History log of /freebsd-current/sys/net80211/ieee80211_input.c
Revision Date Author Comments
# e85eb4c8 02-Dec-2023 Bjoern A. Zeeb <bz@FreeBSD.org>

net80211: adjust more VHT structures/fields

Replace ieee80211_ie_vhtcap with ieee80211_vht_cap and
ieee80211_ie_vht_operation with ieee80211_vht_operation.
The "ie" version has the two bytes type/length at the beginning which
we did not actually use as such (the one place doing did just as unused
extra work).

Using the non-"ie" versions allows us to re-use them on shared code.
Using an enum helps us to not accidentally get unsupported or unhandled
values though we cannot use it in the struct as we need to ensure the
field width.

ieee80211_vht_operation is guarded by _KERNEL/WANT_NET80211. While the
header is supposed to be exported to user land historically, software
such as wpa bring their own structure definitions. For in-tree usage
it is only ifconfig which really cares (at least for now).

Sponsored by: The FreeBSD Foundation
MFC after: 3 days
Reviewed by: adrian (earlier), cc
Differential Revision: https://reviews.freebsd.org/D42901


# de607e3c 29-Oct-2023 Bjoern A. Zeeb <bz@FreeBSD.org>

net80211: move net_epoch into net80211

Move the net_epoch into net80211 around the if_input calls and out of
the driver (in this first case LinuxKPI). This reduces coverage but
also allows us to alloc in calls like (*ampdu_rx_start) which do not
actually pass data up the stack.

The follow-up commits will revert b65f813c1ab99448278961c5ca80dc422b1eae29,
21c4082de9e2cf9a0fd81a9a981ab06022956847,
17c328b6aebfa03cd1c2cbfbbc617e3b341bf1e4,
af2441fbc7fa9e522e7f8697e5a181bdd4ff9e00,
and 6c3e93cb5a4aa4b8a2d8d4d326f2a7c34d3a4458 for ath.

Sponsored by: The FreeBSD Foundation
MFC after: 3 days
Tested by: few (rtwn, ath, iwlwifi, ...)
Reviewed by: adrian
Differential Revision: https://reviews.freebsd.org/D42427


# 685dc743 16-Aug-2023 Warner Losh <imp@FreeBSD.org>

sys: Remove $FreeBSD$: one-line .c pattern

Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/


# 4d846d26 10-May-2023 Warner Losh <imp@FreeBSD.org>

spdx: The BSD-2-Clause-FreeBSD identifier is obsolete, drop -FreeBSD

The SPDX folks have obsoleted the BSD-2-Clause-FreeBSD identifier. Catch
up to that fact and revert to their recommended match of BSD-2-Clause.

Discussed with: pfg
MFC After: 3 days
Sponsored by: Netflix


# 3d0d5b21 23-Jan-2023 Justin Hibbits <jhibbits@FreeBSD.org>

IfAPI: Explicitly include <net/if_private.h> in netstack

Summary:
In preparation of making if_t completely opaque outside of the netstack,
explicitly include the header. <net/if_var.h> will stop including the
header in the future.

Sponsored by: Juniper Networks, Inc.
Reviewed by: glebius, melifaro
Differential Revision: https://reviews.freebsd.org/D38200


# bd29f817 17-Aug-2022 Bjoern A. Zeeb <bz@FreeBSD.org>

net80211: consistently use the IEEE80211_M_ memory related options

Replace a malloc() by IEEE80211_MALLOC().
For malloc flags even in the local ieee80211_freebsd.c there was a mix
of both versions M_ and IEEE80211_M_.
Consistently use the IEEE80211_M_ malloc options everywhere.
If the field is changed for malloc, it'll also be changed for the
other accessor functions taking a "how" field to avoid any confusion.

Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Reviewed by: adrian
Differential Revision: https://reviews.freebsd.org/D36249


# 73547826 07-Apr-2022 Bjoern A. Zeeb <bz@FreeBSD.org>

net80211: improve error handling from ieee80211_parse_beacon()

Following up on fb8c87b4f3bfdfac014f9d894fe75fbad0391b24, which was
supposed to go into all supported branches, increase ieee80211_scanparams
status field from 8bit to 32bit (enum size) and add a dedicated error
code for Mesh ID.

Sponsored by: The FreeBSD Foundation


# fb8c87b4 05-Apr-2022 Bjoern A. Zeeb <bz@FreeBSD.org>

net80211: validate Mesh ID length in ieee80211_parse_beacon

Reported by: m00nbsd working with Trend Micro Zero Day Initiative


# 04435a1b 26-Dec-2021 Bjoern A. Zeeb <bz@FreeBSD.org>

net80211: format debug functions as single line

Making use of the debug output was hard given debug lines were run in
parts through vlog (if_printf) and in (multiple) parts through printf(s).

Like some of the functions already have, use a local buffer to format
the string and then use a single if_printf; in addition given these
functions are debug-only, add an extra printf in case we find our
buffers still to be too small so we can adjust for the future.
We already found that 128 characters are too short for some log messages.
Bump the buffer sizes collectively to 256 characters which also is
the maximum of if_vlog() so getting longer would need further changes
elsewhere.

Sponsored by: The FreeBSD Foundation
MFC after: 3 days


# f024bdf1 06-Jun-2021 Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be>

net80211: mitigation against A-MSDU design flaw

Mitigate A-MSDU injection attacks by detecting if the destination address
of a subframe equals an RFC1042 (i.e., LLC/SNAP) header, and if so
dropping the complete A-MSDU frame. This mitigates known attacks,
although new (unknown) aggregation-based attacks may remain possible.

This defense works because in A-MSDU aggregation injection attacks, a
normal encrypted Wi-Fi frame is turned into an A-MSDU frame. This means
the first 6 bytes of the first A-MSDU subframe correspond to an RFC1042
header. In other words, the destination MAC address of the first A-MSDU
subframe contains the start of an RFC1042 header during an aggregation
attack. We can detect this and thereby prevent this specific attack.

This relates to section 7.2 in the 2021 Usenix "FragAttacks" (Fragment
and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation)
paper.

Submitted by: Mathy Vanhoef (Mathy.Vanhoef kuleuven.be)
Security: CVE-2020-24588
PR: 256119
Differential Revision: https://reviews.freebsd.org/D30664
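
An added example of the check this commit message describes; it is not the committed FreeBSD code. The function name, verdict codes and both byte strings are constructed for illustration, and the walk applies the destination-address test to every subframe while also validating subframe lengths.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 1042 LLC/SNAP header: DSAP 0xaa, SSAP 0xaa, control 0x03, OUI 00:00:00. */
static const uint8_t rfc1042_hdr[6] = { 0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00 };

#define AMSDU_SUBHDR_LEN 14	/* DA(6) + SA(6) + length(2, big endian) */

/* Verdict codes are names made up for this example. */
enum amsdu_verdict {
	AMSDU_OK = 0,
	AMSDU_DROP_LLC_DA = -1,		/* a subframe DA is an LLC/SNAP header */
	AMSDU_DROP_MALFORMED = -2	/* truncated or inconsistent lengths */
};

/*
 * Walk the subframes of a decrypted A-MSDU payload. If the destination
 * address of a subframe equals the RFC 1042 header, the buffer is most
 * likely an ordinary frame reinterpreted as an A-MSDU, so the complete
 * A-MSDU is rejected. On AMSDU_OK, *nsub holds the subframe count.
 */
static int
amsdu_check(const uint8_t *buf, size_t len, unsigned *nsub)
{
	size_t off = 0;
	unsigned n = 0;

	if (len == 0)
		return (AMSDU_DROP_MALFORMED);
	while (off < len) {
		const uint8_t *sub = buf + off;
		size_t msdu_len, pad;

		if (len - off < AMSDU_SUBHDR_LEN)
			return (AMSDU_DROP_MALFORMED);
		/* The first 6 bytes of the subframe are its DA. */
		if (memcmp(sub, rfc1042_hdr, sizeof(rfc1042_hdr)) == 0)
			return (AMSDU_DROP_LLC_DA);
		msdu_len = ((size_t)sub[12] << 8) | sub[13];
		if (msdu_len > len - off - AMSDU_SUBHDR_LEN)
			return (AMSDU_DROP_MALFORMED);
		off += AMSDU_SUBHDR_LEN + msdu_len;
		n++;
		/* Every subframe except the last is padded to 4 bytes. */
		if (off < len) {
			pad = (4 - (off & 3)) & 3;
			if (pad > len - off)
				return (AMSDU_DROP_MALFORMED);
			off += pad;
		}
	}
	*nsub = n;
	return (AMSDU_OK);
}

/* Constructed sample: a well-formed A-MSDU with two subframes. */
static const uint8_t amsdu_legit[] = {
	/* subframe 1: DA, SA, length 9, LLC/SNAP + 1 data byte, 1 pad byte */
	0x02, 0x00, 0x00, 0x00, 0x00, 0x01,
	0x02, 0x00, 0x00, 0x00, 0x00, 0x02,
	0x00, 0x09,
	0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00, 0x08, 0x00, 0x45,
	0x00,
	/* subframe 2: DA, SA, length 10, LLC/SNAP + 2 data bytes */
	0x02, 0x00, 0x00, 0x00, 0x00, 0x01,
	0x02, 0x00, 0x00, 0x00, 0x00, 0x03,
	0x00, 0x0a,
	0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00, 0x08, 0x00, 0x45, 0x00
};

/*
 * Constructed sample: the payload of an ordinary data frame (LLC/SNAP
 * followed by the start of an IPv4 header) presented as an A-MSDU.
 */
static const uint8_t amsdu_forged[] = {
	0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00, 0x08, 0x00,
	0x45, 0x00, 0x00, 0x20, 0x00, 0x00, 0x40, 0x00
};

int
main(void)
{
	unsigned n = 0;

	printf("legit:  %d\n", amsdu_check(amsdu_legit, sizeof(amsdu_legit), &n));
	printf("forged: %d\n", amsdu_check(amsdu_forged, sizeof(amsdu_forged), &n));
	return (0);
}
```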


# 11572d7d 06-Jun-2021 Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be>

net80211: reject mixed plaintext/encrypted fragments

ieee80211_defrag() accepts fragmented 802.11 frames in a protected Wi-Fi
network even when some of the fragments are not encrypted.
Track whether the fragments are encrypted or not and only accept
successive ones if they match the state of the first fragment.

This relates to section 6.3 in the 2021 Usenix "FragAttacks" (Fragment
and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation)
paper.

Submitted by: Mathy Vanhoef (Mathy.Vanhoef kuleuven.be)
Security: CVE-2020-26147
PR: 256118
Differential Revision: https://reviews.freebsd.org/D30663
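
An added example of the rule this commit message describes, written as a small stand-alone reassembly state machine; it is not the ieee80211_defrag() code. The struct, function names, return codes and sample fragments are constructed for illustration, and only the frame-control and sequence-control bits needed for the check are modelled.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Bits in the second frame-control byte (802.11 header). */
#define FC1_MORE_FRAG	0x04	/* more fragments follow */
#define FC1_PROTECTED	0x40	/* frame body is encrypted */

#define FRAG_BUF_MAX	2304
#define SEQCTL(seq, frag)	((uint16_t)(((seq) << 4) | ((frag) & 0x0f)))

/* Return codes are names made up for this example. */
enum { FRAG_DROPPED = -1, FRAG_BUFFERED = 0, FRAG_COMPLETE = 1 };

struct defrag_state {
	int	 active;		/* a reassembly is in progress */
	uint16_t seq;			/* sequence number being reassembled */
	uint8_t	 next_frag;		/* fragment number expected next */
	int	 first_protected;	/* Protected bit of fragment 0 */
	size_t	 len;
	uint8_t	 buf[FRAG_BUF_MAX];
};

/*
 * Feed one fragment. A follow-up fragment is accepted only when its
 * Protected bit matches the one recorded for the first fragment, in
 * addition to the usual sequence and fragment number checks. Whether
 * plaintext frames are allowed at all is a separate policy decision
 * that is not modelled here.
 */
static int
defrag_input(struct defrag_state *st, uint8_t fc1, uint16_t seqctl,
    const uint8_t *data, size_t dlen)
{
	uint16_t seq = seqctl >> 4;
	uint8_t frag = seqctl & 0x0f;
	int more = (fc1 & FC1_MORE_FRAG) != 0;
	int prot = (fc1 & FC1_PROTECTED) != 0;

	if (frag == 0) {
		/* A first fragment replaces any partial reassembly. */
		st->active = 0;
		st->len = 0;
		if (dlen > sizeof(st->buf))
			return (FRAG_DROPPED);
		memcpy(st->buf, data, dlen);
		st->len = dlen;
		if (!more)
			return (FRAG_COMPLETE);	/* not fragmented */
		st->active = 1;
		st->seq = seq;
		st->next_frag = 1;
		st->first_protected = prot;
		return (FRAG_BUFFERED);
	}
	if (!st->active || seq != st->seq || frag != st->next_frag ||
	    prot != st->first_protected ||	/* mixed plaintext/encrypted */
	    dlen > sizeof(st->buf) - st->len) {
		st->active = 0;
		st->len = 0;
		return (FRAG_DROPPED);
	}
	memcpy(st->buf + st->len, data, dlen);
	st->len += dlen;
	st->next_frag++;
	if (more)
		return (FRAG_BUFFERED);
	st->active = 0;
	return (FRAG_COMPLETE);
}

/*
 * Run a constructed two-fragment exchange (8 + 4 payload bytes) and
 * return the verdict for the second, final fragment.
 */
static int
defrag_pair(struct defrag_state *st, uint8_t fc1_first, uint8_t fc1_second)
{
	static const uint8_t part[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };
	int r;

	memset(st, 0, sizeof(*st));
	r = defrag_input(st, fc1_first | FC1_MORE_FRAG, SEQCTL(100, 0),
	    part, 8);
	if (r != FRAG_BUFFERED)
		return (r);
	return (defrag_input(st, fc1_second, SEQCTL(100, 1), part, 4));
}
```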


# 662c1305 01-Sep-2020 Mateusz Guzik <mjg@FreeBSD.org>

net: clean up empty lines in .c and .h files


# fe267a55 27-Nov-2017 Pedro F. Giffuni <pfg@FreeBSD.org>

sys: general adoption of SPDX licensing ID tags.

Mainly focus on files that use BSD 2-Clause license, however the tool I
was using misidentified many licenses so this was mostly a manual - error
prone - task.

The Software Package Data Exchange (SPDX) group provides a specification
to make it easier for automated tools to detect and summarize well known
opensource licenses. We are gradually adopting the specification, noting
that the tags are considered only advisory and do not, in any way,
supersede or replace the license texts.

No functional change intended.


# 51172f62 13-Jan-2017 Adrian Chadd <adrian@FreeBSD.org>

[net80211] Initial VHT node upgrade/downgrade support and initial IE parsing.

This is the bulk of the magic to start enabling VHT channel negotiation.
It is absolutely, positively not yet even a complete VHT wave-1 implementation.

* parse IEs in scan, assoc req/resp, probe req/resp;
* break apart the channel upgrade from the HT IE parsing - do it after the
VHT IEs are parsed;
* (dirty! sigh) add channel width decision making in ieee80211_ht.c htinfo_update_chw().
This is the main bit where negotiated channel promotion through IEs occur.
* Shoehorn in VHT node init, teardown, rate control, etc calls like the HT
versions;
* Do VHT channel adjustment where appropriate

Tested:

* monitor mode, ath10k port
* STA mode, ath10k port - VHT20, VHT40, VHT80 modes

TODO:

* IBSS;
* hostap;
* (ignore mesh, wds for now);
* finish 11n state engine - channel width change, opmode notifications, SMPS, etc;
* VHT basic rate negotiation and acceptance criteria when scanning, associating, etc;
* VHT control/management frame handling (group management and operating mode being
the two big ones);
* Verify TX/RX VHT rate negotiation is actually working correctly.

Whilst here, add some comments about seqno allocation and locking. To achieve
the full VHT rates I need to push seqno allocation into the drivers and
finally remove the IEEE80211_TX_LOCK() I added years ago to fix issues. :/


# bdc7291e 12-Oct-2016 Andriy Voskoboinyk <avos@FreeBSD.org>

net80211: convert all ieee80211_input_mimo*() consumers
to ieee80211_add_rx_params() + drop last (ieee80211_rx_stats) parameter

Note: there is an additional check for ieee80211_get_rx_params()
return value (which does not exist in the original diff).

Reviewed by: adrian
Differential Revision: https://reviews.freebsd.org/D8207


# e97796e2 07-Oct-2016 Adrian Chadd <adrian@FreeBSD.org>

[net80211] extend the ieee80211_rx_stats struct to include more information.

There are a variety of more interesting RX statistics that we should
keep track of but we don't. This is a starting point for adding more
information.

Specifically:

* now the RX rate information and some of the packet status is
passed up;
* The 32 bit or 64 bit TSF is passed up;
* the PHY mode is passed up;
* the "I'm decap'ed AMSDU!" state is passed up;
* number of RX chains is bumped to 4.

This is all mostly a placeholder for getting the data into the RX status
before we pass it up to net80211 - unfortunately we don't yet enforce
that drivers provide it, nor do we pass the provided info back up the
stack so anyone can use the data.

We're going to need to use some of this data moving forward.
Notably, now that some hardware can do AMSDU decap for us (the intel iwm
driver can do it when we flip it on; the ath10k port I'm doing does
it for us) then we need to pass it up through the stack so the duplicate
RX sequence numbers and crypto/IV details don't cause the packet to
be dropped and/or counted against a replay counter.

It's also the beginning of being able to do more interesting node
accounting in net80211. Specifically, once drivers start populating
per-packet rate information, AMPDU information, timestamps, etc,
we can start providing histograms of rate-versus-RSSI, account
for receive time spent per node and other such interesting things.

(Note: I'm also hoping to include ranging and RTT information for
future chipset support; and it's likely going to include it in
this kind of fashion.)


# eb81dc79 06-Aug-2016 Adrian Chadd <adrian@FreeBSD.org>

Extract out the various local definitions of ETHER_IS_BROADCAST() and
turn them into a shared definition.

Set M_MCAST/M_BCAST appropriately upon packet reception in net80211, just
before they are delivered up to the ethernet stack.

Submitted by: rstone


# 8722deef 28-May-2016 Andriy Voskoboinyk <avos@FreeBSD.org>

net80211: fix use-after-free in frame defragmentation procedure.

- Assign frame sequence/fragment number before frame concatenation;
otherwise, frame header pointer (wh) will be invalid.
- Move this code block upper and eliminate duplicate 'lwh = mtod()'
assignment.

Tested with wpi(4) (transmitter) (STA mode) and urtwn(4) (receiver)
(HOSTAP mode).


# 4357a5d1 20-Apr-2016 Andriy Voskoboinyk <avos@FreeBSD.org>

net80211: hide subtype mask & shift in function call.

Hide subtype mask/shift (which is used for index calculation
in ieee80211_mgt_subtype_name[] array) in function call.

Tested with RTL8188CUS, STA mode.

Reviewed by: adrian
Differential Revision: https://reviews.freebsd.org/D5369


# 31021a2b 20-Apr-2016 Andriy Voskoboinyk <avos@FreeBSD.org>

net80211: replace internal LE_READ_*/LE_WRITE_* macro with system
le*dec / le*enc functions.

Replace net80211 specific macros with system-wide bytestream
encoding/decoding functions:
- LE_READ_2 -> le16dec
- LE_READ_4 -> le32dec
- LE_WRITE_2 -> le16enc
- LE_WRITE_4 -> le32enc

+ drop ieee80211_input.h include, where it was included for these
operations only.

Reviewed by: adrian
Differential Revision: https://reviews.freebsd.org/D6030


# f3e24d74 17-Mar-2016 Adrian Chadd <adrian@FreeBSD.org>

[net80211] IE 127 is not MESHEXTCAP, just EXTCAP.

It's not a mesh extended capabilities; it's just extended capabilities.
This is from 802.11-2012 8.4.2.29 (Extended Capabilities element.)


# 523210fb 13-Mar-2016 Adrian Chadd <adrian@FreeBSD.org>

[net80211] handle unlisted information elements.

This displays the IE names in ifconfig but it doesn't yet decode things.

Submitted by: Idwer Vollering <vidwer@gmail.com>
Differential Revision: https://reviews.freebsd.org/D3782


# f6ed0a39 01-Mar-2016 Mark Johnston <markj@FreeBSD.org>

Use m_catpkt(9) to avoid a possible use-after-free in ieee80211_defrag().

m is not guaranteed to be valid after m_cat() returns. The effects of this
are most noticeable when INVARIANTS is enabled, since m's header length
field is given a value of 0xdeadc0de by the trash dtor.

Reviewed by: glebius
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D5497


# b86fd7bc 25-Sep-2015 Adrian Chadd <adrian@FreeBSD.org>

Perform some rather amusing layering violations to add mbuf tags to the
net80211 receive path. This allows drivers (notably USB right now, but
anything/everything!) to optionally defer bulk RX of 802.11 frames until
/outside/ of the driver lock(s), rather than doing:

UNLOCK(sc);
ieee80211_input*()
LOCK(sc);

.. which is really stupid.

The existing API is maintained - if ieee80211_input() / ieee80211_input_all()
is called then the RSSI/NF values are used. If the MIMO versions are called
with a given rx status pointer then it's used. Else, it'll use whatever
is in the RX mbuf tag.


# e14a2a4c 25-May-2015 Gleb Smirnoff <glebius@FreeBSD.org>

Cleanup compat shims for FreeBSD versions that predate 10.0-RELEASE.
There are no plans to merge anything save a trivial bugfix to stable/9.

Discussed with: adrian


# b9b53389 25-May-2015 Adrian Chadd <adrian@FreeBSD.org>

Convert malloc/free back to #define's, as part of OS portability work.

DragonflyBSD uses the FreeBSD wireless stack and drivers. Their malloc()
API is named differently, so they don't have userland/kernel symbol
clashes like we do (think libuinet.)

So, to make it easier for them and to port to other BSDs/other operating
systems, start hiding the malloc specific bits behind defines in
ieee80211_freebsd.h.

DragonflyBSD can now put these portability defines in their local
ieee80211_dragonflybsd.h.

This should be a great big no-op for everyone running wifi.

TODO:

* kill M_WAITOK - some platforms just don't want you to use it
* .. and/or handle it returning NULL rather than waiting forever.
* MALLOC_DEFINE() ?
* Migrate the well-known malloc names (eg M_TEMP) to net80211
namespace defines.


# c79f192c 25-May-2015 Adrian Chadd <adrian@FreeBSD.org>

Begin plumbing ieee80211_rx_stats through the receive path.

Smart NICs with firmware (eg wpi, iwn, the new atheros parts, the intel 7260
series, etc) support doing a lot of things in firmware. This includes but
isn't limited to things like scanning, sending probe requests and receiving
probe responses. However, net80211 doesn't know about any of this - it still
drives the whole scan/probe infrastructure itself.

In order to move towards supporting smart NICs, the receive path needs to
know about the channel/details for each received packet. In at least
the iwn and 7260 firmware (and I believe wpi, but I haven't tried it yet)
it will do the scanning, power-save and off-channel buffering for you -
all you need to do is handle receiving beacons and probe responses on
channels that aren't what you're currently on. However the whole receive
path is peppered with ic->ic_curchan and manual scan/powersave handling.
The beacon parsing code also checks ic->ic_curchan to determine if the
received beacon is on the correct channel or not.[1]

So:

* add freq/ieee values to ieee80211_rx_stats;
* change ieee80211_parse_beacon() to accept the 'current' channel
as an argument;
* modify the iv_input() and iv_recv_mgmt() methods to include the rx_stats;
* add a new method - ieee80211_lookup_channel_rxstats() - that looks up
a channel based on the contents of ieee80211_rx_stats;
* if it exists, use it in the mgmt path to switch the current channel
(which still defaults to ic->ic_curchan) over to something determined
by rx_stats.

This is enough to kick-start scan offload support in the Intel 7260
driver that Rui/I are working on. It also is a good start for scan
offload support for a handful of existing NICs (wpi, iwn, some USB
parts) and it'll very likely dramatically improve stability/performance
there. It's not the whole thing - notably, we don't need to do powersave,
we should not scan all channels, and we should leave probe request sending
to the firmware and not do it ourselves. But, this allows for continued
development on the above features whilst actually having a somewhat
working NIC.

TODO:

* Finish tidying up how the net80211 input path works.
Right now ieee80211_input / ieee80211_input_all act as the top-level
that everything feeds into; it should change so the MIMO input routines
are those and the legacy routines are phased out.

* The band selection should be done by the driver, not by the net80211
layer.

* ieee80211_lookup_channel_rxstats() only determines 11b or 11g channels
for now - this is enough for scanning, but not 100% true in all cases.
If we ever need to handle off-channel scan support for things like
static-40MHz or static-80MHz, or turbo-G, or half/quarter rates,
then we should extend this.

[1] This is a side effect of frequency-hopping and CCK modes - you
can receive beacons when you think you're on a different channel.
In particular, CCK (which is used by the low 11b rates, eg beacons!)
is decodable from adjacent channels - just at a low SNR.
FH is a side effect of having the hardware/firmware do the frequency
hopping - it may pick up beacons transmitted from other FH networks
that are in a different phase of hopping frequencies.


# dea45121 19-Sep-2014 Gleb Smirnoff <glebius@FreeBSD.org>

Mechanically convert to if_inc_counter().


# 76039bc8 26-Oct-2013 Gleb Smirnoff <glebius@FreeBSD.org>

The r48589 promised to remove implicit inclusion of if_var.h soon. Prepare
to this event, adding if_var.h to files that do need it. Also, include
all includes that now are included due to implicit pollution via if_var.h

Sponsored by: Netflix
Sponsored by: Nginx, Inc.


# b1051653 21-Aug-2013 Adrian Chadd <adrian@FreeBSD.org>

Add in some backwards compatibility hacks to make -HEAD net80211 compile
on -9.


# 86bd0491 19-Aug-2013 Andre Oppermann <andre@FreeBSD.org>

Add m_clrprotoflags() to clear protocol specific mbuf flags at up and
downwards layer crossings.

Consistently use it within IP, IPv6 and ethernet protocols.

Discussed with: trociny, glebius


# 23f4fd6d 12-Feb-2013 Gleb Smirnoff <glebius@FreeBSD.org>

Substitute '#ifdef ALIGNED_POINTER' with '#ifndef __NO_STRICT_ALIGNMENT',
since the former is defined everywhere. This cuts off some code not
necessary on non strict alignment arches.

Reviewed by: adrian
Sponsored by: Nginx, Inc.


# c81ceff7 07-Feb-2013 Monthadar Al Jaberi <monthadar@FreeBSD.org>

Start accepting IEEE80211_ACTION_MESH_GANN frames;

* Add IEEE80211_ACTION_MESH_GANN Action frame verification in
ieee80211_parse_action;

Approved by: adrian (mentor)


# eb1b1807 05-Dec-2012 Gleb Smirnoff <glebius@FreeBSD.org>

Mechanically substitute flags from historic mbuf allocator with
malloc(9) flags within sys.

Exceptions:

- sys/contrib not touched
- sys/mbuf.h edited manually


# ebeaa1ad 01-May-2012 Monthadar Al Jaberi <monthadar@FreeBSD.org>

Added Self-protected action category (including MPM).

* Added new action category IEEE80211_ACTION_CAT_SELF_PROT which is used by 11s
for Mesh Peering Management;
* Updated Self protected enum Action codes to start from 1 instead of 0
according to the standard spec;
* Removed old and wrong action categories IEEE80211_ACTION_CAT_MESHPEERING;
* Modified ieee80211_mesh.c and ieee80211_action.c to use the new action
category code;
* Added earlier verification code in ieee80211_input;

Approved by: adrian


# dbab732d 04-Mar-2012 Gleb Smirnoff <glebius@FreeBSD.org>

Fix build w/o 'options IEEE80211_SUPPORT_MESH'.


# bdd2a076 03-Mar-2012 Adrian Chadd <adrian@FreeBSD.org>

* Added IEEE80211_ACTION_CAT_MESH in ieee80211.h as specified amendment spec;
* Moved old categories as specified by D4.0 to be action fields of MESH category
as specified in amendment spec;
* Modified functions to use MESH category and its action fields:
+ ieee80211_send_action_register
+ ieee80211_send_action
+ ieee80211_recv_action_register
+ ieee80211_recv_action;
* Modified ieee80211_hwmp_init and hwmp_send_action so they use correct
action fields as specified in amendment spec;
* Modified ieee80211_parse_action so that it verifies MESH frames.
* Change Mesh Link Metric to use one information element as amendment spec.
Draft 4.0 defined two different information elements for request and response.

Submitted by: monthadar@gmail.com


# de681822 28-Feb-2012 Adrian Chadd <adrian@FreeBSD.org>

Print out the bogus beacon interval.


# 32b0e64b 07-Nov-2011 Adrian Chadd <adrian@FreeBSD.org>

Add 802.11h quiet time element support into net80211.

This supports both station and hostap modes:

* Station mode quiet time element support listens to quiet time
IE's and modifies the local quiet time configuration as appropriate;
* Hostap mode both obeys the locally configured quiet time period
and includes it in beacon frames so stations also can obey as needed.

Submitted by: Himali Patel <himali.patel@sibridgetech.com>
Sponsored by: Sibridge Technologies


# 864ab114 08-Apr-2011 Adrian Chadd <adrian@FreeBSD.org>

Add initial support for MIMO statistics to net80211.

This introduces struct ieee80211_rx_stats - which stores the various kinds
of RX statistics which a MIMO and non-MIMO 802.11 device can export.

It also fleshes out the mimo export to userland (node_getmimoinfo()).

It assumes that MIMO radios (for now) export both ctl and ext channels.
Non-11n MIMO radios are possible (and I believe Atheros made at least
one), so if that chipset support is added, extra flags to the
struct ieee80211_rx_stats can be added to extend this support.

Two new input functions have been added - ieee80211_input_mimo() and
ieee80211_input_mimo_all() - which MIMO-aware devices can call with
MIMO specific statistics.

802.11 devices calling the non-MIMO input functions will still function.


# 96283082 21-Feb-2011 Bernhard Schmidt <bschmidt@FreeBSD.org>

Add a new mgmt subtype "ACTION NO ACK" defined in 802.11n-2009, while here
clean up parts of the *_recv_mgmt() functions.
- make sure appropriate counters are bumped and debug messages are printed
- order the unhandled subtypes by value and add a few missing ones
- fix some whitespace nits
- remove duplicate code in adhoc_recv_mgmt()
- remove a useless comment, probably left in while c&p


# a7d5f7eb 19-Oct-2010 Jamie Gritton <jamie@FreeBSD.org>

A new jail(8) with a configuration file, to replace the work currently done
by /etc/rc.d/jail.


# 0a628155 07-Apr-2010 Rui Paulo <rpaulo@FreeBSD.org>

MFC r205986:
Constify vap argument of ieee80211_{note,discard}* functions.


# d2bc4bf6 31-Mar-2010 Rui Paulo <rpaulo@FreeBSD.org>

Constify vap argument of ieee80211_{note,discard}* functions.

MFC after: 1 week


# f2d3e433 17-Aug-2009 Rui Paulo <rpaulo@FreeBSD.org>

MFC r196316:
Fix a typo in ifdef mesh support. This would make mesh unworkable if
TDMA support was compiled out.

Approved by: re (kib)


# fbe007da 16-Aug-2009 Rui Paulo <rpaulo@FreeBSD.org>

Fix a typo in ifdef mesh support. This would make mesh unworkable if
TDMA support was compiled out.

Approved by: re (kib)


# c104cff2 20-Jul-2009 Rui Paulo <rpaulo@FreeBSD.org>

More mesh bits, namely:
* bridge support (sam)
* handling of errors (sam)
* deletion of inactive routing entries
* more debug msgs (sam)
* fixed some inconsistencies with the spec.
* decap is now specific to mesh (sam)
* print mesh seq. no. on ifconfig list mesh
* small perf. improvements

Reviewed by: sam
Approved by: re (kib)


# 519f677a 18-Jul-2009 Sam Leffler <sam@FreeBSD.org>

Move code that does payload realignment to a new routine, ieee80211_realign,
so it can be reused. While here rewrite the logic to always use a single mbuf.

Reviewed by: rpaulo
Approved by: re (kib)


# 59aa14a9 11-Jul-2009 Rui Paulo <rpaulo@FreeBSD.org>

Implementation of the upcoming Wireless Mesh standard, 802.11s, on the
net80211 wireless stack. This work is based on the March 2009 D3.0 draft
standard. This standard is expected to become final next year.
This includes two main net80211 modules, ieee80211_mesh.c
which deals with peer link management, link metric calculation,
routing table control and mesh configuration and ieee80211_hwmp.c
which deals with the actual routing process on the mesh network.
HWMP is the mandatory routing protocol on by the mesh standard, but
others, such as RA-OLSR, can be implemented.

Authentication and encryption are not implemented.

There are several scripts under tools/tools/net80211/scripts that can be
used to test different mesh network topologies and they also teach you
how to setup a mesh vap (for the impatient: ifconfig wlan0 create
wlandev ... wlanmode mesh).

A new build option is available: IEEE80211_SUPPORT_MESH and it's enabled
by default on GENERIC kernels for i386, amd64, sparc64 and pc98.

Drivers that support mesh networks right now are: ath, ral and mwl.

More information at: http://wiki.freebsd.org/WifiMesh

Please note that this work is experimental. Also, please note that
bridging a mesh vap with another network interface is not yet supported.

Many thanks to the FreeBSD Foundation for sponsoring this project and to
Sam Leffler for his support.
Also, I would like to thank Gateworks Corporation for sending me a
Cambria board which was used during the development of this project.

Reviewed by: sam
Approved by: re (kensmith)
Obtained from: projects/mesh11s


# 2bfc8a91 07-Jun-2009 Sam Leffler <sam@FreeBSD.org>

iv_flags_ext is full, make room by moving HT-related flags to a new
iv_flags_ht word


# c70761e6 04-Jun-2009 Sam Leffler <sam@FreeBSD.org>

o station mode channel switch support
o IEEE80211_IOC_CHANSWITCH fixups:
- restrict to hostap vaps
- return EOPNOTSUPP instead of EINVAL when applied to !hostap vap
or to a vap w/o 11h enabled
- interpret count of 0 to mean cancel the current CSA

Reviewed by: rpaulo, avatar


# e1cfcbcb 01-Jun-2009 Sam Leffler <sam@FreeBSD.org>

Fix monitor mode vaps to work as intended:
o track # bpf taps on monitor mode vaps instead of # monitor mode vaps
o spam monitor mode taps on tx/rx
o fix ieee80211_radiotap_rx_all to dispatch frames only if the vap is up
o while here print radiotap (and superg) state in show com


# c3655fa4 01-Jun-2009 Sam Leffler <sam@FreeBSD.org>

don't dispatch frames to vap's not running


# 5463c4a4 20-May-2009 Sam Leffler <sam@FreeBSD.org>

Overhaul monitor mode handling:
o replace DLT_IEEE802_11 support in net80211 with DLT_IEEE802_11_RADIO
and remove explicit bpf support from wireless drivers; drivers now
use ieee80211_radiotap_attach to setup shared data structures that
hold the radiotap header for each packet tx/rx
o remove rx timestamp from the rx path; it was used only by the tdma support
for debugging and was mostly useless due to it being 32-bits and mostly
unavailable
o track DLT_IEEE80211_RADIO bpf attachments and maintain per-vap and
per-com state when there are active taps
o track the number of monitor mode vaps
o use bpf tap and monitor mode vap state to decide when to collect radiotap
state and dispatch frames; drivers no longer explicitly directly check
bpf state or use bpf calls to tap frames
o handle radiotap state updates on channel change in net80211; drivers
should not do this (unless they bypass net80211 which is almost always
a mistake)
o update various drivers to be more consistent/correct in handling radiotap
o update ral to include TSF in radiotap'd frames
o add promisc mode callback to wi

Reviewed by: cbzimmer, rpaulo, thompsa


# 616190d0 24-Mar-2009 Sam Leffler <sam@FreeBSD.org>

split Atheros SuperG support out into its own file that's included only
with a new IEEE80211_SUPPORT_SUPERG option


# df0d214a 18-Mar-2009 Rui Paulo <rpaulo@FreeBSD.org>

Use plural in a comment. No functional change.


# 10ad9a77 08-Jan-2009 Sam Leffler <sam@FreeBSD.org>

TDMA support for long distance point-to-point links using ath devices:
o add net80211 support for a tdma vap that is built on top of the
existing adhoc-demo support
o add tdma scheduling of frame transmission to the ath driver; it's
conceivable other devices might be capable of this too in which case
they can make use of the 802.11 protocol additions etc.
o add minor bits to user tools that need to know: ifconfig to setup and
configure, new statistics in athstats, and new debug mask bits

While the architecture can support >2 slots in a TDMA BSS the current
design is intended (and tested) for only 2 slots.

Sponsored by: Intel


# e2126dec 18-Dec-2008 Sam Leffler <sam@FreeBSD.org>

convert MALLOC/FREE to malloc/free


# 31378b1c 14-Dec-2008 Sam Leffler <sam@FreeBSD.org>

Fix definition of IEEE80211_CHAN_MAX; it was defined as 255 but
really was meant to be 256. Adjust usage accordingly and replace
bogus usage of this value in checking IEEE channel #'s.

NB: this causes an ABI change; ifconfig must be recompiled


# 643024a2 25-Oct-2008 Sam Leffler <sam@FreeBSD.org>

ignore IEEE80211_ELEMID_PWRCNSTR when parsing beacon/probe response frames
to avoid counting it as an unknown elemid (we often beacon this so it shows
up as a "false positive")


# c5abbba3 23-Oct-2008 Dag-Erling Smørgrav <des@FreeBSD.org>

Revert the removal of the MALLOC and FREE macros from the net80211 code.

Requested by: sam


# 1ede983c 23-Oct-2008 Dag-Erling Smørgrav <des@FreeBSD.org>

Retire the MALLOC and FREE macros. They are an abomination unto style(9).

MFC after: 3 months


# d7f03759 19-Oct-2008 Ulf Lilleengen <lulf@FreeBSD.org>

- Import the HEAD csup code which is the basis for the cvsmode work.


# 6bbdc701 02-Aug-2008 Sam Leffler <sam@FreeBSD.org>

correct decap of AppleTalk and IPX frames; don't strip the SNAP
header as they have one natively

Submitted by: Chris Zimmermann


# b032f27c 20-Apr-2008 Sam Leffler <sam@FreeBSD.org>

Multi-bss (aka vap) support for 802.11 devices.

Note this includes changes to all drivers and moves some device firmware
loading to use firmware(9) and a separate module (e.g. ral). Also there
no longer are separate wlan_scan* modules; this functionality is now
bundled into the wlan module.

Supported by: Hobnob and Marvell
Reviewed by: many
Obtained from: Atheros (some bits)


# 12c5f8a8 02-Feb-2008 Sepherosa Ziehau <sephe@FreeBSD.org>

- Correctly handle ALTQ in ieee80211_deliver_data()
- Add comment from sam that ALTQ probably does not work well with WME

PR: kern/119548
Approved by: sam (mentor)


# 1b6167d2 01-Nov-2007 Sam Leffler <sam@FreeBSD.org>

sync 11n support with vap code base; many changes based on interop
testing with all major vendors

MFC after: 1 week


# eddedabe 05-Sep-2007 Sam Leffler <sam@FreeBSD.org>

Miscellaneous fixups to 802.11 defs:
o update 11n definitions to D2.0 spec
o add IEEE80211_CAPINFO_SPECTRUM_MGMT for DFS support
o add CSA ie definition for DFS support
o purge some unused definitions
o correct 802.11 reason and status codes
o correct reason code returned when a sta tries to associate to an
ap operating with WPA/RSN but without a WPA/RSN ie

Reviewed by: thompsa, avatar
Approved by: re (blanket wireless)


# b1acbdbb 05-Sep-2007 Sam Leffler <sam@FreeBSD.org>

o add M_WEP mbuf flag so drivers can mark frames that are decrypted by the
device and have had the crypto bits stripped from the 802.11 header
o strip mbuf flags in the rx path before passing up the stack

Reviewed by: thompsa, sephe, avatar
Approved by: re (blanket wireless)


# b54b1bab 30-Jun-2007 Andrew Thompson <thompsa@FreeBSD.org>

Change the channel number in the scan results struct to be a pointer to the
operating channel and use this in the scan cache rather than directly using
ic_curchan. Some firmware cards can only do a full scan and so ic_curchan does
not have the correct value.

Also add IEEE80211_CHAN2IEEE to directly dereference ic_ieee from the channel
to be used in the fast path.

Reviewed by: sam, sephe
Approved by: re (kensmith)


# 68e8e04e 10-Jun-2007 Sam Leffler <sam@FreeBSD.org>

Update 802.11 wireless support:
o major overhaul of the way channels are handled: channels are now
fully enumerated and uniquely identify the operating characteristics;
these changes are visible to user applications which require changes
o make scanning support independent of the state machine to enable
background scanning and roaming
o move scanning support into loadable modules based on the operating
mode to enable different policies and reduce the memory footprint
on systems w/ constrained resources
o add background scanning in station mode (no support for adhoc/ibss
mode yet)
o significantly speedup sta mode scanning with a variety of techniques
o add roaming support when background scanning is supported; for now
we use a simple algorithm to trigger a roam: we threshold the rssi
and tx rate, if either drops too low we try to roam to a new ap
o add tx fragmentation support
o add first cut at 802.11n support: this code works with forthcoming
drivers but is incomplete; it's included now to establish a baseline
for other drivers to be developed and for user applications
o adjust max_linkhdr et. al. to reflect 802.11 requirements; this eliminates
prepending mbufs for traffic generated locally
o add support for Atheros protocol extensions; mainly the fast frames
encapsulation (note this can be used with any card that can tx+rx
large frames correctly)
o add sta support for ap's that beacon both WPA1+2 support
o change all data types from bsd-style to posix-style
o propagate noise floor data from drivers to net80211 and on to user apps
o correct various issues in the sta mode state machine related to handling
authentication and association failures
o enable the addition of sta mode power save support for drivers that need
net80211 support (not in this commit)
o remove old WI compatibility ioctls (wicontrol is officially dead)
o change the data structures returned for get sta info and get scan
results so future additions will not break user apps
o fixed tx rate is now maintained internally as an ieee rate and not an
index into the rate set; this needs to be extended to deal with
multi-mode operation
o add extended channel specifications to radiotap to enable 11n sniffing

Drivers:
o ath: add support for bg scanning, tx fragmentation, fast frames,
dynamic turbo (lightly tested), 11n (sniffing only and needs
new hal)
o awi: compile tested only
o ndis: lightly tested
o ipw: lightly tested
o iwi: add support for bg scanning (well tested but may have some
rough edges)
o ral, ural, rum: add support for bg scanning, calibrate rssi data
o wi: lightly tested

This work is based on contributions by Atheros, kmacy, sephe, thompsa,
mlaier, kevlo, and others. Much of the scanning work was supported by
Atheros. The 11n work was supported by Marvell.


# ae8b7333 05-Jun-2007 Sam Leffler <sam@FreeBSD.org>

copyright updates:
o update to include 2007
o switch back to a 2-clause bsd-only license

Reviewed by: onoe


# 70e28b9a 11-Mar-2007 Sam Leffler <sam@FreeBSD.org>

change ieee80211_fix_rate to take a rate set instead of using
ni_rates; this lets us re-use the code to check 11n HT rates

MFC after: 2 weeks


# a000d7c2 11-Mar-2007 Sam Leffler <sam@FreeBSD.org>

expose IEEE80211_DISCARD, IEEE80211_DISCARD_IE, and IEEE80211_DISCARD_MAC
so they can be used within net80211 but outside ieee80211_input.c

MFC after: 2 weeks


# ca700860 11-Mar-2007 Sam Leffler <sam@FreeBSD.org>

improve debug msg for ie's that are too short

MFC after: 2 weeks


# 801df4a5 11-Mar-2007 Sam Leffler <sam@FreeBSD.org>

keep tx/rx seq #'s for non-QoS traffic separate from QoS; stations
aren't supposed to mix traffic but if they did frames might be mis-handled

Obtained from: Atheros
MFC after: 2 weeks


# 0adf0a3b 10-Mar-2007 Sam Leffler <sam@FreeBSD.org>

split check for rate set mismatch on assoc req away from check
for pure 11g mode so we can give meaningful diagnostic msgs

MFC after: 2 weeks


# 9672f023 10-Mar-2007 Sam Leffler <sam@FreeBSD.org>

disallow re-associate with a slot time mismatch

Obtained from: Atheros
MFC after: 2 weeks


# f597faba 10-Mar-2007 Sam Leffler <sam@FreeBSD.org>

move __inline before type to appease gcc 4.x

Obtained from: netbsd


# b265ac32 10-Mar-2007 Sam Leffler <sam@FreeBSD.org>

discard deauth+disassoc frames that are not destined for us; these
can be received when the interface is in promisc mode

Reviewed by: sephe
Obtained from: netbsd


# 3c419c1b 06-Mar-2007 Sam Leffler <sam@FreeBSD.org>

When dispatching frames saved on the power save queue to a
station exiting power save mode prepend them to the driver's
send q instead of appending them. This ensures the packets
are not misordered wrt any packets already q'd for the station.

This corrects a problem noticed when using a VoIP phone talking
to an ath card in ap mode; the misordered packets caused noise.

Submitted by: "J.R. Oldroyd" <jr@opal.com>
MFC after: 2 weeks


# f3b179a4 03-Feb-2007 Sam Leffler <sam@FreeBSD.org>

clear/reclaim challenge text when switching auth mode and operating as an ap

Obtained from: Atheros


# 79edaebf 08-Jan-2007 Sam Leffler <sam@FreeBSD.org>

Correct several issues with rate set negotiation:
o add IEEE80211_F_JOIN flag to ieee80211_fix_rate to indicate a station
is joining a BSS; this is used to control whether or not we over-write
the basic rate bit in the calculated rate set
o fix ieee80211_fix_rate to honor IEEE80211_F_DODEL when IEEE80211_F_DONEGO
is not specified (e.g. when joining an ibss network)
o on sta join always delete unusable rates from the negotiated rate set,
this was being done only for ibss networks but is also needed for 11g bss
with mixed stations
o on sta join delete unusable rates from the bss node's rate set, not the
scan table entry's rate set
o when calculating a rate set for new neighbors in an ibss calculate a
negotiated rate set so drivers are not presented with rates they should
not use

Submitted by: Sepherosa Ziehau (w/ modifications)
Obtained from: DragonFly
MFC after: 1 month


# ab96db10 01-Dec-2006 Sam Leffler <sam@FreeBSD.org>

back out use of LLC_SNAPFRAMELEN now that sizeof(struct llc) isn't
padded on arm


# 8c86f43d 30-Nov-2006 Sam Leffler <sam@FreeBSD.org>

sizeof(struct llc) includes padding on arm; use LLC_SNAPFRAMELEN for now

Submitted by: jhay
MFC after: 2 weeks


# 78ba57b9 17-Sep-2006 Andre Oppermann <andre@FreeBSD.org>

Move ethernet VLAN tags from mtags to its own mbuf packet header field
m_pkthdr.ether_vlan. The presence of the M_VLANTAG flag on the mbuf
signifies the presence and validity of its content.

Drivers that support hardware VLAN tag stripping fill in the received
VLAN tag (containing both vlan and priority information) into the
ether_vtag mbuf packet header field:

	m->m_pkthdr.ether_vtag = vlan_id;	/* ntohs()? */
	m->m_flags |= M_VLANTAG;

to mark the packet m with the specified VLAN tag.

On output the driver should check the mbuf for the M_VLANTAG flag to
see if a VLAN tag is present and valid:

	if (m->m_flags & M_VLANTAG) {
		... = m->m_pkthdr.ether_vtag;	/* htons()? */
		... pass tag to hardware ...
	}

VLAN tags are stored in host byte order. Byte swapping may be necessary.

(Note: This driver conversion was mechanical and did not add or remove any
byte swapping in the drivers.)

Remove zone_mtag_vlan UMA zone and MTAG_VLAN definition. No more tag
memory allocations have to be done.

Reviewed by: thompsa, yar
Sponsored by: TCP/IP Optimization Fundraise 2005


# 06efa2f0 09-Aug-2006 Sam Leffler <sam@FreeBSD.org>

minor fixups:
o add some missing stats to the global stat structure
o move accounting work for data frame rx into ieee80211_deliver_data
o add per-sta stats for rx ucast/mcast frames
o set rcvif in ieee80211_deliver_data so callers don't need to

MFC after: 2 weeks


# 5eac3ff7 16-Jul-2006 Sam Leffler <sam@FreeBSD.org>

correct ie length check; need to include fixed part of ie

MFC after: 2 weeks


# 70326a6e 16-Jul-2006 Sam Leffler <sam@FreeBSD.org>

tighten invariant on loops used to parse ie's; this ensures we never
touch data outside the packet (previously we might touch 1 byte); it
also has the happy side effect of working around broken orinoco/agere
firmware that sends malformed association response frames

Help by: Vladimir Egorin


# 16d878cc 02-Jun-2006 Christian S.J. Peron <csjp@FreeBSD.org>

Fix the following bpf(4) race condition which can result in a panic:

(1) bpf peer attaches to interface netif0
(2) Packet is received by netif0
(3) ifp->if_bpf pointer is checked and handed off to bpf
(4) bpf peer detaches from netif0 resulting in ifp->if_bpf being
initialized to NULL.
(5) ifp->if_bpf is dereferenced by bpf machinery
(6) Kaboom

This race condition likely explains the various different kernel panics
reported around sending SIGINT to tcpdump or dhclient processes. But really
this race can result in kernel panics anywhere you have frequent bpf attach
and detach operations with high packet per second load.

Summary of changes:

- Remove the bpf interface's "driverp" member
- When we attach bpf interfaces, we now set the ifp->if_bpf member to the
bpf interface structure. Once this is done, ifp->if_bpf should never be
NULL. [1]
- Introduce bpf_peers_present function, an inline operation which will do
a lockless read of the bpf peer list associated with the interface. It should
be noted that the bpf code will pickup the bpf_interface lock before adding
or removing bpf peers. This should serialize the access to the bpf descriptor
list, removing the race.
- Expose the bpf_if structure in bpf.h so that the bpf_peers_present function
can use it. This also removes the struct bpf_if; hack that was there.
- Adjust all consumers of the raw if_bpf structure to use bpf_peers_present

Now what happens is:

(1) Packet is received by netif0
(2) Check to see if bpf descriptor list is empty
(3) Pickup the bpf interface lock
(4) Hand packet off to process

From the attach/detach side:

(1) Pickup the bpf interface lock
(2) Add/remove from bpf descriptor list

Now that we are storing the bpf interface structure with the ifnet, there is
no need to walk the bpf interface list to locate the correct bpf interface.
We now simply look up the interface, and initialize the pointer. This has a
nice side effect of changing a bpf interface attach operation from O(N) (where
N is the number of bpf interfaces), to O(1).

[1] From now on, we can no longer check ifp->if_bpf to tell us whether or
not we have any bpf peers that might be interested in receiving packets.

In collaboration with: sam@
MFC after: 1 month


# a8eb5364 06-Mar-2006 Sam Leffler <sam@FreeBSD.org>

use m_dup instead of m_copypacket when doing internal bridging
in case packets are modified (e.g. encrypted)

MFC after: 1 week


# 66ef3969 06-Mar-2006 Sam Leffler <sam@FreeBSD.org>

deliver an l2uf frame on sta join to prime the bridge

Obtained from: madwifi
MFC after: 1 week


# 097131ff 06-Mar-2006 Sam Leffler <sam@FreeBSD.org>

when scanning channels marked passive defer probe request until
802.11 traffic is seen; fixes problems with ap's hiding their ssid

Obtained from: atheros
MFC after: 1 week


# e99662a6 23-Jan-2006 Sam Leffler <sam@FreeBSD.org>

s/w beacon miss facility; need to add knobs to fiddle with the settings

MFC after: 2 weeks


# 336ec6a1 23-Jan-2006 Sam Leffler <sam@FreeBSD.org>

bounds check each ie's length when parsing

Obtained from: madwifi
MFC after: 1 week


# d147662c 18-Dec-2005 Gleb Smirnoff <glebius@FreeBSD.org>

- Fix VLAN_INPUT_TAG() macro, so that it doesn't touch mtag in
case if memory allocation failed.
- Remove fourth argument from VLAN_INPUT_TAG(), that was used
incorrectly in almost all drivers. Indicate failure with
mbuf value of NULL.

In collaboration with: yongari, ru, sam


# e701e041 12-Dec-2005 Sam Leffler <sam@FreeBSD.org>

Add ieee80211_beacon_miss for processing sta mode beacon miss events
in the 802.11 layer: we send a directed probe request frame to the
current ap bmiss_max times (w/o answer) before scanning for a new ap.

MFC after: 2 weeks


# be425a0f 03-Dec-2005 Sam Leffler <sam@FreeBSD.org>

Adhoc mode fixups:
o plug memory leak in adhoc mode: on rx the sender may be the
current master so simply checking against ic_bss is not enough
to identify if the packet comes from an unknown sender; must
also check the mac address
o split neighbor node creation into two routines and fillin state
of nodes faked up on xmit when a beacon or probe response frame
is later received; this ensures important state like the rate set
and advertised capabilities are correct

Obtained from: netbsd
MFC after: 1 week


# f219c9d3 30-Nov-2005 Sam Leffler <sam@FreeBSD.org>

fix dynamic changes in short slottime for 11g sta mode: set the
slot time based on the rcvd capabilities, not the existing ones

Obtained from: atheros
MFC after: 1 week


# b5c99415 10-Aug-2005 Sam Leffler <sam@FreeBSD.org>

Clarify/fix handling of the current channel:
o add ic_curchan and use it uniformly for specifying the current
channel instead of overloading ic->ic_bss->ni_chan (or in some
drivers ic_ibss_chan)
o add ieee80211_scanparams structure to encapsulate scanning-related
state captured for rx frames
o move rx beacon+probe response frame handling into separate routines
o change beacon+probe response handling to treat the scan table
more like a scan cache--look for an existing entry before adding
a new one; this combined with ic_curchan use corrects handling of
stations that were previously found at a different channel
o move adhoc neighbor discovery by beacon+probe response frames to
a new ieee80211_add_neighbor routine

Reviewed by: avatar
Tested by: avatar, Michal Mertl
MFC after: 2 weeks


# d365f9c7 07-Aug-2005 Sam Leffler <sam@FreeBSD.org>

Cleanup beacon/listen interval handling:
o separate configured beacon interval from listen interval; this
avoids potential use of one value for the other (e.g. setting
powersavesleep to 0 clobbers the beacon interval used in hostap
or ibss mode)
o bounds check the beacon interval received in probe response and
beacon frames and drop frames with bogus settings; not clear
if we should instead clamp the value as any alteration would
result in mismatched sta+ap configuration and probably be more
confusing (don't want to log to the console but perhaps ok with
rate limiting)
o while here up max beacon interval to reflect WiFi standard

Noticed by: Martin <nakal@nurfuerspam.de>
MFC after: 1 week


# e35ac6b9 05-Aug-2005 Sam Leffler <sam@FreeBSD.org>

fix debug msg typo

MFC after: 3 days


# 97c973ad 05-Aug-2005 Sam Leffler <sam@FreeBSD.org>

Fix handling of frames sent prior to a station being authorized
when operating in ap mode. Previously we allocated a node from the
station table, sent the frame (using the node), then released the
reference that "held the frame in the table". But while the frame
was in flight the node might be reclaimed which could lead to
problems. The solution is to add an ieee80211_tmp_node routine
that crafts a node that does exist in a table and so isn't ever
reclaimed; it exists only so long as the associated frame is in flight.

MFC after: 5 days


# 19ad2dd7 31-Jul-2005 Sam Leffler <sam@FreeBSD.org>

close a race between reclaiming a node when a station is inactive
and sending the null data frame used to probe inactive stations

MFC after: 5 days


# 767cee4f 26-Jul-2005 Sam Leffler <sam@FreeBSD.org>

when bridging internally bypass the bss node as traffic to it
must follow the normal input path

Submitted by: Michal Mertl
MFC after: 5 days


# edfa57d0 22-Jul-2005 Sam Leffler <sam@FreeBSD.org>

simplify tim callback api

MFC after: 3 days


# e4918ecd 22-Jul-2005 Sam Leffler <sam@FreeBSD.org>

simplify ieee80211_node_authorize and ieee80211_node_unauthorize api's

MFC after: 3 days


# f62121ce 22-Jul-2005 Sam Leffler <sam@FreeBSD.org>

simplify ieee80211_send_nulldata api

MFC after: 3 days


# 7d77cd53 22-Jul-2005 Sam Leffler <sam@FreeBSD.org>

simplify rate set api's by removing ic parameter (implicit in node reference)

MFC after: 3 days


# bdad3a10 22-Jul-2005 Sam Leffler <sam@FreeBSD.org>

reject association requests with a wpa/rsn ie when wpa/rsn is not
configured on the ap; previously we either ignored the ie or (possibly)
failed an assertion

Obtained from: Atheros
MFC after: 3 days


# aa8c14c4 22-Jul-2005 Sam Leffler <sam@FreeBSD.org>

missed one in last commit; add device name to discard msgs


# 497c84ae 22-Jul-2005 Sam Leffler <sam@FreeBSD.org>

include device name in discard msgs


# bd6f09d9 22-Jul-2005 Sam Leffler <sam@FreeBSD.org>

add diag msgs for frames discarded because the direction field is wrong


# 1bd482ef 22-Jul-2005 Sam Leffler <sam@FreeBSD.org>

split data frame delivery out to a new function ieee80211_deliver_data


# f6df3191 22-Jul-2005 Sam Leffler <sam@FreeBSD.org>

Diff reduction against p4:
o add ic_flags_ext for eventual extension of ic_flags
o define/reserve flag+capabilities bits for superg,
bg scan, and roaming support
o refactor debug msg macros

MFC after: 3 days


# a3d1edc2 21-Jul-2005 Sam Leffler <sam@FreeBSD.org>

send a response when an auth request is denied due to an acl;
might be better to silently ignore the frame but this way we
give stations a chance of figuring out what's wrong


# 79198e85 21-Jul-2005 Sam Leffler <sam@FreeBSD.org>

remove excess whitespace


# b138c150 21-Jul-2005 Sam Leffler <sam@FreeBSD.org>

use IF_HANDOFF when bridging frames internally so if_start gets
called; fixes communication between associated sta's

MFC after: 3 days


# ac594bdf 10-Jul-2005 Sam Leffler <sam@FreeBSD.org>

nuke assert that duplicates real check

Reviewed by: avatar
Approved by: re (scottl)


# 1a08800d 08-Jul-2005 Sam Leffler <sam@FreeBSD.org>

correct check for high priority wme traffic

Noticed by: Ralf Assmann
Reviewed by: apatti
Approved by: re (scottl)


# c52dab62 08-Jul-2005 Sam Leffler <sam@FreeBSD.org>

fix another instance of the MORE_DATA bit handling for frames on the
power save queue (missed in previous commit)

Submitted by: Bruno Randolf
Approved by: re (scottl)


# c4f040c3 06-Jul-2005 Sam Leffler <sam@FreeBSD.org>

add "pureg" mode for ap operation: reject association requests from
11b-only stations when operating in 11g

Reviewed by: avatar
Approved by: re (scottl)


# bc5627d9 05-Jul-2005 Sam Leffler <sam@FreeBSD.org>

Fix handling of data frames queued for a station in power save mode:
don't mark the MORE_DATA bit when taking it off the ps queue, there's
no 802.11 header then; we must wait to do this at encap time so
mark the mbuf instead.

Reviewed by: avatar
Approved by: re (scottl)
Obtained from: Atheros


# ebdda46c 05-Jul-2005 Sam Leffler <sam@FreeBSD.org>

Fix race condition in handling node reference counts for authenticating
stations in ap mode. Track when a node's first auth frame is
received and use this to decide whether or not to bump the refcnt.
This ensures we only ever bump the refcnt once.

Reviewed by: avatar
Approved by: re (scottl)


# 720bd46e 05-Jul-2005 Tai-hwa Liang <avatar@FreeBSD.org>

Only update the scan entry state based on newly received frames.
This fixes duplicative BSS entries (memory leaks as well) listed in
"ifconfig dev list scan" when a station fails to associate with an AP.

Reviewed by: sam
Approved by: re (scottl)


# bc031652 13-Jun-2005 Sam Leffler <sam@FreeBSD.org>

revert 1.53; it breaks ibss merge

Noticed by: Bruno Randolf
Approved by: re (dwhite)


# 3fd5a5aa 10-Jun-2005 Sam Leffler <sam@FreeBSD.org>

don't look at the wme ie in a beacon unless we negotiated use


# 7f1d8b75 10-Jun-2005 Sam Leffler <sam@FreeBSD.org>

validate the bssid for non-data frames too when operating in
adhoc/ahdemo/hostap modes


# 2cc12ade 10-Jun-2005 Sam Leffler <sam@FreeBSD.org>

o fix wpa w/ wme: don't strip the QoS header on recv as tkip requires
it; instead pass the space occupied by the header down into the
crypto modules (except in the demic case which needs it only when
doing it in s/w)
o while here fix defrag to strip the header from 2nd and later frames
o teach decap code how to handle 4-address frames


# da17aba1 09-Jun-2005 Sam Leffler <sam@FreeBSD.org>

mark stations authorized during recv processing instead of doing it
as a side effect of sending an auth success frame; sending mgmt
frames should not have side effects


# 404265d4 09-Jun-2005 Sam Leffler <sam@FreeBSD.org>

accept disassoc frame in ASSOC state


# 4720ec19 09-Jun-2005 Sam Leffler <sam@FreeBSD.org>

pull some debug msgs up so they're seen more often


# 181181ac 09-Jun-2005 Sam Leffler <sam@FreeBSD.org>

kick the state machine when we receive failure notice from an ap (when
operating in sta mode); this speeds up the state machine, previously
we were acting on a timeout


# 4fd1a57d 09-Jun-2005 Sam Leffler <sam@FreeBSD.org>

discard open auth requests in adhoc mode


# b8d05d3c 09-Jun-2005 Sam Leffler <sam@FreeBSD.org>

reject open auth requests when shared key auth is configured

Obtained from: Atheros


# 84eb84c4 09-Jun-2005 Sam Leffler <sam@FreeBSD.org>

add ieee80211_send_error to encapsulate an idiom


# c789ea8b 09-Jun-2005 Sam Leffler <sam@FreeBSD.org>

o always check if ic_set_tim is !NULL before using it
o add missing call to clear tim after flushing ps q


# ec425115 09-Jun-2005 Sam Leffler <sam@FreeBSD.org>

mark state for protection only when operating in 11g


# 9b4db829 09-Jun-2005 Sam Leffler <sam@FreeBSD.org>

don't reject station based on the PRIVACY bit in the capabilities;
the 802.11 spec says not to

Obtained from: Atheros


# 49d4c02f 09-Jun-2005 Sam Leffler <sam@FreeBSD.org>

correct checks for rate set compatibility


# f1e95a23 09-Jun-2005 Sam Leffler <sam@FreeBSD.org>

record tstamp from beacons received in station mode when associated;
this is needed by drivers that want to resync their timers based on
the tsf of the last recv'd beacon frame


# a634d6a7 08-Jun-2005 Sam Leffler <sam@FreeBSD.org>

o collect dtim period+count from beacons in station mode so drivers
can better program beacon timers
o leave placeholder in com structure for future ap/adhoc mode tim support

Reviewed by: avatar


# 96d88463 05-Jun-2005 Sam Leffler <sam@FreeBSD.org>

add force flag to enmic/demic crypto api for use in xmit fragmentation
and h/w mic verification

Reviewed by: avatar


# 1f298879 03-Apr-2005 Sam Leffler <sam@FreeBSD.org>

change ieee80211_input to return the frame type or -1


# c9a4bb99 26-Mar-2005 Sam Leffler <sam@FreeBSD.org>

when WPA is enabled discard association requests w/o a WPA ie

Submitted by: Divy Le Ray


# 20098591 16-Mar-2005 Sam Leffler <sam@FreeBSD.org>

eliminate use after free in debug code

Noticed by: Coverity Prevent analysis tool


# 0796482d 16-Mar-2005 Sam Leffler <sam@FreeBSD.org>

kill dead code

Noticed by: Coverity Prevent analysis tool


# a0cc3f85 22-Feb-2005 Sam Leffler <sam@FreeBSD.org>

mark timestamp for pending fragments

Noticed by: Jeffrey D. Chung


# acc4f7f5 24-Jan-2005 Sam Leffler <sam@FreeBSD.org>

statically allocate the station/neighbor node table; the deferred
allocation scheme introduced a race condition during device state
transitions


# 4ef04d32 22-Jan-2005 Sam Leffler <sam@FreeBSD.org>

when ssid suppression is enabled don't respond to probe requests
unless our ssid is specified


# 5784a371 18-Jan-2005 Sam Leffler <sam@FreeBSD.org>

correct logic that caused beacon frames received in ibss mode to be
discarded when not scanning


# 44c72e42 18-Jan-2005 Sam Leffler <sam@FreeBSD.org>

move beacon/probe response counting down to after we've decided whether or
not we're going to process the frame; this makes the counters reflect frames
actually processed instead of received (discarded frames were already counted)


# 1f1d7810 31-Dec-2004 Sam Leffler <sam@FreeBSD.org>

bump copyright for 2005


# 2045f699 31-Dec-2004 Sam Leffler <sam@FreeBSD.org>

fixup inactivity timers:
o ic_inact_auth is a bad name, it's the inactivity threshold
for being associated but not authorized; use it that way
o reset ni_inact when switching inactivity thresholds to
minimize the race against the timer (don't want to lock
for this stuff)
o change the inactivity probe threshold from a one-shot to
cover a range: when below this threshold but not expired
send a probe each inactivity interval; should probably
guard against the interval being turned way down as this
could cause us to spam the net with probes


# 65e278a8 31-Dec-2004 Sam Leffler <sam@FreeBSD.org>

don't return prematurely from processing a beacon or probe response frame
when associated; this corrects a problem where doing a scan while associated
caused the associated ap to sometimes not be included in the scan set


# c0fa32ce 31-Dec-2004 Sam Leffler <sam@FreeBSD.org>

change ieee80211_parse_wmeparams to return a unique value when the ie
is invalid so we can distinguish this from needing a parameter update;
fixes dynamic update of wme parameters


# 6b312781 31-Dec-2004 Sam Leffler <sam@FreeBSD.org>

remove stray \n from debug msg


# 8116d318 31-Dec-2004 Sam Leffler <sam@FreeBSD.org>

clear wep bit in 802.11 header after crypto decap so packet
capture doesn't see it


# 8a1b9b6a 08-Dec-2004 Sam Leffler <sam@FreeBSD.org>

Update 802.11 support; too much new functionality to fully describe
here but it includes completed 802.11g, WPA, 802.11i, 802.1x, WME/WMM,
AP-side power-save, crypto plugin framework, authenticator plugin framework,
and access control plugin framework.


# 02b199f1 13-Jun-2004 Max Laier <mlaier@FreeBSD.org>

Link ALTQ to the build and break with ABI for struct ifnet. Please recompile
your (network) modules as well as any userland that might make sense of
sizeof(struct ifnet).
This does not change the queueing yet. These changes will follow in a
separate commit. Same with the driver changes, which need case by case
evaluation.

__FreeBSD_version bump will follow.

Tested-by: (i386)LINT


# 36c6538b 02-Apr-2004 Sam Leffler <sam@FreeBSD.org>

Change handling of probe response frames. Previously we always dropped the
refcnt on the node but left it in the node table. This allows the node table
to hold the results of scanned ap's but for ibss scans left nodes w/o any
driver-private state setup and/or a bad refcnt (when the nodes were timed
out they were prematurely discarded). Now we treat nodes identified for ap
scanning as before but force nodes discovered when scanning for ibss neighbors
to have complete/proper state and hold the refcnt on the node. Any other
nodes created because of these frames are discarded directly (need to optimize
this case to eliminate various work that's immediately discarded).


# 6f3f5a11 02-Apr-2004 Sam Leffler <sam@FreeBSD.org>

always free node reference when processing a probe request frame; was
conditionally doing an unref if operating in adhoc mode which turns
out to be wrong


# c64bfa0f 02-Apr-2004 Sam Leffler <sam@FreeBSD.org>

track node allocation failure stats in ieee80211_alloc_node instead
of each caller

Obtained from: madwifi


# a6381c54 02-Apr-2004 Sam Leffler <sam@FreeBSD.org>

when processing beacon/probe response frames capture "is probe" in a
variable to improve code legibility since we're going to use it more
in forthcoming mods

Obtained from: madwifi


# 4bd067c5 02-Apr-2004 Sam Leffler <sam@FreeBSD.org>

add a case of IEEE80211_ELEMID_IBSSPARMS so the statistic on unknown
elements is more meaningful (will add more with WPA merge)

Obtained from: madwifi


# 7aa40289 02-Apr-2004 Sam Leffler <sam@FreeBSD.org>

when doing internal bridging free the node instead of just dropping the
reference for consistency (explicit refcounting is discouraged)

Obtained from: madwifi


# 9089c48c 02-Apr-2004 Sam Leffler <sam@FreeBSD.org>

when receiving a frame w/ a bad version number don't unref the node; the
driver is responsible for that

Obtained from: madwifi


# 4844aa7d 15-Jan-2004 Atsushi Onoe <onoe@FreeBSD.org>

Add support for FH phy, which will be used by awi driver.
Also some if_media constants to indicate operational mode are changed
to bitmasks to reduce diffs from NetBSD.


# 59571d2b 17-Oct-2003 Sam Leffler <sam@FreeBSD.org>

fix station mode breakage (repeat after me: "test every change, no
matter how small...")


# 1be50176 17-Oct-2003 Sam Leffler <sam@FreeBSD.org>

add statistics for all failures and/or abnormal events; still need
to add per-node statistics


# 627200f8 17-Oct-2003 Sam Leffler <sam@FreeBSD.org>

fixup debug msgs


# 18f897ab 15-Sep-2003 Sam Leffler <sam@FreeBSD.org>

Change input handling to not expect drivers to filter short frames.
In particular, let drivers send up control frames so we can dispatch
them to bpf in monitor mode.

This is the first (small) step to adding more functionality such as
power save mode.


# 0a915fad 19-Aug-2003 Sam Leffler <sam@FreeBSD.org>

MFp4 changes to fix locking issues and correct reference
count handling of station entries in hostap mode:

Input path:

o driver is now expected to find the node associated with the
sender of a received frame; use ic_bss if none is located
o driver passes the (referenced) node into ieee80211_input for
use within the wlan module and is responsible for cleaning up
on return
o the antenna state is no longer passed up with each frame; this
is now considered driver-private state and drivers are responsible
for keeping it in the driver-private part of a node

Output path:

Revamp output path for management frames to eliminate redundant
locking that causes problems and to correct reference counting
bogosity that occurs when stations are timed out due to inactivity
(in AP mode). On output the refcnt'd node is stashed in the pkthdr's
recvif field (yech) and retrieved by the driver. This eliminates
an unref/ref scenario and related node table unlock/lock due to the
driver looking up the node. This is particularly important when
stations are timed out as this causes a lock order reversal that
can result in a deadlock. As a byproduct we also reduce the overhead
for sending management frames (minimal). Additional fallout from
this is a change to ieee80211_encap to return a refcnt'd node for
tying to the outbound frame. Node refcnts are not reclaimed until
after a frame is completely processed (e.g. in the tx interrupt
handler). This is especially important for timed out stations as
this deref will be the final one causing the node entry to be
reclaimed.

Additional semi-related changes:
o replace m_copym use with m_copypacket (optimization)
o add assert to verify ic_bss is never free'd during normal operation
o add comments explaining calling conventions by drivers for frames
going in each direction
o remove extraneous code that "cannot be executed" (e.g. because
pointers may never be null)


# dd0e6ea6 13-Aug-2003 Sam Leffler <sam@FreeBSD.org>

Use IEEE80211_RATE_MAXSIZE instead of IEEE80211_RATE_SIZE to validate the
rate set element id from an AP. This allows stations to associate with
AP's that violate the 802.11 spec by sending >8 rates. This corrects a
recent regression; older code did likewise.


# 2bbe529d 20-Jul-2003 Sam Leffler <sam@FreeBSD.org>

add monitor mode


# a11c9a5c 20-Jul-2003 Sam Leffler <sam@FreeBSD.org>

o change ieee80211_new_state handling to use a proper method that drivers
override in their sub-class; this eliminates the hack of interpreting the
EINPROGRESS return value to mean "don't do any of the normal work"
o correct active scanning so the first channel is only scanned once and so
per-channel passive mode is properly honored
o expose 802.11 FSM state names so every driver doesn't keep a private copy
o eliminate node parameter to ieee80211_begin_scan; it was not being used


# 7535e66a 26-Jun-2003 Sam Leffler <sam@FreeBSD.org>

revise copyright notices per discussion with Atsushi Onoe <onoe@sm.sony.co.jp>


# a296d8af 26-Jun-2003 Sam Leffler <sam@FreeBSD.org>

add comment


# 1300bbb7 25-Jun-2003 Sam Leffler <sam@FreeBSD.org>

fix tcpdump -y IEEE802_11; NBPFILTER was a holdover from netbsd compatibility


# 1a1e1d21 23-Jun-2003 Sam Leffler <sam@FreeBSD.org>

new 802.11 layer:

o code reorg (relative to old netbsd-derived code) for future growth
o drivers now specify available channels and rates and 802.11 layer handles
almost all ifmedia actions
o multi-mode support for 11a/b/g devices
o 11g protocol additions (incomplete)
o new element id additions (for other than 11g)
o node/station table redone for proper locking and to eliminate driver
incestuousness
o split device flags and capabilities to reduce confusion and provide room
for expansion
o incomplete power management infrastructure (need to revisit)
o incomplete hooks for software retry
o more...