net80211: adjust more VHT structures/fields

Replace ieee80211_ie_vhtcap with ieee80211_vht_cap and
ieee80211_ie_vht_operation with ieee80211_vht_operation.
The "ie" version has the two bytes type/length at the beginning which
we did not actually use as such (the one place doing did just as unused
extra work).

Using the non-"ie" versions allows us to re-use them on shared code.
Using an enum helps us to not accidentally get unsuppored or unhandled
values tough we cannot use it in the struct as we need to ensure the
field width.

ieee80211_vht_operation is guarded by _KERNEL/WANT_NET80211. While the
header is supposed to be exported to user land historically, software
such as wpa bring their own structure definitions. For in-tree usage
it is only ifconfig which really cares (at least for now).

Sponsored by: The FreeBSD Foundation
MFC after: 3 days
Reviewed by: adrian (earlier), cc
Differential Revision: https://reviews.freebsd.org/D42901

net80211: rename iv_flags_vht to iv_vht_flags

While the flag field is internal start naming it as well as "iv_vht*"
so we keep all "VHT" fields together. This breaks with what was done
done for HT but with HE, EHT, .. coming one day seems the more logic
choice.

No functional changes intended.

Sponsored by: The FreeBSD Foundation
MFC after: 3 days
Reviewed by: adrian, cc
Differential Revision: https://reviews.freebsd.org/D42419

net80211: remove ieee80211_unref_node()

ieee80211_unref_node() was only used in two error cases in
ieee80211_send_nulldata(). There we do not need to guard against
ni pointer reuse after decrementing the refcount of the ni as we
only update the stats and return.

Update the man page and remove the link for the now gone function.

Sponsored by: The FreeBSD Foundation
X-MFC: never
Reviewed by: adrian, emaste
Differential Revision: https://reviews.freebsd.org/D42035

sys: Remove $FreeBSD$: one-line .c pattern

Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/

spdx: The BSD-2-Clause-FreeBSD identifier is obsolete, drop -FreeBSD

The SPDX folks have obsoleted the BSD-2-Clause-FreeBSD identifier. Catch
up to that fact and revert to their recommended match of BSD-2-Clause.

Discussed with: pfg
MFC After: 3 days
Sponsored by: Netflix

IfAPI: Explicitly include <net/if_private.h> in netstack

Summary:
In preparation of making if_t completely opaque outside of the netstack,
explicitly include the header. <net/if_var.h> will stop including the
header in the future.

Sponsored by: Juniper Networks, Inc.
Reviewed by: glebius, melifaro
Differential Revision: https://reviews.freebsd.org/D38200

net80211: move IEEE80211_F_WME check to vap for consistency

The IEEE80211_F_WME checks done on the ic were changed to be per-vap
back in the time when multi-bss was introduced or earlier in 2008.
This one was left out but given it is a (re-)accos-req case I see
no reason not to use the vap value here for consistency too.

Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Reviewed by: adrian
Differential Revision: https://reviews.freebsd.org/D36733

net80211 / drivers: rename to IEEE80211_FC0_SUBTYPE_QOS_DATA

Going through the Frame (Sub)types the "QOS Data" being called "QOS"
scheme leads to a naming conflict for QOS_CFPOLL and QOS_CFACKPOLL
(if added). Rename QOS* to QOS_DATA* to avoid the conflict and
to also better match the standards name.

No functional changes intended.

Sponsored by: The FreeBSD Foundation
MFC after: 5 days
Reviewed by: hselasky
Differential Revision: https://reviews.freebsd.org/D36409

net80211: simplify an #ifdef INET/INET6 block

I got lost in the #ifdef #endif here so I changed the code to a
switch block with two non-overlapping #ifdef parts and a default
which makes it a lot easier to read.

No functional changes.

Sponsored by: The FreeBSD Foundation
Reviewed by: (zlei.huang gmail.com)
MFC after: 5 days
Differential Revision: https://reviews.freebsd.org/D36411

net80211: consistently use the IEEE80211_M_ memory related options

Replace a malloc() by IEEE80211_MALLOC().
For malloc flags even in the local ieee80211_freebsd.c there was a mix
of both versions M_ and IEEE80211_M_.
Consistently use the IEEE80211_M_ malloc options everywhere.
If the field is changed for malloc, it'll also be changed for the
other accessor functions taking a "how" field to avoid any confusion.

Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Reviewed by: adrian
Differential Revision: https://reviews.freebsd.org/D36249

net80211: add an IEEE80211_IS_PROTECTED() macro

Summary: This returns whether the given 802.11 frame has the protected bit set.

Test Plan:
* tested in AP/STA mode
* STA mode - local athp/ath10k driver
* AP mode - in tree ath driver

Subscribers: imp, melifaro, glebius
Reviewed by: bz
Approved by: bz

Differential Revision: https://reviews.freebsd.org/D36183

net80211: Remove tautological state display

When printing the current state name and the old state numeric value,
both are always the same. Remove the redundant ostate. It is always
the same as iv_state.

Reviewed by: bz
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D35849

net80211: remove (optional) RSN from preobereq

802.11i-2004 did not specify that RSN can be added to the probereq,
only to the proberesp (and others) yet it was added in what seems was
b032f27c365b992e9d8e42214183b39acfb8c6ac (multi-BSS support).
802.11-2020 does not list the IE either for probereq so remove it.

Sponsored by: The FreeBSD Foundation
MFC after: 2 weeks
Okayed by: adrian
Differential Revision: https://reviews.freebsd.org/D34893

net80211: adjust a printf to toeee80211_note

Throughout net80211 there are multiple ways to log (debugging)
information. Start to clenaup one as I kept hitting it to harmonize
the output. The more we get away from printfs into either wrapper
functions or macros the more likely we can use holistic systematic
tracing in the future.

Sponsored by: The FreeBSD Foundation
MFC after: 3 days

net80211: add debugging information

Add more STATE / DEBUG probes and enhance the output of one in order
to track state changes triggered by "ack" (or not).
This helped to narrow down causes from drivers or the LinuxKPI 802.11
compat framework which kept us in a scan -> auth -> scan loop.

Sponsored by: The FreeBSD Foundation
MFC after: 3 days

net80211: fix -Wunused-but-set-variable warnings

Put the offending variables under the appropriate #ifdefs
(mostly IEEE80211_DEBUG, in one case IEEE80211_SUPPORT_SUPERG, and
in two cases under __notyet__ to revisit why these had been left
there but not used).

Sponsored by: The FreeBSD Foundation
MFC after: 10 days

net80211: comments and whitespace

Add a missing '.', fix spelling of "failed" and unwrap a closing );
No functional changes.

Sponsored by: The FreeBSD Foundation
MFC after: 3 days

net80211: ieee80211_probereq_ie fix length calculation for hw scans

c338cf2c6d5eacdee813191d5976aa531d450ee7 split up ieee80211_probereq_ie().
For HW scans we usually do not want to add a SSID to the IEs.
During that split we allocate memory based on the length which will
always include the length of the SSID and only later we reduced the
length but never updated the value passed back to the caller.
Split the SSID handling up and reduce the length before malloc().
This not only makes us not over-allocate in these situatoins but also
fixes the length returned to the caller and with that usually directly
passed to firmware.

Sponsored by: The FreeBSD Foundation
MFC after: 2 weeks
Reviewed by: adrian
Differential Revision: https://reviews.freebsd.org/D30813

net80211: split up ieee80211_probereq()

Factor out ieee80211_probereq_ie() and ieee80211_probereq_ie_len()
and make the length dynamic rather than static max. The latter is
needed as our current fixed length was longer than some "hw scan",
e.g. that of ath10k, will take. This way we can pass what we have.
Should this not be sufficient in the future we might have to deal
with filtering and much more error handling.

This also removes a duplicate calculation for ieee80211_ie_wpa [1].

Repoprted-by: Martin Husemann <martin NetBSD.org> [1]
Sponsored-by: Rubicon Communications, LLC ("Netgate")
Sponsored-by: The FreeBSD Foundation (update for alloc)
Reviewed-by: adrian, martin NetBSD.org (earlier version)
Reviewed-by: philip
MFC-after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D26545

Provide MS() and SM() macros for 80211 and wireless drivers.

We have (two versions) of MS() and SM() macros which we use throughout
the wireless code. Change all but three places (ath_hal, rtwn, and rsu)
to the newly provided _IEEE80211_MASKSHIFT() and _IEEE80211_SHIFTMASK()
macros. Also change one internal case using both _S and _M instead of
just _S away from _M (one of the reasons rtwn and rsu were not changed).

This was done semi-mechanically. No functional changes intended.

Requested by: gnn (D26091)
Reviewed by: adrian (pre line wrap)
MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC (d/b/a "Netgate")
Differential Revision: https://reviews.freebsd.org/D26539

net: clean up empty lines in .c and .h files

[net80211] Migrate HT/legacy protection mode and preamble calculation to per-VAP flags

The later firmware devices (including iwn!) support multiple configuration
contexts for a lot of things, leaving it up to the firmware to decide
which channel and vap is active. This allows for things like off-channel
p2p sta/ap operation and other weird things.

However, net80211 is still focused on a "net80211 drives all" when it comes to driving
the NIC, and as part of this history a lot of these options are global and not per-VAP.
This is fine when net80211 drives things and all VAPs share a single channel - these
parameters importantly really reflect the state of the channel! - but it will increasingly
be not fine when we start supporting more weird configurations and more recent NICs.
Yeah, recent like iwn/iwm.

Anyway - so, migrate all of the HT protection, legacy protection and preamble
stuff to be per-VAP. The global flags are still there; they're now calculated
in a deferred taskqueue that mirrors the old behaviour. Firmware based drivers
which have per-VAP configuration of these parameters can now just listen to the
per-VAP options.

What do I mean by per-channel? Well, the above configuration parameters really
are about interoperation with other devices on the same channel. Eg, HT protection
mode will flip to legacy/mixed if it hears ANY BSS that supports non-HT stations or
indicates it has non-HT stations associated. So, these flags really should be
per-channel rather than per-VAP, and then for things like "do i need short preamble
or long preamble?" turn into a "do I need it for this current operating channel".
Then any VAP using it can query the channel that it's on, reflecting the real
required state.

This patch does none of the above paragraph just yet.

I'm also cheating a bit - I'm currently not using separate taskqueues for
the beacon updates and the per-VAP configuration updates. I can always further
split it later if I need to but I didn't think it was SUPER important here.

So:

* Create vap taskqueue entries for ERP/protection, HT protection and short/long
preamble;
* Migrate the HT station count, short/long slot station count, etc - into per-VAP
variables rather than global;
* Fix a bug with my WME work from a while ago which made it per-VAP - do the WME
beacon update /after/ the WME update taskqueue runs, not before;
* Any time the HT protmode configuration changes or the ERP protection mode
config changes - schedule the task, which will call the driver without the
net80211 lock held and all correctly serialised;
* Use the global flags for beacon IEs and VAP flags for probe responses and
other IE situations.

The primary consumer of this is ath10k. iwn could use it when sending RXON,
but we don't support IBSS or AP modes on it yet, and I'm not yet sure whether
it's required in STA mode (ie whether the firmware parses beacons to change
protection mode or whether we need to.)

Tested:

* AR9280, STA/AP
* AR9380, DWDS STA+STA/AP
* ath10k work, STA/AP
* Intel 6235, STA
* Various rtwn / run NICs, DWDS STA and STA configurations

[net80211] Add initial U-APSD negotiation support.

U-APSD (unscheduled automatic power save delivery) is a power save method
that's a bit better than legacy PS-POLL - stations can mark frames with
an extra flag that tells the AP to leak out more frames after it sends
its own frames rather than needing to send a PS-POLL to get another frame
from the AP.

Now, this code just handles the negotiation bits; it doesn't actually
implement U-APSD. That's up to drivers, and nothing in the tree yet
implements this. I /may/ implement this for ath(4) if I eventually care
enough but right now I plan on just implementing it for firmware offload
based NICs that handle this in the NIC.

I'll commit the ifconfig bit after this and I may have some follow-up
commits as this gets used more by me in local testing.

This should be a glorious no-op for everyone else. If things change
for anyone that isn't fixed by a complete recompile then please reach out
to me.

[net80211] Flip on A-MPDU, A-MSDU, A-MPDU+A-MSDU and Fast frames options.

This updates the logic to allow:

* A-MPDU if available;
* A-MSDU if available and A-MPDU is off/NACKed;
* A-MPDU+A-MSDU if it's available and negotiated;
* Fast frames if the node is 11abg (and not HT/VHT.)

This allows for things to fail back to A-MSDU or fast frames
if A-MPDU isn't available rather than needing to be non-HT/non-VHT.
It also allows A-MPDU+A-MSDU to work if it's negotiated.

Tested:

* AR9380, STA + AP mode (A-MPDU, A-MSDU, FF, A-MPDU+A-MSDU)
* RT5350, STA mode (A-MSDU, FF)
* AR9170, STA mode (A-MSDU, FF)

[net80211] Migrate short slot time configuration into per-vap and deferred taskqueue updates.

The 11b/11g ERP and slot time update handling are two things which weren't
migrated into the per-VAP state when Sam did the initial VAP work.
That makes sense for a lot of setups where net80211 is driving radio state
and the radio only cares about the shared state.

However, as noted by a now deleted comment, the ERP and slot time updates
aren't EXACTLY correct/accurate - they only take into account the most
RECENTLY created VAP, and the state updates when one creates/destroys
VAPs isn't exactly great.

So:

* track the short slot logic per VAP;
* whenever the slot time configuration changes, just push it into a deferred
task queue update so drivers don't have to serialise it themselves;
* if a driver registers a per-VAP slot time handler then it'll just get the
per VAP one;
* .. if a driver registers a global one then the legacy behaviour is maintained -
a single slot time is calculated and pushed out.

Note that the calculated slot time is better than the existing logic - if ANY
of the VAPs require long slot then it's disabled for all VAPs rather than
whatever the last configured VAP did.

Now, this isn't entirely complete - the rest of ERP tracking around short/long
slot capable station tracking needs to be converted into per-VAP, as well
as the preamble/barker flags. Luckily those also can be done in a similar
fashion - keep per-VAP counters/flags and unify them before doing the driver
update. I'll defer that work until later.

All the existing drivers can keep doing what they're doing with the global
slot time flags as that is maintained. One driver (iwi) used the per-VAP
flags instead of the ic flags, so now that driver will work properly.

This unblocks some ath10k porting work as the firmware takes the slot time
configuration per-VAP rather than globally, and some firmware handles
STA+AP and STA+STA (on same/different channels) configurations where
the firmware will switch slot time as appropriate.

Tested:

* AR9380, STA/AP mode
* AR9880 (ath10k), STA mode

[net80211] Use the unicast key when transmitting DWDS AP multicast frames.

I'm still not sure whether this is the full solution, but here goes.

I have a two node DWDS setup - a main AP with the ethernet bridge uplink
and a satellite AP in the back of the house. They're both AR9344+AR9580
dual band 11n APs.

The problem was that multicast frames was not going from the DWDS AP to
the DWDS STA. Unicast frames are fine, and multicast frames from the
DWDS STA to AP are fine.

Now, multicast and unicast frames from the STA -> AP are just transmitted
using the unicast key. That's fine. However, the AP -> STA multicast
frames by default are transmitted using the current default / multicast
key, the shared one between all STAs in a BSS. Now, the DWDS implementation
ignores non WDS frames - it only allows about 4 address frames outside
of management / EAPOL frames! - so the STA side ignores the normal multicast
frames.

Instead, the AP side uses ieee80211_dwds_mcast() to send multicast frames
to each WDS VAP that was created as part of the "dynamic" part of DWDS.
This should be queuing them individually to each node instead of using
the normal multicast send path; and this is how they should get turned into
4-addr WDS frames.

HOWEVER, ieee80211_encap() was trying to use the default TX key to queue
them rather than the unicast key that's already setup. Since this synthetic
node doesn't have the default TX key setup, transmission fails. Things
would be fine in WEP and in open mode because in both cases you would
have static keys (or no keys) setup. It just fails in WPA mode.

This resolves the issue. AP DWDS multicast is now sent using the unicast
key just like in STA mode and I'm pretty sure the STA mode side will stil
work fine (as it's a STA VAP with a DWDS flag..)

Tested:

* TL-WDR3600/4300 APs

Fix -Wvoid-pointer-to-enum-cast warnings.

This pattern is used in callbacks with void * data arguments and seems
both relatively uncommon and relatively harmless. Silence the warning
by casting through uintptr_t.

This warning is on by default in Clang 11.

Reviewed by: arichardson
Obtained from: CheriBSD (partial)
MFC after: 1 week
Sponsored by: DARPA
Differential Revision: https://reviews.freebsd.org/D24425

Restructure mbuf send tags to provide stronger guarantees.

- Perform ifp mismatch checks (to determine if a send tag is allocated
for a different ifp than the one the packet is being output on), in
ip_output() and ip6_output(). This avoids sending packets with send
tags to ifnet drivers that don't support send tags.

Since we are now checking for ifp mismatches before invoking
if_output, we can now try to allocate a new tag before invoking
if_output sending the original packet on the new tag if allocation
succeeds.

To avoid code duplication for the fragment and unfragmented cases,
add ip_output_send() and ip6_output_send() as wrappers around
if_output and nd6_output_ifp, respectively. All of the logic for
setting send tags and dealing with send tag-related errors is done
in these wrapper functions.

For pseudo interfaces that wrap other network interfaces (vlan and
lagg), wrapper send tags are now allocated so that ip*_output see
the wrapper ifp as the ifp in the send tag. The if_transmit
routines rewrite the send tags after performing an ifp mismatch
check. If an ifp mismatch is detected, the transmit routines fail
with EAGAIN.

- To provide clearer life cycle management of send tags, especially
in the presence of vlan and lagg wrapper tags, add a reference count
to send tags managed via m_snd_tag_ref() and m_snd_tag_rele().
Provide a helper function (m_snd_tag_init()) for use by drivers
supporting send tags. m_snd_tag_init() takes care of the if_ref
on the ifp meaning that code alloating send tags via if_snd_tag_alloc
no longer has to manage that manually. Similarly, m_snd_tag_rele
drops the refcount on the ifp after invoking if_snd_tag_free when
the last reference to a send tag is dropped.

This also closes use after free races if there are pending packets in
driver tx rings after the socket is closed (e.g. from tcpdrop).

In order for m_free to work reliably, add a new CSUM_SND_TAG flag in
csum_flags to indicate 'snd_tag' is set (rather than 'rcvif').
Drivers now also check this flag instead of checking snd_tag against
NULL. This avoids false positive matches when a forwarded packet
has a non-NULL rcvif that was treated as a send tag.

- cxgbe was relying on snd_tag_free being called when the inp was
detached so that it could kick the firmware to flush any pending
work on the flow. This is because the driver doesn't require ACK
messages from the firmware for every request, but instead does a
kind of manual interrupt coalescing by only setting a flag to
request a completion on a subset of requests. If all of the
in-flight requests don't have the flag when the tag is detached from
the inp, the flow might never return the credits. The current
snd_tag_free command issues a flush command to force the credits to
return. However, the credit return is what also frees the mbufs,
and since those mbufs now hold references on the tag, this meant
that snd_tag_free would never be called.

To fix, explicitly drop the mbuf's reference on the snd tag when the
mbuf is queued in the firmware work queue. This means that once the
inp's reference on the tag goes away and all in-flight mbufs have
been queued to the firmware, tag's refcount will drop to zero and
snd_tag_free will kick in and send the flush request. Note that we
need to avoid doing this in the middle of ethofld_tx(), so the
driver grabs a temporary reference on the tag around that loop to
defer the free to the end of the function in case it sends the last
mbuf to the queue after the inp has dropped its reference on the
tag.

- mlx5 preallocates send tags and was using the ifp pointer even when
the send tag wasn't in use. Explicitly use the ifp from other data
structures instead.

- Sprinkle some assertions in various places to assert that received
packets don't have a send tag, and that other places that overwrite
rcvif (e.g. 802.11 transmit) don't clobber a send tag pointer.

Reviewed by: gallatin, hselasky, rgrimes, ae
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D20117

net80211(4): hide casts for 'i_seq' field offset calculation inside
ieee80211_getqos() and reuse it in various places.

Checked with RTL8188EE, HOSTAP mode + RTL8188CUS, STA mode.

MFC after: 2 weeks

net80211: provide rate validation for injected frames.

There may be various side effects (device timeout, firmware and / or
kernel panic) when an invalid (or inapplicable - e.g., an MCS rate
for 11g-only device) is set; check rates before sending the frame to
the driver.

How-to-reproduce:
Set an MCS (real or bogus - with 0x80 bit set) rate in ibp_rate0 field
for any device that uses ieee80211_isratevalid() for rate checks -
rum(4), run(4), ural(4), bwi(4) or ral(4); if kernel is compiled
with INVARIANTS the check will result in "rate %d is basic/mcs?" panic.

Tested with WUSB54GC (rum(4)), AP mode.

MFC after: 1 week

net80211: fix duplicate sequence number bump for non-AMPDU QoS frames.

This should be a part of r312972.

MFC after: 4 days

net80211: wrap protection frame allocation into ieee80211_alloc_prot()

Move copy-pasted code for RTS/CTS frame allocation into net80211.
While here, add stat / debug message for allocation failures
(copied from run(4)) + return error here in bwn(4).

Reviewed by: adrian
Differential Revision: https://reviews.freebsd.org/D14628

net80211: sanitize input for ieee80211_output()

- Add some basic checks for i_fc* bits (ToDS, FromDS, MoreFrag, Protected);
those are used / checked across various places in Tx path.
- Mark injected 802.11 frame as encapsulated (just as it should be).
- Classify 802.11 frame in a proper way (extract ether_type from LLC header
for Data frames, use AC_BE queue for others (NoData / Management / Control).
- Subtract header length from tx_bytes statistics (so it will correspond
to the comment).

Was checked with RTL8188EU (AP) + Intel 6205 (STA).

Reviewed by: adrian
Differential Revision: https://reviews.freebsd.org/D13161

sys: general adoption of SPDX licensing ID tags.

Mainly focus on files that use BSD 2-Clause license, however the tool I
was using misidentified many licenses so this was mostly a manual - error
prone - task.

The Software Package Data Exchange (SPDX) group provides a specification
to make it easier for automated tools to detect and summarize well known
opensource licenses. We are gradually adopting the specification, noting
that the tags are considered only advisory and do not, in any way,
superceed or replace the license texts.

No functional change intended.

net80211: fix a typo (premable -> preamble).

net80211: initialize i_seq for A-MPDU frames.

Fragment number field (part of i_seq) is used for AAD calculation;
as a result, without this patch every driver without h/w crypto support
need to clear it before ieee80211_crypto_encap().

Also fixes rtwn(4) A-MPDU Tx with dev.rtwn.%d.hwcrypto tunable
set to 0 (h/w crypto is disabled).

Tested with:
* Intel 6205, STA mode.
* RTL8188EU, STA mode.

Differential Revision: https://reviews.freebsd.org/D10753

[net80211] teach the probe response routine to add VHT IEs as appropriate.

[net80211] don't bother doing fragmentation if the driver supports fragmentation offload.

Tested:

* ath10k, which does its own fragmentation in firmware.

[net80211] quiet IE handling improvements

* on the station side, only call the quiet time IE method if we have a
quiet IE - otherwise call the NULL method once, and then don't waste
time calling NULL

* on the beacon generation side - force a beacon regeneration each time
quiet time is enabled/disabled. Without this, enabling/disabling quiet
time IE would cause the beacon contents to be corrupted since none of
the "move contents around" logic (like for CSA and TIM handling) is implemented.

This changes the size of ieee80211_node so it requires a kernel recompile,
but no userland recompile.

Tested:

* AR9380, AP mode, enabling/disabling quiet time IE
* AR9380, STA mode, with upcoming driver changes.

[net80211] don't update quiet time counter values every probe request.

The quiet time counter update is happening each time the IE is added,
which also means it happens for each quiet time IE addition to the probe
response.

Only update the countdown if we request ie (ie, beacon updates.)

[net80211] address seqno allocation for group addressed frames

After some digging and looking at packet traces, it looks like the
sequence number allocation being done by net80211 doesn't meet
802.11-2012.

Specifically, group addressed frames (broadcast, multicast) have
sequence numbers allocated from a separate pool, even if they're
QoS frames.

This patch starts to try and address this, both on transmit and
receive.

* When receiving, don't throw away multicast frames for now.
It's sub-optimal, but until we correctly track group addressed
frames via another TID counter, this is the best we can do.

* When doing A-MPDU checks, don't include group addressed frames
in the sequence number checks.

* When transmitting, don't allocate group frame sequence numbers
from the TID, instead use the NONQOS TID for allocation.

This may fix iwn(4) 11n because I /think/ this was one of the
handful of places where ni_txseqs[] was being assigned /outside/
of the driver itself.

This however doesn't completely fix things - notably the way that
TID assignment versus WME assignment for driver hardware queues
will mess up multicast ordering. For example, if all multicast
QoS frames come from one sequence number space but they're
expected to obey the QoS value assigned, they'll end up in
different queues in the hardware and go out in different
orders.

I can't fix that right now and indeed fixing it will require some
pretty heavy lifting of both the WME<->TID QoS assignment, as well
as figuring out what the correct way for drivers to behave.

For example, both iwn(4) and ath(4) shouldn't put QoS multicast
traffic into the same output queue as aggregate traffic, because
the sequence numbers are all wrong. So perhaps the correct thing
to do there is ignore the WME/TID for QoS traffic and map it all
to the best effort queue or something, and ensure it doesn't
muck up the TID/blockack window tracking. However, I'm /pretty/
sure that is still going to happen.

.. maybe I should disable multicast QoS frames in general as well,
but I don't know what that'll do for whatever the current state
of 802.11s mesh support is.

Tested:

* STA mode, ath10k NIC
* AP mode, AR9344/AR9580 AP
* iperf tcp/udp tests with concurrent multicast QoS traffic.

Before this, iperfs would fail pretty quickly because the sending
AP would start sending out QoS multicast frames that would be
out of order from the rest of the TID traffic, causing the blockack
window to get way, way out of sync.

This now doesn't occur.

TODO:

* verify which QoS frames SHOULD be tagged as M_AMPDU_MPDU.
For example, QoS NULL frames shouldn't be tagged!

Reviewed by: avos
Differential Revision: https://reviews.freebsd.org/D9357

[net80211] Initial VHT node upgrade/downgrade support and initial IE parsing.

This is the bulk of the magic to start enabling VHT channel negotiation.
It is absolutely, positively not yet even a complete VHT wave-1 implementation.

* parse IEs in scan, assoc req/resp, probe req/resp;
* break apart the channel upgrade from the HT IE parsing - do it after the
VHT IEs are parsed;
* (dirty! sigh) add channel width decision making in ieee80211_ht.c htinfo_update_chw().
This is the main bit where negotiated channel promotion through IEs occur.
* Shoehorn in VHT node init ,teardown, rate control, etc calls like the HT
versions;
* Do VHT channel adjustment where appropriate

Tested:

* monitor mode, ath10k port
* STA mode, ath10k port - VHT20, VHT40, VHT80 modes

TODO:

* IBSS;
* hostap;
* (ignore mesh, wds for now);
* finish 11n state engine - channel width change, opmode notifications, SMPS, etc;
* VHT basic rate negotiation and acceptance criteria when scanning, associating, etc;
* VHT control/management frame handling (group managment and operating mode being
the two big ones);
* Verify TX/RX VHT rate negotiation is actually working correctly.

Whilst here, add some comments about seqno allocation and locking. To achieve
the full VHT rates I need to push seqno allocation into the drivers and
finally remove the IEEE80211_TX_LOCK() I added years ago to fix issues. :/

[net80211] announce 11n capabilities in probe requests in IBSS mode.

The 802.11-2012 specification notes that a subset of IEs should be present
in IBSS probe requests. This is what (initially) allows nodes to discover
that other nodes are 11n capable. Notably - HTCAP, but not HTINFO.

This isn't everything required to reliably enable 11n between net80211
peers; there's more work to come.

Tested:

* AR9380, IBSS+11n mode

net80211: discard an injected frame if it is smaller than header length.

Do not try to pass such frames; a correct frame cannot be smaller than
(the corresponding) header size.
(for wpi(4) an additional check was added in r289012).

PR: 144987

net80211: fix duplicate packet counter incrementation.

Remove 'if_inc_counter(ifp, IFCOUNTER_OPACKETS, 1);' from raw xmit
and apbridge path; it will be incremented by ieee80211_tx_complete()
after packet transmission.

Noticed by: Imre Vadasz <imre@vdsz.com>

net80211: replace m_getcl/m_gethdr pair with m_get2 in ieee80211_fragment()

- Switch to m_get2() for mbuf allocation instead of manual mbuf size
determination.
- Reuse MIN() macro for mbuf size selection.

Revert parts of r299575 in order to make more MIPS kernels build
again hopefully.
Rather than blindly removing a supposedly unused variable as reported by
the Clang Static Analyzer, inspect the code and hide them with proper
#ifdefs as they are used in certain conditional parts of the code.

net80211: drop some unused variables / local macros

Most of them left after some commits (r178354, r191544, r287197 etc.);
some were never used.

Found by: Clang Static Analyzer

sys/net*: minor spelling fixes.

No functional change.

net80211: hide subtype mask & shift in function call.

Hide subtype mask/shift (which is used for index calculation
in ieee80211_mgt_subtype_name[] array) in function call.

Tested with RTL8188CUS, STA mode.

Reviewed by: adrian
Differential Revision: https://reviews.freebsd.org/D5369

net80211: provide descriptions for reason codes

Add text description for deauth/disassoc/etc reason codes
in addition to 'reason: <number>' string.

Reviewed by: adrian
Obtained from: IEEE Std 802.11-2012, 8.4.1.7 "Reason Code field"
Differential Revision: https://reviews.freebsd.org/D5367

net80211: replace internal LE_READ_*/LE_WRITE_* macro with system
le*dec / le*enc functions.

Replace net80211 specific macros with system-wide bytestream
encoding/decoding functions:
- LE_READ_2 -> le16dec
- LE_READ_4 -> le32dec
- LE_WRITE_2 -> le16enc
- LE_WRITE_4 -> le32enc

+ drop ieee80211_input.h include, where it was included for these
operations only.

Reviewed by: adrian
Differential Revision: https://reviews.freebsd.org/D6030

[net80211] Initial A-MSDU support for testing / evaluation

A-MSDU is another 11n aggregation mechanism where multiple ethernet
frames get LLC encapsulated (so they have a length field), padded,
and put in a single MPDU (802.11 MAC frame.) This means it gets sent
out as a single frame, with a single seqno, it's acked as one frame, etc.

It turns out that, hah, atheros fast frames is almost but not quite
like this, so I'm reusing all of the current superg/fast-frames stuff
in order to actually transmit A-MSDU. Yes, this means that A-MSDU
frames are also only aggregated two at a time, so it's not necessarily
a huge win, but it's better than nothing.

This doesn't do anything by default - the driver needs to say it does
A-MSDU as well as set the AMSDU software TX capability so this code path
gets exercised.

For now, the only driver that enables this is urtwn. I'll enable it
for rsu at some point soon.
Tested:

* Add an amsdu encap path to aggregate two frames, same as the
fast-frames path.

* Always do the superg init/teardown and node init/teardown stuff,
regardless of whether the nodes are doing fast-frames (the ATH
capability stuff.) That way we can reuse it for amsdu.

* Don't do AMSDU for multicast/broadcast and EAPOL frames.

* If we're doing A-MPDU, then don't bother doing FF/A-MSDU.
We can likely do both together, but I don't want to change
behaviour.

* Teach the fast frames approx txtime logic to support the 11n
rates. But, since we don't currently have a full "current rate"
support, assume it's HT20, long-gi, etc. That way we overshoot
on the TX time estimation, so we're always inside the requirements.
(And we only aggregate two frames for now, so we're not really
going to exceed that.)

* Drop the maximum FF age default down to 2ms, otherwise we end up
with some very annoyingly large latencies.

TODO:

* We only aggregate two ethernet frames, so I'm not checking the max
A-MSDU size. But when it comes time to support >2 frames, we should
obey that.

Tested:

* urtwn(4)

net80211: wakeup scan_start() task when null data frame was actually
transmitted

- Use M_TXCB mechanism to report about null data frame transmission.
- Increase timeout from 1 to 10 ms (the previous one may be not enough
for non-empty queue).

Tested with:
* Intel 3945BG, STA mode.
* RTL8188CUS, STA mode.

Approved by: adrian (mentor)
Differential Revision: https://reviews.freebsd.org/D5147

These files were getting sys/malloc.h and vm/uma.h with header pollution
via sys/mbuf.h

net80211: move ieee80211_free_node() call on error from ic_raw_xmit() to ieee80211_raw_output().

This doesn't free the mbuf upon error; the driver ic_raw_xmit method is still
doing that.

Submitted by: <s3erios@gmail.com>
Differential Revision: https://reviews.freebsd.org/D3774

net80211: free node reference in the ieee80211_parent_xmitpkt() when error happened.

Move error handling into ieee80211_parent_xmitpkt() instead of spreading it
between functions.

Submitted by: <s3erios@gmail.com>
Differential Revision: https://reviews.freebsd.org/D3772

net80211: separate mbuf cleanup from ieee80211_fragment()

* Create ieee80211_free_mbuf() which frees a list of mbufs.
* Use it in the fragment transmit path and ath / uath transmit paths.
* Call it in xmit_pkt() if the transmission fails; otherwise fragments
may be leaked.

This should be a big no-op.

Submitted by: <s3erios@gmail.com>
Differential Revision: https://reviews.freebsd.org/D3769

net80211: drop ieee80211_beacon_offsets parameter from ieee80211_beacon_alloc() and ieee80211_beacon_update()

Submitted by: <s3erios@gmail.com>
Differential Revision: https://reviews.freebsd.org/D3659

Comments, mostly to remind myself of what's going on and why.

Expose the wme_info IE method.

Replay r286410. Change KPI of how device drivers that provide wireless
connectivity interact with the net80211 stack.

Historical background: originally wireless devices created an interface,
just like Ethernet devices do. Name of an interface matched the name of
the driver that created. Later, wlan(4) layer was introduced, and the
wlanX interfaces become the actual interface, leaving original ones as
"a parent interface" of wlanX. Kernelwise, the KPI between net80211 layer
and a driver became a mix of methods that pass a pointer to struct ifnet
as identifier and methods that pass pointer to struct ieee80211com. From
user point of view, the parent interface just hangs on in the ifconfig
list, and user can't do anything useful with it.

Now, the struct ifnet goes away. The struct ieee80211com is the only
KPI between a device driver and net80211. Details:

- The struct ieee80211com is embedded into drivers softc.
- Packets are sent via new ic_transmit method, which is very much like
the previous if_transmit.
- Bringing parent up/down is done via new ic_parent method, which notifies
driver about any changes: number of wlan(4) interfaces, number of them
in promisc or allmulti state.
- Device specific ioctls (if any) are received on new ic_ioctl method.
- Packets/errors accounting are done by the stack. In certain cases, when
driver experiences errors and can not attribute them to any specific
interface, driver updates ic_oerrors or ic_ierrors counters.

Details on interface configuration with new world order:
- A sequence of commands needed to bring up wireless DOESN"T change.
- /etc/rc.conf parameters DON'T change.
- List of devices that can be used to create wlan(4) interfaces is
now provided by net.wlan.devices sysctl.

Most drivers in this change were converted by me, except of wpi(4),
that was done by Andriy Voskoboinyk. Big thanks to Kevin Lo for testing
changes to at least 8 drivers. Thanks to pluknet@, Oliver Hartmann,
Olivier Cochard, gjb@, mmoll@, op@ and lev@, who also participated in
testing.

Reviewed by: adrian
Sponsored by: Netflix
Sponsored by: Nginx, Inc.

Revert the wifi ifnet changes until things are more baked and tested.

* 286410
* 286413
* 286416

The initial commit broke a variety of debug and features that aren't
in the GENERIC kernels but are enabled in other platforms.

Change KPI of how device drivers that provide wireless connectivity interact
with the net80211 stack.

Historical background: originally wireless devices created an interface,
just like Ethernet devices do. Name of an interface matched the name of
the driver that created. Later, wlan(4) layer was introduced, and the
wlanX interfaces become the actual interface, leaving original ones as
"a parent interface" of wlanX. Kernelwise, the KPI between net80211 layer
and a driver became a mix of methods that pass a pointer to struct ifnet
as identifier and methods that pass pointer to struct ieee80211com. From
user point of view, the parent interface just hangs on in the ifconfig
list, and user can't do anything useful with it.

Now, the struct ifnet goes away. The struct ieee80211com is the only
KPI between a device driver and net80211. Details:

- The struct ieee80211com is embedded into drivers softc.
- Packets are sent via new ic_transmit method, which is very much like
the previous if_transmit.
- Bringing parent up/down is done via new ic_parent method, which notifies
driver about any changes: number of wlan(4) interfaces, number of them
in promisc or allmulti state.
- Device specific ioctls (if any) are received on new ic_ioctl method.
- Packets/errors accounting are done by the stack. In certain cases, when
driver experiences errors and can not attribute them to any specific
interface, driver updates ic_oerrors or ic_ierrors counters.

Details on interface configuration with new world order:
- A sequence of commands needed to bring up wireless DOESN"T change.
- /etc/rc.conf parameters DON'T change.
- List of devices that can be used to create wlan(4) interfaces is
now provided by net.wlan.devices sysctl.

Most drivers in this change were converted by me, except of wpi(4),
that was done by Andriy Voskoboinyk. Big thanks to Kevin Lo for testing
changes to at least 8 drivers. Thanks to Olivier Cochard, gjb@, mmoll@,
op@ and lev@, who also participated in testing. Details here:

https://wiki.freebsd.org/projects/ifnet/net80211

Still, drivers: ndis, wtap, mwl, ipw, bwn, wi, upgt, uath were not
tested. Changes to mwl, ipw, bwn, wi, upgt are trivial and chances
of problems are low. The wtap wasn't compilable even before this change.
But the ndis driver is complex, and it is likely to be broken with this
commit. Help with testing and debugging it is appreciated.

Differential Revision: D2655, D2740
Sponsored by: Nginx, Inc.
Sponsored by: Netflix

Some hostap setups may result in raw frames being transmitted with
no parameters set. So, don't unconditionally call things.

Thanks to jkim@ for pointing this out!

MFC after: 2 weeks
Sponsored by: Norse Corp, Inc.

Tag outbound raw 802.11 frames with both the node and an mbuf tag
with the transmit params.

This allows raw 802.11 frames to be queued in the driver if necessary,
rather than requiring it to be direct-dispatched into the hardware.

Tested:

* ath(4), STA mode
* iwn(4), STA mode

MFC after: 2 weeks
Sponsored by: Norse Corp, Inc.

Cleanup compat shims for FreeBSD versions that predate 10.0-RELEASE.
There are no plans to merge anything save a trivial bugfix to stable/9.

Discussed with: adrian

Convert malloc/free back to #define's, as part of OS portability work.

DragonflyBSD uses the FreeBSD wireless stack and drivers. Their malloc()
API is named differently, so they don't have userland/kernel symbol
clashes like we do (think libuinet.)

So, to make it easier for them and to port to other BSDs/other operating
systems, start hiding the malloc specific bits behind defines in
ieee80211_freebsd.h.

DragonflyBSD can now put these portability defines in their local
ieee80211_dragonflybsd.h.

This should be a great big no-op for everyone running wifi.

TODO:

* kill M_WAITOK - some platforms just don't want you to use it
* .. and/or handle it returning NULL rather than waiting forever.
* MALLOC_DEFINE() ?
* Migrate the well-known malloc names (eg M_TEMP) to net80211
namespace defines.

Properly update TX statistics for wlan(4).
ieee80211_pwrsave() can fail due to queue overflow, check its return code
and increment oerrors counter when it fails. Also handle more error cases
and update oerrors counter when we don't send mbuf due to some errors.
Return ENETDOWN when parent interface isn't ready. Update obytes and omcasts
counters in corresponding places.

PR: 184626
Differential Revision: https://reviews.freebsd.org/D2621
Reviewed by: adrian
MFC after: 1 week

Do not check sequence number for QoS Null frames; set it for generated QoS Null
frames to 0

From IEEE Std. 802.11-2012, 8.3.2.1 "Data frame format", p. 415 (513):
"The Sequence Control field for QoS (+)Null frames is ignored by the receiver
upon reception."

At this moment, any <mode>_input() function interprets them as regular QoS data
frames with TID = 0. As a result, stations, that use another TX sequence for
QoS Null frames (e.g. wpi(4), where (QoS) Null frames are generated by the
firmware), may experience significant packet loss with any other NIC in hostap
mode.

Tested:

* wpi(4) (author)
* iwn(4) - Intel 5100, STA mode (me)

PR: kern/200128
Submitted by: Andriy Voskoboinyk <s3erios@gmail.com>

Fix kern/196290 - don't announce 11n HTINFO rates if the channel is
configured as 11b.

This came up when debugging other issues surrounding scanning and
channel modes.

What's going on:

* The VAP comes up as an 11b VAP, but on an 11n capable NIC;
* .. it announces HTINFO and MCS rates;
* The AP thinks it's an 11n capable device and transmits 11n frames
to the STA;
* But the STA is in 11b mode, and thus doesn't receive/ACK the frames.

It didn't happen for the ath(4) devices as the AR5416/AR9300 HALs
unconditionally enable MCS frame reception, even if the channel
mode is not 11n. But the Intel NICs are configured in 11b/11a/11g
modes when doing those, even if 11n is enabled and available.

So, don't announce 11n capabilities if the VAP isn't on an 11n
channel when sending management assocation request / reassociation
request frames.

TODO:

* Lots more testing - 11n should be "upgraded" after association,
and I just want to make sure I haven't broken 11n upgrade.
I shouldn't have - this is only happening for /sending/ association
requests, which APs aren't doing.

Tested:

* ath(4) APs (AR9331, AR7161+AR9280, AR934x)
* AR5416, STA mode
* Intel 5100, STA mode

PR: kern/196290

Make ieee80211_add_ssid() public.

Some drivers use private copies of this.

PR: kern/196116
Submitted by: Andriy Voskoboinyk <s3erios@gmail.com>

Replace 'struct route *' if_output() argument with 'struct nhop_info *'.
Leave 'struct route' as is for legacy routing api users.
Remove most of rtalloc_ign*-derived functions.

Mechanically convert to if_inc_counter().

Allow frames to be transmitted in either RUN or SLEEP state

Frames transmitted during SLEEP state should be queued in the
power save queue before waking the unit up. Otherwise DHCP
requests and such will be dropped if the NIC is asleep - the
NIC will wake up but not transmit the frame.

Rename definition of IEEE80211_FC1_WEP to IEEE80211_FC1_PROTECTED.

The origin of WEP comes from IEEE Std 802.11-1997 where it defines
whether the frame body of MAC frame has been encrypted using WEP
algorithm or not.
IEEE Std. 802.11-2007 changes WEP to Protected Frame, indicates
whether the frame is protected by a cryptographic encapsulation
algorithm.

Reviewed by: adrian, rpaulo

Don't return ENOBUFS if the transmit path handles the frame but queues it (eg in power save.)

This is definitely an MFC candidate for 10.0-REL.

MFC after: 1 week

The r48589 promised to remove implicit inclusion of if_var.h soon. Prepare
to this event, adding if_var.h to files that do need it. Also, include
all includes that now are included due to implicit pollution via if_var.h

Sponsored by: Netflix
Sponsored by: Nginx, Inc.

Fix a use-after-free node reference issue when waiting for a return
from a management frame transmission.

This bug is a bit loopy, so here goes.

The underlying cause is pretty easy to understand - the node isn't
referenced before passing into the callout, so if the node is deleted
before the callout fires, it'll dereference free'd memory.

The code path however is slightly more convoluted.

The functions _say_ mgt_tx - ie management transmit - which is partially
true. Yes, that callback is attached to the mbuf for some management
frames. However, it's only for frames relating to scanning and
authentication attempts. It helpfully drives the VAP state back to
"SCAN" if the transmission fails _OR_ (as I subsequently found out!)
if the transmission succeeds but the state machine doesn't make progress
towards being authenticated and active.

Now, the code itself isn't terribly clear about this.

It _looks_ like it's just handling the transmit failure case.

However, when you look at what goes on in the transmit success case, it's
moving the VAP state back to SCAN if it hasn't changed state since
the time the callback was scheduled. Ie, if it's in ASSOC or AUTH still,
it'll go back to SCAN. But if it has transitioned to the RUN state,
the comparison will fail and it'll not transition things back to the
SCAN state.

So, to fix this, I decided to leave everything the way it is and merely
fix the locking and remove the node reference.

The _better_ fix would be to turn this callout into a "assoc/auth request"
timeout callback and make the callout locked, thus eliminating all races.
However, until all the drivers have been fixed so that transmit completions
occur outside of any locking that's going on, it's going to be impossible
to do this without introducing LORs. So, I leave some of the evilness
in there.

Tested:

* AR5212, ath(4), STA mode
* 5100 and 4965 wifi, iwn(4), STA mode

Create a new function to complete 802.11 mbuf transmission.

The aim of this function is to eventually be the completion entry point
for all 802.11 encapsulated mbufs. All the wifi drivers end up doing
what is in this function so it's an easy win to turn it into a net80211
method and abstract out this code.

Ideally the drivers will all eventually be modified to queue up completed
mbufs and call this function with all the driver locks not held.
This will allow for some much more interesting software queue handling
in the future (like net80211 based A-MSDU, fast-frames, A-MPDU aggregation
and retransmission.)

Tested:

* ath(4), iwn(4)

Migrate the ff_encap1() routine out into the normal output code.

This will eventually be used by the A-MSDU encapsulation code that
I'm writing - the sub-frame encapsulation requirement is the same.

Return the correct status if ieee80211_ff_check() consumes the mbuf.

I broke this when converting the net80211 TX path to use if_transmit.

Add in missing m_free()'s during error conditions.

Convert net80211 over to using if_transmit for the dispatch from the
upper layer(s).

This eliminates the if_snd queue from net80211. Yay!

This unfortunately has a few side effects:

* It breaks ALTQ to net80211 for now - sorry everyone, but fixing
parallelism and eliminating the if_snd queue is more important
than supporting this broken traffic scheduling model. :-)

* There's no VAP and IC flush methods just yet - I think I'll add
some NULL methods for now just as placeholders.

* It reduces throughput a little because now net80211 will drop packets
rather than buffer them if the driver doesn't do its own buffering.
This will be addressed in the future as I implement per-node software
queues.

Tested:

* ath(4) and iwn(4) in STA operation

Allow net80211 to compile on stable/9 and stable/8.

Refactor the VAP transmit path code into a utility function that both
the normal and the mesh transmit paths can use.

The API is a bit horrible because it both consumes the mbuf and frees
the node reference regardless of whether it succeeds or not.
It's a hold-over from how the code behaves; it'd be nice to have it
not free the node reference / mbuf if TX fails and let the caller
decide what to do.

Add ieee80211_add_{qos,wpa,rsn}() functions since they are needed by an
OpenBSD driver that is being ported to FreeBSD.

Reviewed by: adrian

Make kassert_printf use __printflike.

Fix associated errors/warnings while I'm here.

Requested by: avg

Fix net80211 fragment creation.

When creating fragment frames, the header length should honour the
DATAPAD flag.

This fixes the fragments that are queued to the ath(4) driver but it
doesn't yet fix fragment transmission. That requires further changes
to the ath(4) transmit path. Well, strictly speaking, it requires
further changes to _all_ wifi driver transmit paths, but this is at least
a start.

Tested:

* AR5416, STA mode, w/ fragthreshold set to 256.

Add const qualifier to the dst parameter of the ifnet if_output method.

Fix another compiler warning issue when invariants are disabled.

Bring over my initial work from the net80211 TX locking branch.

This patchset implements a new TX lock, covering both the per-VAP (and
thus per-node) TX locking and the serialisation through to the underlying
physical device.

This implements the hard requirement that frames to the underlying physical
device are scheduled to the underlying device in the same order that they
are processed at the VAP layer. This includes adding extra encapsulation
state (such as sequence numbers and CCMP IV numbers.) Any order mismatch
here will result in dropped packets at the receiver.

There are multiple transmit contexts from the upper protocol layers as well
as the "raw" interface via the management and BPF transmit paths.
All of these need to be correctly serialised or bad behaviour will result
under load.

The specifics:

* add a new TX IC lock - it will eventually just be used for serialisation
to the underlying physical device but for now it's used for both the
VAP encapsulation/serialisation and the physical device dispatch.

This lock is specifically non-recursive.

* Methodize the parent transmit, vap transmit and ic_raw_xmit function
pointers; use lock assertions in the parent/vap transmit routines.

* Add a lock assertion in ieee80211_encap() - the TX lock must be held
here to guarantee sensible behaviour.

* Refactor out the packet sending code from ieee80211_start() - now
ieee80211_start() is just a loop over the ifnet queue and it dispatches
each VAP packet send through ieee80211_start_pkt().

Yes, I will likely rename ieee80211_start_pkt() to something that
better reflects its status as a VAP packet transmit path. More on
that later.

* Add locking around the management and BAR TX sending - to ensure that
encapsulation and TX are done hand-in-hand.

* Add locking in the mesh code - again, to ensure that encapsulation
and mesh transmit are done hand-in-hand.

* Add locking around the power save queue and ageq handling, when
dispatching to the parent interface.

* Add locking around the WDS handoff.

* Add a note in the mesh dispatch code that the TX path needs to be
re-thought-out - right now it's doing a direct parent device transmit
rather than going via the vap layer. It may "work", but it's likely
incorrect (as it bypasses any possible per-node power save and
aggregation handling.)

Why not a per-VAP or per-node lock?

Because in order to ensure per-VAP ordering, we'd have to hold the
VAP lock across parent->if_transmit(). There are a few problems
with this:

* There's some state being setup during each driver transmit - specifically,
the encryption encap / CCMP IV setup. That should eventually be dragged
back into the encapsulation phase but for now it lives in the driver TX path.
This should be locked.

* Two drivers (ath, iwn) re-use the node->ni_txseqs array in order to
allocate sequence numbers when doing transmit aggregation. This should
also be locked.

* Drivers may have multiple frames queued already - so when one calls
if_transmit(), it may end up dispatching multiple frames for different
VAPs/nodes, each needing a different lock when handling that particular
end destination.

So to be "correct" locking-wise, we'd end up needing to grab a VAP or
node lock inside the driver TX path when setting up crypto / AMPDU sequence
numbers, and we may already _have_ a TX lock held - mostly for the same
destination vap/node, but sometimes it'll be for others. That could lead
to LORs and thus deadlocks.

So for now, I'm sticking with an IC TX lock. It has the advantage of
papering over the above and it also has the added advantage that I can
assert that it's being held when doing a parent device transmit.
I'll look at splitting the locks out a bit more later on.

General outstanding net80211 TX path issues / TODO:

* Look into separating out the VAP serialisation and the IC handoff.
It's going to be tricky as parent->if_transmit() doesn't give me the
opportunity to split queuing from driver dispatch. See above.

* Work with monthadar to fix up the mesh transmit path so it doesn't go via
the parent interface when retransmitting frames.

* Push the encryption handling back into the driver, if it's at all
architectually sane to do so. I know it's possible - it's what mac80211
in Linux does.

* Make ieee80211_raw_xmit() queue a frame into VAP or parent queue rather
than doing a short-cut direct into the driver. There are QoS issues
here - you do want your management frames to be encapsulated and pushed
onto the stack sooner than the (large, bursty) amount of data frames
that are queued. But there has to be a saner way to do this.

* Fragments are still broken - drivers need to be upgraded to an if_transmit()
implementation and then fragmentation handling needs to be properly fixed.

Tested:

* STA - AR5416, AR9280, Intel 5300 abgn wifi
* Hostap - AR5416, AR9160, AR9280
* Mesh - some testing by monthadar@, more to come.

Mesh bug: debug infomartion showing swapped SA and DA address.

* Fix bug for "forward frame from SA(%6D), DA(%6D)" where addresses where
swapped between SA and DA;

Approved by: adrian (mentor)

Add mesh debug for interarction between DS & MBSS.

* Add mesh debug information when frames enter or leave the MBSS;
* Set IEEE80211_MSG_OUTPUT bit to enable output;

Approved by: adrian (mentor)

Mechanically substitute flags from historic mbuf allocator with
malloc(9) flags within sys.

Exceptions:

- sys/contrib not touched
- sys/mbuf.h edited manually

Mesh mode, potential garbage in QoS subfield.

* qos[1] subfield is never assigned a value before this statement.
qos[1] can potentially be OR:ed with garbage. Make it an assignment instead;
* Remove brackets around if statement;

Approved by: adrian

Mesh forwarding with proxy support.

* Modified HWMP PREP/PREQ to contain a proxy entry and also changed PREP
frame processing according to amendment as following:
o Fixed PREP to always update/create if acceptance criteria is meet;
o PREQ processing to reply if request is for a proxy entry that is
proxied by us;
o Removed hwmp_discover call from PREQ, because sending a PREP will
build the forward path, and by receving and accepting a PREQ we
have already built the reverse path (non-proactive code);
* Disabled code for pro-active in PREP for now (will make a separate patch for
pro-active HWMP routing later)
* Added proxy information for a Mesh route, mesh gate to use and proxy seqno;
* Modified ieee80211_encap according to amendment;
* Introduced Mesh control address extension enum and removed unused struct,
also rename some structure element names.
* Modified mesh_input and added mesh_recv_* that should verify and process mesh
data frames according to 9.32 Mesh forwarding framework in amendment;
* Modified mesh_decap accordingly to changes done in mesh control AE struct;

Approved by: adrian

Migrate the net80211 TX aggregation state to be from per-AC to per-TID.

TODO:

* Test mwl(4) more thoroughly!

Reviewed by: bschmidt (for iwn)

* Introduce new flag for QoS control field;
* Change in mesh_input to validate that QoS is set and Mesh Control field
is present, also both bytes of the QoS are read;
* Moved defragmentation in mesh_input before we try to forward packet as
inferred from amendment spec, because Mesh Control field only present in first
fragment;
* Changed in ieee80211_encap to set QoS subtype and Mesh Control field present,
only first fragment have Mesh Control field present bit equal to 1;

Submitted by: monthadar@gmail.com

Hold IF_LOCK when manipulating the interface flags.

It doesn't _really_ help all that much, I'll commit something to
sys/net/if.c at some point explaining why, but the lock should be held
when checking/manipulating/branching because of said lock.

Correct comment for the IPv6 case to say "traffic class" not "TOS"
as pointed out back in 2009.

MFC after: 3 days

Add 802.11h quiet time element support into net80211.

This supports both station and hostap modes:

* Station mode quiet time element support listens to quiet time
IE's and modifies the local quiet time configuration as appropriate;
* Hostap mode both obeys the locally configured quiet time period
and includes it in beacon frames so stations also can obey as needed.

Submitted by: Himali Patel <himali.patel@sibridgetech.com>
Sponsored by: Sibridge Technologies

This patch fixes beacon frame sequence number generation. The code
didn't set a sequence number; it didn't show up earlier because the
hardware most people use for hostap (ie, AR5212 series stuff) sets the
sequence numbers up in hardware. Later hardware (AR5416, etc) which
can do 11n and aggregation require sequence numbers to be generated in
software.

Submitted by: paradyse@gmail.com
Approved by: re (kib)

Data frames sent over the mgmt path might be part of a TX aggr session
too. In that case don't fiddle with the seqno as drivers are supposed
to handle that.

Currently only the powersave feature does sent QoS-null-data frames
before and after a background scan which must be handled correctly. Due
to this being quite rare we don't fiddle around with starting of aggr
sessions.

We need in.h for both INET and INET6, as according to RFC 3493 it
defines struct in6_addr, which is needed by ip6_hdr used in here.

Reviewed by: gnn
Sponsored by: The FreeBSD Foundation
Sponsored by: iXsystems
MFC after: 5 days

When injecting frames a temporary node is faked, during this several
uses of ic_curchan occur. Due to the nature of a scan, switching
channels constantly and all this happening without any kind of locks
held, it might happen that ic_curchan points to nowhere leading to
panics. Fix this by not allowing frame injections while in SCAN state.

Tested by: Paul B. Mahol <onemda at gmail.com>

It is IEEE80211_SUPPORT_XXX not IEEE80211_XXX_SUPPORT.

A new jail(8) with a configuration file, to replace the work currently done
by /etc/rc.d/jail.

MFC r198230, r198242, r198260, r198346, r198369, r198384:

More mesh fixes to comply with latest draft.

The draft spec doesn't say beacon frames need to have a wildcard BSSID,
so remove the mesh code necessary for that.

MFC after: 2 days

Implement the missing support for updating the mesh conf number of
neighbors via ieee80211_beacon_notify().

MFC after: 3 days

revert OACTIVE part of r195845; instead fix the comment so it does not refer
to the old hack removed in r193312

Approved by: re (implicit)

o kill old code no longer needed after r193312
o count output packets+errors for frames sent through ieee80211_output

Approved by: re (kensmith)

More mesh bits, namely:
* bridge support (sam)
* handling of errors (sam)
* deletion of inactive routing entries
* more debug msgs (sam)
* fixed some inconsistencies with the spec.
* decap is now specific to mesh (sam)
* print mesh seq. no. on ifconfig list mesh
* small perf. improvements

Reviewed by: sam
Approved by: re (kib)

Implementation of the upcoming Wireless Mesh standard, 802.11s, on the
net80211 wireless stack. This work is based on the March 2009 D3.0 draft
standard. This standard is expected to become final next year.
This includes two main net80211 modules, ieee80211_mesh.c
which deals with peer link management, link metric calculation,
routing table control and mesh configuration and ieee80211_hwmp.c
which deals with the actually routing process on the mesh network.
HWMP is the mandatory routing protocol on by the mesh standard, but
others, such as RA-OLSR, can be implemented.

Authentication and encryption are not implemented.

There are several scripts under tools/tools/net80211/scripts that can be
used to test different mesh network topologies and they also teach you
how to setup a mesh vap (for the impatient: ifconfig wlan0 create
wlandev ... wlanmode mesh).

A new build option is available: IEEE80211_SUPPORT_MESH and it's enabled
by default on GENERIC kernels for i386, amd64, sparc64 and pc98.

Drivers that support mesh networks right now are: ath, ral and mwl.

More information at: http://wiki.freebsd.org/WifiMesh

Please note that this work is experimental. Also, please note that
bridging a mesh vap with another network interface is not yet supported.

Many thanks to the FreeBSD Foundation for sponsoring this project and to
Sam Leffler for his support.
Also, I would like to thank Gateworks Corporation for sending me a
Cambria board which was used during the development of this project.

Reviewed by: sam
Approved by: re (kensmith)
Obtained from: projects/mesh11s

do not strip M_MORE_DATA on packets coming through ieee80211_start;
frames coming out of the ps q may have this set and removing it
causes the 802.11 header to not indicate more frames follow which can
result in the sta going to sleep and missing them

teach ieee80211_classify about ipv6 packets

Reviewed by: bz, rrs

iv_flags_ext is full, make room by moving HT-related flags to a new
iv_flags_ht word

Fix spelling of MAC check for 8.x version of MAC Framework, not noticed due
to a lack of an opt_mac.h include, which I won't add for now as options MAC
will soon move to opt_global.h.

Spotted by: pjd

o station mode channel switch support
o IEEE80211_IOC_CHANSWITCH fixups:
- restrict to hostap vaps
- return EOPNOTSUPP instead of EINVAL when applied to !hostap vap
or to a vap w/o 11h enabled
- interpret count of 0 to mean cancel the current CSA

Reviewed by: rpaulo, avatar

Overhaul monitor mode handling:
o replace DLT_IEEE802_11 support in net80211 with DLT_IEEE802_11_RADIO
and remove explicit bpf support from wireless drivers; drivers now
use ieee80211_radiotap_attach to setup shared data structures that
hold the radiotap header for each packet tx/rx
o remove rx timestamp from the rx path; it was used only by the tdma support
for debugging and was mostly useless due to it being 32-bits and mostly
unavailable
o track DLT_IEEE80211_RADIO bpf attachments and maintain per-vap and
per-com state when there are active taps
o track the number of monitor mode vaps
o use bpf tap and monitor mode vap state to decide when to collect radiotap
state and dispatch frames; drivers no longer explicitly directly check
bpf state or use bpf calls to tap frames
o handle radiotap state updates on channel change in net80211; drivers
should not do this (unless they bypass net80211 which is almost always
a mistake)
o update various drivers to be more consistent/correct in handling radiotap
o update ral to include TSF in radiotap'd frames
o add promisc mode callback to wi

Reviewed by: cbzimmer, rpaulo, thompsa

Store the tx seq# of an 802.11 frame in the mbuf pkthdr; this will be
used for s/w retransmit schemes that want to access this information
w/o the overhead of decoding the raw frame. Note this also allows
drivers to record this information w/o writing the frame when the seq#
is obtained through an out-of-band mechanism (e.g. when a h/w assigned
seq# is reported in a descriptor on tx done notification).

Reviewed by: sephe, avatar

add IEEE80211_FEXT_4ADDR to indicate ieee80211_encap should do 4-address
encapsulation when relaying frames; this reduces the cost of the test and
enables use for situations other than "sta vap + dwds"

hoist ampdu tx aggregation setup from ieee80211_encap to ieee80211_start
where it was meant all along (the code was in encap because ampdu was
implemented pre vaps)

stash the node pointer in the mbuf before doing ff aggregration so this
is done in only one place

don't fragment ampdu aggregates

uniformly mark mbufs that pass through the tx path with M_MCAST; drivers
can now use this flag instead of inspecting the contents

add missing part of r191537 that should have read: hoist DLT_IEEE802_11
bpf tap from ieee80211_encap up to ieee80211_start

fix comment

add missing DLT_IEEE802_11 bpf tap in ieee80211_start

fixup ieee80211_output handling:
o correct bpf handling, send 'em to the right tap
o do accouting
o mark mbufs holding multicast frames

Change if_output to take a struct route as its fourth argument in order
to allow passing a cached struct llentry * down to L2

Reviewed by: rwatson

o add a capability for drivers that require 802.3 encapsulation of
frames passed down through the transmit path
o mark ndis requiring 802.3 encap'd frames

Reviewed by: "Paul B. Mahol" <onemda@gmail.com>, thompsa

fix whitespace

o update dwds mcast handling after hoisting ieee80211_encap: frames need
to be encapsulated before dispatching to the driver
o eliminate M_WDS now that we call ieee80211_encap directly and can supply
the wds vap to indicate a 4-address frame should be created

Hoist 802.11 encapsulation up into net80211:
o call ieee80211_encap in ieee80211_start so frames passed down to drivers
are already encapsulated
o remove ieee80211_encap calls in drivers
o fixup wi so it recreates the 802.3 head it requires from the 802.11
header contents
o move fast-frame aggregation from ath to net80211 (conditional on
IEEE80211_SUPPORT_SUPERG):
- aggregation is now done in ieee80211_start; it is enabled when the
packets/sec exceeds ieee80211_ffppsmin (net.wlan.ffppsmin) and frames
are held on a staging queue according to ieee80211_ffagemax
(net.wlan.ffagemax) to wait for a frame to combine with
- drivers must call back to age/flush the staging queue (ath does this
on tx done, at swba, and on rx according to the state of the tx queues
and/or the contents of the staging queue)
- remove fast-frame-related data structures from ath
- add ieee80211_ff_node_init and ieee80211_ff_node_cleanup to handle
per-node fast-frames state (we reuse 11n tx ampdu state)
o change ieee80211_encap calling convention to include an explicit vap
so frames coming through a WDS vap are recognized w/o setting M_WDS

With these changes any device able to tx/rx 3Kbyte+ frames can use fast-frames.

Reviewed by: thompsa, rpaulo, avatar, imp, sephe

Fix enough bits so that fast frames work again:
o include ath ie in beacon frames
o fix probe response check for including ath ie
o add ieee80211_add_athcap shorthand for ap-side ie additions

need to adjust htinfo offset when csa is inserted

adjust tdma ie offset when beacon frame contents changes

split Atheros SuperG support out into it's own file that's included only
with a new IEEE80211_SUPPORT_SUPERG option

Remove leftover comment because we now use a flag to check for associd.

Discussed with: sam

mark M_LASTFRAG at the last fragment.

Reviewed by: sam
MFC after: 3 weeks

TDMA support for long distance point-to-point links using ath devices:
o add net80211 support for a tdma vap that is built on top of the
existing adhoc-demo support
o add tdma scheduling of frame transmission to the ath driver; it's
conceivable other devices might be capable of this too in which case
they can make use of the 802.11 protocol additions etc.
o add minor bits to user tools that need to know: ifconfig to setup and
configure, new statistics in athstats, and new debug mask bits

While the architecture can support >2 slots in a TDMA BSS the current
design is intended (and tested) for only 2 slots.

Sponsored by: Intel

follow prevailing style

Replace adhoc checks in ieee80211_start with a per-node flag that
indicates if an association id is required before outbound traffic
is permitted. This cleans up the previous change that broke mcast
traffic "to the stack" in ap mode as a side effect.

Reviewed by: sephe, thompsa, weongyo

convert calls to IFQ_HANDOFF to if_transmit

New ap-side power save implementation; the main change is to allow drivers
to queue frames previously encapsulated on a separate high priority list
that is dispatched before the unencapsulated frames (to preserve order).

introduce M_ENCAP flag to mark packets encapsulated w/ an 802.11 header

fix comment that belonged w/ previous commit

change ieee80211_send_probereq to supply raw xmit parameters so it can
control how frames are handled by the driver

change ieee80211_send_nulldata to send a QoS Null Data frame to a
QoS-enabled station; this makes inactivity handling follow the spec
as previously it would probe inactive stations w/ a Null Data (no QoS)
data frame

o change ieee80211_mgmt_output to take a raw xmit parameters block so
the net80211 layer has complete control over the handling of mgt frames
(in particular, the ac, tx rate, and retry count); this also allows us
to purge the M_LINK0 flag that was attached to mbufs to mark them as
needing encryption for shared key auth
o change ieee80211_send_setup to take a tid parameter so it can be used
to setup QoS frames

fix old merge botch that causes gaps in the tx seq# space for QoS frames

fix associd check for adhoc mode

Reviewed by: jhay

- Import the HEAD csup code which is the basis for the cvsmode work.

Cleanup AMPDU handling:

For receive:
o explicitly tag rx frames w/ M_AMPDU instead of passing frames through
the reorder processing according to the node having HT and the frame
being QoS data
o relax ieee80211_ampdu_reorder asserts to allow any frame to be passed
in, unsuitable frames are returned to the caller for normal processing;
this permits drivers that cannot inspect the PLCP to mark all data
frames as potential ampdu candidates with only a small penalty
o add M_AMPDU_MPDU to identify frames resubmitted from the reorder q

For transmit:
o tag aggregation candidates with M_AMPDU_MPDU
o fix the QoS ack policy set in ampdu subframes; we only support immediate
BA streams which should be marked for "normal ack" to get implicit block
ack behaviour; interestingly certain vendor parts BA'd frames with the
11e BA ack policy set
o do not assign a sequence # to aggregation candidates; this must be done
when frames are submitted for transmit (NB: this can/will be handled
better when aggregation is pulled up to net80211)

reorder RSN/WPA2 ie in beacon and probe response frames to comply
with IEEE802.11-2007 spec

Submitted by: Chris Zimmermann

Split s/w crypt/mic attributes to allow future hackery; this change
should be a noop.

Multi-bss (aka vap) support for 802.11 devices.

Note this includes changes to all drivers and moves some device firmware
loading to use firmware(9) and a separate module (e.g. ral). Also there
no longer are separate wlan_scan* modules; this functionality is now
bundled into the wlan module.

Supported by: Hobnob and Marvell
Reviewed by: many
Obtained from: Atheros (some bits)

Add padding for anticipated functionality
- vimage
- TOE
- multiq
- host rtentry caching

Rename spare used by 80211 to if_llsoftc

Reviewed by: rwatson, gnn
MFC after: 1 day

correct WMM packet classification:
o use TID_TO_WME_AC on vlan tag priority
o ignore ECN bits in DSCP when mapping IP TOS and use TID_TO_WME_AC

MFC after: 3 days

sync 11n support with vap code base; many changes based on interop
testing with all major vendors

MFC after: 1 week

honor IEEE80211_C_TXFRAG; drivers should never get fragmented packets
unless they indicate they're able to handle them

Approved by: re (blanket wireless)

tag mgmt and null data frames w/ a WME priority so drivers can assume
only data frames require classification

Approved by: re (blanket wireless)

Update beacon handling to sync w/ vap code base:
o add driver callback to handle notification of beacon changes;
this is required for devices that manage beacon frames themselves
(devices must override the default handler which does nothing)
o move beacon update-related flags from ieee80211com to the beacon
offsets storage (or handle however a driver wants)
o expand beacon offsets structure with members needed for 11h/dfs
and appie's
o change calling convention for ieee80211_beacon_alloc and
ieee80211_beacon_update
o add overlapping bss support for 11g; requires driver to pass
beacon frames from overlapping bss up to net80211 which is not
presently done by any driver
o move HT beacon contents update to a routine in the HT code area

Reviewed by: avatar, thompsa, sephe
Approved by: re (blanket wireless)

drop frames marked for encryption when no key is available

Reviewed by: avatar
Approved by: re (kensmith)
Obtained from: madwifi

Update 802.11 wireless support:
o major overhaul of the way channels are handled: channels are now
fully enumerated and uniquely identify the operating characteristics;
these changes are visible to user applications which require changes
o make scanning support independent of the state machine to enable
background scanning and roaming
o move scanning support into loadable modules based on the operating
mode to enable different policies and reduce the memory footprint
on systems w/ constrained resources
o add background scanning in station mode (no support for adhoc/ibss
mode yet)
o significantly speedup sta mode scanning with a variety of techniques
o add roaming support when background scanning is supported; for now
we use a simple algorithm to trigger a roam: we threshold the rssi
and tx rate, if either drops too low we try to roam to a new ap
o add tx fragmentation support
o add first cut at 802.11n support: this code works with forthcoming
drivers but is incomplete; it's included now to establish a baseline
for other drivers to be developed and for user applications
o adjust max_linkhdr et. al. to reflect 802.11 requirements; this eliminates
prepending mbufs for traffic generated locally
o add support for Atheros protocol extensions; mainly the fast frames
encapsulation (note this can be used with any card that can tx+rx
large frames correctly)
o add sta support for ap's that beacon both WPA1+2 support
o change all data types from bsd-style to posix-style
o propagate noise floor data from drivers to net80211 and on to user apps
o correct various issues in the sta mode state machine related to handling
authentication and association failures
o enable the addition of sta mode power save support for drivers that need
net80211 support (not in this commit)
o remove old WI compatibility ioctls (wicontrol is officially dead)
o change the data structures returned for get sta info and get scan
results so future additions will not break user apps
o fixed tx rate is now maintained internally as an ieee rate and not an
index into the rate set; this needs to be extended to deal with
multi-mode operation
o add extended channel specifications to radiotap to enable 11n sniffing

Drivers:
o ath: add support for bg scanning, tx fragmentation, fast frames,
dynamic turbo (lightly tested), 11n (sniffing only and needs
new hal)
o awi: compile tested only
o ndis: lightly tested
o ipw: lightly tested
o iwi: add support for bg scanning (well tested but may have some
rough edges)
o ral, ural, rum: add suppoort for bg scanning, calibrate rssi data
o wi: lightly tested

This work is based on contributions by Atheros, kmacy, sephe, thompsa,
mlaier, kevlo, and others. Much of the scanning work was supported by
Atheros. The 11n work was supported by Marvell.

copyright updates:
o update to include 2007
o switch back to a 2-clause bsd-only license

Reviewed by: onoe

keep tx/rx seq #'s for non-QoS traffic separate from QoS; stations
aren't supposed mix traffic but if they did frames might be mis-handled

Obtained from: Atheros
MFC after: 2 weeks

add IEEE80211_KEY_UNDEFINED and use it instead of local defs

Obtained from: netbsd

First cut at half/quarter-rate 11a channel support (e.g. for use
in the Public Safety Band):
o add channel flags to identify half/quarter-rate operation
o add rate sets (need to check spec on 4Mb/s in 1/4 rate)
o add if_media definitions for new rates
o split net80211 channel setup out into ieee80211_chan_init
o fixup ieee80211_mhz2ieee and ieee80211_ieee2mhz to understand half/quarter
rate channels: note we temporarily use a nonstandard/hack numbering that
avoids overlap with 2.4G channels because we don't (yet) have enough
state to identify and/or map overlapping channel sets
o fixup ieee80211_ifmedia_init so it can be called post attach and will
recalculate the channel list and associated state; this enables changing
channel-related state like the regulatory domain after attach (will be
needed for 802.11d support too)
o add ieee80211_get_suprates to return a reference to the supported rate
set for a given channel
o add 3, 4.5, and 27 MB/s tx rates to rate <-> media conversion routines
o const-poison channel arg to ieee80211_chan2mode

back out use of LLC_SNAPFRAMELEN now that sizeof(struct llc) isn't
padded on arm

sizeof(struct llc) includes padding on arm; use LLC_SNAPFRAMELEN for now

Submitted by: jhay
MFC after: 2 weeks

Move ethernet VLAN tags from mtags to its own mbuf packet header field
m_pkthdr.ether_vlan. The presence of the M_VLANTAG flag on the mbuf
signifies the presence and validity of its content.

Drivers that support hardware VLAN tag stripping fill in the received
VLAN tag (containing both vlan and priority information) into the
ether_vtag mbuf packet header field:

m->m_pkthdr.ether_vtag = vlan_id; /* ntohs()? */
m->m_flags |= M_VLANTAG;

to mark the packet m with the specified VLAN tag.

On output the driver should check the mbuf for the M_VLANTAG flag to
see if a VLAN tag is present and valid:

if (m->m_flags & M_VLANTAG) {
... = m->m_pkthdr.ether_vtag; /* htons()? */
... pass tag to hardware ...
}

VLAN tags are stored in host byte order. Byte swapping may be necessary.

(Note: This driver conversion was mechanic and did not add or remove any
byte swapping in the drivers.)

Remove zone_mtag_vlan UMA zone and MTAG_VLAN definition. No more tag
memory allocation have to be done.

Reviewed by: thompsa, yar
Sponsored by: TCP/IP Optimization Fundraise 2005

add per-sta ucast/mcast stats

MFC after: 1 week

add support for 802.11 packet injection via bpf

Together with: Andrea Bittau <a.bittau@cs.ucl.ac.uk>
Reviewed by: arch@
MFC after: 1 month

when doing s/w crypto make sure work is done w/ a writable mbuf chain;
this corrects problems with drivers that rely on the host to do
crypto (iwi, ipw, ral, ural, wi (hostap), awi)

Hard work by: luigi, mlaier
Reviewed by: luigi, mlaier
MFC after: 1 week

consolidate calculation of capabilities ie

Reviewed by: avatar
MFC after: 2 weeks

set the mgt frame tx timer before dispatching the frame to the
driver; this closes a race where a response could be processed
before the timer was started and cause a RUN->SCAN state change
when operating in station mode

Reviewed by: avatar, dyoung
MFC after: 1 week

update erp information element in the beacon frame to reflect
changes in the bss

Reviewed by: avatar
Obtained from: atheros
MFC after: 2 weeks

correct handling of dtim for periods > 1

Obtained from: madwifi

Retire MT_HEADER mbuf type and change its users to use MT_DATA.

Having an additional MT_HEADER mbuf type is superfluous and redundant
as nothing depends on it. It only adds a layer of confusion. The
distinction between header mbuf's and data mbuf's is solely done
through the m->m_flags M_PKTHDR flag.

Non-native code is not changed in this commit. For compatibility
MT_HEADER is mapped to MT_DATA.

Sponsored by: TCP/IP Optimization Fundraise 2005

Clarify/fix handling of the current channel:
o add ic_curchan and use it uniformly for specifying the current
channel instead of overloading ic->ic_bss->ni_chan (or in some
drivers ic_ibss_chan)
o add ieee80211_scanparams structure to encapsulate scanning-related
state captured for rx frames
o move rx beacon+probe response frame handling into separate routines
o change beacon+probe response handling to treat the scan table
more like a scan cache--look for an existing entry before adding
a new one; this combined with ic_curchan use corrects handling of
stations that were previously found at a different channel
o move adhoc neighbor discovery by beacon+probe response frames to
a new ieee80211_add_neighbor routine

Reviewed by: avatar
Tested by: avatar, Michal Mertl
MFC after: 2 weeks

Cleanup beacon/listen interval handling:
o separate configured beacon interval from listen interval; this
avoids potential use of one value for the other (e.g. setting
powersavesleep to 0 clobbers the beacon interval used in hostap
or ibss mode)
o bounds check the beacon interval received in probe response and
beacon frames and drop frames with bogus settings; not clear
if we should instead clamp the value as any alteration would
result in mismatched sta+ap configuration and probably be more
confusing (don't want to log to the console but perhaps ok with
rate limiting)
o while here up max beacon interval to reflect WiFi standard

Noticed by: Martin <nakal@nurfuerspam.de>
MFC after: 1 week

close a race between reclaiming a node when a station is inactive
and sending the null data frame used to probe inactive stations

MFC after: 5 days

split xmit of probe request frame out into a separate routine that
takes explicit parameters; this will be needed when scanning is
decoupled from the state machine to do bg scanning

MFC after: 3 days

split 802.11 frame xmit setup code into ieee80211_send_setup

MFC after: 3 days

simplify tim callback api

MFC after: 3 days

simplify ieee80211_node_authorize and ieee80211_node_unauthorize api's

MFC after: 3 days

simplifiy ieee80211_send_nulldata api

MFC after: 3 days

Fix handling of data frames queued for a station in power save mode:
don't mark the MORE_DATA bit when taking it off the ps queue, there's
no 802.11 header then; we must wait to do this at encap time so
mark the mbuf instead.

Reviewed by: avatar
Approved by: re (scottl)
Obtained from: Atheros

mark stations authorized during recv processing instead of doing it
as a side effect of sending an auth success frame; sending mgmt
frames should not have side effects

WPA/802.11i interoperability fixes:
o only include capabilities word in the WPA ie when non-zero and
not preauth
o always include the capabilities in the RSN ie

Obtained from: Atheros

add force flag to enmic/demic crypto api for use in xmit fragmentation
and h/w mic verification

Reviewed by: avatar

don't include wme ie in probe request frames; it was meant for probe response
frames--move it there

Noticed by: Ghislain Mary
Submitted by: Michael Wong

correct comparison for null ptr

Noticed by: Coverity Prevent analysis tool

rev 1.19 fixed wpa supplicant but broke wpa authenticator; when operating
as an authenticator need to always check for the unicast key in the node
(as was the case before)

Submitted by: Divy Le Ray

correct check for unicast key being setup; wpa_supplicant in particular
uses only the global key state so looking in the per-node key slot is wrong

Submitted by: Tai-hwa Liang

update node reference count debug msgs to include the node address
since the mac address may not be sufficient to uniquely identify a node

clear IEEE80211_F_WMEUPDATE when building the initial beacon frame so we
don't do an update on the first beacon

handle potential stale values of bssid in neighbor nodes that
can occur after an ibss merge

Submitted by: David Young

bump copyright for 2005

Relearn how WPA keying is supposed to work and fix WPA+WME while
we're at it:
o WPA/802.11i has a unicast key and a group key; in station mode
everything is sent with the unicast key--we were consulting the
destination mac address and incorrectly using the group key
o (perpetuate fallback use of the default tx key to maintain
compatibility with the way wpa_supplicant works)
o correct EAPOL encryption logic to check unicast key instead
of assuming other state implies this
o move QoS encapsulation up to before enmic work so TKIP has the
information required to calculate the pseudo-header
o do not do QoS-encapsulation of EAPOL frames as some ap's do the
wrong thing with such frames (may need to revisit this if ap's
start dropping non-QoS frames from stations assoc'd with QoS)
o move ieee80211_mbuf_adjust closer to its caller

fixup printf arguments for 64-bit machines

Update 802.11 support; too much new functionality to fully describe
here but it includes completed 802.11g, WPA, 802.11i, 802.1x, WME/WMM,
AP-side power-save, crypto plugin framework, authenticator plugin framework,
and access control plugin frameowrk.

Add a new network interface flag, IFF_NEEDSGIANT, which will allow
device drivers to declare that the ifp->if_start() method implemented
by the driver requires Giant in order to operate correctly.

Add a 'struct task' to 'struct ifnet' that can be used to execute a
deferred ifp->if_start() in the event that if_start needs to be called
in a Giant-free environment. To do this, introduce if_start(), a
wrapper function for ifp->if_start(). If the interface can run MPSAFE,
it directly dispatches into the interface start routine. If it can't
run MPSAFE, we're running with debug.mpsafenet != 0, and Giant isn't
currently held, the task is queued to execute in a swi holding Giant
via if_start_deferred().

Modify if_handoff() to use if_start() instead of direct dispatch.
Modify 802.11 to use if_start() instead of direct dispatch.

This is intended to provide increased compatibility for non-MPSAFE
network device drivers in the presence of Giant-free operation via
asynchronous dispatch. However, this commit does not mark any network
interfaces as IFF_NEEDSGIANT.

fix adhoc/ibss operation for drivers that require host support (e.g. ath):

o remove IEEE80211_C_RCVMGT capability
o on transmit craft new nodes as needed using new ieee80211_find_txnode routine
o add ieee80211_find_txnode routine to lookup a node by mac address and
if not present create one when operating in ibss/ahdemo mode; new nodes
are dup'd from bss and the driver is told to treat the node as if a new
association has been created so driver-private state (e.g. rate control
handling) is setup

Obtained from: netbsd (basic idea)

add statistics for all failures and/or abnormal events; still need
to add per-node statistics

include FH/DS parameters element in probe response frames

o add capability to indicate if device receives all management frames
o use recv mgmt capability to decide if outbound frames should be
discarded if no node table entry is present

Honor the short preamble capability/state flag when calculating the
capabilities for outbound management frames. But beware of sending
this when operating on 5GHz channels; some 11a AP's reject association
requests if this bit is set in the capabilities listed.

Obtained from: MADWIFI (with modifications)

o correct logic that checks frame size to decide if a cluaster is needed
o add an assertion to check the max possible packet size

Noticed by: David Young <dyoung@pobox.com>

MFp4 changes to fix locking issues and correct reference
count handling of station entries in hostap mode:

Input path:

o driver is now expected to find the node associated with the
sender of a received frame; use ic_bss if none is located
o driver passes the (referenced) node into ieee80211_input for
use within the wlan module and is responsible for cleaning up
on return
o the antenna state is no longer passed up with each frame; this
is now considered driver-private state and drivers are responsible
for keeping it in the driver-private part of a node

Output path:

Revamp output path for management frames to eliminate redundant
locking that causes problems and to correct reference counting
bogosity that occurs when stations are timed out due to inactivity
(in AP mode). On output the refcnt'd node is stashed in the pkthdr's
recvif field (yech) and retrieved by the driver. This eliminates
an unref/ref scenario and related node table unlock/lock due to the
driver looking up the node. This is particularly important when
stations are timed out as this causes a lock order reversal that
can result in a deadlock. As a byproduct we also reduce the overhead
for sending management frames (minimal). Additional fallout from
this is a change to ieee80211_encap to return a refcn't node for
tieing to the outbound frame. Node refcnts are not reclaimed until
after a frame is completely processed (e.g. in the tx interrupt
handler). This is especially important for timed out stations as
this deref will be the final one causing the node entry to be
reclaimed.

Additional semi-related changes:
o replace m_copym use with m_copypacket (optimization)
o add assert to verify ic_bss is never free'd during normal operation
o add comments explaining calling conventions by drivers for frames
going in each direction
o remove extraneous code that "cannot be executed" (e.g. because
pointers may never be null)

add monitor mode

revise copyright notices per discussion with Atsushi Onoe <onoe@sm.sony.co.jp>

new 802.11 layer:

o code reorg (relative to old netbsd-derived code) for future growth
o drivers now specify available channels and rates and 802.11 layer handles
almost all ifmedia actions
o multi-mode support for 11a/b/g devices
o 11g protocol additions (incomplete)
o new element id additions (for other than 11g)
o node/station table redone for proper locking and to eliminate driver
incestuousness
o split device flags and capabilities to reduce confusion and provide room
for expansion
o incomplete power management infrastructure (need to revisit)
o incomplete hooks for software retry
o more...