Please note: This project is no longer active. The website is kept online for historic purposes only.
If you're looking for a Linux driver for your Atheros WLAN device, you should continue here.

Ticket #278 (new enhancement)

Opened 16 years ago

Last modified 15 years ago

[patch] Allow filtering of traffic between AP clients

Reported by: Matt Brown <>
Assigned to:
Priority: minor
Milestone:
Component: madwifi: 802.11 stack
Version: trunk
Keywords:
Cc:
Patch is attached: 1
Pending:


The following patch integrates madwifi with ebtables (if ebtables is available in your kernel) to allow filtering of traffic passing between clients on an AP.

The patch creates a new table called madwifi that can be manipulated via the standard ebtables tools. The more natural method would be to create a different chain in the existing filter ebtable; however, that is not possible, as it would require the intra-AP packets to pass through the Linux net stack.

One possible use of this patch is to prevent certain types of traffic (e.g., ARP/DHCP replies) from being generated on the wireless network.

Signed off by: Matt Brown <>


madwifi-ebtables.diff (4.4 kB) - added by Matt Brown on 01/03/06 07:38:56.
madwifi ebtables integration
ebtables-2.0.6-madwifi-table.patch (1.4 kB) - added by Steve Bennett <> on 02/02/07 01:28:56.
Patch to ebtables userspace tools to allow use of madwifi table
madwifi-ebtables- (4.7 kB) - added by Steve Bennett <> on 02/02/07 01:43:49.
Updated patch for

Change History

01/03/06 07:38:56 changed by Matt Brown

  • attachment madwifi-ebtables.diff added.

madwifi ebtables integration

01/27/06 13:55:25 changed by

Could you write a little howto on how to use this patch? I successfully applied this patch on revision 1412 and made the drivers. I use kernel 2.6.14 with ebtables enabled as a module. But I cannot find any bridge table named "madwifi", so how can I get this working? Thanks for your answer.

I offer the Ethernet layer to my clients; they connect to the AP. I use pppoe-server with the radius plugin to authenticate them, and this works well. But if they address their cards with their own IPs, they can use the Ethernet layer to communicate with each other. I want to prevent this communication.

01/28/06 00:20:05 changed by Matt Brown

The patch creates a table called madwifi with a chain called FORWARD. I haven't (yet) written a userspace ebtables module so the ebtables tool doesn't yet display these.

However you can still manipulate them:

ebtables -t madwifi -A FORWARD -p arp -j DROP (to drop all ARP packets for example)

ebtables -t madwifi -L

Hope that helps
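What the rules discussed in this ticket (dropping ARP replies and DHCP server replies between AP clients) match at the frame level, as an added example that is not part of the ticket or its attached patches. It is a Python model: FORWARD_CHAIN is a hypothetical stand-in for the madwifi table's FORWARD chain, the sample frames are constructed, and the ebtables match options in the comments are standard ebtables options, not taken from the patch.

```python
import struct

ETH_ARP, ETH_IPV4, UDP = 0x0806, 0x0800, 17

def is_arp_reply(frame):
    # Roughly what "-p ARP --arp-opcode Reply" matches.
    if len(frame) < 14 + 8 or struct.unpack_from("!H", frame, 12)[0] != ETH_ARP:
        return False
    return struct.unpack_from("!H", frame, 14 + 6)[0] == 2  # opcode 2 = reply

def is_dhcp_server_reply(frame):
    # Roughly what "-p IPv4 --ip-proto udp --ip-sport 67" matches.
    if len(frame) < 14 + 20 or struct.unpack_from("!H", frame, 12)[0] != ETH_IPV4:
        return False
    ihl = (frame[14] & 0x0F) * 4  # IP header length, so IP options are skipped
    frag_offset = struct.unpack_from("!H", frame, 14 + 6)[0] & 0x1FFF
    if frame[14 + 9] != UDP or frag_offset or ihl < 20 or len(frame) < 14 + ihl + 2:
        return False  # not UDP, a later fragment, or no UDP header to read
    return struct.unpack_from("!H", frame, 14 + ihl)[0] == 67  # source port 67

# Hypothetical rule list standing in for the madwifi table's FORWARD chain.
FORWARD_CHAIN = [(is_arp_reply, "DROP"), (is_dhcp_server_reply, "DROP")]

def forward_verdict(frame, policy="ACCEPT"):
    """Verdict for one frame bridged between two stations of the same AP."""
    if len(frame) < 14:
        return "DROP"  # truncated Ethernet header: fail closed (a choice made here)
    for match, target in FORWARD_CHAIN:
        if match(frame):
            return target
    return policy

# Constructed sample frames (zero-filled addresses, not captured traffic).
def _eth(ethertype, payload):
    return bytes(12) + struct.pack("!H", ethertype) + payload

def _arp(opcode):
    return _eth(ETH_ARP, struct.pack("!HHBBH", 1, ETH_IPV4, 6, 4, opcode) + bytes(20))

def _udp(sport, dport):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, UDP, 0, bytes(4), bytes(4))
    return _eth(ETH_IPV4, ip + struct.pack("!HHHH", sport, dport, 8, 0))

ARP_REQUEST, ARP_REPLY = _arp(1), _arp(2)
DHCP_DISCOVER, DHCP_OFFER = _udp(68, 67), _udp(67, 68)

if __name__ == "__main__":
    for name in ("ARP_REQUEST", "ARP_REPLY", "DHCP_DISCOVER", "DHCP_OFFER"):
        print(name, forward_verdict(globals()[name]))
```

Client requests (ARP requests, DHCP discovers) still pass under the default ACCEPT policy; only the reply types named in the ticket description are dropped.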

01/30/06 08:42:33 changed by

I don't know where I made a mistake. While inserting the wlan module, it also loads the ebtables module, but the ebtables -t madwifi -L command returns "Bad table name."

Could you help?

01/30/06 08:45:53 changed by

I use only your .diff file to patch the drivers. I DIDN'T use ieee80211_input.c (66.8 kB) - added by anonymous on 01/13/06 11:54:47. ??????

01/30/06 08:55:53 changed by Matt Brown

I've got no idea who added the ieee80211_input.c file or why. Just ignore it. I'll try and get someone to remove it.

With regards to the error you are getting can you check a couple of things:

1) Did the ebtables -t madwifi -A FORWARD ... command work for you?
2) When you load the driver does it print a message like ("AP traffic firewalling support initialised") ?


01/30/06 09:12:38 changed by kelmo

Spurious attachment removed Matt.

01/30/06 09:16:00 changed by

All commands with the -t madwifi option return "Bad table name." Ebtables with the filter table works. Driver reports:

ath_hal: module license 'Proprietary' taints kernel.
ath_hal: (AR5210, AR5211, AR5212, RF5111, RF5112, RF2413, RF5413, DFS)
# wlan: AP traffic firewalling support initialised
# wlan: (Atheros/multi-bss)
ath_rate_sample: 1.2
ath_pci: (Atheros/multi-bss)

I use ebtables v2.0.6

01/30/06 09:27:05 changed by Matt Brown

I'll have to look into this further, it works for me :P

I'm going to be away on Holiday until the 7th Feb so there will be a slight delay before my reply. Sorry.

02/01/06 06:48:34 changed by kelmo

  • patch_attached set to 1.

02/08/06 08:57:37 changed by kinlus

It works for you; what versions of ebtables, kernel and madwifi-ng are you using, please?

02/08/06 10:07:27 changed by Matt Brown


I'm back from Holiday now so I'll try and get to this in the next week, for reference the versions I'm using are:

ebtables: 2.0.6-4 (Debian package)
kernel:
madwifi-ng: r1372 + this patch

Hope that helps.

02/21/06 09:12:34 changed by kinlus


Where did you get the ebtables 2.0.6-4 Debian package? I'm using Debian too, but the latest version I found is 2.0.6-3. Is it possible that my configuration isn't working because of this version difference?

02/21/06 09:26:37 changed by Matt Brown

Sorry, I am using 2.0.6-3, I had mistakenly inflated the version number in our private repository and hence was confused.

02/21/06 09:41:28 changed by kinlus

Never mind, could you help me get this feature working? :)

02/21/06 10:12:54 changed by Matt Brown

It's on my todo list to look into this, but as I said it currently works for me, so I haven't got a lot of time to devote to user support sorry.

I'm also without a laptop at the moment, which makes testing somewhat hard.

03/10/06 11:38:34 changed by anonymous

Hi, are you sure that the version of the patch you uploaded here works? I downloaded/compiled exactly the same version of kernel as you have - , madwifi-ng rev.1372 + this patch + ebtables: 2.0.6-3, but the "ebtables -t madwifi -L" command still returns "Bad table name." ://

03/10/06 14:44:05 changed by

Oh, I forgot to enter my username, it's me - kinlus :)

03/21/06 11:25:50 changed by Malakoudis Panagiotia

Not actually related to the ebtables patch for madwifi, but isn't the functionality kinlus wants already available with the ap_bridge ioctl? In the source code it is described as "AP inter-sta bridging" and defaults to 1 (bridging enabled). Does setting this to 0 with "iwpriv athXX ap_bridge 0" have the result kinlus wants? I am also interested in this feature but cannot try it right now.

03/22/06 15:16:02 changed by

Hi, yes . . iwpriv athXX ap_bridge 0 solves my problem. The result is that the AP clients don't see each other. Thank you very much and thanks to Matt too.

03/23/06 12:03:20 changed by Panagiotis Malakoudis

Nice to hear that kinlus. I tried to email you but your email seems to be blocked from some SMTP servers. If you want please update the "client isolation" ticket (#310) you have opened with this information and close it.

05/16/06 05:30:29 changed by dyqith

This may be a good patch to have, but can it be updated to the latest svn?

Also, maybe fix the bad table name thing...


05/28/06 18:36:35 changed by Mister_X

  • patch_attached set to 1.

fixed patch_attached

02/02/07 01:14:28 changed by Steve Bennett <>

I came across the same problem as kinlus about "Bad table name". It turns out the problem is that the ebtables userspace tools are complaining about this. I'm using ebtables-2.0.6. I will attach a patch for this problem, as well as a few other issues, shortly.

02/02/07 01:28:56 changed by Steve Bennett <>

  • attachment ebtables-2.0.6-madwifi-table.patch added.

Patch to ebtables userspace tools to allow use of madwifi table

02/02/07 01:42:52 changed by Steve Bennett <>

Matt's patch no longer applied cleanly to version I have attached a new version which does. This patch also registers the madwifi table with a FORWARD hook so that the ebtables userspace tools can apply appropriate filtering such as accepting the '--out-if' match.

02/02/07 01:43:49 changed by Steve Bennett <>

  • attachment madwifi-ebtables- added.

Updated patch for

02/02/07 06:41:59 changed by mrenzmann

Thanks for the updated patch, please sign it off so that we can eventually commit it to the repository.

02/02/07 06:47:30 changed by Steve Bennett <>


Both ebtables-2.0.6-madwifi-table.patch and madwifi-ebtables-

Signed-Off-By: Steve Bennett <>