From d590fbd255cecd4c3a4c267e7ca377772574cf72 Mon Sep 17 00:00:00 2001 From: Felix Fietkau Date: Fri, 27 Aug 2021 12:15:07 +0200 Subject: [PATCH] wireless: always enable bpdu filter for AP interfaces and VLANs Regular AP/VLAN interfaces using 3-address modes should transmit any STP packets, since devices behind them can not be part of any working bridge topology. Enable a feature that drops any incoming or outgoing STP packets. This does not apply to WDS AP VLAN or client mode interfaces, since they could act as a proper bridge link Signed-off-by: Felix Fietkau
---
 device.h | 1 + system-linux.c | 8 ++++++++ wireless.c | 2 ++ 3 files changed, 11 insertions(+)
diff --git a/device.h b/device.h
index 4f80caa..88cce9a 100644
--- a/device.h
+++ b/device.h
@@ -244,6 +244,7 @@ struct device {
 bool wireless;
 bool wireless_ap;
 bool wireless_isolate;
+ bool bpdu_filter;
 struct interface *config_iface;
diff --git a/system-linux.c b/system-linux.c
index 85942a5..355bf69 100644
--- a/system-linux.c
+++ b/system-linux.c
@@ -404,6 +404,11 @@ static void system_bridge_set_hairpin_mode(struct device *dev, const char *val)
 system_set_dev_sysctl("/sys/class/net/%s/brport/hairpin_mode", dev->ifname, val);
 }
+static void system_bridge_set_bpdu_filter(struct device *dev, const char *val)
+{
+ system_set_dev_sysctl("/sys/class/net/%s/brport/bpdu_filter", dev->ifname, val);
+}
+
 static void system_bridge_set_isolated(struct device *dev, const char *val)
 {
 system_set_dev_sysctl("/sys/class/net/%s/brport/isolated", dev->ifname, val);
@@ -893,6 +898,9 @@ retry:
 dev->settings.isolate)
 system_bridge_set_isolated(dev, "1");
+ if (dev->bpdu_filter)
+ system_bridge_set_bpdu_filter(dev, dev->bpdu_filter ? "1" : "0");
+
 return ret;
 }
diff --git a/wireless.c b/wireless.c
index a8fd9dd..61125a4 100644
--- a/wireless.c
+++ b/wireless.c
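Review bot: In the second system-linux.c hunk (after `retry:`) the ternary `dev->bpdu_filter ? "1" : "0"` sits inside `if (dev->bpdu_filter)`, so the `"0"` branch is unreachable and the port attribute is only ever written when the flag is set. If the flag can change from true to false while the port stays in the bridge (for example an interface switched from 3-address AP to WDS), the filter would presumably stay on and STP frames would keep being dropped on a link that is meant to carry them. Either drop the guard and always write the value, `system_bridge_set_bpdu_filter(dev, dev->bpdu_filter ? "1" : "0");`, or keep the guard and pass the literal `"1"`. As far as the hunks show, nothing reports a failed write to `brport/bpdu_filter`, so on a kernel without that attribute AP ports would keep passing client BPDUs into the bridge silently; a debug log on failure would make that visible. The enclosing function starts outside the hunk.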
@@ -332,6 +332,7 @@ static void wireless_interface_handle_link(struct wireless_interface *vif, const
 dev->wireless_isolate = vif->isolate;
 dev->wireless = true;
 dev->wireless_ap = vif->ap_mode;
+ dev->bpdu_filter = dev->wireless_ap && ifname == vif->ifname;
 }
 }
@@ -362,6 +363,7 @@ static void wireless_vlan_handle_link(struct wireless_vlan *vlan, bool up)
 dev->wireless_isolate = vlan->isolate;
 dev->wireless = true;
 dev->wireless_ap = true;
+ dev->bpdu_filter = true;
 }
 }
-- 2.30.2
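Review bot: `ifname == vif->ifname` in the wireless_interface_handle_link hunk compares pointers, not names, so `bpdu_filter` is set only when the caller passes the very same buffer as `vif->ifname`. That looks intentional, since the commit message excludes WDS links, but nothing in the code says so, and a caller passing a copy of the primary name would leave the AP port unfiltered without any error. I would add a comment on that line such as `/* pointer identity on purpose: only the vif's own interface, not a per-station link passed by name */`. In the wireless_vlan_handle_link hunk the flag is set to `true` unconditionally; a one-line comment saying these are regular 3-address AP VLAN interfaces would help, given that the message says WDS AP VLANs are excluded. Both functions start outside their hunks, so whether the flag is ever cleared on the `up == false` path cannot be checked from here.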