof(struct ieee80211_ie_htinfo) + 4
2610 + sizeof(struct ieee80211_ie_vhtcap)
2611 + sizeof(struct ieee80211_ie_vht_operation)
2612 + sizeof(struct ieee80211_wme_param)
2613 #ifdef IEEE80211_SUPPORT_SUPERG
2614 + sizeof(struct ieee80211_ath_ie)
2616 + (vap->iv_appie_assocresp != NULL ?
2617 vap->iv_appie_assocresp->ie_len : 0)
2620 senderr(ENOMEM, is_tx_nobuf);
2622 capinfo = ieee80211_getcapinfo(vap, bss->ni_chan);
2623 *(uint16_t *)frm = htole16(capinfo);
2626 *(uint16_t *)frm = htole16(arg); /* status */
2629 if (arg == IEEE80211_STATUS_SUCCESS) {
2630 *(uint16_t *)frm = htole16(ni->ni_associd);
2631 IEEE80211_NODE_STAT(ni, tx_assoc);
2633 IEEE80211_NODE_STAT(ni, tx_assoc_fail);
2636 frm = ieee80211_add_rates(frm, &ni->ni_rates);
2637 frm = ieee80211_add_xrates(frm, &ni->ni_rates);
2638 /* NB: respond according to what we received */
2639 if ((ni->ni_flags & HTFLAGS) == IEEE80211_NODE_HT) {
2640 frm = ieee80211_add_htcap(frm, ni);
2641 frm = ieee80211_add_htinfo(frm, ni);
2643 if ((vap->iv_flags & IEEE80211_F_WME) &&
2644 ni->ni_ies.wme_ie != NULL)
2645 frm = ieee80211_add_wme_param(frm, &ic->ic_wme);
2646 if ((ni->ni_flags & HTFLAGS) == HTFLAGS) {
2647 frm = ieee80211_add_htcap_vendor(frm, ni);
2648 frm = ieee80211_add_htinfo_vendor(frm, ni);
2650 if (ni->ni_flags & IEEE80211_NODE_VHT) {
2651 frm = ieee80211_add_vhtcap(frm, ni);
2652 frm = ieee80211_add_vhtinfo(frm, ni);
2654 #ifdef IEEE80211_SUPPORT_SUPERG
2655 if (IEEE80211_ATH_CAP(vap, ni, IEEE80211_F_ATHEROS))
2656 frm = ieee80211_add_ath(frm,
2657 IEEE80211_ATH_CAP(vap, ni, IEEE80211_F_ATHEROS),
2658 ((vap->iv_flags & IEEE80211_F_WPA) == 0 &&
2659 ni->ni_authmode != IEEE80211_AUTH_8021X) ?
2660 vap->iv_def_txkey : IEEE80211_KEYIX_NONE);
2661 #endif /* IEEE80211_SUPPORT_SUPERG */
2662 if (vap->iv_appie_assocresp != NULL)
2663 frm = add_appie(frm, vap->iv_appie_assocresp);
2664 m->m_pkthdr.len = m->m_len = frm - mtod(m, uint8_t *);
2667 case IEEE80211_FC0_SUBTYPE_DISASSOC:
2668 IEEE80211_NOTE(vap, IEEE80211_MSG_ASSOC, ni,
2669 "send station disassociate (reason: %d (%s))", arg,
2670 ieee80211_reason_to_string(arg));
2671 m = ieee80211_getmgtframe(&frm,
2672 ic->ic_headroom + sizeof(struct ieee80211_frame),
2675 senderr(ENOMEM, is_tx_nobuf);
2676 *(uint16_t *)frm = htole16(arg); /* reason */
2677 m->m_pkthdr.len = m->m_len = sizeof(uint16_t);
2679 IEEE80211_NODE_STAT(ni, tx_disassoc);
2680 IEEE80211_NODE_STAT_SET(ni, tx_disassoc_code, arg);
2684 IEEE80211_NOTE(vap, IEEE80211_MSG_ANY, ni,
2685 "invalid mgmt frame type %u", type);
2686 senderr(EINVAL, is_tx_unknownmgt);
2690 /* NB: force non-ProbeResp frames to the highest queue */
2691 params.ibp_pri = WME_AC_VO;
2692 params.ibp_rate0 = bss->ni_txparms->mgmtrate;
2693 /* NB: we know all frames are unicast */
2694 params.ibp_try0 = bss->ni_txparms->maxretry;
2695 params.ibp_power = bss->ni_txpower;
2696 return ieee80211_mgmt_output(ni, m, type, ¶ms);
2698 ieee80211_free_node(ni);
2705 * Return an mbuf with a probe response frame in it.
2706 * Space is left to prepend and 802.11 header at the
2707 * front but it's left to the caller to fill in.
2710 ieee80211_alloc_proberesp(struct ieee80211_node *bss, int legacy)
2712 struct ieee80211vap *vap = bss->ni_vap;
2713 struct ieee80211com *ic = bss->ni_ic;
2714 const struct ieee80211_rateset *rs;
2720 * probe response frame format
2722 * [2] beacon interval
2723 * [2] cabability information
2725 * [tlv] supported rates
2726 * [tlv] parameter set (FH/DS)
2727 * [tlv] parameter set (IBSS)
2728 * [tlv] country (optional)
2729 * [3] power control (optional)
2730 * [5] channel switch announcement (CSA) (optional)
2731 * [tlv] extended rate phy (ERP)
2732 * [tlv] extended supported rates
2733 * [tlv] RSN (optional)
2734 * [tlv] HT capabilities
2735 * [tlv] HT information
2736 * [tlv] VHT capabilities
2737 * [tlv] VHT information
2738 * [tlv] WPA (optional)
2739 * [tlv] WME (optional)
2740 * [tlv] Vendor OUI HT capabilities (optional)
2741 * [tlv] Vendor OUI HT information (optional)
2742 * [tlv] Atheros capabilities
2743 * [tlv] AppIE's (optional)
2744 * [tlv] Mesh ID (MBSS)
2745 * [tlv] Mesh Conf (MBSS)
2747 m = ieee80211_getmgtframe(&frm,
2748 ic->ic_headroom + sizeof(struct ieee80211_frame),
2752 + 2 + IEEE80211_NWID_LEN
2753 + 2 + IEEE80211_RATE_SIZE
2755 + IEEE80211_COUNTRY_MAX_SIZE
2757 + sizeof(struct ieee80211_csa_ie)
2758 + sizeof(struct ieee80211_quiet_ie)
2760 + 2 + (IEEE80211_RATE_MAXSIZE - IEEE80211_RATE_SIZE)
2761 + sizeof(struct ieee80211_ie_wpa)
2762 + sizeof(struct ieee80211_ie_htcap)
2763 + sizeof(struct ieee80211_ie_htinfo)
2764 + sizeof(struct ieee80211_ie_wpa)
2765 + sizeof(struct ieee80211_wme_param)
2766 + 4 + sizeof(struct ieee80211_ie_htcap)
2767 + 4 + sizeof(struct ieee80211_ie_htinfo)
2768 + sizeof(struct ieee80211_ie_vhtcap)
2769 + sizeof(struct ieee80211_ie_vht_operation)
2770 #ifdef IEEE80211_SUPPORT_SUPERG
2771 + sizeof(struct ieee80211_ath_ie)
2773 #ifdef IEEE80211_SUPPORT_MESH
2774 + 2 + IEEE80211_MESHID_LEN
2775 + sizeof(struct ieee80211_meshconf_ie)
2777 + (vap->iv_appie_proberesp != NULL ?
2778 vap->iv_appie_proberesp->ie_len : 0)
2781 vap->iv_stats.is_tx_nobuf++;
2785 memset(frm, 0, 8); /* timestamp should be filled later */
2787 *(uint16_t *)frm = htole16(bss->ni_intval);
2789 capinfo = ieee80211_getcapinfo(vap, bss->ni_chan);
2790 *(uint16_t *)frm = htole16(capinfo);
2793 frm = ieee80211_add_ssid(frm, bss->ni_essid, bss->ni_esslen);
2794 rs = ieee80211_get_suprates(ic, bss->ni_chan);
2795 frm = ieee80211_add_rates(frm, rs);
2797 if (IEEE80211_IS_CHAN_FHSS(bss->ni_chan)) {
2798 *frm++ = IEEE80211_ELEMID_FHPARMS;
2800 *frm++ = bss->ni_fhdwell & 0x00ff;
2801 *frm++ = (bss->ni_fhdwell >> 8) & 0x00ff;
2802 *frm++ = IEEE80211_FH_CHANSET(
2803 ieee80211_chan2ieee(ic, bss->ni_chan));
2804 *frm++ = IEEE80211_FH_CHANPAT(
2805 ieee80211_chan2ieee(ic, bss->ni_chan));
2806 *frm++ = bss->ni_fhindex;
2808 *frm++ = IEEE80211_ELEMID_DSPARMS;
2810 *frm++ = ieee80211_chan2ieee(ic, bss->ni_chan);
2813 if (vap->iv_opmode == IEEE80211_M_IBSS) {
2814 *frm++ = IEEE80211_ELEMID_IBSSPARMS;
2816 *frm++ = 0; *frm++ = 0; /* TODO: ATIM window */
2818 if ((vap->iv_flags & IEEE80211_F_DOTH) ||
2819 (vap->iv_flags_ext & IEEE80211_FEXT_DOTD))
2820 frm = ieee80211_add_countryie(frm, ic);
2821 if (vap->iv_flags & IEEE80211_F_DOTH) {
2822 if (IEEE80211_IS_CHAN_5GHZ(bss->ni_chan))
2823 frm = ieee80211_add_powerconstraint(frm, vap);
2824 if (ic->ic_flags & IEEE80211_F_CSAPENDING)
2825 frm = ieee80211_add_csa(frm, vap);
2827 if (vap->iv_flags & IEEE80211_F_DOTH) {
2828 if (IEEE80211_IS_CHAN_DFS(ic->ic_bsschan) &&
2829 (vap->iv_flags_ext & IEEE80211_FEXT_DFS)) {
2831 frm = ieee80211_add_quiet(frm, vap, 0);
2834 if (IEEE80211_IS_CHAN_ANYG(bss->ni_chan))
2835 frm = ieee80211_add_erp(frm, ic);
2836 frm = ieee80211_add_xrates(frm, rs);
2837 frm = ieee80211_add_rsn(frm, vap);
2839 * NB: legacy 11b clients do not get certain ie's.
2840 * The caller identifies such clients by passing
2841 * a token in legacy to us. Could expand this to be
2842 * any legacy client for stuff like HT ie's.
2844 if (IEEE80211_IS_CHAN_HT(bss->ni_chan) &&
2845 legacy != IEEE80211_SEND_LEGACY_11B) {
2846 frm = ieee80211_add_htcap(frm, bss);
2847 frm = ieee80211_add_htinfo(frm, bss);
2849 if (IEEE80211_IS_CHAN_VHT(bss->ni_chan) &&
2850 legacy != IEEE80211_SEND_LEGACY_11B) {
2851 frm = ieee80211_add_vhtcap(frm, bss);
2852 frm = ieee80211_add_vhtinfo(frm, bss);
2854 frm = ieee80211_add_wpa(frm, vap);
2855 if (vap->iv_flags & IEEE80211_F_WME)
2856 frm = ieee80211_add_wme_param(frm, &ic->ic_wme);
2857 if (IEEE80211_IS_CHAN_HT(bss->ni_chan) &&
2858 (vap->iv_flags_ht & IEEE80211_FHT_HTCOMPAT) &&
2859 legacy != IEEE80211_SEND_LEGACY_11B) {
2860 frm = ieee80211_add_htcap_vendor(frm, bss);
2861 frm = ieee80211_add_htinfo_vendor(frm, bss);
2863 #ifdef IEEE80211_SUPPORT_SUPERG
2864 if ((vap->iv_flags & IEEE80211_F_ATHEROS) &&
2865 legacy != IEEE80211_SEND_LEGACY_11B)
2866 frm = ieee80211_add_athcaps(frm, bss);
2868 if (vap->iv_appie_proberesp != NULL)
2869 frm = add_appie(frm, vap->iv_appie_proberesp);
2870 #ifdef IEEE80211_SUPPORT_MESH
2871 if (vap->iv_opmode == IEEE80211_M_MBSS) {
2872 frm = ieee80211_add_meshid(frm, vap);
2873 frm = ieee80211_add_meshconf(frm, vap);
2876 m->m_pkthdr.len = m->m_len = frm - mtod(m, uint8_t *);
2882 * Send a probe response frame to the specified mac address.
2883 * This does not go through the normal mgt frame api so we
2884 * can specify the destination address and re-use the bss node
2885 * for the sta reference.
2888 ieee80211_send_proberesp(struct ieee80211vap *vap,
2889 const uint8_t da[IEEE80211_ADDR_LEN], int legacy)
2891 struct ieee80211_node *bss = vap->iv_bss;
2892 struct ieee80211com *ic = vap->iv_ic;
2896 if (vap->iv_state == IEEE80211_S_CAC) {
2897 IEEE80211_NOTE(vap, IEEE80211_MSG_OUTPUT, bss,
2898 "block %s frame in CAC state", "probe response");
2899 vap->iv_stats.is_tx_badstate++;
2900 return EIO; /* XXX */
2904 * Hold a reference on the node so it doesn't go away until after
2905 * the xmit is complete all the way in the driver. On error we
2906 * will remove our reference.
2908 IEEE80211_DPRINTF(vap, IEEE80211_MSG_NODE,
2909 "ieee80211_ref_node (%s:%u) %p<%s> refcnt %d\n",
2910 __func__, __LINE__, bss, ether_sprintf(bss->ni_macaddr),
2911 ieee80211_node_refcnt(bss)+1);
2912 ieee80211_ref_node(bss);
2914 m = ieee80211_alloc_proberesp(bss, legacy);
2916 ieee80211_free_node(bss);
2920 M_PREPEND(m, sizeof(struct ieee80211_frame), M_NOWAIT);
2921 KASSERT(m != NULL, ("no room for header"));
2923 IEEE80211_TX_LOCK(ic);
2924 ieee80211_send_setup(bss, m,
2925 IEEE80211_FC0_TYPE_MGT | IEEE80211_FC0_SUBTYPE_PROBE_RESP,
2926 IEEE80211_NONQOS_TID, vap->iv_myaddr, da, bss->ni_bssid);
2927 /* XXX power management? */
2928 m->m_flags |= M_ENCAP; /* mark encapsulated */
2930 M_WME_SETAC(m, WME_AC_BE);
2932 IEEE80211_DPRINTF(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_DUMPPKTS,
2933 "send probe resp on channel %u to %s%s\n",
2934 ieee80211_chan2ieee(ic, ic->ic_curchan), ether_sprintf(da),
2935 legacy ? " <legacy>" : "");
2936 IEEE80211_NODE_STAT(bss, tx_mgmt);
2938 ret = ieee80211_raw_output(vap, bss, m, NULL);
2939 IEEE80211_TX_UNLOCK(ic);
2944 * Allocate and build a RTS (Request To Send) control frame.
2947 ieee80211_alloc_rts(struct ieee80211com *ic,
2948 const uint8_t ra[IEEE80211_ADDR_LEN],
2949 const uint8_t ta[IEEE80211_ADDR_LEN],
2952 struct ieee80211_frame_rts *rts;
2955 /* XXX honor ic_headroom */
2956 m = m_gethdr(M_NOWAIT, MT_DATA);
2958 rts = mtod(m, struct ieee80211_frame_rts *);
2959 rts->i_fc[0] = IEEE80211_FC0_VERSION_0 |
2960 IEEE80211_FC0_TYPE_CTL | IEEE80211_FC0_SUBTYPE_RTS;
2961 rts->i_fc[1] = IEEE80211_FC1_DIR_NODS;
2962 *(u_int16_t *)rts->i_dur = htole16(dur);
2963 IEEE80211_ADDR_COPY(rts->i_ra, ra);
2964 IEEE80211_ADDR_COPY(rts->i_ta, ta);
2966 m->m_pkthdr.len = m->m_len = sizeof(struct ieee80211_frame_rts);
2972 * Allocate and build a CTS (Clear To Send) control frame.
2975 ieee80211_alloc_cts(struct ieee80211com *ic,
2976 const uint8_t ra[IEEE80211_ADDR_LEN], uint16_t dur)
2978 struct ieee80211_frame_cts *cts;
2981 /* XXX honor ic_headroom */
2982 m = m_gethdr(M_NOWAIT, MT_DATA);
2984 cts = mtod(m, struct ieee80211_frame_cts *);
2985 cts->i_fc[0] = IEEE80211_FC0_VERSION_0 |
2986 IEEE80211_FC0_TYPE_CTL | IEEE80211_FC0_SUBTYPE_CTS;
2987 cts->i_fc[1] = IEEE80211_FC1_DIR_NODS;
2988 *(u_int16_t *)cts->i_dur = htole16(dur);
2989 IEEE80211_ADDR_COPY(cts->i_ra, ra);
2991 m->m_pkthdr.len = m->m_len = sizeof(struct ieee80211_frame_cts);
2997 ieee80211_tx_mgt_timeout(void *arg)
2999 struct ieee80211vap *vap = arg;
3001 IEEE80211_LOCK(vap->iv_ic);
3002 if (vap->iv_state != IEEE80211_S_INIT &&
3003 (vap->iv_ic->ic_flags & IEEE80211_F_SCAN) == 0) {
3005 * NB: it's safe to specify a timeout as the reason here;
3006 * it'll only be used in the right state.
3008 ieee80211_new_state_locked(vap, IEEE80211_S_SCAN,
3009 IEEE80211_SCAN_FAIL_TIMEOUT);
3011 IEEE80211_UNLOCK(vap->iv_ic);
3015 * This is the callback set on net80211-sourced transmitted
3016 * authentication request frames.
3018 * This does a couple of things:
3020 * + If the frame transmitted was a success, it schedules a future
3021 * event which will transition the interface to scan.
3022 * If a state transition _then_ occurs before that event occurs,
3023 * said state transition will cancel this callout.
3025 * + If the frame transmit was a failure, it immediately schedules
3026 * the transition back to scan.
3029 ieee80211_tx_mgt_cb(struct ieee80211_node *ni, void *arg, int status)
3031 struct ieee80211vap *vap = ni->ni_vap;
3032 enum ieee80211_state ostate = (enum ieee80211_state) arg;
3035 * Frame transmit completed; arrange timer callback. If
3036 * transmit was successfully we wait for response. Otherwise
3037 * we arrange an immediate callback instead of doing the
3038 * callback directly since we don't know what state the driver
3039 * is in (e.g. what locks it is holding). This work should
3040 * not be too time-critical and not happen too often so the
3041 * added overhead is acceptable.
3043 * XXX what happens if !acked but response shows up before callback?
3045 if (vap->iv_state == ostate) {
3046 callout_reset(&vap->iv_mgtsend,
3047 status == 0 ? IEEE80211_TRANS_WAIT*hz : 0,
3048 ieee80211_tx_mgt_timeout, vap);
3053 ieee80211_beacon_construct(struct mbuf *m, uint8_t *frm,
3054 struct ieee80211_node *ni)
3056 struct ieee80211vap *vap = ni->ni_vap;
3057 struct ieee80211_beacon_offsets *bo = &vap->iv_bcn_off;
3058 struct ieee80211com *ic = ni->ni_ic;
3059 struct ieee80211_rateset *rs = &ni->ni_rates;
3063 * beacon frame format
3065 * TODO: update to 802.11-2012; a lot of stuff has changed;
3066 * vendor extensions should be at the end, etc.
3069 * [2] beacon interval
3070 * [2] cabability information
3072 * [tlv] supported rates
3073 * [3] parameter set (DS)
3074 * [8] CF parameter set (optional)
3075 * [tlv] parameter set (IBSS/TIM)
3076 * [tlv] country (optional)
3077 * [3] power control (optional)
3078 * [5] channel switch announcement (CSA) (optional)
3080 * XXX TODO: IBSS DFS
3081 * XXX TODO: TPC report
3082 * [tlv] extended rate phy (ERP)
3083 * [tlv] extended supported rates
3084 * [tlv] RSN parameters
3086 * (XXX EDCA parameter set, QoS capability?)
3087 * XXX TODO: AP channel report
3089 * [tlv] HT capabilities
3090 * [tlv] HT information
3091 * XXX TODO: 20/40 BSS coexistence
3094 * XXX TODO: mesh config
3095 * XXX TODO: mesh awake window
3096 * XXX TODO: beacon timing (mesh, etc)
3097 * XXX TODO: MCCAOP Advertisement Overview
3098 * XXX TODO: MCCAOP Advertisement
3099 * XXX TODO: Mesh channel switch parameters
3101 * XXX TODO: VHT capabilities
3102 * XXX TODO: VHT operation
3103 * XXX TODO: VHT transmit power envelope
3104 * XXX TODO: channel switch wrapper element
3105 * XXX TODO: extended BSS load element
3107 * XXX Vendor-specific OIDs (e.g. Atheros)
3108 * [tlv] WPA parameters
3109 * [tlv] WME parameters
3110 * [tlv] Vendor OUI HT capabilities (optional)
3111 * [tlv] Vendor OUI HT information (optional)
3112 * [tlv] Atheros capabilities (optional)
3113 * [tlv] TDMA parameters (optional)
3114 * [tlv] Mesh ID (MBSS)
3115 * [tlv] Mesh Conf (MBSS)
3116 * [tlv] application data (optional)
3119 memset(bo, 0, sizeof(*bo));
3121 memset(frm, 0, 8); /* XXX timestamp is set by hardware/driver */
3123 *(uint16_t *)frm = htole16(ni->ni_intval);
3125 capinfo = ieee80211_getcapinfo(vap, ni->ni_chan);
3126 bo->bo_caps = (uint16_t *)frm;
3127 *(uint16_t *)frm = htole16(capinfo);
3129 *frm++ = IEEE80211_ELEMID_SSID;
3130 if ((vap->iv_flags & IEEE80211_F_HIDESSID) == 0) {
3131 *frm++ = ni->ni_esslen;
3132 memcpy(frm, ni->ni_essid, ni->ni_esslen);
3133 frm += ni->ni_esslen;
3136 frm = ieee80211_add_rates(frm, rs);
3137 if (!IEEE80211_IS_CHAN_FHSS(ni->ni_chan)) {
3138 *frm++ = IEEE80211_ELEMID_DSPARMS;
3140 *frm++ = ieee80211_chan2ieee(ic, ni->ni_chan);
3142 if (ic->ic_flags & IEEE80211_F_PCF) {
3144 frm = ieee80211_add_cfparms(frm, ic);
3147 if (vap->iv_opmode == IEEE80211_M_IBSS) {
3148 *frm++ = IEEE80211_ELEMID_IBSSPARMS;
3150 *frm++ = 0; *frm++ = 0; /* TODO: ATIM window */
3152 } else if (vap->iv_opmode == IEEE80211_M_HOSTAP ||
3153 vap->iv_opmode == IEEE80211_M_MBSS) {
3154 /* TIM IE is the same for Mesh and Hostap */
3155 struct ieee80211_tim_ie *tie = (struct ieee80211_tim_ie *) frm;
3157 tie->tim_ie = IEEE80211_ELEMID_TIM;
3158 tie->tim_len = 4; /* length */
3159 tie->tim_count = 0; /* DTIM count */
3160 tie->tim_period = vap->iv_dtim_period; /* DTIM period */
3161 tie->tim_bitctl = 0; /* bitmap control */
3162 tie->tim_bitmap[0] = 0; /* Partial Virtual Bitmap */
3163 frm += sizeof(struct ieee80211_tim_ie);
3166 bo->bo_tim_trailer = frm;
3167 if ((vap->iv_flags & IEEE80211_F_DOTH) ||
3168 (vap->iv_flags_ext & IEEE80211_FEXT_DOTD))
3169 frm = ieee80211_add_countryie(frm, ic);
3170 if (vap->iv_flags & IEEE80211_F_DOTH) {
3171 if (IEEE80211_IS_CHAN_5GHZ(ni->ni_chan))
3172 frm = ieee80211_add_powerconstraint(frm, vap);
3174 if (ic->ic_flags & IEEE80211_F_CSAPENDING)
3175 frm = ieee80211_add_csa(frm, vap);
3179 bo->bo_quiet = NULL;
3180 if (vap->iv_flags & IEEE80211_F_DOTH) {
3181 if (IEEE80211_IS_CHAN_DFS(ic->ic_bsschan) &&
3182 (vap->iv_flags_ext & IEEE80211_FEXT_DFS) &&
3183 (vap->iv_quiet == 1)) {
3185 * We only insert the quiet IE offset if
3186 * the quiet IE is enabled. Otherwise don't
3187 * put it here or we'll just overwrite
3188 * some other beacon contents.
3190 if (vap->iv_quiet) {
3192 frm = ieee80211_add_quiet(frm,vap, 0);
3197 if (IEEE80211_IS_CHAN_ANYG(ni->ni_chan)) {
3199 frm = ieee80211_add_erp(frm, ic);
3201 frm = ieee80211_add_xrates(frm, rs);
3202 frm = ieee80211_add_rsn(frm, vap);
3203 if (IEEE80211_IS_CHAN_HT(ni->ni_chan)) {
3204 frm = ieee80211_add_htcap(frm, ni);
3205 bo->bo_htinfo = frm;
3206 frm = ieee80211_add_htinfo(frm, ni);
3209 if (IEEE80211_IS_CHAN_VHT(ni->ni_chan)) {
3210 frm = ieee80211_add_vhtcap(frm, ni);
3211 bo->bo_vhtinfo = frm;
3212 frm = ieee80211_add_vhtinfo(frm, ni);
3213 /* Transmit power envelope */
3214 /* Channel switch wrapper element */
3215 /* Extended bss load element */
3218 frm = ieee80211_add_wpa(frm, vap);
3219 if (vap->iv_flags & IEEE80211_F_WME) {
3221 frm = ieee80211_add_wme_param(frm, &ic->ic_wme);
3223 if (IEEE80211_IS_CHAN_HT(ni->ni_chan) &&
3224 (vap->iv_flags_ht & IEEE80211_FHT_HTCOMPAT)) {
3225 frm = ieee80211_add_htcap_vendor(frm, ni);
3226 frm = ieee80211_add_htinfo_vendor(frm, ni);
3229 #ifdef IEEE80211_SUPPORT_SUPERG
3230 if (vap->iv_flags & IEEE80211_F_ATHEROS) {
3232 frm = ieee80211_add_athcaps(frm, ni);
3235 #ifdef IEEE80211_SUPPORT_TDMA
3236 if (vap->iv_caps & IEEE80211_C_TDMA) {
3238 frm = ieee80211_add_tdma(frm, vap);
3241 if (vap->iv_appie_beacon != NULL) {
3243 bo->bo_appie_len = vap->iv_appie_beacon->ie_len;
3244 frm = add_appie(frm, vap->iv_appie_beacon);
3247 /* XXX TODO: move meshid/meshconf up to before vendor extensions? */
3248 #ifdef IEEE80211_SUPPORT_MESH
3249 if (vap->iv_opmode == IEEE80211_M_MBSS) {
3250 frm = ieee80211_add_meshid(frm, vap);
3251 bo->bo_meshconf = frm;
3252 frm = ieee80211_add_meshconf(frm, vap);
3255 bo->bo_tim_trailer_len = frm - bo->bo_tim_trailer;
3256 bo->bo_csa_trailer_len = frm - bo->bo_csa;
3257 m->m_pkthdr.len = m->m_len = frm - mtod(m, uint8_t *);
3261 * Allocate a beacon frame and fillin the appropriate bits.
3264 ieee80211_beacon_alloc(struct ieee80211_node *ni)
3266 struct ieee80211vap *vap = ni->ni_vap;
3267 struct ieee80211com *ic = ni->ni_ic;
3268 struct ifnet *ifp = vap->iv_ifp;
3269 struct ieee80211_frame *wh;
3275 * Update the "We're putting the quiet IE in the beacon" state.
3277 if (vap->iv_quiet == 1)
3278 vap->iv_flags_ext |= IEEE80211_FEXT_QUIET_IE;
3279 else if (vap->iv_quiet == 0)
3280 vap->iv_flags_ext &= ~IEEE80211_FEXT_QUIET_IE;
3283 * beacon frame format
3285 * Note: This needs updating for 802.11-2012.
3288 * [2] beacon interval
3289 * [2] cabability information
3291 * [tlv] supported rates
3292 * [3] parameter set (DS)
3293 * [8] CF parameter set (optional)
3294 * [tlv] parameter set (IBSS/TIM)
3295 * [tlv] country (optional)
3296 * [3] power control (optional)
3297 * [5] channel switch announcement (CSA) (optional)
3298 * [tlv] extended rate phy (ERP)
3299 * [tlv] extended supported rates
3300 * [tlv] RSN parameters
3301 * [tlv] HT capabilities
3302 * [tlv] HT information
3303 * [tlv] VHT capabilities
3304 * [tlv] VHT operation
3305 * [tlv] Vendor OUI HT capabilities (optional)
3306 * [tlv] Vendor OUI HT information (optional)
3307 * XXX Vendor-specific OIDs (e.g. Atheros)
3308 * [tlv] WPA parameters
3309 * [tlv] WME parameters
3310 * [tlv] TDMA parameters (optional)
3311 * [tlv] Mesh ID (MBSS)
3312 * [tlv] Mesh Conf (MBSS)
3313 * [tlv] application data (optional)
3314 * NB: we allocate the max space required for the TIM bitmap.
3315 * XXX how big is this?
3317 pktlen = 8 /* time stamp */
3318 + sizeof(uint16_t) /* beacon interval */
3319 + sizeof(uint16_t) /* capabilities */
3320 + 2 + ni->ni_esslen /* ssid */
3321 + 2 + IEEE80211_RATE_SIZE /* supported rates */
3322 + 2 + 1 /* DS parameters */
3323 + 2 + 6 /* CF parameters */
3324 + 2 + 4 + vap->iv_tim_len /* DTIM/IBSSPARMS */
3325 + IEEE80211_COUNTRY_MAX_SIZE /* country */
3326 + 2 + 1 /* power control */
3327 + sizeof(struct ieee80211_csa_ie) /* CSA */
3328 + sizeof(struct ieee80211_quiet_ie) /* Quiet */
3330 + 2 + (IEEE80211_RATE_MAXSIZE - IEEE80211_RATE_SIZE)
3331 + (vap->iv_caps & IEEE80211_C_WPA ? /* WPA 1+2 */
3332 2*sizeof(struct ieee80211_ie_wpa) : 0)
3333 /* XXX conditional? */
3334 + 4+2*sizeof(struct ieee80211_ie_htcap)/* HT caps */
3335 + 4+2*sizeof(struct ieee80211_ie_htinfo)/* HT info */
3336 + sizeof(struct ieee80211_ie_vhtcap)/* VHT caps */
3337 + sizeof(struct ieee80211_ie_vht_operation)/* VHT info */
3338 + (vap->iv_caps & IEEE80211_C_WME ? /* WME */
3339 sizeof(struct ieee80211_wme_param) : 0)
3340 #ifdef IEEE80211_SUPPORT_SUPERG
3341 + sizeof(struct ieee80211_ath_ie) /* ATH */
3343 #ifdef IEEE80211_SUPPORT_TDMA
3344 + (vap->iv_caps & IEEE80211_C_TDMA ? /* TDMA */
3345 sizeof(struct ieee80211_tdma_param) : 0)
3347 #ifdef IEEE80211_SUPPORT_MESH
3348 + 2 + ni->ni_meshidlen
3349 + sizeof(struct ieee80211_meshconf_ie)
3351 + IEEE80211_MAX_APPIE
3353 m = ieee80211_getmgtframe(&frm,
3354 ic->ic_headroom + sizeof(struct ieee80211_frame), pktlen);
3356 IEEE80211_DPRINTF(vap, IEEE80211_MSG_ANY,
3357 "%s: cannot get buf; size %u\n", __func__, pktlen);
3358 vap->iv_stats.is_tx_nobuf++;
3361 ieee80211_beacon_construct(m, frm, ni);
3363 M_PREPEND(m, sizeof(struct ieee80211_frame), M_NOWAIT);
3364 KASSERT(m != NULL, ("no space for 802.11 header?"));
3365 wh = mtod(m, struct ieee80211_frame *);
3366 wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_MGT |
3367 IEEE80211_FC0_SUBTYPE_BEACON;
3368 wh->i_fc[1] = IEEE80211_FC1_DIR_NODS;
3369 *(uint16_t *)wh->i_dur = 0;
3370 IEEE80211_ADDR_COPY(wh->i_addr1, ifp->if_broadcastaddr);
3371 IEEE80211_ADDR_COPY(wh->i_addr2, vap->iv_myaddr);
3372 IEEE80211_ADDR_COPY(wh->i_addr3, ni->ni_bssid);
3373 *(uint16_t *)wh->i_seq = 0;
3379 * Update the dynamic parts of a beacon frame based on the current state.
3382 ieee80211_beacon_update(struct ieee80211_node *ni, struct mbuf *m, int mcast)
3384 struct ieee80211vap *vap = ni->ni_vap;
3385 struct ieee80211_beacon_offsets *bo = &vap->iv_bcn_off;
3386 struct ieee80211com *ic = ni->ni_ic;
3387 int len_changed = 0;
3389 struct ieee80211_frame *wh;
3390 ieee80211_seq seqno;
3394 * Handle 11h channel change when we've reached the count.
3395 * We must recalculate the beacon frame contents to account
3396 * for the new channel. Note we do this only for the first
3397 * vap that reaches this point; subsequent vaps just update
3398 * their beacon state to reflect the recalculated channel.
3400 if (isset(bo->bo_flags, IEEE80211_BEACON_CSA) &&
3401 vap->iv_csa_count == ic->ic_csa_count) {
3402 vap->iv_csa_count = 0;
3404 * Effect channel change before reconstructing the beacon
3405 * frame contents as many places reference ni_chan.
3407 if (ic->ic_csa_newchan != NULL)
3408 ieee80211_csa_completeswitch(ic);
3410 * NB: ieee80211_beacon_construct clears all pending
3411 * updates in bo_flags so we don't need to explicitly
3412 * clear IEEE80211_BEACON_CSA.
3414 ieee80211_beacon_construct(m,
3415 mtod(m, uint8_t*) + sizeof(struct ieee80211_frame), ni);
3417 /* XXX do WME aggressive mode processing? */
3418 IEEE80211_UNLOCK(ic);
3419 return 1; /* just assume length changed */
3423 * Handle the quiet time element being added and removed.
3424 * Again, for now we just cheat and reconstruct the whole
3425 * beacon - that way the gap is provided as appropriate.
3427 * So, track whether we have already added the IE versus
3428 * whether we want to be adding the IE.
3430 if ((vap->iv_flags_ext & IEEE80211_FEXT_QUIET_IE) &&
3431 (vap->iv_quiet == 0)) {
3433 * Quiet time beacon IE enabled, but it's disabled;
3436 vap->iv_flags_ext &= ~IEEE80211_FEXT_QUIET_IE;
3437 ieee80211_beacon_construct(m,
3438 mtod(m, uint8_t*) + sizeof(struct ieee80211_frame), ni);
3439 /* XXX do WME aggressive mode processing? */
3440 IEEE80211_UNLOCK(ic);
3441 return 1; /* just assume length changed */
3444 if (((vap->iv_flags_ext & IEEE80211_FEXT_QUIET_IE) == 0) &&
3445 (vap->iv_quiet == 1)) {
3447 * Quiet time beacon IE disabled, but it's now enabled;
3450 vap->iv_flags_ext |= IEEE80211_FEXT_QUIET_IE;
3451 ieee80211_beacon_construct(m,
3452 mtod(m, uint8_t*) + sizeof(struct ieee80211_frame), ni);
3453 /* XXX do WME aggressive mode processing? */
3454 IEEE80211_UNLOCK(ic);
3455 return 1; /* just assume length changed */
3458 wh = mtod(m, struct ieee80211_frame *);
3461 * XXX TODO Strictly speaking this should be incremented with the TX
3462 * lock held so as to serialise access to the non-qos TID sequence
3465 * If the driver identifies it does its own TX seqno management then
3466 * we can skip this (and still not do the TX seqno.)
3468 seqno = ni->ni_txseqs[IEEE80211_NONQOS_TID]++;
3469 *(uint16_t *)&wh->i_seq[0] =
3470 htole16(seqno << IEEE80211_SEQ_SEQ_SHIFT);
3471 M_SEQNO_SET(m, seqno);
3473 /* XXX faster to recalculate entirely or just changes? */
3474 capinfo = ieee80211_getcapinfo(vap, ni->ni_chan);
3475 *bo->bo_caps = htole16(capinfo);
3477 if (vap->iv_flags & IEEE80211_F_WME) {
3478 struct ieee80211_wme_state *wme = &ic->ic_wme;
3481 * Check for aggressive mode change. When there is
3482 * significant high priority traffic in the BSS
3483 * throttle back BE traffic by using conservative
3484 * parameters. Otherwise BE uses aggressive params
3485 * to optimize performance of legacy/non-QoS traffic.
3487 if (wme->wme_flags & WME_F_AGGRMODE) {
3488 if (wme->wme_hipri_traffic >
3489 wme->wme_hipri_switch_thresh) {
3490 IEEE80211_DPRINTF(vap, IEEE80211_MSG_WME,
3491 "%s: traffic %u, disable aggressive mode\n",
3492 __func__, wme->wme_hipri_traffic);
3493 wme->wme_flags &= ~WME_F_AGGRMODE;
3494 ieee80211_wme_updateparams_locked(vap);
3495 wme->wme_hipri_traffic =
3496 wme->wme_hipri_switch_hysteresis;
3498 wme->wme_hipri_traffic = 0;
3500 if (wme->wme_hipri_traffic <=
3501 wme->wme_hipri_switch_thresh) {
3502 IEEE80211_DPRINTF(vap, IEEE80211_MSG_WME,
3503 "%s: traffic %u, enable aggressive mode\n",
3504 __func__, wme->wme_hipri_traffic);
3505 wme->wme_flags |= WME_F_AGGRMODE;
3506 ieee80211_wme_updateparams_locked(vap);
3507 wme->wme_hipri_traffic = 0;
3509 wme->wme_hipri_traffic =
3510 wme->wme_hipri_switch_hysteresis;
3512 if (isset(bo->bo_flags, IEEE80211_BEACON_WME)) {
3513 (void) ieee80211_add_wme_param(bo->bo_wme, wme);
3514 clrbit(bo->bo_flags, IEEE80211_BEACON_WME);
3518 if (isset(bo->bo_flags, IEEE80211_BEACON_HTINFO)) {
3519 ieee80211_ht_update_beacon(vap, bo);
3520 clrbit(bo->bo_flags, IEEE80211_BEACON_HTINFO);
3522 #ifdef IEEE80211_SUPPORT_TDMA
3523 if (vap->iv_caps & IEEE80211_C_TDMA) {
3525 * NB: the beacon is potentially updated every TBTT.
3527 ieee80211_tdma_update_beacon(vap, bo);
3530 #ifdef IEEE80211_SUPPORT_MESH
3531 if (vap->iv_opmode == IEEE80211_M_MBSS)
3532 ieee80211_mesh_update_beacon(vap, bo);
3535 if (vap->iv_opmode == IEEE80211_M_HOSTAP ||
3536 vap->iv_opmode == IEEE80211_M_MBSS) { /* NB: no IBSS support*/
3537 struct ieee80211_tim_ie *tie =
3538 (struct ieee80211_tim_ie *) bo->bo_tim;
3539 if (isset(bo->bo_flags, IEEE80211_BEACON_TIM)) {
3540 u_int timlen, timoff, i;
3542 * ATIM/DTIM needs updating. If it fits in the
3543 * current space allocated then just copy in the
3544 * new bits. Otherwise we need to move any trailing
3545 * data to make room. Note that we know there is
3546 * contiguous space because ieee80211_beacon_allocate
3547 * insures there is space in the mbuf to write a
3548 * maximal-size virtual bitmap (based on iv_max_aid).
3551 * Calculate the bitmap size and offset, copy any
3552 * trailer out of the way, and then copy in the
3553 * new bitmap and update the information element.
3554 * Note that the tim bitmap must contain at least
3555 * one byte and any offset must be even.
3557 if (vap->iv_ps_pending != 0) {
3558 timoff = 128; /* impossibly large */
3559 for (i = 0; i < vap->iv_tim_len; i++)
3560 if (vap->iv_tim_bitmap[i]) {
3564 KASSERT(timoff != 128, ("tim bitmap empty!"));
3565 for (i = vap->iv_tim_len-1; i >= timoff; i--)
3566 if (vap->iv_tim_bitmap[i])
3568 timlen = 1 + (i - timoff);
3575 * TODO: validate this!
3577 if (timlen != bo->bo_tim_len) {
3578 /* copy up/down trailer */
3579 int adjust = tie->tim_bitmap+timlen
3580 - bo->bo_tim_trailer;
3581 ovbcopy(bo->bo_tim_trailer,
3582 bo->bo_tim_trailer+adjust,
3583 bo->bo_tim_trailer_len);
3584 bo->bo_tim_trailer += adjust;
3585 bo->bo_erp += adjust;
3586 bo->bo_htinfo += adjust;
3587 bo->bo_vhtinfo += adjust;
3588 #ifdef IEEE80211_SUPPORT_SUPERG
3589 bo->bo_ath += adjust;
3591 #ifdef IEEE80211_SUPPORT_TDMA
3592 bo->bo_tdma += adjust;
3594 #ifdef IEEE80211_SUPPORT_MESH
3595 bo->bo_meshconf += adjust;
3597 bo->bo_appie += adjust;
3598 bo->bo_wme += adjust;
3599 bo->bo_csa += adjust;
3600 bo->bo_quiet += adjust;
3601 bo->bo_tim_len = timlen;
3603 /* update information element */
3604 tie->tim_len = 3 + timlen;
3605 tie->tim_bitctl = timoff;
3608 memcpy(tie->tim_bitmap, vap->iv_tim_bitmap + timoff,
3611 clrbit(bo->bo_flags, IEEE80211_BEACON_TIM);
3613 IEEE80211_DPRINTF(vap, IEEE80211_MSG_POWER,
3614 "%s: TIM updated, pending %u, off %u, len %u\n",
3615 __func__, vap->iv_ps_pending, timoff, timlen);
3617 /* count down DTIM period */
3618 if (tie->tim_count == 0)
3619 tie->tim_count = tie->tim_period - 1;
3622 /* update state for buffered multicast frames on DTIM */
3623 if (mcast && tie->tim_count == 0)
3624 tie->tim_bitctl |= 1;
3626 tie->tim_bitctl &= ~1;
3627 if (isset(bo->bo_flags, IEEE80211_BEACON_CSA)) {
3628 struct ieee80211_csa_ie *csa =
3629 (struct ieee80211_csa_ie *) bo->bo_csa;
3632 * Insert or update CSA ie. If we're just starting
3633 * to count down to the channel switch then we need
3634 * to insert the CSA ie. Otherwise we just need to
3635 * drop the count. The actual change happens above
3636 * when the vap's count reaches the target count.
3638 if (vap->iv_csa_count == 0) {
3639 memmove(&csa[1], csa, bo->bo_csa_trailer_len);
3640 bo->bo_erp += sizeof(*csa);
3641 bo->bo_htinfo += sizeof(*csa);
3642 bo->bo_vhtinfo += sizeof(*csa);
3643 bo->bo_wme += sizeof(*csa);
3644 #ifdef IEEE80211_SUPPORT_SUPERG
3645 bo->bo_ath += sizeof(*csa);
3647 #ifdef IEEE80211_SUPPORT_TDMA
3648 bo->bo_tdma += sizeof(*csa);
3650 #ifdef IEEE80211_SUPPORT_MESH
3651 bo->bo_meshconf += sizeof(*csa);
3653 bo->bo_appie += sizeof(*csa);
3654 bo->bo_csa_trailer_len += sizeof(*csa);
3655 bo->bo_quiet += sizeof(*csa);
3656 bo->bo_tim_trailer_len += sizeof(*csa);
3657 m->m_len += sizeof(*csa);
3658 m->m_pkthdr.len += sizeof(*csa);
3660 ieee80211_add_csa(bo->bo_csa, vap);
3663 vap->iv_csa_count++;
3664 /* NB: don't clear IEEE80211_BEACON_CSA */
3668 * Only add the quiet time IE if we've enabled it
3671 if (IEEE80211_IS_CHAN_DFS(ic->ic_bsschan) &&
3672 (vap->iv_flags_ext & IEEE80211_FEXT_DFS)) {
3673 if (vap->iv_quiet &&
3674 (vap->iv_flags_ext & IEEE80211_FEXT_QUIET_IE)) {
3675 ieee80211_add_quiet(bo->bo_quiet, vap, 1);
3678 if (isset(bo->bo_flags, IEEE80211_BEACON_ERP)) {
3680 * ERP element needs updating.
3682 (void) ieee80211_add_erp(bo->bo_erp, ic);
3683 clrbit(bo->bo_flags, IEEE80211_BEACON_ERP);
3685 #ifdef IEEE80211_SUPPORT_SUPERG
3686 if (isset(bo->bo_flags, IEEE80211_BEACON_ATH)) {
3687 ieee80211_add_athcaps(bo->bo_ath, ni);
3688 clrbit(bo->bo_flags, IEEE80211_BEACON_ATH);
3692 if (isset(bo->bo_flags, IEEE80211_BEACON_APPIE)) {
3693 const struct ieee80211_appie *aie = vap->iv_appie_beacon;
3699 aielen += aie->ie_len;
3700 if (aielen != bo->bo_appie_len) {
3701 /* copy up/down trailer */
3702 int adjust = aielen - bo->bo_appie_len;
3703 ovbcopy(bo->bo_tim_trailer, bo->bo_tim_trailer+adjust,
3704 bo->bo_tim_trailer_len);
3705 bo->bo_tim_trailer += adjust;
3706 bo->bo_appie += adjust;
3707 bo->bo_appie_len = aielen;
3713 frm = add_appie(frm, aie);
3714 clrbit(bo->bo_flags, IEEE80211_BEACON_APPIE);
3716 IEEE80211_UNLOCK(ic);
3722 * Do Ethernet-LLC encapsulation for each payload in a fast frame
3723 * tunnel encapsulation. The frame is assumed to have an Ethernet
3724 * header at the front that must be stripped before prepending the
3725 * LLC followed by the Ethernet header passed in (with an Ethernet
3726 * type that specifies the payload size).
3729 ieee80211_ff_encap1(struct ieee80211vap *vap, struct mbuf *m,
3730 const struct ether_header *eh)
3735 /* XXX optimize by combining m_adj+M_PREPEND */
3736 m_adj(m, sizeof(struct ether_header) - sizeof(struct llc));
3737 llc = mtod(m, struct llc *);
3738 llc->llc_dsap = llc->llc_ssap = LLC_SNAP_LSAP;
3739 llc->llc_control = LLC_UI;
3740 llc->llc_snap.org_code[0] = 0;
3741 llc->llc_snap.org_code[1] = 0;
3742 llc->llc_snap.org_code[2] = 0;
3743 llc->llc_snap.ether_type = eh->ether_type;
3744 payload = m->m_pkthdr.len; /* NB: w/o Ethernet header */
3746 M_PREPEND(m, sizeof(struct ether_header), M_NOWAIT);
3747 if (m == NULL) { /* XXX cannot happen */
3748 IEEE80211_DPRINTF(vap, IEEE80211_MSG_SUPERG,
3749 "%s: no space for ether_header\n", __func__);
3750 vap->iv_stats.is_tx_nobuf++;
3753 ETHER_HEADER_COPY(mtod(m, void *), eh);
3754 mtod(m, struct ether_header *)->ether_type = htons(payload);
3759 * Complete an mbuf transmission.
3761 * For now, this simply processes a completed frame after the
3762 * driver has completed it's transmission and/or retransmission.
3763 * It assumes the frame is an 802.11 encapsulated frame.
3765 * Later on it will grow to become the exit path for a given frame
3766 * from the driver and, depending upon how it's been encapsulated
3767 * and already transmitted, it may end up doing A-MPDU retransmission,
3768 * power save requeuing, etc.
3770 * In order for the above to work, the driver entry point to this
3771 * must not hold any driver locks. Thus, the driver needs to delay
3772 * any actual mbuf completion until it can release said locks.
3774 * This frees the mbuf and if the mbuf has a node reference,
3775 * the node reference will be freed.
3778 ieee80211_tx_complete(struct ieee80211_node *ni, struct mbuf *m, int status)
3782 struct ifnet *ifp = ni->ni_vap->iv_ifp;
3785 if_inc_counter(ifp, IFCOUNTER_OBYTES, m->m_pkthdr.len);
3786 if_inc_counter(ifp, IFCOUNTER_OPACKETS, 1);
3787 if (m->m_flags & M_MCAST)
3788 if_inc_counter(ifp, IFCOUNTER_OMCASTS, 1);
3790 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1);
3791 if (m->m_flags & M_TXCB)
3792 ieee80211_process_callback(ni, m, status);
3793 ieee80211_free_node(ni);
projects / FreeBSD / FreeBSD.git / blob