Merge r259175 from stable/10 (head r257065 by adrian):

Fix a use-after-free node reference issue when waiting for a return
from a management frame transmission.

Approved by: re (glebius)

Merge r259174 from stable/10 (head r256294 by adrian):

Fix the "am I a net80211 vap" check for bpf listeners.

I changed it to use if_transmit a while ago but apparently with monitor
mode the if_transmit method is overridden.

This is (mostly) a workaround until a more permanent solution can be
found.

Submitted by: Patrick Kelsey <kelsey@ieee.org>
Approved by: re (glebius)

Merge r259173 from stable/10 (head r258758 by adrian):

Make sure any waiters on the scan results get notified if the scan task
decides to do nothing.

If this isn't done, then a scan request whilst a scan occurs in an
active channel set or a completed channel set will hang.

Approved by: re (glebius)

Merge r259172 from stable/10 (head r257754 by adrian):

Don't return ENOBUFS if the transmit path handles the frame but queues
it (eg in power save.)

PR: kern/183727
Approved by: re (glebius)

- Copy stable/10 (r259064) to releng/10.0 as part of the
10.0-RELEASE cycle.
- Update __FreeBSD_version [1]
- Set branch name to -RC1

[1] 10.0-CURRENT __FreeBSD_version value ended at '55', so
start releng/10.0 at '100' so the branch is started with
a value ending in zero.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Copy head (r256279) to stable/10 as part of the 10.0-RELEASE cycle.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Create a new function to complete 802.11 mbuf transmission.

The aim of this function is to eventually be the completion entry point
for all 802.11 encapsulated mbufs. All the wifi drivers end up doing
what is in this function so it's an easy win to turn it into a net80211
method and abstract out this code.

Ideally the drivers will all eventually be modified to queue up completed
mbufs and call this function with all the driver locks not held.
This will allow for some much more interesting software queue handling
in the future (like net80211 based A-MSDU, fast-frames, A-MPDU aggregation
and retransmission.)

Tested:

* ath(4), iwn(4)

Migrate the ff_encap1() routine out into the normal output code.

This will eventually be used by the A-MSDU encapsulation code that
I'm writing - the sub-frame encapsulation requirement is the same.

Add in some backwards compatability hacks to make -HEAD net80211 compile
on -9.

Reorder the mbuf defines to make more sense and group related flags
together.

Add M_FLAG_PRINTF for use with printf(9) %b indentifier.

Use the generic mbuf flags print names in the net80211 code and adjust
the protocol specific bits for their new positions.

Change SCTP M_PROTO mapping from 5 to 1 to fit within the 16bit field
they use internally to store some additional information.

Discussed with: trociny, glebius

Migrate the net80211 protocol specific use of M_FRAG, M_FIRSTFRAG and
M_LASTFRAG flags to protocol specific flags.

Remove the now unused M_FRAG, M_FIRSTFRAG and M_LASTFRAG mbuf flags.

Discussed with: trociny, glebius, adrian

Add m_clrprotoflags() to clear protocol specific mbuf flags at up and
downwards layer crossings.

Consistently use it within IP, IPv6 and ethernet protocols.

Discussed with: trociny, glebius

Don't return ENOTSUPP here - the net80211 pluggable ioctl API will treat
this as the final item in the linker set and not try others.

This stopped the fast frames IOCTLs from being called.

Return the correct status if ieee80211_ff_check() consumes the mbuf.

I broke this when converting the net80211 TX path to use if_transmit.

Replace the homegrown implementation of nitems() with calls to nitems()
(param.h).

Operating systems that don't have nitems() can easily define it on their own
net80211 OS-specific header file.

Discussed with: adrian

Blank m_nextpkt before passing it up.

When flushing packets from the powersave queue, make sure that
m_nextpkt is NULL before passing it up to the parent transmit
method.

Add in missing m_free()'s during error conditions.

Convert net80211 over to using if_transmit for the dispatch from the
upper layer(s).

This eliminates the if_snd queue from net80211. Yay!

This unfortunately has a few side effects:

* It breaks ALTQ to net80211 for now - sorry everyone, but fixing
parallelism and eliminating the if_snd queue is more important
than supporting this broken traffic scheduling model. :-)

* There's no VAP and IC flush methods just yet - I think I'll add
some NULL methods for now just as placeholders.

* It reduces throughput a little because now net80211 will drop packets
rather than buffer them if the driver doesn't do its own buffering.
This will be addressed in the future as I implement per-node software
queues.

Tested:

* ath(4) and iwn(4) in STA operation

Allow net80211 to compile on stable/9 and stable/8.

Fix compilation when debugging is disabled.

Commit the missing header change.

Refactor the VAP transmit path code into a utility function that both
the normal and the mesh transmit paths can use.

The API is a bit horrible because it both consumes the mbuf and frees
the node reference regardless of whether it succeeds or not.
It's a hold-over from how the code behaves; it'd be nice to have it
not free the node reference / mbuf if TX fails and let the caller
decide what to do.

Add ieee80211_add_{qos,wpa,rsn}() functions since they are needed by an
OpenBSD driver that is being ported to FreeBSD.

Reviewed by: adrian

Make kassert_printf use __printflike.

Fix associated errors/warnings while I'm here.

Requested by: avg

Add a missing unlock.

Document the current 11n rate selection shortcoming in the AMRR code.

Implement basic 802.11n awareness in the PHY and AMRR rate control code.

* Add 802.11n 2ghz and 5ghz tables, including legacy rates and up to
MCS23 rates (3x3.)

* Populate the rate code -> rate index lookup table with MCS _and_
normal rates, but _not_ the basic rate flag. Since the basic rate flag
is the same as the MCS flag, we can only use one.

* Introduce some accessor inlines that do PLCP and rate table lookup/access
and enforce that it doesn't set the basic rate bit. They're not
designed for MCS rates, so it will panic.

* Start converting drivers that use the rate table stuff to use the
accessor inlines and strip the basic flag.

* Teach AMRR about basic 11n - it's still as crap for MCS as it is
being used by iwn, so it's not a step _backwardS_.

* Convert iwn over to accept 11n MCS rates rather than 'translate' legacy
to MCS rates. It doesn't use a lookup table any longer; instead it's a
function which takes the current node (for HT parameters) and the
rate code, and returns the hardware PLCP code to use.

Tested:

* ath - it's a no-op, and it works that way
* iwn - both 11n and non-11n

Don't panic the kernel if we run wpa_supplicant on a hostap VAP.

Reviewed by: adrian

Fix typo (dbM -> dBm)

Submitted by: Daan@vitsch.nl
Reviewed by: adrian

Don't hold the node lock over the iterator.

The "find node" function call will increase the node reference anyway;
so there's no reason to hold the node table lock during the MLME change.

The only reason I could think of is to stop overlapping mlme ioctls
from causing issues, but this should be fixed a different way.

This fixes a whole class of LORs that creep up when nodes are being
timed out or removed by hostapd.

Tested:

* AR5416, hostap, with nodes coming and going. No LORs or stability
issues were observed.

Fix net80211 fragment creation.

When creating fragment frames, the header length should honour the
DATAPAD flag.

This fixes the fragments that are queued to the ath(4) driver but it
doesn't yet fix fragment transmission. That requires further changes
to the ath(4) transmit path. Well, strictly speaking, it requires
further changes to _all_ wifi driver transmit paths, but this is at least
a start.

Tested:

* AR5416, STA mode, w/ fragthreshold set to 256.

Fix a VAP BSS node reference in the HT code to actually take a reference
before using said node.

The "blessed" way here is to take a node reference before referencing
anything inside the node, otherwise the node can be freed between
the time the pointer is copied/dereferenced and the time the node contents
are used.

This mirrors fixes that I've done elsewhere in the net80211/driver
stack.

PR: kern/178470

Add const qualifier to the dst parameter of the ifnet if_output method.

Implement a utility function to return the current TX power cap for
the given node.

This takes into account the per-node cap, the ic cap and the
per-channel regulatory caps.

This is designed to replace references to ni_txpower in various net80211
drivers - ni_txpower doesn't necessarily reflect the actual cap for
the given node (eg if the node has the default value of 50dBm (100) and
the administrator has manually configured a lower TX power.)

Add VNET wrappers around the rest of the ieee80211 rtsock messages.

I triggered the cac/radar messages when doing testing in DFS channels.

Kill this, it's not needed at this point and (hopefully) the parent
has correctly locked the ic/vap.

Fix another compiler warning issue when invariants are disabled.

Fix non-invariant compilation.

Bring over my initial work from the net80211 TX locking branch.

This patchset implements a new TX lock, covering both the per-VAP (and
thus per-node) TX locking and the serialisation through to the underlying
physical device.

This implements the hard requirement that frames to the underlying physical
device are scheduled to the underlying device in the same order that they
are processed at the VAP layer. This includes adding extra encapsulation
state (such as sequence numbers and CCMP IV numbers.) Any order mismatch
here will result in dropped packets at the receiver.

There are multiple transmit contexts from the upper protocol layers as well
as the "raw" interface via the management and BPF transmit paths.
All of these need to be correctly serialised or bad behaviour will result
under load.

The specifics:

* add a new TX IC lock - it will eventually just be used for serialisation
to the underlying physical device but for now it's used for both the
VAP encapsulation/serialisation and the physical device dispatch.

This lock is specifically non-recursive.

* Methodize the parent transmit, vap transmit and ic_raw_xmit function
pointers; use lock assertions in the parent/vap transmit routines.

* Add a lock assertion in ieee80211_encap() - the TX lock must be held
here to guarantee sensible behaviour.

* Refactor out the packet sending code from ieee80211_start() - now
ieee80211_start() is just a loop over the ifnet queue and it dispatches
each VAP packet send through ieee80211_start_pkt().

Yes, I will likely rename ieee80211_start_pkt() to something that
better reflects its status as a VAP packet transmit path. More on
that later.

* Add locking around the management and BAR TX sending - to ensure that
encapsulation and TX are done hand-in-hand.

* Add locking in the mesh code - again, to ensure that encapsulation
and mesh transmit are done hand-in-hand.

* Add locking around the power save queue and ageq handling, when
dispatching to the parent interface.

* Add locking around the WDS handoff.

* Add a note in the mesh dispatch code that the TX path needs to be
re-thought-out - right now it's doing a direct parent device transmit
rather than going via the vap layer. It may "work", but it's likely
incorrect (as it bypasses any possible per-node power save and
aggregation handling.)

Why not a per-VAP or per-node lock?

Because in order to ensure per-VAP ordering, we'd have to hold the
VAP lock across parent->if_transmit(). There are a few problems
with this:

* There's some state being setup during each driver transmit - specifically,
the encryption encap / CCMP IV setup. That should eventually be dragged
back into the encapsulation phase but for now it lives in the driver TX path.
This should be locked.

* Two drivers (ath, iwn) re-use the node->ni_txseqs array in order to
allocate sequence numbers when doing transmit aggregation. This should
also be locked.

* Drivers may have multiple frames queued already - so when one calls
if_transmit(), it may end up dispatching multiple frames for different
VAPs/nodes, each needing a different lock when handling that particular
end destination.

So to be "correct" locking-wise, we'd end up needing to grab a VAP or
node lock inside the driver TX path when setting up crypto / AMPDU sequence
numbers, and we may already _have_ a TX lock held - mostly for the same
destination vap/node, but sometimes it'll be for others. That could lead
to LORs and thus deadlocks.

So for now, I'm sticking with an IC TX lock. It has the advantage of
papering over the above and it also has the added advantage that I can
assert that it's being held when doing a parent device transmit.
I'll look at splitting the locks out a bit more later on.

General outstanding net80211 TX path issues / TODO:

* Look into separating out the VAP serialisation and the IC handoff.
It's going to be tricky as parent->if_transmit() doesn't give me the
opportunity to split queuing from driver dispatch. See above.

* Work with monthadar to fix up the mesh transmit path so it doesn't go via
the parent interface when retransmitting frames.

* Push the encryption handling back into the driver, if it's at all
architectually sane to do so. I know it's possible - it's what mac80211
in Linux does.

* Make ieee80211_raw_xmit() queue a frame into VAP or parent queue rather
than doing a short-cut direct into the driver. There are QoS issues
here - you do want your management frames to be encapsulated and pushed
onto the stack sooner than the (large, bursty) amount of data frames
that are queued. But there has to be a saner way to do this.

* Fragments are still broken - drivers need to be upgraded to an if_transmit()
implementation and then fragmentation handling needs to be properly fixed.

Tested:

* STA - AR5416, AR9280, Intel 5300 abgn wifi
* Hostap - AR5416, AR9160, AR9280
* Mesh - some testing by monthadar@, more to come.

Disable this variable; the code using it is also disabled.

Disable this code and add a note as to why.

It wasn't currently being called anyway - but being explicit about it
can't hurt.

Fix an incorrect sizeof()

Spotted by: clang

Submitted by: dim

Mesh: QoS Control field bit flags fix.

* The following bit flags where incroccetly defined:
o Mesh Control Present
o Mesh Power Save Level
o RSPI
This is now corrected according to Table 8.4 as per IEEE 802.11 2012;

Approved by: adrian (mentor)

Substitute '#ifdef ALIGNED_POINTER' with '#ifndef __NO_STRICT_ALIGNMENT',
since the former is defined everywhere. This cuts off some code not
necessary on non strict aligment arches.

Reviewed by: adrian
Sponsored by: Nginx, Inc.

Fix ieee80211_mesh.c compilation.

* Add the superg.h header to allow ieee80211_check_ff() to work
* Since the assert stuff creates assertions based on line numbers and there
was a conflict, just nudge things down a bit.

Mesh: recevied GANN frames where not parsed correctly.

* Added mesh_parse_meshgate_action that parse all values to host endian;
* Add more detailed debug output;

Approved by: adrian (mentor)

Mesh HWMP forwarding information: updating FI for transmitter.

* Added hwmp_update_transmitter function that checks if the metric
to the transmitter have improved. If old FI is invalid or metric
is larger the FI to the transmitter is updated occurdingly.
This is a recommendation from the 802.11 2012 standard, table 13-9;

Approved by: adrian (mentor)

Mesh HWMP PERR bug fixes.

* When calling ieee80211_mesh_rt_flush_peer, the rt->rt_dest argument
should not be passed because it can get freed before invalidating
the other routes that depends on it to compare with next_hop.
Use PERR_DADDR(i) instead;

Approved by: adrian (mentor)

Mesh bug: debug infomartion showing swapped SA and DA address.

* Fix bug for "forward frame from SA(%6D), DA(%6D)" where addresses where
swapped between SA and DA;

Approved by: adrian (mentor)

Update ddb to print mesh routing table.

* Modified _db_show_vap and _db_show_com to print mesh routing table
if the 'm' modifier is specified;

Approved by: adrian (mentor)

Mesh HWMP PREQ: fixed conditions for discarding elements.

Approved by: adrian (mentor)

Mesh HWMP: don't send an intermediate PREP for proxy entries.

* The standard is unclear about what should happen in case a mesh STA (not
marked as a mesh gate) recevies a PREQ for a destination that is marked
as proxy. Solution for now is not to do intermediate reply at all, and
let the PREQ reach the mesh gate;

Approved by: adrian (mentor)

Mesh HWMP PREQ update: proxy reply only if mesh STA is a meshgate.

* Original PREP frame is transmitted only by the target mesh STA or the
mesh STA that is the proxy target;
* Fixed so that metric value is not over written incorrectly in
hwmp_recv_preq for when replying back with a PREP;

Approved by: adrian (mentor)

HWMP: ic->raw_xmit didn't always point to correct ni.

This is a code re-write. ic->raw_xmit need a pointer to ieee80211_node
for the destination node (da). I have reorganized the code so that
a pointer to the da node is searched for in the end & in one place.

* Make mesh_find_txnode public to be used by HWMP, renamed to
ieee80211_mesh_finx_txnode;
* changed the argument from ieee80211_node to ieee80211vap for all
hwmp_send_* functions;
* removed the 'sa' argument from hwmp_send_* functions as all HWMP frames
have the source address equal to vap->iv_myaddr;
* Modified hwmp_send_action so that if da is MULTCAST ni=vap->iv_bss
otherwise we called ieee80211_mesh_find_txnode. Also no need to hold
a reference in this functions if da is not MULTICAST as by finding the
node it became referenced in ieee80211_find_txnode;

Approved by: adrian (mentor)

Mesh gate code to transmit to all mesh gates.

* Modified mesh_find_txnode to be able to handle proxy marked entries by
recursively calling itself to find the txnode towards the active mesh gate;
* Mesh Gate: Added a new function that transmits data frames
similar to ieee80211_start;
* Modified ieee80211_mesh_forward_to_gates so that:
+ Frames are duplicated and sent to each valid Mesh Gate;
+ Route is marked invalid before return of function, this is
because we dont know yet which Mesh Gate is we will use;

Approved by: adrian (mentor)

Send frames to mesh gate if 11s discovery fails.

* Send frames that have no path to a known valid Mesh Gate;
* Added the function ieee80211_mesh_forward_to_gates that sends the frame
to the first found Mesh Gate in the forwarding information;
* If we try to discover again while we are discovering queue frame,
the discovery callout will send the frames either to mesh gates
or discards them silently;
* Queue frame also if we try to discover to frequently;

Approved by: adrian (mentor)

Mark root mesh as gate when mesh gate flag set.

* Add function ieee80211_mesh_mark_gate in ieee80211_mesh.h;
* When received a proactive PREQ or RANN with corresponding mesh gate
flag set, create a new entry in the known mesh gate list;

Approved by: adrian (mentor)

Propagate GANN frames, and store know gate info.

* Modified mesh_recv_action_meshgate to do following:
+ if mesh STA already knows the mesh gate of the recevied GANN frame
+ if mesh gate is know, check seq number according to 802.11 standard
+ if mesh gate is not know, add it to the list of known mesh gates
+ if forwarding is enabled and ttl >= 1 then propagate the GANN frame;
* Declare a new malloc type M_80211_MESH_GT_RT;
* Declare a struct to store GANN information, ieee80211_mesh_gate_route. And
add it as a TAILQ list to ieee80211_mesh_state;

Approved by: adrian (mentor)

Mesh update: add base Mesh Gate functionality.

A Mesh Gate should transmit a Mesh Action frame containing
ieee80211_meshgann_ie as its only information element periodically
every ieee80211_mesh_gateint ms. Unless the mesh gate is also configure
as a ROOT, then these frames should not be send.
This is according to 802.11 2012 standard;

* Introduce new SYSCTL net.wlan.mesh.gateint, with 10s default;
* Add two new functions mesh_gatemode_setup and mesh_gatemode_cb. This
is similar to how HWMP setups up a callout;
* Add two new action handlers mesh_recv_action_meshgate and
mesh_send_action_meshgate;
* Added ieee80211_add_meshgate to ieee80211_mesh.h;
* Modified mesh_send_action to look similar to hwmp_send_action. This is
because we need to send out broadcast management frames.
* Introduced a new flag for mesh state IEEE80211_MESHFLAGS_ROOT. This flag
is now set by HWMP code when a mesh STA is configured as a ROOT. This
is then checked by mesh_gatemode_cb before scheduling a new callout;
* Added to new field to ieee80211_mesh_state:
+ struct callout ms_gatetimer
+ ieee80211_mesh_seq ms_gateseq;

Approved by: adrian (mentor)

Start accepting IEEE80211_ACTION_MESH_GANN frames;

* Add IEEE80211_ACTION_MESH_GANN Action frame verification in
ieee80211_parse_action;

Approved by: adrian (mentor)

Mesh: management mesh action frames are to be discarded
when not peered.

* Modified ieee80211_recv_action to check if neighbour is peered for
IEEE80211_ACTION_CAT_MESH frames, if not frame is discarded. This is
according to IEEE802.11 2012 standard;
* Removed duplicate checks in each hwmp_recv_* handlers because HWMP
is a subtype of mesh action;

Approved by: adrian (mentor)

Update in ieee80211_action.c for mesh code handlers.

* Removed meshlm_send_action and hwmp_send_action. Introduced one common
for all Mesh Action frames meshaction_send_action. According to 802.11
standard Link Metric and HWMP are all under Mesh Action category;
* Did similar changes to recv_action part;
* The size of meshaction_*_action is set to 12. This is to make room for
the rest of Mesh Action category subtypes;

Approved by: adrian (mentor)

Update net80211 mesh struct ieee80211_meshgann_ie.

* Change all field prefix from pann_ to gann_;
* Added IEEE80211_MESHGANN_BASE_SZ macro to be used in the length field
of a GANN frame according to 802.11 standard;
* Changed gann_seq field type to uint32_t;
* Added a Gate Announcement interval field according to
IEEE802.11 2012 standard;
* Added IEEE80211_MESHRT_FLAGS_GATE as flag bit to ieee80211_mesh_route;
* Added IEEE80211_MESHRT_FLAGS_GATE as flag bit to ieee80211req_mesh_route;

Approved by: adrian (mentor)

HWMP: Accept a PERR even if path is valid.

* An HWMP PERR should be accepted even if path is valid. Because
we check if we recevied it from a neighbour that we use as a next hop;

Approved by: adrian (mentor)

Add mesh debug for interarction between DS & MBSS.

* Add mesh debug information when frames enter or leave the MBSS;
* Set IEEE80211_MSG_OUTPUT bit to enable output;

Approved by: adrian (mentor)

Fix mesh path flag.

* A bug occurs while in discovery mode which leaves a path marked with
both Discover and Valid flag. This happens when receiving/sending
PREQ and PREP in a particular order. Solution is to assign the Valid bit
instead of oring it;

Approved by: adrian (mentor)

Stop a mesh STA from flooding with peer frames.

This problem happens when using ACL policy to filter mesh STA
but two nodes have different policy. Then one of them will try to
peer all the time. This can also help if for any reason one of the
peering mesh STA have problems sending/receiving peer frames.

* Modified struct ieee80211_node to include two new fields:
+ struct callout ni_mlhtimer /* link mesh backoff timer */
+ uint8_t ni_mlhcnt /* link mesh holding counter */
* Added two new sysctl (check sysctl -d for more info):
+ net.wlan.mesh.backofftimeout=5000
+ net.wlan.mesh.maxholding=2;
* When receiving a beacon and we are in IEEE80211_NODE_MESH_IDLE
check if ni_mlhcnt >= ieee80211_mesh_maxholding, if so do not do anything;
* In mesh_peer_timeout_cb when transitioning from IEEE80211_NODE_MESH_HOLDING
to IEEE80211_NODE_MESH_IDLE increment ni_mlhcnt, and eventually start
ieee80211_mesh_backofftimeout;

Approved by: adrian (mentor)

Wrap this in an #ifdef so IEEE80211_SUPPORT_SUPERG will work correctly
in a wlan.ko module.

Initial cut at making IBSS support 802.11n aware.

* Add HTINFO field decoding to ieee80211_ies_expand() - it's likely not
100% correct as it's not looking at the draft 11n HTINFO location,
but I don't think anyone will care.

* When doing an IBSS join make sure the 11n channel configuration
is used - otherwise the 11a/11bg channel will be used
and there won't be any chance for an upgrade to 11n.

* When creating an IBSS network, ensure the channel is updated to an
11n channel so other 11n nodes can see it and speak to it with MCS
rates.

* Add a bit of code that's disabled for now which handles the HT
field updating. This won't work out very well with lots of adhoc
nodes as we'd end up ping-ponging between the HT configuration for
each node. Instead, we should likely only pay attention to the
"master" node we initially associated against and then ensure we
propagate that information forward in our subsequent beacons. However,
due to the nature of IBSS (ie, there's no specific "master" node in
the specification) it's unclear which node we should lift the HT
parameters from.

So for now this assumes the HT parameters are squirreled away in the
initial beacon/probe response.

So there's some trickiness here.

With ap/sta pairing, the probe response just populates a legacy node
and the association request/response is what is used for negotiation
11n-ness (and upgrading things as needed.)

With ibss networks, the pairing is done with probe request/response,
with discovery being done by creating nodes when new beacons in the
IBSS / BSSID are heard. There's no assoc request/response frames going on.

So the trick here has been to figure out where to upgrade things.
I don't like how I just taught ieee80211_sta_join() to "speak" HT -
I'd rather there be an upgrade path when an IBSS node joins and there
are HT parameters present. Once I've done that, I'll kill this
HT special casing that's going on in ieee80211_sta_join().

Tested:

* AR9280, AR5416, AR5212 - basic iperf and ping interoperability tests
whilst in a non-encrypted adhoc network.

TODO:

* Fix up the HT upgrade path for IBSS nodes rather than adding code
in ieee80211_sta_join(), then remove my code from there.

* When associating, there's a concept of a "master" node in the IBSS
which is the node you first joined the network through. It's possible
the correct thing to do is to listen to HT updates and configure WME
parameters from that node. However, once that node goes away, which
node(s) should be listened to for configuration changes?

For things like HT channel width, it's likely going to be ok to
just associate as HT40 and then use the per-neighbor rate control
and HTINFO/HTCAP fields to figure out which rates and configuration
to speak. Ie, for a 20MHz 11n node, just speak 20MHz rates to
it. It shouldn't "change", like what goes on in AP/STA configurations.

Remove the use of the ifnet send queue and if_start() in the power
save queue code.

Instead, use if_transmit() directly - and handle the cases where frame
transmission fails.

I don't necessarily like this and I think at this point the M_ENCAP check,
node freeing upon fail and the actual if_transmit() call should be done
in methods in ieee80211_freebsd.c, but I digress slightly..

This removes one of the last few uses of if_start() and the ifnet
if_snd queue. The last major offender is ieee80211_output.c, where
ieee80211_start() implements if_start() and uses the ifnet queue
directly.

(There's a couple of gotchas here, where the if_start pointer is
compared to ieee80211_start(), but that's a later problem.)

Add in the missing radiotap definitions from the sipsolutions.net
radiotap "upstream" source.

Handle ps-poll data frame if_transmit() failure.

If the data frame transmission failures, it may have a node reference
that needs cleaning up.

If the frame is marked as M_ENCAP then it should treat recvif as a node
reference and clear it.

Now - since the mbuf has been freed by calling if_transmit() (even on
failure), the mbuf has to be treated as invalid. Hence why the ifp is
used.

Handle HWMP if_transmit() failure gracefully.

If if_transmit() fails, the node ref may need freeing.

This is based on the same logic used by the ageq, which the mesh code
(re) uses for frames which need to be staged before transmitting.
It also does the same thing - if M_ENCAP is set on the mbuf, it treats
the recvif pointer as a node reference and derefs it.

if_start() is being used here as a way of kick-starting the new queue
processing. For if_transmit() style hardware drivers (which none publicly
exist yet, for wireless) they will need to still implement if_start()
but only to re-start the TX queue.

Remove a use of if_start() - instead, use if_transmit() to dispatch the
frame.

Adjust the channel to correctly setup the HT flags when transitioning
an IBSS VAP to RUN.

An 11n IBSS was beaconing HTINFO/HTCAP IE's that didn't have any HT
information setup (like the HT TX/RX MCS bitmask.)

Tested:

* AR9280, IBSS - both a statically setup channel and a scanned channel

PR: kern/172955

Update the aggressive mode logic to also enable aggressive mode
parameters in IBSSes.

IBSS was just being plainly ignored here even though aggressive mode
was 'on'.

This still doesn't fix the "why are the WME parameters reset upon
interface down/up" issue.

PR: kern/165969

Undo the previous adhoc commit - doing the WME IE handling here
is totally wrong.

If we parse the WME IE here, we'll be constantly updating the WME
configuration from each WME enabled IBSS node we see.

There's a separate issue where the WME configuration is blanked out
when the interface is brought up; the WME parameters aren't "sticky."

Also, ieee80211_init_neighbor() parses the ath IE, so doing it here
isn't required.

Sorry about the noise.

PR: kern/165969

Handle ath-specific and WME IE's in adhoc mode.

The Adhoc support wasn't parsing and handling the ath specific and WME
IEs, thus the atheros vendor support and WME TXOP parameters aren't being
copied from the peer.

It copies the WME parameters from whichever adhoc node it decides to
associate to, rather than just having them be statically configured
per adhoc node. This may or may not be exactly "right", but it's certainly
going to be more convienent for people - they just have to ensure their
adhoc nodes are setup with correct WME parameters.

Since WME parameters aren't per-node but are configured on hardware TX
queues, if some nodes support WME and some don't - or perhaps, have
different WME parameters - things will get quite quirky.

So ensure that you configure your adhoc nodes with the same WME
parameters.

Secondly - the Atheros Vendor IE is parsed and operated on per-node, so
this should work out ok between nodes that do and don't do Atheros
extensions. Once you see a becaon from that node and you setup the
association state, it _should_ parse things correctly.

TODO:

* I do need to ensure that both adhoc setup paths are correctly updating
the IE stuff. Ie, if the adhoc node is created by a data frame instead
of a beacon frame, it'll come up with no WME/ath IE config. The next
beacon frame that it receives from that node will update the state.
I just need to sit down and better understand how that's suppose to
work in IBSS mode.

Tested:

* AR5416 <-> AR9280 - fast frames and the WME configuration both popped
up. (This is with a local HAL patch that enables the fast frames
capability on the AR5416 chipsets.)

PR: kern/165969

Atheros SuperG bug fixes, as part of hunting down kern/174283.

The stageqdepth (global, over all staging queues) was being kept
incorrectly. It was being incremented whenever things were added,
but only decremented during a flush. During active fast frames activity
it wasn't being decremented, resulting in it always having a non-zero
value during normal fast-frames operation.

It was only used when checking if the aging queue should be checked;
we may as well just defer to each of those staging queue counters (which
look correct, thankfully.)

Whilst I'm here, add locking assertions in the staging queue add/remove
functions. The current crash shows that the staging queue has one frame,
but only has a tail pointer set (the head pointer being set to NULL.)
I'd like to grab a few more crashes where these locking assertions are
in place so I can narrow down the issue between "somehow locking is
messed up and things are racy" and "the stage queue head/tail pointer
manipulation logic is subtly wrong."

Tested:

* AR5416 STA, AR5413 AP; with FastFrames enabled in the AR5416 HAL.

PR: kern/174283

Don't panic if the stageq here is empty; just fall through with NULL
pointers and leave the stage queue flush routine to just do nothing
(since both head and tail here will be NULL.)

This should quieten the "stageq empty" panic where the stageq itself
is empty, but it won't fix the second KASSERT() here "staging queue empty"
as that's likely a different underlying problem.

PR: kern/174283

Fix a use-after-free bug in the Atheros fast-frames support.

Tested:

* AR5212 AP, AR5413 STA, iperf TCP STA->AP, destroyed and/or shutdown
the STA vap during active iperf TCP traffic.

PR: kern/174273
MFC after: 1 week

Add a new 900MHz GSM regulatory SKU for the Xagyl Communications XC900M.

The XC900M acts as a Ubiquiti XR9 (and I _think_ SR9) by default;
it uses the same 900MHz<->2.4GHz downconverter mapping.

However it has an alternative frequency mapping which squeezes in a couple
more half/quarter rate channels. Since the default HAL doesn't support
fractional tuning (sub-1MHz) in 2.4GHz mode on the AR5413/AR5414, they
implement it using a jumper.

Datasheet: http://www.xagyl.com/download/XC900M_Datasheet.pdf

Thankyou to Xagyl Communications for the XC900M NICs and Edgar Martinez
for organising the donation.

Tested:

* XC900M <-> XC900M
* Ubiquiti XR9 <-> XC900M

TODO:

* Test against SR9 and GZ901 if possible (the IEEE channel<->frequency
mapping may not match up, thanks to the slightly different channels
involved)

Mechanically substitute flags from historic mbuf allocator with
malloc(9) flags within sys.

Exceptions:

- sys/contrib not touched
- sys/mbuf.h edited manually

Add a primitive to check if a lock is not owned.

Add some further BAR TX debugging; it was useful when figuring out
when BAR TX was actually failing.

Oops, missed in my last commit.

Allow net80211 to be built on -9 and -8.

There are some people who use the -HEAD net80211 and wireless drivers
on earlier FreeBSD versions in order to get the updated 802.11n support.
The previous if_clone API changes broke this.

Fix up some initial issues with creation and deletion of hotplugged
net80211 devices and vaps.

* vnet sets vnet0 during kldload and device probe/attach, but not for
the hotplug event. Thus, plugging in a NIC causes things to panic.
So, add a CURVNET_SET(vnet0) for now during the attach phase, until
the hotplug code is taught to set CURVNET_SET(vnet0).

* there's also no implied detach vnet context - so teach the detach
path about ifp->if_vnet.

* When creating/deleting vaps, also set the vnet context appropriately.
These can be done at any time.

Now, the problems!

* ieee80211.c is supposed to be OS-portable code, with no OS-specific stuff
like vnet. That should be fixed.

* When the device hotplug code gets taught about CURVNET_SET(vnet0), the
device vnet set can go away; but the VAP vnet set still needs to be there.

* .. and there still is the question about potentially adding an implied
CURVNET_SET(ifp->if_vnet) on if_free(), since any/all devices may end up
being detached by a hotplug event in today's world. That's going to be
a topic of a subsequent commit.

Make the "struct if_clone" opaque to users of the cloning API. Users
now use function calls:

if_clone_simple()
if_clone_advanced()

to initialize a cloner, instead of macros that initialize if_clone
structure.

Discussed with: brooks, bz, 1 year ago

Revert previous commit...

Pointyhat to: kevlo (myself)

Prefer NULL over 0 for pointers

Migrate the power-save functions to be overridable VAP methods.

This turns ieee80211_node_pwrsave(), ieee80211_sta_pwrsave() and
ieee80211_recv_pspoll() into methods.

The intent is to let drivers override these and tie into the power save
management pathway.

For ath(4), this is the beginning of forcing a node software queue to
stop and start as needed, as well as supporting "leaking" single frames
from the software queue to the hardware.

Right now, ieee80211_recv_pspoll() will attempt to transmit a single frame
to the hardware (whether it be a data frame on the power-save queue or
a NULL data frame) but the driver may have hardware/software queued frames
queued up. This initial work is an attempt at providing the hooks required
to implement correct behaviour.

Allowing ieee80211_node_pwrsave() to be overridden allows the ath(4)
driver to pause and unpause the entire software queue for a given node.
It doesn't make sense to transmit anything whilst the node is asleep.

Please note that there are other corner cases to correctly handle -
specifically, setting the MORE data bit correctly on frames to a station,
as well as keeping the TIM updated. Those particular issues can be
addressed later.

Fix a crash bug introduced in the iterate node work recently done.

When resuming, the first VAP is checked for max_aid; however if there
is no VAP, this results in a NULL pointer dereference and kernel
panic.

s/ is is / is /g
s/ a a / a /g

Approved by: cperciva
MFC after: 3 days

Fix an incorrect comparison.

PR: kern/170098

Don't call the node iteration function inside the node table / node
iterate lock.

This causes LORs and deadlocks as some code paths will have the com lock
held when calling ieee80211_iterate_nodes().

Here, the comlock isn't held during the node table and node iteration
locks; and the callback isn't called with any (extra) lock held.

PR: kern/170098
Submitted by: moonlightakkiy@yahoo.ca
MFC after: 4 weeks

Fix an incorrect comment.

Fixed some debug output in hwmp_recv_prep.

Fix a PREQ comparison error in 11s HWMP.

* Earlier we compared two not equal metrics, one was what we recevied
in the 'new PREQ' while the other was what we already have saved which
was 'old PREQ' + link metric for the last hop;
* Fixed by adding 'new PREQ' + link metric for the last hop in a
temporary variable;

Fix bugs in net80211s found with wtap simulator.

For description of the test scripts refer to projects/net80211_testsuite/wtap.

* Test 007 showed a bug in intermediate PREP for a proxy entry. Resolved;
* Test 002 showed a bug in the Addressing Mode flag for a PREQ. Resolved;

Add a check for dynamic OFDM/CCK channel types.

Mesh mode, potential garbage in QoS subfield.

* qos[1] subfield is never assigned a value before this statement.
qos[1] can potentially be OR:ed with garbage. Make it an assignment instead;
* Remove brackets around if statement;

Approved by: adrian

Extend the radiotap code to be aware of the size of any extra vendor
bitmaps that may occur.

The way this works is:

* the beginning of the radiotap frame has a 32 bit "radiotap" namespace
bitmap;
* if the vendor bitmap bit is set, then the next bitmap will be interpreted
as a vendor bitmap;
* this can keep going on and on (ie, more vendor and radiotap namespace
bitmaps can be added) until the last bitmap with no "more bitmaps" set.

Now, the radiotap code gets its grubby fingers into the supplied
radiotap rx/tx buffer and replaces the channel configuration
for each frame. I don't know why it's not up to the drivers themselves
to do this, but I digress. So, if a vendor bitmap (or two, etc) exists,
the offset calculations will be all completely wrong.

This particular patch introduces ieee80211_radiotap_attachv(), which
includes the number of vendor bitmaps (well, any other bitmaps, vendor
or otherwise) between the end of the bitmap/header and the start of the
actual radiotap field entries. This makes the radiotap calculations
"right", so it correctly calculates where to overwrite the channel
configuration.

The long term fix is to go through and make each driver update the channel
configuration, as some of the fields are already being updated.

That, however, is a longer term fix that will need each driver fixed.

I leave that as an exercise to someone in the future.

Fix some corner cases in the ieee80211_send_bar() handling.

* If the first call succeeded but failed to transmit, a timer would
reschedule it via bar_timeout(). Unfortunately bar_timeout() didn't
check the return value from the ieee80211_send_bar() reattempt and
if that failed (eg the driver ic_raw_xmit() failed), it would never
re-arm the timer.

* If BARPEND is cleared (which ieee80211_send_bar() will do if it can't
TX), then re-arming the timer isn't enough - once bar_timeout() occurs,
it'll see BARPEND is 0 and not run through the rest of the routine.
So when rearming the timer, also set that flag.

* If the TX wasn't occuring, bar_tx_complete() wouldn't be called and the
driver callback wouldn't be called either. So the driver had no idea
that the BAR TX attempt had failed. In the ath(4) case, TX would stay
paused.

(There's no callback to indicate that BAR TX had failed or not;
only a "BAR TX was attempted". That's a separate, later problem.)

So call the driver callback (ic_bar_response()) before the ADDBA session
is torn down, so it has a chance of being notified that things didn't
quite go to plan.

I've verified that yes, this does suspend traffic for ath(4), retry BAR
TX even if the driver is failing ic_raw_xmit(), and then eventually giving
up and sending a DELBA. I'll address the "out of ath_buf" issue in ath(4)
in a subsequent commit - this commit just fixes the edge case where any
driver is (way) out of internal buffers/descriptors and fails frame TX.

PR: kern/168170
Reviewed by: bschmidt
MFC after: 1 month

Update HWMP Proactive code and mesh route flags.

* Modified hwmp_recv_preq:
o cleaned up code, removed rootmac variable because preq->origaddr
is the root when we recevie a Proactive PREQ;
o Modified so that a PREP in response of a Proactive PREQ is unicast,
a PREP is ALWAYS unicast;
* Modified hwmp_recv_prep:
o Before we mark a route to be valid we should remove the discovery
flag and then mark it valid in such a way we wont lose the isgate flag;

Approved by: adrian

PREQ discovery update.

* Added a new discovery flag IEEE80211_MESHRT_FLAGS_DISCOVER;
* Modified ieee80211_ioctl.h to include IEEE80211_MESHRT_FLAGS_DISCOVER;
* Added hwmp_rediscover_cb, which will be called by a timeout to do
rediscovery if we have not reach max number of preq discovery;
* Modified hwmp_discover to setup a callout for path rediscovery;
* Added to ieee80211req_mesh_route to have a back pointer to ieee80211vap
for the discovery callout context;
* Modified mesh_rt_add_locked arguemnt from ieee80211_mesh_state to
ieee80211vap, this because we have to initialize the above back pointer;

Approved by: adrian

Net80211s update: Mesh Gate Announcement and removal of Portal Announcement.

* Renamed IEEE80211_ELEMID_MESHPANN to IEEE80211_ELEMID_MESHGANN according to
amendment;
* Added IEEE80211_IOC_MESH_GATE that controls whether Mesh Gate Announcement
is activated or not;
* Renamed all flags from Portal to Gate in HWMP frames;
* Removed IEEE80211_ACTION_MESHPANN enum cause its part of the Mesh Action
category now as per amendment;
* Renamed IEEE80211_MESHFLAGS_PORTAL to IEEE80211_MESHFLAGS_GATE in
ieee80211_mesh_state flags;
* Modified ieee80211_hwmp.c/ieee80211_mesh.c to use new GATE flags;

Approved by: adrian

RANN update

* Introduced a new HWMP sysctl, Root Confirmation Interval;
* Added hr_lastrootconf to hwmp_route, is for ratecheck for a specific ROOT;
* We missed reading RANN.interval subfield from a RANN frame before;
* Updated hwmp_recv_rann according to amendment, see comments;

Approved by: adrian

PERR update to be called from mesh code.

* Added mpp_senderror for Mesh Path Selection protocol;
* Added hwmp_senderror that will send an HWMP PERR according to the
supplied reason code;
* Call mpp_senderror when deleting a route with correct reason code
for whether the route is marked proxy or not;
* Call mpp_senderror when trying to forward an individually addressed
frame and there is no forwarding information;

Approved by: adrian

* Modified PERR acceptance criteria according to amendment;
* Modified how PERR is handled and propagated according to amendment;

Approved by: adrian

Updated PREQ propagation code;

* When receiving a Proactive PREQ dont return after processing it but propagate;
* When we propagate we should not enforce ratechecking;
* Added checking for multiple pred ID detection;
* Storing proxy orig address when PREQ is not for us;

Approved by: adrian

* PREQ acceptance criteria updated to check for proxy condition as in amendment;

Approved by: adrian

* Proactive PREQ (original transmission) must also set
IEEE80211_MESHPREQ_TFLAGS_USN flag in target_flag field;

Approved by: adrian

* Fixed hwmp_discover code to populate a PREQ packet correctly;
* Removed IEEE80211_MESHPREQ_TFLAGS_RF which is no longer part of the
amendment spec;

Approved by: adrian

* Fixed PREQ flag field Adressing mode subfiled according to amendment specs;

Approved by: adria

* Added a mesh max PREQ retires sysctl that governous how many times
we try to discover an address;
* Added a mesh net travelse time across an MBSS, which is used to enforce
discovery rate check;

Approved by: adrian

Change how we enforce PREQ minimum interval.

* Moved hs_lastpreq to be hr_lastpreq cause this rate check should be per
target mesh STA according to amendment (NB: not applicable for PERR);
* Modified hwmp_send_preq to use two extra arguments for last sent PREQ and
minimum PREQ interval;
* hwmp_send_preq is called with last two arguments equal to NULL when sending
Proactive PREQs cause the call back task enforces the rate check;

Approved by: adrian

PREP update

* Added assertion in mesh_rt_update;
* Fixed some prep propagation that where multicast, ALL PREPS ARE UNICAST;
* Fixed PREP acceptance criteria;
* Fixed some PREP debug messages;
* HWMP intermediate reply (PREP) should only be sent if we have newer
forwarding infomration (FI) about target;
* Fixed PREP propagation condition and PREP w/ AE handling;
* Ignore PREPs that have unknown originator.
* Removed old code inside PREP that was for proactive path building
to root mesh;

Other errors include:
* use seq number of target and not orig mesh STA;
* Metric is what we have stored in our FI;
* Error in amendment, Hop count is not 0 but equals FI hopcount for target;

Approved by: adrian

* MeshForwarding update mesh_recv_indiv_data_to_fwrd to silently discard
unknown meshDA instead of panic, which is allowed per amendment spec;

Approved by: adrian

Added route lifetime update for destination and source mesh along a mesh path;

* In mesh_recv_indiv_data_to_fwd update route entry for both meshDA and meshSA;
* In mesh_recv_indiv_data_to_me update route entry for meshSA;
* in ieee80211_mesh_rt_update put code so that a proxy entry that is gated
by us (number of hops == 0) is never invalidated;
* Fixed so that we always call ieee80211_mesh_rt_update with lifetime in ms;

Approved by: adrian

Mesh forwarding with proxy support.

* Modified HWMP PREP/PREQ to contain a proxy entry and also changed PREP
frame processing according to amendment as following:
o Fixed PREP to always update/create if acceptance criteria is meet;
o PREQ processing to reply if request is for a proxy entry that is
proxied by us;
o Removed hwmp_discover call from PREQ, because sending a PREP will
build the forward path, and by receving and accepting a PREQ we
have already built the reverse path (non-proactive code);
* Disabled code for pro-active in PREP for now (will make a separate patch for
pro-active HWMP routing later)
* Added proxy information for a Mesh route, mesh gate to use and proxy seqno;
* Modified ieee80211_encap according to amendment;
* Introduced Mesh control address extension enum and removed unused struct,
also rename some structure element names.
* Modified mesh_input and added mesh_recv_* that should verify and process mesh
data frames according to 9.32 Mesh forwarding framework in amendment;
* Modified mesh_decap accordingly to changes done in mesh control AE struct;

Approved by: adrian

Implemented so that Mesh forwarding information lifetime is dynamic.

* Introduced ieee80211_mesh_rt_update that updates a route with the
maximum(lifetime left, new lifetime);
* Modified ieee80211_mesh_route struct by adding a lock that will be used
by both ieee80211_mesh_rt_update and precursor code (added in future commit);
* Modified in ieee80211_hwmp.c HWMP code to use new ieee80211_mesh_rt_update;
* Modified mesh_rt_flush_invalid to use new ieee80211_mesh_rt_update;
* mesh_rt_flush also checks that lifetime == 0, this gives route discovery
a change to complete;
* Modified mesh_recv_mgmt case IEEE80211_FC0_SUBTYPE_BEACON:
when ever we received a beacon from a neighbor we update route lifetime;

Approved by: adrian

Fixed some MPM reason codes and max number of neighbors check

* Added IEEE80211_MESH_MAX_NEIGHBORS and it is set to 15, same as before;
* Modified mesh_parse_meshpeering_action to verify MPM frame and send
correct reason code for when a frame is rejected according to standard spec;
* Modified mesh_recv_action_meshpeering_* according to the standard spec;
* Modified mesh_peer_timeout_cb to always send CLOSE frame when in CONFIRMRCV
state according to the standard spec;

Approved by: adrian

Modified structure and code that handles Mesh peering management.

* Old struct ieee80211_meshpeer_ie had wrong peer_proto field size;
* Added IEEE80211_MPM_* size macros;
* Created an enum for the Mesh Peering Protocol Identifier field according
to the standard spec and removed old defines;
* Abbreviated Handshake Protocol is not used by the standard anymore;
* Modified mesh_verify_meshpeer to use IEEE80211_MPM_* macros for verification;
* Modified mesh_parse_meshpeering_action to parse complete frame, also to parse
it according to the standard spec;
* Modified ieee80211_add_meshpeer to construct correct MPM frames according to
the standard spec;

Approved by: adrian

Added Self-protected action category (including MPM).

* Added new action category IEEE80211_ACTION_CAT_SELF_PROT which is used by 11s
for Mesh Peering Management;
* Updated Self protected enum Action codes to start from 1 instead of 0
according to the standard spec;
* Removed old and wrong action categories IEEE80211_ACTION_CAT_MESHPEERING;
* Modified ieee80211_mesh.c and ieee80211_action.c to use the new action
category code;
* Added earlier verification code in ieee80211_input;

Approved by: adrian

Migrate the net80211 TX aggregation state to be from per-AC to per-TID.

TODO:

* Test mwl(4) more thoroughly!

Reviewed by: bschmidt (for iwn)

Add some statistics to track BAR TX.

Add basic HT channel setup to ieee80211_init_channels(), this will be
used by at least ral(4).

Reviewed by: ray

Correct the ordering of tid/crypto ic_name.

Because the code lacks all the GNU extensions to printf() format stuff,
the compiler doesn't helpfully tell us that I messed up in a previous
commit.

Pointy hat to: adrian, who likely only cares about this because he's the
only one who bothers flipping on net80211 debugging.

Create a new task to handle 802.11n channel width changes.

Currently, a channel width change updates the 802.11n HT info data in
net80211 but it doesn't trigger any device changes. So the device
driver may decide that HT40 frames can be transmitted but the last
device channel set only had HT20 set.

Now, a task is scheduled so a hardware reset or change isn't done
during any active ongoing RX. It also means that it's serialised
with the other task operations (eg channel change.)

This isn't the final incantation of this work, see below.

For now, any unmodified drivers will simply receive a channel
change log entry. A subsequent patch to ath(4) will introduce
some basic channel change handling (by resetting the NIC.)
Other NICs may need to update their rate control information.

TODO:

* There's still a small window at the present moment where the
channel width has been updated but the task hasn't been fired.
The final version of this should likely pass in a channel width
field to the driver and let the driver atomically do whatever
it needs to before changing the channel.

PR: kern/166286

Re-commit this - store the alq payload in network order.

.. revert out a local change that I hadn't yet completely finished fleshing
out and testing.

sorry!

Add a missing endian conversion.

Pull in a dependency on ALQ if it's compiled with IEEE80211_ALQ.

Add missing \n's.

This showed up when testing the wtap module, as it attaches with
no radiotap tx/rx configuration.

Modify HWMP to be able to allocate memory for PREQ/PREP/PERR for all scenarios.

* Added verify_mesh_*_len functions that verify the length
according to the amendment spec and return number of destination addresses
for allocation of appropriate struct size in memory;
* Modified hwmp_recv_action_meshpath to allocate HWMP ie instead of
storing them on the stack and store all available field according the flags;
* Modify hwmp_add_mesh* to work with all cases of HWMP according to amendment.
* Modify hwmp_send_* to calculate correct len of bytes for the HWMP ie.
* Added new M_80211_MESH_* malloc defines.
* Added macros with magic numbers for HWMP ie sizes according to amendment.
* Added the external address to all HWMP ie structs.

Submitted by: monthadar@gmail.com

Oops - used the wrong field.

Noticed by: nwhitehorn

Add the thread id to the net80211 alq records.

This will (hopefully) aid in debugging concurrency related issues.

Fix style(9) issues.

Fix build w/o 'options IEEE80211_SUPPORT_MESH'.

* Introduce new flag for QoS control field;
* Change in mesh_input to validate that QoS is set and Mesh Control field
is present, also both bytes of the QoS are read;
* Moved defragmentation in mesh_input before we try to forward packet as
inferred from amendment spec, because Mesh Control field only present in first
fragment;
* Changed in ieee80211_encap to set QoS subtype and Mesh Control field present,
only first fragment have Mesh Control field present bit equal to 1;

Submitted by: monthadar@gmail.com

* Added IEEE80211_ACTION_CAT_MESH in ieee80211.h as specified amendment spec;
* Moved old categories as specified by D4.0 to be action fields of MESH category
as specified in amendment spec;
* Modified functions to use MESH category and its action fields:
+ ieee80211_send_action_register
+ ieee80211_send_action
+ ieee80211_recv_action_register
+ieee80211_recv_action;
* Modified ieee80211_hwmp_init and hwmp_send_action so they uses correct
action fields as specified in amendment spec;
* Modified ieee80211_parse_action so that it verifies MESH frames.
* Change Mesh Link Metric to use one information element as amendment spec.
Draft 4.0 defined two different information elements for request and response.

Submitted by: monthadar@gmail.com

Attempt to catch scan cancellations at exactly the wrong time from occuring.

The scan code unlocks the comlock and calls into the driver. It then
assumes the state hasn't changed from underneath it.

Although I haven't seen this particular condition trigger, I'd like to
be informed if I or anyone else sees it.

What I'm thinking may occur:

* A cancellation comes in during the scan_end call;
* the cancel flag is set;
* but it's never checked, so scandone isn't updated;
* .. and the interface stays in the STA power save mode.

It's a subtle race, if it even exists.

PR: kern/163318

Only increment is_beacon_bad if we're not scanning.

Otherwise things such as off-channel probe responses and beacons are also
silently discarded and logged against this error counter.

Print out the bogus beacon interval.

Track the number of bad beacons received.

PR: kern/165517

Hold IF_LOCK when manipulating the interface flags.

It doesn't _really_ help all that much, I'll commit something to
sys/net/if.c at some point explaining why, but the lock should be held
when checking/manipulating/branching because of said lock.

Although it's documented that the vap newstate call can drop the
comlock, I'd like to find and analyse these cases to see if they
really are valid.

So, throw in a lock here and wait for the (hopefully!) inevitable
complaints.

Add a radiotap vendor header definition.

Remove redundant forward declaration of struct ieee80211com.

Approved by: bschmidt

Correct the 802.11s mesh configuration structure and related tidbits.

* Change the mesh IE size to be IEEE80211_MESH_CONF_SZ rather than the
size of the structure;
* conf_cap is now a uint8_t rather than a uint16_t (uint16_t in D3.0,
uint8_t in the amendment spec);
* Update mesh config capability bits - earlier bits were from draft X,
current is amendment spec;
* Update the following to be an enum rather than #define and added
a VENDOR entry too from the amendment spec;
IEEE80211_MESHCONF_PATH_*
IEEE80211_MESHCONF_METRIC_*
IEEE80211_MESHCONF_CC_*
IEEE80211_MESHCONF_SYNC_*
IEEE80211_MESHCONF_AUTH_*
* Kept IEEE80211_MESHCONF_FORM_* and IEEE80211_MESHCONF_CAP_* as
defines because they are defined in a way that we need to mask in/out
information;
* In IEEE80211_MESHCONF_CAP_* IEEE80211_MESHCONF_CAP_TBTTA is removed
and 0x80 is made reserved as defined in the amendment spec.

Submitted by: monthadar@gmail.com
Reviewed by: rpaulo

Update the 802.11s IE numbers to represent the latest 802.11 amendment standard.

Submitted by: monthadar@gmail.com
Reviewed by: rpaulo

Update the mesh reason codes to match the latest 802.11s specification.

Submitted by: <monthadar@gmail.com>
Reviewed by: rpaulo

Whitespace removal.

Add a DFS debugging mode which is useful when doing automated DFS
compliance testing.

In order to allow for radar pattern matching to occur, the DFS CAC/NOL
handling needs to be made configurable. This commit introduces a new
sysctl, "net.wlan.dfs_debug", which controls which DFS debug mode
net80211 is in.

* 0 = default, CSA/NOL handling as per normal.
* 1 = announce a CSA, but don't add the channel to the non-occupy list
(NOL.)
* 2 = disable both CSA and NOL - only print that a radar event occured.

This code is not compiled/enabled by default as it breaks regulatory
handling. A user must enable IEEE80211_DFS_DEBUG in their kernel
configuration file for this option to become available.

Obtained from: Atheros

Missing code for receiving MESH PREP that should be part of r230409.

Submitted by: <monthadar@gmail.com>

Mark the taskqueue as the _net80211_ taskqueue.

This makes it much easier to determine whether an event occurs in the
net80211 taskqueue (which was called "ath0 taskq") or the ath driver
taskqueue (which is also called "ath0 taskq".)

Fix the hwmp code to handle nodes in a "line" topology.

For example, this particular topology didn't work correctly from all
nodes:

[A] - [B] - [C] - [D]

Submitted by: Monthadar Al Jaberi <monthadar@gmail.com>
Reviewed by: bschmidt, adrian

Change the hwmp debugging to use %6D rather than ether_sprintf().

This allows for multiple MAC addresses to be printed on the same
debugging line. ether_sprintf() uses a static char buffer and
thus isn't very useful here.

Submitted by: Monthadar Al Jaberi <monthadar@gmail.com>

Fix the situation where net80211 is built with IEEE80211_SUPPORT_TDMA but a module
is used.

Although the module _builds_, it fails to load because of a missing symbol from
ieee80211_tdma.c.

Specifics:

* Always build ieee80211_tdma.c in the module;
* only compile in the code if IEEE80211_SUPPORT_TDMA is defined.

Add the ability to kick an existing mesh node without waiting for it
to time out.

Submitted by: Monthadar Al Jaberi <monthadar@gmail.com>

Add the MCS radiotype entry.

Add in the vendor extension bit in the radiotap header.

Correct comment for the IPv6 case to say "traffic class" not "TOS"
as pointed out back in 2009.

MFC after: 3 days

MCS32 equals 32, not 8*ic_txstream.

Remove now redundant mac argument.

Discussed with: adrian@

Fix some net80211 enum nits:
- ic_vap_create() uses an ieee80211_opmode argument
- ieee80211_rate2media() takes an ieee80211_phymode argument
- ieee80211_plcp2rate() takes an ieee80211_phytype argument
- cast to enum ieee80211_protmode and ieee80211_roamingmode to silence
compiler warnings

Submitted by: arundel@

Modify the ACL code slightly to support a few nifty things:

* Call it before sending probe responses, so the ACL code has the
chance to reject sending them.

* Pass the whole frame to the ACL code now, rather than just the
destination MAC - that way the ACL module can look at the frame
contents to determine what the response should be.

This is part of some uncommitted work to support band steering.

Sponsored by: Hobnob, Inc.

.. add missing include from an incorrect merge.

Sponsored by: Hobnob, Inc.

Reject frames in STA mode which are not destined to the local STA address.

Some hardware (eg the AR9160 in STA mode) seems to "leak" unicast FROMDS
frames which aren't destined to itself. This angers the net80211 stack -
the existing code would fail to find an address in the node table and try
passing the frame up to each vap BSS. It would then be accepted in the
input routine and its contents would update the local crypto and sequence
number state.

If the sequence number / crypto IV replay counters from the leaked frame
were greater than the "real" state, subsequent "real" frames would be
rejected due to out of sequence / IV replay conditions.

This is also likely helpful if/when multi-STA modes are added to net80211.

Sponsored by: Hobnob, Inc.

Add 802.11h quiet time element support into net80211.

This supports both station and hostap modes:

* Station mode quiet time element support listens to quiet time
IE's and modifies the local quiet time configuration as appropriate;
* Hostap mode both obeys the locally configured quiet time period
and includes it in beacon frames so stations also can obey as needed.

Submitted by: Himali Patel <himali.patel@sibridgetech.com>
Sponsored by: Sibridge Technologies

Mark all SYSCTL_NODEs static that have no corresponding SYSCTL_DECLs.

The SYSCTL_NODE macro defines a list that stores all child-elements of
that node. If there's no SYSCTL_DECL macro anywhere else, there's no
reason why it shouldn't be static.

Mark MALLOC_DEFINEs static that have no corresponding MALLOC_DECLAREs.

This means that their use is restricted to a single C file.

Include the tid when printing out crypto replay errors.

I found this useful when trying to debug the AR9160 STA RX filter issue -
I'd get crypto reply errors but it wasn't entirely clear which TID it
was for.

Fix an unused variable warning/error when invariants isn't enabled.

Reported by: bz

Fix a panic in the wifi stack when a software beacon miss occurs in the wrong state.

The ieee80211_swbmiss() callout is not called with the ic lock held, so it's
quite possible the scheduler will run the callout during a state change.

This patch:

* changes the swbmiss callout to be locked by the ic lock
* enforces the ic lock being held across the beacon vap functions
by grabbing it inside beacon_miss() and beacon_swmiss().

This ensures that the ic lock is held (and thus the VAP state
stays constant) during beacon miss and software miss processing.
Since the callout is removed whilst the ic lock is held, it also
ensures that the ic lock can't be called during a state change
or exhibit any race conditions seen above.

Both Edgar and Joel report that this patch fixes the crash and
doesn't introduce new issues.

Reported by: Edgar Martinez <emartinez@kbcnetworks.com>
Reported by: Joel Dahl <joel@vnode.se>
Reported by: emaste

This patch fixes beacon frame sequence number generation. The code
didn't set a sequence number; it didn't show up earlier because the
hardware most people use for hostap (ie, AR5212 series stuff) sets the
sequence numbers up in hardware. Later hardware (AR5416, etc) which
can do 11n and aggregation require sequence numbers to be generated in
software.

Submitted by: paradyse@gmail.com
Approved by: re (kib)

Correctly handle BAR TX failures.

On a TX failure, ic_raw_xmit will still call ieee80211_node_free().
There's no need to call it here.

Submitted by: moonlightakkiy@yahoo.ca
Approved by: re (kib)

Fix BAR frame TX completion - successful transmission is indicated
by a status of 0.

Approved by: re (kib)

When setting a fixed channel on adapters with 11n support the scan
channel list ends up with 2 entries, the HT and the legacy channel.
The scan itself is currently always done at legacy rates so we end
up receiving scan results for legacy networks on the HT channel and
erroneously assigning the BSS to the 11n channel. As the channel's
capabilities are used to setup the adapter we might end up with
non-working settings and/or firmware crashes.

Fix this by ensuring that scan results received on a HT channel
are only assigned to that channel if the htcap IE is available,
else use the legacy channel equivalent.

Tested by: Pawel Worach, Raoul Megelas, Maciej Milewski,
Andrei <az at azsupport dot com>
Approved by: re (kib)

Fix brokenness introduced by my last commit.

Approved by: re (implicit)

This sets the BSS channel for each VAP for the given interface.
It's only relevant in STA mode.

The CSA forces a channel switch for the interface, but doesn't update
the VAP channel.

Approved by: re (bz)

Fix memset sizeofs

Reviewed by: bschmidt

Print out a big warning if DFS can't find a channel to use.
This way people debugging DFS won't be surprised when their
AP stops talking.

Add a callback for ADDBA response timeouts.

TX for the given TID needs to be paused during ADDBA requests (and unpaused
once the session is established.) Since net80211 currently doesn't implement
software aggregation, if this pause/unpause is done in the driver (as it
is in my development branch) then it will need to be unpaused both on
ADDBA response and on ADDBA timeout.

This callback allows the driver to unpause TX for the relevant TID.

Reviewed by: bschmidt

Change i_len in ieee80211req to be unsigned and fix other signed/unsigned
issues.

Reviewed by: bschmidt
Obtained from: NetBSD

Certain adapters have HT40 support on some but not all channels. The
Intel 4965 devices for example have HT40 on 2GHz completely disabled
but it is still supported for 5GHz. To handle that in sta mode we
need to check if we can "upgrade" to a HT40 channel after the
association, if that is not possible but we are still announcing
support to the remote side we are left with a very flabby connection.

Reviewed by: adrian

Data frames sent over the mgmt path might be part of a TX aggr session
too. In that case don't fiddle with the seqno as drivers are supposed
to handle that.

Currently only the powersave feature does sent QoS-null-data frames
before and after a background scan which must be handled correctly. Due
to this being quite rare we don't fiddle around with starting of aggr
sessions.

Fix typo, it is MPDU not MDPU.

Fix up the net80211 alq logging - this commit makes it usable.

* revert a local path change that shouldn't have made it to the commit
* fix some indenting/wrapping

* Fix the ale data copy - i should be copying into the ale data pointer,
not over the ale entry itself.

net80211 alq bugfixes:

* Track number of logged operations
* call alq_post() so things are logged
* network order things

Fix some corner cases in the net80211 sequence number retransmission
handling.

The current sequence number code does a few things incorrectly:

* It didn't try eliminating duplications from HT nodes. I guess it's assumed
that out of order / retransmission handling would be handled by the AMPDU RX
routines. If a HT node isn't doing AMPDU RX, then retransmissions need to
be eliminated. Since most of my debugging is based on this (as AMPDU TX
software packet aggregation isn't yet handled), handle this corner case.

* When a sequence number of 4095 was received, any subsequent sequence number
is going to be (by definition) less than 4095. So if the following sequence
number (0) doesn't initially occur and the retransmit is received, it's
incorrectly eliminated by the IEEE80211_FC1_RETRY && SEQ_LEQ() check.
Try to handle this better.

This almost completely eliminates out of order TCP statistics showing up during
iperf testing for the 11a, 11g and non-aggregate 11n AMPDU RX case. The only
other packet loss conditions leading to this are due to baseband resets or
heavy interference.

We need in.h for both INET and INET6, as according to RFC 3493 it
defines struct in6_addr, which is needed by ip6_hdr used in here.

Reviewed by: gnn
Sponsored by: The FreeBSD Foundation
Sponsored by: iXsystems
MFC after: 5 days

Revert r220907 and r220915.

Changing the size of struct ieee80211_mimo_info changes
the STA info data, breaking ifconfig in general.

Implement very basic ALQ logging for net80211.

This is destined to be a lightweight and optional set of ALQ
probes for debugging events which are just impossible to debug
with printf/log (eg packet TX/RX handling; AMPDU handling.)

The probes and operations themselves will appear in subsequent
commits.

Change the MIMO userland export ABI to include flags, number of radio chains,
extended EVM statistics and EXT channel data.

ifconfig still displays 3 chains worth of ctl noise/rssi.

Re-add the pad[2] I deleted by accident.

Add initial support for MIMO statistics to net80211.

This introduces struct ieee80211_rx_stats - which stores the various kinds
of RX statistics which a MIMO and non-MIMO 802.11 device can export.

It also fleshes out the mimo export to userland (node_getmimoinfo()).

It assumes that MIMO radios (for now) export both ctl and ext channels.
Non-11n MIMO radios are possible (and I believe Atheros made at least
one), so if that chipset support is added, extra flags to the
struct ieee80211_rx_stats can be added to extend this support.

Two new input functions have been added - ieee80211_input_mimo() and
ieee80211_input_mimo_all() - which MIMO-aware devices can call with
MIMO specific statistics.

802.11 devices calling the non-MIMO input functions will still function.

Fix a WME corner case found by the FreeBSD 802.11n testing crew.

The symptom: sometimes 11n (and non-11n) throughput is great.
Sometimes it isn't. Much teeth gnashing occured, and much kernel
bisecting happened, until someone figured out it was the order
of which things were rebooted, not the kernel versions.
(Which was great news to me, it meant that I hadn't broken if_ath.)

What we found was that sometimes the WME parameters for the best-effort
queue had a burst window ("txop") in which the station would be allowed
to TX as many packets as it could fit inside that particular burst
window. This improved throughput.

After initially thinking it was a bug - the WME parameters for the
best-effort queue -should- have a txop of 0, Bernard and I discovered
"aggressive mode" in net80211 - where the WME BE queue parameters
are changed if there's not a lot of high priority traffic going on.
The WME parameters announced in the association response and beacon
frames just "change" based on what the current traffic levels are.
So in fact yes, the STA was acutally supposed to be doing this higher
throughput stuff as it's just meant to be configuring things based on
the WME parameters - but it wasn't.

What was eventually happening was this:

* at startup, the wme qosinfo count field would be 0;
* it'd be parsed in ieee80211_parse_wmeparams();
* and it would be bumped (to say 10);
* .. and the WME queue parameters would be correctly parsed and set.

But then, when you restarted the assocation (eg hostap goes away and
comes back with the same qosinfo count field of 10, or if you
destroy the sta VIF and re-create it), the WME qosinfo count field -
which is associated not to the VIF, but to the main interface -
wouldn't be cleared, so the queue default parameters would be used
(which include no burst setting for the BE queue) and would remain
that way until the hostap qosinfo count field changed, or the STA
was actually rebooted.

This fix simply cleares the wme capability field (which has the count
field) to 0, forcing it to be reset by the next received beacon.

Thanks go to Milu for finding it and helping me track down what was
going on, and Bernard Schmidt for working through the net80211 and
WME specific magic.

Constantly use MHz instead of Mhz.

Pointed out by: N.J. Mann <njm at njm.me.uk>

When injecting frames a temporary node is faked, during this several
uses of ic_curchan occur. Due to the nature of a scan, switching
channels constantly and all this happening without any kind of locks
held, it might happen that ic_curchan points to nowhere leading to
panics. Fix this by not allowing frame injections while in SCAN state.

Tested by: Paul B. Mahol <onemda at gmail.com>

Fix a cut&paste error while parsing htcap/htinfo elements. This one is
reponsible for not filling ni_htrates if a pre-ht information element is
present.

Honor device capabilities while initializing ni_htrates.

Instead of hardcoding MCS0-15 generate the table dynamically, also
restrict the MCS rates to our own capabilities while parsing a htcap
element.

Fix rmax calculation during BSS selection.

If multiple networks are available the max bandwidth is one
condition used for selecting the "best" BSS. To achieve that
we should consider all parameters which affect the max RX rate.
This includes 20/40MHz, SGI and the of course the MCS set.

If the TX MCS parameters are available we should use those,
because an AP announcing support for receiving frames at 450Mbps
might only be able to transmit at 150Mbps (1T3R). I haven't seen
devices with support for transmitting at higher rates then
receiving, so prefering TX over RX information should be safe.

While here, remove the hardcoded assumption that MCS15 is the max
possible MCS rate, use MCS31 instead which really is the highest
rate (according to the 802.11n std). Also, fix a mismatch of an
40MHz/SGI check.

Fill hc_mcsset completely.

Contrary to the rateset information in legacy frames the MCS Set
field also contains TX capability information in cases where the
number of available TX and RX spartial streams differ. Because a
rateset doesn't contain that information we have to pull the
those directly from the hardware capabilities.

While determining the maxrate for ieee80211_media_setup() honor
the device capabilities.

Change the way HT capatibilities are announced.

Get rid of the assumption that every device is capable of 40MHz,
SGI and 2 spartial streams. Instead of printing, in the worst case,
8 times 76 MCS rates, print logically connect ranges and the
support RX/TX streams.

A device without 40MHz and SGI support looks like:
ath0: 2T2R
ath0: 11na MCS 20Mhz
ath0: MCS 0-7: 6.5Mbps - 65Mbps
ath0: MCS 8-15: 13Mbps - 130Mbps
ath0: 11ng MCS 20Mhz
ath0: MCS 0-7: 6.5Mbps - 65Mbps
ath0: MCS 8-15: 13Mbps - 130Mbps

First step on removing the harcoded RX/TX stream and MCS0-15 assumptions.

Initialize ic_rxstream/ic_txstream with 2, for compatibility reasons.
Introduce 4 new HTC flags, which are used in addition to ic_rxstream
and ic_txstream to compute the hc_mcsset content and also for initializing
ni_htrates. The number of spatial streams is enough to determine support
for MCS0-31 but not for MCS32-76 as well as some TX parameters in the
hc_mcsset field.

Complete the MCS rate table based on the final 802.11n std. While here
adjust the IEEE80211_HTRATE_MAXSIZE constant, only MCS0 - 76 are valid
the other bits in the mcsset IE (77 - 127) are either reserved or used
for TX parameters.

Fix typos - remove duplicate "is".

PR: docs/154934
Submitted by: Eitan Adler <lists at eitanadler.com>
MFC after: 3 days

Make sure to only accept and handle action frames which are for us. In
promiscuous mode we might receive stuff which otherwise gets filtered
by hardware.

It is IEEE80211_SUPPORT_XXX not IEEE80211_XXX_SUPPORT.

Add a new mgmt subtype "ACTION NO ACK" defined in 802.11n-2009, while here
clean up parts of the *_recv_mgmt() functions.
- make sure appropriate counters are bumped and debug messages are printed
- order the unhandled subtypes by value and add a few missing ones
- fix some whitespace nits
- remove duplicate code in adhoc_recv_mgmt()
- remove a useless comment, probably left in while c&p

Default to the lowest negotiated rate for mgmt/multicast traffic in 11n mode

The current code transmits management and multicast frames at MCS 0.
What it should do is check whether the negotiated basic set is zero (and
the MCS set is not) before making this decision.

For now, simply default to the lowest negotiated rate, rather than
MCS 0. This fixes the behaviour with at least the DLINK DIR-825, which
ACKs but silently ignores block-ack (BA) response frames.

Instead of always returning 0 to a scan request, indicate if there is
one running already.

MFC after: 1 month

Change return code semantics of start_scan_locked(). Instead of reporting
if a scan is running, report if a scan has been started. The return value
itself is not (yet) used anywhere in the tree and it is also not exported
to userspace.

MFC after: 1 month

Honor the IEEE80211_SCAN_BGSCAN flag, which makes it possible to actually
request a background scan using IEEE80211_IOC_SCAN_BGSCAN.

MFC after: 1 month

Jump to the next element and not to an arbitrary point. frm[1] contains
the element's data length, frm[2] is the first byte of the element's data.

Submitted by: Monthadar Al Jaberi <monthadar at gmail.com>
MFC after: 1 week

Specify a CTLTYPE_FOO so that a future sysctl(8) change does not need
to rely on the format string. For SYSCTL_PROC instances that I
noticed a discrepancy between the CTLTYPE and the format specifier,
fix the CTLTYPE.

Pull ieee80211_ratectl_node_init() calls from drivers into net80211.
This fixes hostap mode for at least ral(4) and run(4), because there is
no sufficient call into drivers which could be used initialize the node
related ratectl variables.

MFC after: 3 days

sysctl(9) cleanup checkpoint: amd64 GENERIC builds cleanly.

Commit the net* piece.

The meshid element is memcpy()'ed into se_meshid if included in either
beacon or probe-response frames. Fix the condition by checking for the
the array's content instead of the always existing array itself.

Reviewed by: rpaulo, stefanf
MFC after: 3 days

The ni_rctls checks are used to verify that a ratectl algo has set up
its internal data. This has been used to bypass missing calls in drivers
which do not use the ratectl framework correctly. Issue is, not all algos
use that variable, or even have internal data, therefore valid calls are
not done. Fix this by removing the checks, all driver issues should be
resolved.

MFC after: 1 week

Some device drivers calculate various timing related things based on
the currently selected rate. The calculations of course need a valid
rate. To make that possible before any call to node_rate() is done,
initialize ni_txrate on none_node_init() calls.

MFC after: 1 week

Instead of using the AMRR ratectl algo as default for drivers which have
the IEEE80211_C_RATECTL flag set, default to NONE for all drivers. Only if
a driver calls ieee80211_ratectl_init() check if the NONE algo is still
selected and try to use AMRR in that case. Drivers are still free to use
any other algo by calling ieee80211_ratectl_set() prior to the
ieee80211_ratectl_init() call.

After this change it is now safe to assume that a ratectl algo is always
available and selected, which renders the IEEE80211_C_RATECTL flag pretty
much useless. Therefore revert r211314 and 211546.

Reviewed by: rpaulo
MFC after: 2 weeks

Fix an undefined behaviour if the desired ratectl algo is not available.
This can happen if the algos are built as modules but are not loaded. If
the selected ratectl algo is not available, try to load it (The load
module functions does nothing currently). Add a dummy ratectl algo which
always selects the first available rate. Use that one if the desired algo
is not available.

MFC after: 1 week

Fix background roaming to actually work in AUTO roaming mode.

IEEE80211_F_BGSCAN is a vap flag, not a channel flag. So although bgscan
occured, sta_roam_check() would never be called.

Wrap remaining ieee80211_ratectl_node_init() calls missed in r211314.

MFC after: 1 week

Introduce IEEE80211_C_RATECTL, drivers which use the ratectl framework
should set this capability.

MFC after: 2 weeks

Initialize ni_txrate after txparams have been setup. Some drivers
calculate various things prior to association based on ni_txrate and
rely on it being nonzero.

PR: kern/149185
MFC after: 2 weeks

- Introduce IEEE80211_KEY_NOREPLAY, a per-key flag to ignore replay
violations.
- Use SIOCGIFMEDIA to determine VAP's opmode, cache it and set
IEEE80211_KEY_NOREPLAY for AHDEMO and IBSS.

Approved by: rpaulo (mentor)

Remove GNU-style struct initialization.

Spotted by: clang
Approved by: rpaulo

Fixing compilation bustage by adding the missing && back.

Some odd APs send beacons on the same TX queue as non-beacons. This breaks
802.11 duplicate detection. Upon looking at the standard, we discover
that 802.11-2007 says:
"A receiving QoS STA is also required to keep only the most recent
cache entry per<Address 2, TID, sequence-number> triple, storing only
the most recently received fragment number for that triple. A receiving
STA may omit tuples obtained from broadcast/multicast or ATIM frames
from the cache."

To fix this, we just disable duplicate detection for multicast/broadcast
frames.

Reviewed by: sam
MFC after: 4 weeks
Obtained from: DragonFly

Add missing braces.

Submitted by: sam
MFC after: 3 days

Fix resource leaks in ieee80211_ioctl_setchanlist() in case of error.

Found with: Coverity Prevent(tm)
CID: 4115
MFC after: 3 days

Compare the address of the array, not the array.

Found with: Coverity Prevent(tm)
CID: 3690
MFC after: 3 days

Don't reference null pointer in hwmp_recv_preq().

Found with: Coverity Prevent(tm)
CID: 3912
MFC after: 3 days

Properly initialize stack variable sr in setmlme_assoc_adhoc().

Found with: Coverity Prevent(tm)
CID 4365
MFC after: 3 days

Add new tunable 'net.link.ifqmaxlen' to set default send interface
queue length. The default value for this parameter is 50, which is
quite low for many of today's uses and the only way to modify this
parameter right now is to edit if_var.h file. Also add read-only
sysctl with the same name, so that it's possible to retrieve the
current value.

MFC after: 1 month

Decrement rxa_pad due to the addition of rxa_private.

Add a private field to struct ieee80211_rx_ampdu do hold driver specific
data.

Sponsored by: iXsystems, inc

Add ic_rxstream and ic_txstream. These variables hold the number of RX
streams and the number of TX streams respectively.

Obtained from: //depot/user/rpaulo/80211n/...
Sponsored by: iXsystems, inc.

When in the RUN -> AUTH -> RUN FSM transition happens, we'll call the
ratectl_node_init() functions and since ni_rtctls was already
malloc'ed() we will panic. Fix this by using the already malloc'ed
pointer.

Found by: bschmidt
Reviewed by: bschmidt

Fix typo. No functional change.

Obtained from: DragonFlyBSD

Make this code a little more portable by wrapping the mtx calls into
macros.

MFC after: 1 week

Add WPA-None support:
* WPA-None requires ap_scan=2:
The major difference between ap_scan=1 (default) and 2 is, that no
IEEE80211_IOC_SCAN* ioctls/functions are called, though, there is a
dependency on those. For example the call to wpa_driver_bsd_scan()
sets the interface UP, this never happens, therefore the interface
must be marked up in wpa_driver_bsd_associate(). IEEE80211_IOC_SSID
also is not called, which means that the SSID has not been set prior
to the IEEE80211_MLME_ASSOC call.
* WPA-None has no support for sequence number updates, it doesn't make
sense to check for replay violations..
* I had some crashes right after the switch to RUN state, issue is
that sc->sc_lastrs was not yet defined.

Approved by: rpaulo (mentor)
MFC after: 3 weeks

Use M_NOWAIT instead of M_WAITOK to avoid race conditions.

MFC after: 1 month

Swap IEEE80211_RATECTL_TX_SUCCESS/IEEE80211_RATECTL_TX_FAILURE.

Submitted by: PseudoCylon Furukoshi <moonlightakkiy at yahoo.ca>
MFC after: 1 month

Prevent foot-shooting in ieee80211_ratectl_node_deinit().

MFC after: 1 month

Fix build.

Pointy hat: me
MFC after: 1 month

net80211 rate control framework (net80211 ratectl).

This framework allows drivers to abstract the rate control algorithm and
just feed the framework with the usable parameters. The rate control
framework will now deal with passing the parameters to the selected
algorithm. Right now we have AMRR (the default) and RSSADAPT but there's
no way to select one with ifconfig, yet.
The objective is to have more rate control algorithms in the net80211
stack so all drivers[0] can use it. Ideally, we'll have the well-known
sample rate control algorithm in the net80211 at some point so all
drivers can use it (not just ath).

[0] all drivers that do rate control in software, that is.

Reviewed by: bschmidt, thompsa, weyongo
MFC after: 1 months

Constify vap argument of ieee80211_{note,discard}* functions.

MFC after: 1 week

Add a comment explaining the previous commit.

Submitted by: sam
> Description of fields to fill in above: 76 columns --|
> PR: If a GNATS PR is affected by the change.
> Submitted by: If someone else sent in the change.
> Reviewed by: If someone else reviewed your modification.
> Approved by: If you needed approval for this commit.
> Obtained from: If the change is from a third party.
> MFC after: N [day[s]|week[s]|month[s]]. Request a reminder email.
> Security: Vulnerability reference (one per line) or description.
> Empty fields above will be automatically removed.

M ieee80211_hostap.c

When receiving a management frame, pass the mbuf to bpf before calling
iv_recv_mgmt(). iv_recv_mgmt() will generate management frame responses
and pass them to bpf before the management frame that triggered the
response.

PR: 144323
Submitted by: Alexander Egorenkov <egorenar at gmail.com>
MFC after: 2 weeks
Sponsored by: iXsystems, inc.

Add a new field for extended HT capabilities.

Submitted by: Alexander Egorenkov <egorenar at gmail.com>
MFC after: 2 weeks
Sponsored by: iXsystems, inc.

Unbreak build by removing a code bit that is only related to other code
in my branch.

Fix a couple of bugs with 802.11n:
o Process the BAR frame on the adhoc, mesh and sta modes
o Fix the format of the ADDBA reply frame
o Fix references to the spec section numbers

Also, print the all the MCS rates in bootverbose.

Sponsored by: iXsystems, Inc.
Obtained from: //depot/user/rpaulo/80211n/...

fixes a broken software beacon miss handler. There is a race to check
vap->iv_bmiss_count == 0 in ieee80211_swbmiss because iv_swbmiss_task is
enqueued by taskqueue.

Reviewed by: rpaulo

Ensure that tkip_mixing_phase1() is called after a rekeying event when
useing plain s/w crypto.

Approved by: rpaulo (mentor)
Reviewed by: sam

Revert unwanted changes in revision 203422.

Spotted by: sam

Avoid a null pointer deref when parsing the meshid.

Found with: clang static analyzer

When taking the AMPDU reorder fastpath, need_tap wasn't being
initialized. Initialize on declaration to avoid this.

Found with: clang static analyzer

Call ieee80211_radiotap_rx, not ieee80211_radiotap_tx on sta_input()

PR: 143163
Submitted by: Alexander Egorenkov <egorenar at gmail.com>
MFC after: 3 days

While flushing the multicast filter of an interface, do not zero the relevant
ifmultiaddr structures' reference to the parent interface, unless the parent
interface is really detaching. While here, program only link layer multicast
filters to a wlan's hardware parent interface.

PR: kern/142391, kern/142392
Reviewed by: sam, rpaolo, bms
MFC after: 1 week

Use the iflladdr_event event to keep the mac address on the vap in sync with
the parent wirless interface. If the user passed in a mac address or it was
autogenerated then flag this to avoid trashing it on update.

This will fix wlan+lagg in a post vap world.

Fix bugs introduced in previous commit: off-by-one in add_meshconf() and
big-endian bug on verify_meshconf()

Update mesh code to to D4.0.

Fix #ifdefs so that GCC 4.4 doesn't complain about it.

Reviewed by: rpaulo

Remove extraneous semicolons, no functional changes.

Submitted by: Marc Balmer <marc@msys.ch>
MFC after: 1 week

Fix typo in comment

Submitted by: Paul B Mahol <onemda at gmail.com>

Remove trailing ";" in struct ieee80211_beacon_offsets declaration

Found by: phk's FlexeLint in September
Reviewed by: rpaulo@
MFC after: 1 month

Fix off by one in ieee80211_send_action_register

Found by: phk's FlexeLint in September
Reviewed by: rpaulo@
MFC after: 1 month

The isr_intval in ieee80211req_scan_result structure should be 16 bit.
This makes ifconfig list scan display the correct beacon interval
(previously it would int overflow). As a side effect, this makes the
ieee80211req_scan_result word aligned.

Submitted by: Paul B Mahol <onemda at gmail.com>

Take a step towards removing if_watchdog/if_timer. Don't explicitly set
if_watchdog/if_timer to NULL/0 when initializing an ifnet. if_alloc()
sets those members to NULL/0 already.

Update the route's sequence number upon receiving a RANN.

MFC after: 3 days

The draft spec doesn't say beacon frames need to have a wildcard BSSID,
so remove the mesh code necessary for that.

MFC after: 2 days

Initialize rann_flags properly.

MFC after: 2 days

Don't call the newstate callback as that's dangerous. Rely no ENETRESET
to DTRT.

MFC after: 3 days

Fix a bug in composing PERR frames introduced by latest draft update.

MFC after: 3 days

Implement the missing support for updating the mesh conf number of
neighbors via ieee80211_beacon_notify().

MFC after: 3 days

HWMP fixes, namely:
* fix the processing of RANN frames
* the originator and target addresses were swapped and while it worked
fine, it was not spec compliant.

MFC after: 3 days

Properly initialize the mesh conf capabilities byte.

MFC after: 2 days

Fix a wrong initialization that snuck in the latest commit.

MFC after: 3 days

Another 3.03 draft bit that I missed in the previous 802.11s stack
update. The Mesh Configuration IE has changed quite a bit. Refactor the
code to handle this change.

MFC after: 3 days

Update 802.11s mesh support to draft 3.03. This includes a revised frame
format for peering and changes to the PERR frames.
Note that this is incompatible with the previous code.

Reviewed by: sam
MFC after: 1 week

Revert previous commit and add myself to the list of people who should
know better than to commit with a cat in the area.

Add necessary include.

correct timeout for doing NOL processing; need a ticks-relative value

Obtained from: Marvell
MFC after: 3 days

on transition to SLEEP state mark the station in power save, not awake

MFC after: 3 days

Fix a typo in ifdef mesh support. This would make mesh unworkable if
TDMA support was compiled out.

Approved by: re (kib)

Drain link state event changes posted during vap destroy. This is a
band-aid for the general problem that if_link_state_change can be
called between if_detach and if_free leaving a task queued that has
been free'd.

Spotted by: thompsa
Reviewed by: rwatson
Approved by: re (rwatson)

Merge the remainder of kern_vimage.c and vimage.h into vnet.c and
vnet.h, we now use jails (rather than vimages) as the abstraction
for virtualization management, and what remained was specific to
virtual network stacks. Minor cleanups are done in the process,
and comments updated to reflect these changes.

Reviewed by: bz
Approved by: re (vimage blanket)

fix misplaced #endif that caused tdma handling to be merged with ESS handling
(causing tdma scanning to break)

Approved by: re (kib)

Filter setting IFF_PROMISC on tdma vaps; we don't want the underyling device
to be in promiscuous mode as we have a h/w bssid.

Approved by: re (kib)

Mesh fixes, namely:
* don't clobber proxy entries
* HWMP seq number processing, including discard of old frames
* flush routing table entries based on nexthop
* print route flags in ifconfig
* more debugging messages and comments

Proxy changes submitted by sam.

Approved by: re (kib)

revert OACTIVE part of r195845; instead fix the comment so it does not refer
to the old hack removed in r193312

Approved by: re (implicit)

correct handling of IFF_PROMISC; this should not be pushed to the parent
device except for monitor and ahdemo mode vaps

Reviewed by: rpaulo
Approved by: re (kensmith)

monitor mode vaps are meant to be read-only so they can operate on any
frequency w/o regulatory issues, do this by hooking if_transmit and
if_output with routines that discard all transmits

Reviewed by: thompsa, cbzimmer (intent)
Approved by: re (kensmith)

o kill old code no longer needed after r193312
o count output packets+errors for frames sent through ieee80211_output

Approved by: re (kensmith)

store mesh timers as ticks and sysctls for changing the defaults

Reviewed by: rpaulo
Approved by: re (kib)

Correct handling of keys that already have a hardware/device key index:
this was broken in r183248 when the check of wk_keyix was replaced by
a check of IEEE80211_KEY_DEVKEY (because the flag was clobbered). Define
IEEE80211_KEY_DEVICE to specify flags that are owned by net80211/driver
and use this to preserve IEEE80211_KEY_DEVKEY so we don't ask the driver
for another key index when we already have one.

Testing by: Daniel Thiele, Wes Morgan
Reviewed by: rpaulo
Approved by: re (kib)

More mesh bits, namely:
* bridge support (sam)
* handling of errors (sam)
* deletion of inactive routing entries
* more debug msgs (sam)
* fixed some inconsistencies with the spec.
* decap is now specific to mesh (sam)
* print mesh seq. no. on ifconfig list mesh
* small perf. improvements

Reviewed by: sam
Approved by: re (kib)

Move code that does payload realigment to a new routine, ieee80211_realign,
so it can be reused. While here rewrite the logic to always use a single mbuf.

Reviewed by: rpaulo
Approved by: re (kib)

Build on Jeff Roberson's linker-set based dynamic per-CPU allocator
(DPCPU), as suggested by Peter Wemm, and implement a new per-virtual
network stack memory allocator. Modify vnet to use the allocator
instead of monolithic global container structures (vinet, ...). This
change solves many binary compatibility problems associated with
VIMAGE, and restores ELF symbols for virtualized global variables.

Each virtualized global variable exists as a "reference copy", and also
once per virtual network stack. Virtualized global variables are
tagged at compile-time, placing the in a special linker set, which is
loaded into a contiguous region of kernel memory. Virtualized global
variables in the base kernel are linked as normal, but those in modules
are copied and relocated to a reserved portion of the kernel's vnet
region with the help of a the kernel linker.

Virtualized global variables exist in per-vnet memory set up when the
network stack instance is created, and are initialized statically from
the reference copy. Run-time access occurs via an accessor macro, which
converts from the current vnet and requested symbol to a per-vnet
address. When "options VIMAGE" is not compiled into the kernel, normal
global ELF symbols will be used instead and indirection is avoided.

This change restores static initialization for network stack global
variables, restores support for non-global symbols and types, eliminates
the need for many subsystem constructors, eliminates large per-subsystem
structures that caused many binary compatibility issues both for
monitoring applications (netstat) and kernel modules, removes the
per-function INIT_VNET_*() macros throughout the stack, eliminates the
need for vnet_symmap ksym(2) munging, and eliminates duplicate
definitions of virtualized globals under VIMAGE_GLOBALS.

Bump __FreeBSD_version and update UPDATING.

Portions submitted by: bz
Reviewed by: bz, zec
Discussed with: gnn, jamie, jeff, jhb, julian, sam
Suggested by: peter
Approved by: re (kensmith)

Fix inline function declaration and prototype.

Approved by: re (kensmith)

Implementation of the upcoming Wireless Mesh standard, 802.11s, on the
net80211 wireless stack. This work is based on the March 2009 D3.0 draft
standard. This standard is expected to become final next year.
This includes two main net80211 modules, ieee80211_mesh.c
which deals with peer link management, link metric calculation,
routing table control and mesh configuration and ieee80211_hwmp.c
which deals with the actually routing process on the mesh network.
HWMP is the mandatory routing protocol on by the mesh standard, but
others, such as RA-OLSR, can be implemented.

Authentication and encryption are not implemented.

There are several scripts under tools/tools/net80211/scripts that can be
used to test different mesh network topologies and they also teach you
how to setup a mesh vap (for the impatient: ifconfig wlan0 create
wlandev ... wlanmode mesh).

A new build option is available: IEEE80211_SUPPORT_MESH and it's enabled
by default on GENERIC kernels for i386, amd64, sparc64 and pc98.

Drivers that support mesh networks right now are: ath, ral and mwl.

More information at: http://wiki.freebsd.org/WifiMesh

Please note that this work is experimental. Also, please note that
bridging a mesh vap with another network interface is not yet supported.

Many thanks to the FreeBSD Foundation for sponsoring this project and to
Sam Leffler for his support.
Also, I would like to thank Gateworks Corporation for sending me a
Cambria board which was used during the development of this project.

Reviewed by: sam
Approved by: re (kensmith)
Obtained from: projects/mesh11s

mark struct ieee80211req_maclist packed so sizeof works as intended on arm;
fixes "list mac"

Approved by: re (kensmith)

correctly set the tailq ptr when removing the last item in the q

Approved by: re (kensmith)

Add ieee80211_ageq; a facility for staging packets that require
long-term work before they can be serviced. Packets are tagged and
assigned an age (in seconds) at the point they are added to the
queue. If a packet is not retrieved before it's age expires it is
reclaimed. Tagging can take two forms: a reference to an ieee80211_node
(as happens in the tx path) or an opaque token in cases where there
is no reference or the node structure is not stable (i.e. it's going
to be destroyed).

o add ic_stageq to replace the per-node wds staging queue used for
dynamic wds
o add ieee80211_mac_hash for building ageq tokens; this computes a
32-bit hash from an 802.11 mac address (copied from the bridge)
o while here fix a stray ';' noticed in IEEE80211_PSQ_INIT

Reviewed by: rpaulo
Approved by: re (kensmith)

Revamp 802.11 action frame handling:
o add a new facility for components to register send+recv handlers
o ieee80211_send_action and ieee80211_recv_action now use the registered
handlers to dispatch operations
o rev ieee80211_send_action api to enable passing arbitrary data
o rev ieee80211_recv_action api to pass the 802.11 frame header as it may
be difficult to locate
o update existing IEEE80211_ACTION_CAT_BA and IEEE80211_ACTION_CAT_HT handling
o update mwl for api rev

Reviewed by: rpaulo
Approved by: re (kensmith)

Modify most routines returning 'struct ifaddr *' to return references
rather than pointers, requiring callers to properly dispose of those
references. The following routines now return references:

ifaddr_byindex
ifa_ifwithaddr
ifa_ifwithbroadaddr
ifa_ifwithdstaddr
ifa_ifwithnet
ifaof_ifpforaddr
ifa_ifwithroute
ifa_ifwithroute_fib
rt_getifa
rt_getifa_fib
IFP_TO_IA
ip_rtaddr
in6_ifawithifp
in6ifa_ifpforlinklocal
in6ifa_ifpwithaddr
in6_ifadd
carp_iamatch6
ip6_getdstifaddr

Remove unused macro which didn't have required referencing:

IFP_TO_IA6

This closes many small races in which changes to interface
or address lists while an ifaddr was in use could lead to use of freed
memory (etc). In a few cases, add missing if_addr_list locking
required to safely acquire references.

Because of a lack of deep copying support, we accept a race in which
an in6_ifaddr pointed to by mbuf tags and extracted with
ip6_getdstifaddr() doesn't hold a reference while in transmit. Once
we have mbuf tag deep copy support, this can be fixed.

Reviewed by: bz
Obtained from: Apple, Inc. (portions)
MFC after: 6 weeks (portions)

After cleaning up rt_tables from vnet.h and cleaning up opt_route.h
a lot of files no longer need route.h either. Garbage collect them.
While here remove now unneeded vnet.h #includes as well.

ieee80211_dwds_mcast(): check the correct mbuf ptr after encap.

Rev IEEE80211_IOC_STA_INFO abi: ni_flags grew from 16 bits to 32
bits but isi_state did not follow; expand it to 32 bits and pad to
maintain alignment. Note this is an incompatible change that
requires rebuilding of user applications.

Submitted by: rpaulo, cbzimmer, avatar

make implicit pad visible

use negotiated short gi to calculate the tx rate; using the htcaps
does not take into account local state (e.g. manual disable of sgi)

When associating to an AP we don't know if HT is negotiated until
we receive the AssocResp, so we can only set ni_txparms properly
at that point. To make this possible make node_setuptxparms public
as ieee80211_node_setuptxparms.

protect callouts with the com lock

Prodded by: jhb

add missing calls to ieee80211_dfs_attach/detach

Correct ieee80211_gettid:
o don't increment extracted tid, this was a vestige of IEEE80211_NONQOS_TID
being defined as 0 (w/ real tid's +1)
o handle 4-address frames (add IEEE80211_IS_DSTODS to check if an 802.11
header is DSTODS)

Submitted by: cbzimmer
Reviewed by: avatar

purge dead code

fix big-endian machines

After r193232 rt_tables in vnet.h are no longer indirectly dependent on
the ROUTETABLES kernel option thus there is no need to include opt_route.h
anymore in all consumers of vnet.h and no longer depend on it for module
builds.

Remove the hidden include in flowtable.h as well and leave the two
explicit #includes in ip_input.c and ip_output.c.

do not strip M_MORE_DATA on packets coming through ieee80211_start;
frames coming out of the ps q may have this set and removing it
causes the 802.11 header to not indicate more frames follow which can
result in the sta going to sleep and missing them

prefer callout_schedule

use c99-style initializers

teach ieee80211_classify about ipv6 packets

Reviewed by: bz, rrs

add iv_flags_ht and ic_flags_ht

iv_flags_ext is full, make room by moving HT-related flags to a new
iv_flags_ht word

o add bits for STBC and Greenfield
o fix some comments

reserve node flag bits for a-msdu tx/rx

reserve ioc's for Greenfield and STBC

correct status code returned for ht capability mismatch on assoc/reassoc

o correct/add action frame categories
o add IEEE80211_STATUS_MISSING_HT_CAPS, added in 11n D3.0 spec

add tid param to ieee80211_notify_replay_failure to get the correct rsc

Fix spelling of MAC check for 8.x version of MAC Framework, not noticed due
to a lack of an opt_mac.h include, which I won't add for now as options MAC
will soon move to opt_global.h.

Spotted by: pjd

o station mode channel switch support
o IEEE80211_IOC_CHANSWITCH fixups:
- restrict to hostap vaps
- return EOPNOTSUPP instead of EINVAL when applied to !hostap vap
or to a vap w/o 11h enabled
- interpret count of 0 to mean cancel the current CSA

Reviewed by: rpaulo, avatar

When a channel switch is done to a channel with different operating
characteristics force the stations to re-associate so protocol state
is re-initialized. Note that for 11h/DFS this is irrelevant as channel
changes are never cross-band.

Reviewed by: ctlaw

After a channel switch mark associated stations so they will immediately
be probed as inactive; this more quickly weeds out stations that don't
follow to the new channel.

calls callout_drain(9) to un-schedule a scan timer to prevent a page
fault in softclock.

Submitted by: sam
Reviewed by: jhb, sam (original version), thompsa

remove another vestige of the null if_softc on detach hack

fix typo

partially fix mode setting; this no longer returns an error but still
needs to handle the case where the vap is up+running

Noticed by: "Paul B. Mahol" <onemda@gmail.com>

move if_detach to the top of ieee80211_ifdetach to close various races

Reviewed by: jhb

Remove hack used to deal with ifnet teardown now that if_detach and the
bridge do a better job.
o move ether_ifdetach to the top of ieee80211_detach
o do not clear if_softc at the top of ieee80211_detach; we no longer need
this because we are safeguarded against calls coming back through if_ioctl
o simplify the bpf tracker now that we don't null if_softc

This also fixes an issue where having a bpf consumer active when a vap
is destroyed would cause a crash because bpf referenced free'd memory.

Reviewed by: imp

Fix monitor mode vaps to work as intended:
o track # bpf taps on monitor mode vaps instead of # monitor mode vaps
o spam monitor mode taps on tx/rx
o fix ieee80211_radiotap_rx_all to dispatch frames only if the vap is up
o while here print radiotap (and superg) state in show com

don't dispatch frames to vap's not running

count packets

pad data structures to enable integration of future features w/o abi breakage

distribute sysctl decls so global variables can be made static

o assert TDMA_MAXSLOTS is 2 so noone tries to blindly increase it
o add safety belt in vdetach for failed state block allocation
o fix dynamic change to tdma config; ERESTART may not result in
kicking the state machine so we need to explicitly mark the
beacon for update

Sponsored by:

add ieee80211_isratevalid

Fix handling of devices w/o radiotap support:
o do not attach DLT_IEEE802_11_RADIO unless both tx and rx headers are
present; this is assumed in the capture code paths
o verify the above with asserts in ieee80211_radiotap_{rx,tx}
o add missing checks for active taps before calling ieee80211_radiotap_rx

do internal bpf tracking only for radiotap DLT's

Prepare to distribute sysctl code to reduce global definitions:
o expose net.wlan sysctl node
o expose ieee80211_sysctl_msecs_ticks

Reviewed by: rpaulo, thompsa

Overhaul monitor mode handling:
o replace DLT_IEEE802_11 support in net80211 with DLT_IEEE802_11_RADIO
and remove explicit bpf support from wireless drivers; drivers now
use ieee80211_radiotap_attach to setup shared data structures that
hold the radiotap header for each packet tx/rx
o remove rx timestamp from the rx path; it was used only by the tdma support
for debugging and was mostly useless due to it being 32-bits and mostly
unavailable
o track DLT_IEEE80211_RADIO bpf attachments and maintain per-vap and
per-com state when there are active taps
o track the number of monitor mode vaps
o use bpf tap and monitor mode vap state to decide when to collect radiotap
state and dispatch frames; drivers no longer explicitly directly check
bpf state or use bpf calls to tap frames
o handle radiotap state updates on channel change in net80211; drivers
should not do this (unless they bypass net80211 which is almost always
a mistake)
o update various drivers to be more consistent/correct in handling radiotap
o update ral to include TSF in radiotap'd frames
o add promisc mode callback to wi

Reviewed by: cbzimmer, rpaulo, thompsa

add block ack frame id

add missing type for SYSCTL_PROC items; w/o a type you can view the value
but not change it

correct handling of ctl frames: the sender's address is always i_addr2 for
frames we should expect to process (old code was trying to handle frames
we should never see--like ACK)

Reviewed by: thompsa, cbzimmer

Cancel the scan when going to INIT state. Should do this for other states here
too as once the protocol newstate handler runs the scan has always ended.

Change the curvnet variable from a global const struct vnet *,
previously always pointing to the default vnet context, to a
dynamically changing thread-local one. The currvnet context
should be set on entry to networking code via CURVNET_SET() macros,
and reverted to previous state via CURVNET_RESTORE(). Recursions
on curvnet are permitted, though strongly discuouraged.

This change should have no functional impact on nooptions VIMAGE
kernel builds, where CURVNET_* macros expand to whitespace.

The curthread->td_vnet (aka curvnet) variable's purpose is to be an
indicator of the vnet context in which the current network-related
operation takes place, in case we cannot deduce the current vnet
context from any other source, such as by looking at mbuf's
m->m_pkthdr.rcvif->if_vnet, sockets's so->so_vnet etc. Moreover, so
far curvnet has turned out to be an invaluable consistency checking
aid: it helps to catch cases when sockets, ifnets or any other
vnet-aware structures may have leaked from one vnet to another.

The exact placement of the CURVNET_SET() / CURVNET_RESTORE() macros
was a result of an empirical iterative process, whith an aim to
reduce recursions on CURVNET_SET() to a minimum, while still reducing
the scope of CURVNET_SET() to networking only operations - the
alternative would be calling CURVNET_SET() on each system call entry.
In general, curvnet has to be set in three typicall cases: when
processing socket-related requests from userspace or from within the
kernel; when processing inbound traffic flowing from device drivers
to upper layers of the networking stack, and when executing
timer-driven networking functions.

This change also introduces a DDB subcommand to show the list of all
vnet instances.

Approved by: julian (mentor)

Relax the condition for printing the lost state transition message. The new
state will be set before the EXT_STATEWAIT flag is cleared and its ok to
transition again at that point.

don't say "ac WME_AC_BE"; remove "ac"

promote ieee80211_seq typedef

o dump tx/rx seq#'s for qos tid's
o improve check for when to dump rx ampdu state

whitespace

make superg/fast-frames state dynamically-allocated (and indirect off
the com structure instead of embedded); this reduces the overhead when
not configured and reduces visibility of the contents

Create a taskqueue for each wireless interface which provides a serialised
sleepable context for net80211 driver callbacks. This removes the need for USB
and firmware based drivers to roll their own code to defer the chip programming
for state changes, scan requests, channel changes and mcast/promisc updates.
When a driver callback completes the hardware state is now guaranteed to have
been updated and is in sync with net80211 layer.

This nukes around 1300 lines of code from the wireless device drivers making
them more readable and less race prone.

The net80211 layer has been updated as follows
- all state/channel changes are serialised on the taskqueue.
- ieee80211_new_state() always queues and can now be called from any context
- scanning runs from a single taskq function and executes to completion. driver
callbacks are synchronous so the channel, phy mode and rx filters are
guaranteed to be set in hardware before probe request frames are
transmitted.

Help and contributions from Sam Leffler.

Reviewed by: sam

revert wip

Store the tx seq# of an 802.11 frame in the mbuf pkthdr; this will be
used for s/w retransmit schemes that want to access this information
w/o the overhead of decoding the raw frame. Note this also allows
drivers to record this information w/o writing the frame when the seq#
is obtained through an out-of-band mechanism (e.g. when a h/w assigned
seq# is reported in a descriptor on tx done notification).

Reviewed by: sephe, avatar

add IEEE80211_FEXT_4ADDR to indicate ieee80211_encap should do 4-address
encapsulation when relaying frames; this reduces the cost of the test and
enables use for situations other than "sta vap + dwds"

don't depend on includes to get definitions of struct ieee80211_tx_ampdu
and ieee80211_rx_ampdu; these should've been part of r191552

hoist ampdu tx aggregation setup from ieee80211_encap to ieee80211_start
where it was meant all along (the code was in encap because ampdu was
implemented pre vaps)

allow drivers to hook ampdu rx start/stop

improvements:
o formatting
o more rx ampdu state
o tdma state
o show ifnet names
o show auth policy name

stash the node pointer in the mbuf before doing ff aggregration so this
is done in only one place

whitespace

print both fc bytes when hitting a protocol version mismatch

add iv_recv_ctl method to allow hooking rx ctl frame handling

don't fragment ampdu aggregates

uniformly mark mbufs that pass through the tx path with M_MCAST; drivers
can now use this flag instead of inspecting the contents

o add missing 802.3 bpf tap
o add 802.11 bpf tap to output path now that it's removed from ieee80211_encap

add missing DLT_IEEE802_11 tap

add missing part of r191537 that should have read: hoist DLT_IEEE802_11
bpf tap from ieee80211_encap up to ieee80211_start

fix comment

add missing DLT_IEEE802_11 bpf tap in ieee80211_start

fixup ieee80211_output handling:
o correct bpf handling, send 'em to the right tap
o do accouting
o mark mbufs holding multicast frames

o use shared code to handle bpf tap and mbuf cleanup
o swap conditional order to put the cheapest first

correct bssid reporting for wds vaps

Remove spurious 'or'.

Change if_output to take a struct route as its fourth argument in order
to allow passing a cached struct llentry * down to L2

Reviewed by: rwatson

setup turboA/G fixed rate parameters too; this is needed, in particular,
for turboG operation

correct debug printf

check correct address for a bssid mtch

fix txparms setup for 108G sta's: ieee80211_iserp_rateset does not
identify a station operating in turbo-boost mode because it has a
pure ofdm rate set; add an explicit check for the channel type
instead of depending on IEEE80211_NODE_ERP being set

o add a capability for drivers that require 802.3 encapsulation of
frames passed down through the transmit path
o mark ndis requiring 802.3 encap'd frames

Reviewed by: "Paul B. Mahol" <onemda@gmail.com>, thompsa

fix whitespace

o update dwds mcast handling after hoisting ieee80211_encap: frames need
to be encapsulated before dispatching to the driver
o eliminate M_WDS now that we call ieee80211_encap directly and can supply
the wds vap to indicate a 4-address frame should be created

Hoist 802.11 encapsulation up into net80211:
o call ieee80211_encap in ieee80211_start so frames passed down to drivers
are already encapsulated
o remove ieee80211_encap calls in drivers
o fixup wi so it recreates the 802.3 head it requires from the 802.11
header contents
o move fast-frame aggregation from ath to net80211 (conditional on
IEEE80211_SUPPORT_SUPERG):
- aggregation is now done in ieee80211_start; it is enabled when the
packets/sec exceeds ieee80211_ffppsmin (net.wlan.ffppsmin) and frames
are held on a staging queue according to ieee80211_ffagemax
(net.wlan.ffagemax) to wait for a frame to combine with
- drivers must call back to age/flush the staging queue (ath does this
on tx done, at swba, and on rx according to the state of the tx queues
and/or the contents of the staging queue)
- remove fast-frame-related data structures from ath
- add ieee80211_ff_node_init and ieee80211_ff_node_cleanup to handle
per-node fast-frames state (we reuse 11n tx ampdu state)
o change ieee80211_encap calling convention to include an explicit vap
so frames coming through a WDS vap are recognized w/o setting M_WDS

With these changes any device able to tx/rx 3Kbyte+ frames can use fast-frames.

Reviewed by: thompsa, rpaulo, avatar, imp, sephe

Fix typo in comment.

MFP mesh11s:
Add mesh debugging bit replacing the now deprecated RADKEYS.

o add ic_rt to track the rate table for the current channel; this enables
calculation of packet transmit times to do things like check txop limits
o remove equivalent driver code and convert to use net80211 state

toggling fast-frames requires clocking the state machine

Eliminate ic_myaddr so changing the mac address of a device works correctly:
o remove ic_myaddr from ieee80211com
o change ieee80211_ifattach to take the mac address of the physical device
and use that to setup the lladdr.
o replace all references to ic_myaddr in drivers by IF_LLADDR
o related cleanups (e.g. kill dead code)

PR: kern/133178
Reviewed by: thompsa, rpaulo

o move tdma+superg protocol defs out of public view
o add #ifdef _KERNEL to superg+tdma include files so they can be used
by user code to get the protocol defs

Fix enough bits so that fast frames work again:
o include ath ie in beacon frames
o fix probe response check for including ath ie
o add ieee80211_add_athcap shorthand for ap-side ie additions

dynamic turbo mode is only implemented in sta mode; don't enable it
for other operating modes based on the capability

need to adjust htinfo offset when csa is inserted

adjust tdma ie offset when beacon frame contents changes

shuffle code so things build w/o INVARIANTS or IEEE80211_SUPPORT_SUPERG

Prodded by: several

hide linker set stuff from user space

split Atheros SuperG support out into it's own file that's included only
with a new IEEE80211_SUPPORT_SUPERG option

add linker sets for get/set ioctl handlers so optional net80211
code is isolated

use IEEE80211_SUPPORT_TDMA option to control whether code is
configured; this allows us to remove an #ifdef

Remove leftover comment because we now use a flag to check for associd.

Discussed with: sam

Fix typo in comment.

Use plural in a comment. No functional change.

rate limit printfs for invalid tdma ie contents; probably want this to
be less than 1/sec

Minor cleanups of tdma protocol handling:
o break out version-related code to simplify rev'ing the protocol
o add parameter validation macros so checks that appear multiple places
are consistent (and easy to change)
o add protocol version check when looking for a scan candidate
o improve scan debug output format
o rewrite beacon update handling to calculate a bitmask of changed values
and pass that down through the driver callback so drivers can optimize work
o do slot bounds check before use when parsing received beacons

add the desired channel to the scan list if not already present and
compatible with other scan controls

Add memmove() to the kernel, making the kernel compile with Clang.

When copying big structures, LLVM generates calls to memmove(), because
it may not be able to figure out whether structures overlap. This caused
linker errors to occur. memmove() is now implemented using bcopy().
Ideally it would be the other way around, but that can be solved in the
future. On ARM we don't do add anything, because it already has
memmove().

Discussed on: arch@
Reviewed by: rdivacky

For all files including net/vnet.h directly include opt_route.h and
net/route.h.

Remove the hidden include of opt_route.h and net/route.h from net/vnet.h.

We need to make sure that both opt_route.h and net/route.h are included
before net/vnet.h because of the way MRT figures out the number of FIBs
from the kernel option. If we do not, we end up with the default number
of 1 when including net/vnet.h and array sizes are wrong.

This does not change the list of files which depend on opt_route.h
but we can identify them now more easily.

change tdma slave behaviour: if the channel is locked don't do bmiss handling
(so no scanning/roaming)

Reviewed by: Chris Anderson

display min/max dwell times in msecs in debug msgs

mark nodes created by way of neighbor discovery need to be marked as ERP
so they get the correct tx parameters setup by node_settxparms

o reset aggressive mode flag; it was being left set after marking an
interface down
o only allow the first vap to initialize shared wme parameters

misc cleanup of wme parameter setting

use 1/2 and 1/4 rate phy types to simplify txtime calculation

Add modes for 1/2 and 1/4-width channels so we have separate roaming
and xmit parameters. This makes it possible to use tdma on fractional
channels.
o add IEEE80211_MODE_HALF and IEEE80211_MODE_QUARTER; note these are
band-agnostic (may need revisiting)
o setup all default rates in ic_sup_rates instead of doing it only
for active modes; we need these to calculate the default tx parameters
which are not recalculated after a regulatory update (can't just
recalculate after installing a new channel list because we might
clobber user settings)
o remove special case code in ieee80211_get_suprates; this is now
a candidate for an inline or removal
o add various entries for new modes (roaming+tx params, wme, rate
mapping, scan set setup, country ie construction, tdma, basic rates)

Note these modes are intentionally not visible through if_media.

o looseen abi dependencies on IEEE80211_MODE_MAX by accepting smaller
parameters for IEEE80211_IOC_ROAM and IEEE80211_IOC_TXPARAMS; this
lets us add more modes and still have old apps work
o consolidate loops to remote assumptions about mode ordering

use c99 initializers

o consolidate loops to eliminate assumptions about ordering of modes
o replace 0x80 by IEEE80211_RATE_MCS

Change country ie construction to simplify forthcoming changes:
o use c99 initializer for skipflags
o calculate band flags instead of statically listing them in the table

use c99 initializer

simplify setting up the roaming parameters; writing default parameters only
for active modes hasn't turned out to be useful so just define a const table
and copy it in place

check ptr against NULL

instead of special casing lookups for the 11na/g legacy rate set, just
install the rates once when creating the com structure

add phy types for 1/2 and 1/4-rate modes

remove ic_stats; it was intended to accumulate stats from vaps as they
were reaped but was never used and is inaccessible

strip M_FRAG & co mbufs coming down from ip_output, these flags are
re-used within net80211 to mark 802.11 frags so allowing them to
leak through to the driver caused packets to be dropped in ath

o replace ieee80211_node_reclaim by individual operations to release the
references to iv_bss and the sta table; this is equivalent and causes
direct reclaim of the old bss node when any references in packets inflight
are reclaimed (previously the old node would sit in the bss table until
the inactivity processing reclaimed it)
o remove ieee80211_node_reclaim now that it's only use is gone

Reviewed by: avatar, cbzimmer

Add a ieee80211_waitfor_parent() function that will wait for all deferred
parent interface tasks to complete. This had been added to the ioctl path but
it is also need elsewhere like detach so its safe to teardown.

Reported by: Hans Petter Selasky
Submitted by: sam

improve key index map reclaim debug msg

oops, fix octal escape sequence

remove bogus reference reclaim on the slave-side bss node on beacon miss

fix mis-numbering of IEEE80211_MSG_BITS

when operating as a slave, clear neighbor entries and the peer bss node
on beacon miss

while here, remove a stray pointless write of iv_bmiss_count

clean neighbor entries on beacon miss

correctly fixup iv_des_chan after installing a new channel table; if the
previous channel is now invalid we must set it to IEEE80211_CHAN_ANYC

mark M_LASTFRAG at the last fragment.

Reviewed by: sam
MFC after: 3 weeks

o change _db_show_key to always dump the contents instead of checking
IEEE80211_KEY_DEVKEY
o fix channel power printing (they are signed values)
o add show statab to dump a node table and automatically dump the sta
table of a com structure with /s

o add IEEE80211_KEY_BITS for %b printing of wk_flags
o replace hand-rolled code to print wk_flags
o add display of ni_ucastkey in show sta
o fix \n in _db_show_key

When crafting a media setting w/ an auto (non-fixed) rate mask out the
turbo option in addition to the mode bits; otherwise if the current
channel is a turbo mode channel we'll form an invalid media setting
and the ifmedia_set operation in vap_attach will panic.

While here use C99-style initialization for an array indexed by mode;
this makes it consistent w/ other usage and avoids breakage if we
should ever change the set of modes.

when promoting an 11b channel to 11g do not accept a ``pure G'' (OFDM only)
channel, only accept a real 11g channel; this fixes a problem where we were
wrongly promoting 11b to a Dynamic Turbo G channel which broke scanning on
channel 6

setup default fixed rates for static turbo and 11n;
the 11n rates are pure guess

set ni_txparms for static turbo mode

setup default rate set for static turbo mode

add an assert to verify the number of channels returned by ic_getradiocaps
correlates with the size of the channel array passed down

might want to promote this to be always present to catch for driver errors

change null_getradiocaps to return the actual count of channels instead
of the true number; otherwise the caller may use the count to do things
with the data it should not (e.g. sort the channel table)

Extend channel definition with:
o max antenna gain
o driver private opaque data

Note this grows the size of a channel to 16 bytes; which makes the
default channel table 4Kbytes (up from 3Kbytes).

fix comment

Remove assumptions about the max # channels in ioctl's:
o change ioctl's that pass channel lists in/out to handle variable-size
arrays instead of a fixed (compile-time) value; we do this in a way
that maintains binary compatibility
o change ifconfig so all channel list data structures are now allocated
to hold MAXCHAN entries (1536); this, for example, allows the kernel
to return > IEEE80211_CHAN_MAX entries for calls like IEEE80211_IOC_DEVCAPS

change ic_getradiocaps driver callback to include the max # channels
so callers know the size of the array passed down

o add country codes from Atheros regulatory; these are not listed in
the ISO tables, mark them accordingly
o add sku's for handling 900MHz cards
o add opaque struct defs and change []'s to *'s so this file can be
included w/o requiring all of net80211 to be pulled in
o make CTRY_DEBUG and CTRY_DEFAULT public

o make %b msg bit defines public (to user apps too)
o rename IEEE80211_C_CRYPTO_BITS to IEEE80211_CRYPTO_BITS

fill in ieee channel #'s and max tx power for drivers that work exclusively
with frequencies; this mimics how ieee80211_setregdomain works

add new state bit to indicate when interference is observed on the channel

change IEEE80211_IS_CHAN_OFDM and IEEE80211_IS_CHAN_CCK to return true
for 11g (dynamic CCK/OFDM)

define IEEE80211_CHAN_108A and IEEE80211_CHAN_108G in terms of their
non-turbo names to make the relationship more clear

If the parent up/down task was queued then sync with it before returning from
the vap ioctl. This means that the parent interface should hopefully be up
before we return to userland, it does not depend on the parent init succeeding,
just that it was run.

This fixes wpa_supplicant with ndis and USB where the parent interfaces can be
slow to init.

fix regulatory state check for all vaps' being down; it must be done
before calling the ic_setregdomain callback

add defines for driver-private bits to eliminate use of constants

add missing return that broke WPA1+2 support

Submitted by: "Jared Go" <jared@hobnob.com>

TDMA support for long distance point-to-point links using ath devices:
o add net80211 support for a tdma vap that is built on top of the
existing adhoc-demo support
o add tdma scheduling of frame transmission to the ath driver; it's
conceivable other devices might be capable of this too in which case
they can make use of the 802.11 protocol additions etc.
o add minor bits to user tools that need to know: ifconfig to setup and
configure, new statistics in athstats, and new debug mask bits

While the architecture can support >2 slots in a TDMA BSS the current
design is intended (and tested) for only 2 slots.

Sponsored by: Intel

only mark an infrastructure node to require an associd for xmit; fixes adhoc
mode sta's that join an existing ibss

mark discovered neighbors QoS capable if they advertise wme

follow prevailing style

convert MALLOC/FREE to malloc/free

fix comment

Submitted by: Daan Vreeken

Fix ucastkey teardown for drivers that plumb clear keys or similar
(e.g. ath): we must check the key index and not whether the key
points at a cipher other than "undef". This looks like it's been
broken for a while. Might be worth adding an explicit clear cipher
at some point though this would require changes to the usage of
IEEE80211_KEY_UNDEFINED.

PR: 125906

remove extraneous ';'

Fix definition of IEEE80211_CHAN_MAX; it was defined as 255 but
really was meant to be 256. Adjust usage accordingly and replace
bogus usage of this value in checking IEEE channel #'s.

NB: this causes an ABI change; ifconfig must be recompiled

Replace adhoc checks in ieee80211_start with a per-node flag that
indicates if an association id is required before outbound traffic
is permitted. This cleans up the previous change that broke mcast
traffic "to the stack" in ap mode as a side effect.

Reviewed by: sephe, thompsa, weongyo

Rather than using hidden includes (with cicular dependencies),
directly include only the header files needed. This reduces the
unneeded spamming of various headers into lots of files.

For now, this leaves us with very few modules including vnet.h
and thus needing to depend on opt_route.h.

Reviewed by: brooks, gnn, des, zec, imp
Sponsored by: The FreeBSD Foundation

correct sorting

convert calls to IFQ_HANDOFF to if_transmit

Fix checks for fast frames negotiation. ni_ath_flags holds the
capabilities reported by the ap. These need to be cross-checked
against the local configuration in the vap. Previously we were
only checking the ap capabilities which meant that if an ap reported
it was ff-capable but we were not setup to use them we'd try to do
ff aggregation and drop the frame.

There are a number of problems to be fixed here but applying this
fix immediately as the problem causes all traffic to stop (and has
not workaround).

Reported by: Ashish Shukla

o use the new association callback to notify the driver when joining a bss
in sta and adhoc modes; this should've been done forever ago as most all
drivers use this hook to set per-station transmit parameters such as for
tx rate control
o adjust drivers to remove explicit calls to the driver newassoc method

o re-enable a lock assert
o while here reformat a comment to sync w/ other repot's

Fix joining an 11b BSS: scanning is normally done using 11g channels
(unless explicitly locked to mode 11b) so when we join the bss the
channel attached to the scan cache entry may need to be demoted.

o demote to 11b if the ap is advertising 11b rates
o skip the ap if it's 11b but we're locked to 11g (could consider this
advisory but for now treat it as mandatory)
o handle an odd edge case, if there is a fixed transmit rate for 11g
then the rate check against the 11b ap will fail, try to demote to
11b and retry the rate check

Reviewed by: sephe, thompsa

New ap-side power save implementation; the main change is to allow drivers
to queue frames previously encapsulated on a separate high priority list
that is dispatched before the unencapsulated frames (to preserve order).

move decl up before first use

introduce M_ENCAP flag to mark packets encapsulated w/ an 802.11 header

fix comment that belonged w/ previous commit

change ieee80211_send_probereq to supply raw xmit parameters so it can
control how frames are handled by the driver

change ieee80211_send_nulldata to send a QoS Null Data frame to a
QoS-enabled station; this makes inactivity handling follow the spec
as previously it would probe inactive stations w/ a Null Data (no QoS)
data frame

o change ieee80211_mgmt_output to take a raw xmit parameters block so
the net80211 layer has complete control over the handling of mgt frames
(in particular, the ac, tx rate, and retry count); this also allows us
to purge the M_LINK0 flag that was attached to mbufs to mark them as
needing encryption for shared key auth
o change ieee80211_send_setup to take a tid parameter so it can be used
to setup QoS frames

fix old merge botch that causes gaps in the tx seq# space for QoS frames

Sync BAR frame handling with out of tree work:
o correct BAR frame construction for AMPDU
o retransmit BAR frames until ACK'd or timeout (use tunables to
control behaviour, default is very aggressive)
o defer seq# update until BAR frame is ACK'd
o add BAR response handling callback for driver to interpose and
push new state to device or push pending aggregates

While here also:
o add backpointer to node in the per-tid tx aggregation data structure
o move ampdu tx state setup/teardown work to separate functions

set erp flag and tx parameter state when joining a bss; this allows
drivers to use ni_txparms

honor IEEE80211_CLONE_NOBEACONS for type of vap, not just a sta mode vap

improve inactivity handling debug support

use a private mgt frame recv handler for ahdemo mode instead of an inline
test in the adhoc mode rx path so classes derived from ahdemo mode can
override the default behaviour

expand captured ie's before calling match_bss so they can potentially
be used in the process

change ieee80211_sta_join to take an explicit channel instead of
using the value in the scan parameters; this will be used to fix
issues with 11b operation

o add support for ifconfig wlanX mode foo
o yank useless code for setting fixed rate through media opts: this
mechanism didn't scale to HT rates and couldn't handle multiple bands;
fixed tx rates are set with the IEEE80211_IOC_TXPARAMS ioctl

add debug msgs

fix associd check for adhoc mode

Reviewed by: jhay

ignore IEEE80211_ELEMID_PWRCNSTR when parsing beacon/probe response frames
to avoid counting it as an unknown elemid (we often beacon this so it shows
up as a "false positive")

add 1/2 and 1/4 channel flags to IEEE80211_CHAN_ALL so that operations
like ieee80211_find_channel are more useful

add/improve debug msgs

Revert the removal of the MALLOC and FREE macros from the net80211 code.

Requested by: sam

Retire the MALLOC and FREE macros. They are an abomination unto style(9).

MFC after: 3 months

Step 1.5 of importing the network stack virtualization infrastructure
from the vimage project, as per plan established at devsummit 08/08:
http://wiki.freebsd.org/Image/Notes200808DevSummit

Introduce INIT_VNET_*() initializer macros, VNET_FOREACH() iterator
macros, and CURVNET_SET() context setting macros, all currently
resolving to NOPs.

Prepare for virtualization of selected SYSCTL objects by introducing a
family of SYSCTL_V_*() macros, currently resolving to their global
counterparts, i.e. SYSCTL_V_INT() == SYSCTL_INT().

Move selected #defines from sys/sys/vimage.h to newly introduced header
files specific to virtualized subsystems (sys/net/vnet.h,
sys/netinet/vinet.h etc.).

All the changes are verified to have zero functional impact at this
point in time by doing MD5 comparision between pre- and post-change
object files(*).

(*) netipsec/keysock.c did not validate depending on compile time options.

Implemented by: julian, bz, brooks, zec
Reviewed by: julian, bz, brooks, kris, rwatson, ...
Approved by: julian (mentor)
Obtained from: //depot/projects/vimage-commit2/...
X-MFC after: never
Sponsored by: NLnet Foundation, The FreeBSD Foundation

guard against adhoc_pick_channel returning a NULL channel; this can
happen after a scan cache flush (e.g. in response to ifconfig wlan bssid -)

must do a deep copy of mcast packets as they can be modified after dispatch

Submitted by: "Jared Go" <jared@hobnob.com>

Use db_printsym to lookup and print the function pointers.