├── README.md
├── README
├── patches
    └── 610-drop_low_rssi.patch
└── files
    └── hostapd.sh


/README.md:
--------------------------------------------------------------------------------
1 | # lede-modhostapd
2 | 
3 | Modification to hostapd / wpad that supports restricting AP clients to
4 | only those which have a dBm signal above a settable threshold.
5 | 
6 | Patches apply to LEDE 17.01.4; obtain it from git.lede-project.org
7 | 


--------------------------------------------------------------------------------
/README:
--------------------------------------------------------------------------------
  1 | lede-modhostapd
  2 | 
  3 | Modified version of hostapd / wpad that supports restricting AP clients to
  4 | only those which have a dBm signal above a settable threshold.
  5 | 
  6 | Use with LEDE 17.01.4.  (This version of LEDE includes KRACK attack
  7 |                          countermeasures.)
  8 |                          
  9 | At a public wifi hotspot, you will often find users (STAs) trying to use
 10 | the AP from the fringe area of coverage.  
 11 | This is not desirable for several reasons:
 12 | 
 13 | 1 They must be served at a low data rate and excessive retries, reducing 
 14 |    the usable bandwidth of the AP.
 15 | 2 They create a "hidden node" problem since STA's far on one side of the AP 
 16 |    cannot detect when those far on the other side are transmitting.  This
 17 |    results in packet collisions at the AP, requiring both STAs to retry.
 18 | 3 Users may be outside the intended geographic coverage, such as a cafe.  This
 19 |    is a disadvantage to the owner who established the hotspot to encourage
 20 |    customers to stay inside the business.
 21 |    
 22 | Drawbacks 2 and 3 can be addressed by reducing the transmitter power of 
 23 | the AP.  But that also reduces the signal delivered to all desired users,
 24 | reducing system performance.
 25 | 
 26 | This modification causes hostapd to monitor the signal strength from the 
 27 | STA's.  If they are above a (settable) threshold, operation of the AP 
 28 | proceeds normally.  If a STA's signal is below the threshold, that STA is
 29 | not allowed to connect, or dropped if it is already connected.  Probe requests
 30 | from weak STAs are also dropped.  This may have some usefulness by limiting
 31 | the AP's transmission of Probe Responses in a crowded area.  
 32 | 
 33 | This was tested with LEDE 17.01.4 on ar71xx hardware, specifically a Netgear
 34 | R6100.  The MediaTek driver is known not to work (no signal report on 
 35 | management packets).  Other drivers may or may not work.
 36 | 
 37 | BUILD: 
 38 | Install the LEDE buildroot. (git.lede-project.org/source.git)
 39 | Check out stable version 17.01.4 (git checkout v17.01.4)
 40 | Follow LEDE instructions to build a default config for your router.  Be
 41 | sure one of the variants of wpad is selected (usually wpad-mini or wpad,
 42 | the full version supports 802.1X)
 43 | Copy the files and patches from this git to the buildroot at
 44 |    packages/network/services/hostapd
 45 | Rebuild the hostapd package:
 46 | make package/hostapd/{clean,compile}
 47 | Find the wpad-mini .ipk file in bin/packages/<target>/base
 48 | 
 49 | INSTALL:
 50 | At this point it is ready to install on your router.  Use either your built
 51 | binary or the 17.01.4 release binary from LEDE server.  The official binary
 52 | is preferable because it is compatible with online installation of pre-built
 53 | packages from the official server.
 54 | 
 55 | scp the just built wpad .ipk file your router's /tmp
 56 | also send the hostapd-common ipk (the configuration script)
 57 | ssh to the router
 58 | root@LEDE:~# opkg --force-reinstall install /tmp/hostapd-common<version>.ipk
 59 | root@LEDE:~# opkg --force-reinstall install /tmp/wpad-mini<version>.ipk
 60 | root@LEDE:~# reboot
 61 | A reboot seems to be necessary to get the UCI configuration system working
 62 | properly.
 63 | hostapd should now have restarted with the new version.  Confirm you are 
 64 | running the mod version by checking if the set_required_signal ubus call
 65 | exists:
 66 | root@LEDE:~# ubus -v list | grep set_required_signal
 67 |      "set_required_signal":{"connect":"Integer","stay":"Integer","strikes":
 68 |        "Integer","poll_time":"Integer","reason":"Integer"}
 69 | 
 70 | Important:  For routers with only 4 MB flash, it will not be possible to
 71 | do as shown above and remove the original wpad-mini to install a new one. 
 72 | A complete image must be built and flashed with the new wpad-mini in the squashfs.
 73 | 
 74 | USAGE:
 75 | The threshold signal levels and other parameters can be set through UCI
 76 | in /etc/config/wireless, or through ubus calls.  ubus calls do not require
 77 | restarting the wifi system.
 78 | 
 79 | Configuration is on a per AP basis.  This means that one of your APs can
 80 | have signal limits, while another one on the same radio can have different
 81 | or no limits.
 82 | 
 83 | The following 5 keys are defined:
 84 | 	option signal_connect "-60"  # dBm requred to connect
 85 | 	option signal_stay "-75" # dBm required to stay connected
 86 | 	option signal_strikes "3" # Number of polls below stay threshold before disconnection
 87 | 	option signal_poll_time "10" # Seconds between polls (min. 3, default 10)
 88 | 	option signal_drop_reason "3" # IEEE802.11 reason sent to the STA when it is dropped.
 89 | 	
 90 | The settings above of -60 and -75 are reasonable starting points.  A dBm
 91 | value that is more negative means a weaker signal.  Observing the log with
 92 | typical users will show if the levels should be changed for your application.
 93 | Setting log_level '0' in the per-radio configuration will show more details,
 94 | including the signal measurements of each connected STA at each poll.	
 95 | 
 96 | When running with a "signal_stay" above -128 dBm you should see signal reports: 
 97 | daemon.debug hostapd: wlan0: STA f8:e0:79:XX:XX:XX IAPP: -35 -38 (0)
 98 | daemon.info hostapd: wlan0: IAPP signal poll: 1 STAs, 0 dropped
 99 | The report is instantaneous signal, average signal and (number of strikes)
100 | 
101 | Settable parameters are:
102 | "connect": signal (dBm) required for a received Probe, Auth Request, or 
103 |            Assoc Request to be acted upon.
104 | "stay"   : signal (dBm) required to stay connected.
105 | "strikes" : Number of consecutive bad signal polls allowed before disconnection.
106 |             Default 3.
107 | "poll_time" : Time in seconds between signal polls.  Default 10.
108 | "reason"  : IEEE 802.11 reason that will be transmitted to the STA upon
109 |             disconnection.  Default 3 (Local Choice).  5 (AP too busy) is a
110 |             reasonable alternative.  This does not affect the operation of
111 |             hostapd at all.  It may (or may not) affect what the STA does
112 |             after it has been disconnected.
113 |             
114 | By default, signal_connect and signal_stay are -128 dBm.  This means that
115 | all connections will be accepted and no polling will be done, the same as
116 | with an unmodified hostapd.            
117 | 
118 | The options may be set with a ubus call.  This will not disconnect all the clients
119 | like re-reading the config file does.
120 | 
121 | root@LEDE:~# ubus call hostapd.wlan0 set_required_signal '{"connect":-50,"stay":-50}'
122 | 
123 | Code details:
124 | This project is based mostly on extending the ubus feature which allows dynamically
125 | "banning" a STA based on MAC address.  A hook from the main part of hostapd
126 | calls into the OpenWrt/LEDE-specific ubus.c module whenever a STA sends a
127 | Probe, Authentication Request, or Association Request.  If the STA is not 
128 | on the "banned" list, hostapd_ubus_handle_event will return 0 and hostapd
129 | will respond to the request normally.  If the station is banned, the module
130 | returns -2, which causes hostapd to drop (ignore) the request.
131 | 
132 | So it is straightforward to extend this logic by examining the signal level
133 | metadata accompaining the packet and either accept or deny based on that.
134 | 
135 | Once allowed to connect, it is desirable to monitor the signal level of the
136 | STA and drop them if they move away from the AP.  This is done by the 
137 | hostapd_bss_signal_check() routine.  Once a station is fully connected, 
138 | hostapd offloads the handling of data packets to the kernel driver.  Thus
139 | hostapd is not aware of all packets received from the STA.  It is necessary
140 | to call the driver to take a snapshot of the signal level.  These are the
141 | same level numbers reported by for example iw station dump.
142 | 
143 | Since snapshot signal checks can be momentarilly low, signal_check has several
144 | provisions to discourage the unwarranted dropping of a STA.  First if the 
145 | instantaneous signal is more than 5 dB below the "average", the signal report
146 | is ignored completely.  The higher of the instantaneous and average is
147 | compared to the "stay" threshold.  If it is below threshold, a "strike" is 
148 | recorded for that STA.  When the strikeout count is reached, the STA is de-
149 | authenticated (dropped).  If the signal is above threshold, the strike count
150 | is reset to 0.
151 | 
152 | 


--------------------------------------------------------------------------------
/patches/610-drop_low_rssi.patch:
--------------------------------------------------------------------------------
  1 | --- a/hostapd/config_file.c
  2 | +++ b/hostapd/config_file.c
  3 | @@ -2809,6 +2809,26 @@ static int hostapd_config_fill(struct ho
  4 |  			return 1;
  5 |  		}
  6 |  		conf->send_probe_response = val;
  7 | +#ifdef UBUS_SUPPORT		
  8 | +	} else if (os_strcmp(buf, "signal_connect") == 0) {
  9 | +		bss->signal_auth_min = atoi(pos);
 10 | +	} else if (os_strcmp(buf, "signal_stay") == 0) {
 11 | +		bss->signal_stay_min = atoi(pos);
 12 | +	} else if (os_strcmp(buf, "signal_poll_time") == 0) {
 13 | +		bss->signal_poll_time = atoi(pos);
 14 | +		if (bss->signal_poll_time < 2) {
 15 | +			wpa_printf(MSG_ERROR, "Line %d: invalid signal poll time", line);
 16 | +			return 1;
 17 | +		}
 18 | +	} else if (os_strcmp(buf, "signal_strikes") == 0) {
 19 | +		bss->signal_strikes = atoi(pos);
 20 | +	} else if (os_strcmp(buf, "signal_drop_reason") == 0) {
 21 | +		bss->signal_drop_reason = atoi(pos);
 22 | +		if (bss->signal_drop_reason < 1 || bss->signal_drop_reason > 54) {
 23 | +			wpa_printf(MSG_ERROR, "Line %d: invalid signal drop reason", line);
 24 | +			return 1;
 25 | +		}
 26 | +#endif /* UBUS_SUPPORT */	
 27 |  	} else if (os_strcmp(buf, "supported_rates") == 0) {
 28 |  		if (hostapd_parse_intlist(&conf->supported_rates, pos)) {
 29 |  			wpa_printf(MSG_ERROR, "Line %d: invalid rate list",
 30 | --- a/src/drivers/driver_nl80211.c
 31 | +++ b/src/drivers/driver_nl80211.c
 32 | @@ -5875,6 +5875,8 @@ static int get_sta_handler(struct nl_msg
 33 |  		[NL80211_STA_INFO_TX_FAILED] = { .type = NLA_U32 },
 34 |  		[NL80211_STA_INFO_RX_BYTES64] = { .type = NLA_U64 },
 35 |  		[NL80211_STA_INFO_TX_BYTES64] = { .type = NLA_U64 },
 36 | +		[NL80211_STA_INFO_SIGNAL] = { .type = NLA_U8 },
 37 | +		[NL80211_STA_INFO_SIGNAL_AVG] = { .type = NLA_U8 },
 38 |  	};
 39 |  
 40 |  	nla_parse(tb, NL80211_ATTR_MAX, genlmsg_attrdata(gnlh, 0),
 41 | @@ -5926,6 +5928,12 @@ static int get_sta_handler(struct nl_msg
 42 |  	if (stats[NL80211_STA_INFO_TX_FAILED])
 43 |  		data->tx_retry_failed =
 44 |  			nla_get_u32(stats[NL80211_STA_INFO_TX_FAILED]);
 45 | +	if (stats[NL80211_STA_INFO_SIGNAL])
 46 | +	    data->last_rssi =
 47 | +	        (int) (s8) nla_get_u8(stats[NL80211_STA_INFO_SIGNAL]);
 48 | +	if (stats[NL80211_STA_INFO_SIGNAL_AVG])
 49 | +	    data->last_ack_rssi =
 50 | +	        (int) (s8) nla_get_u8(stats[NL80211_STA_INFO_SIGNAL_AVG]);
 51 |  
 52 |  	return NL_SKIP;
 53 |  }
 54 | --- a/src/ap/ap_config.c
 55 | +++ b/src/ap/ap_config.c
 56 | @@ -78,6 +78,13 @@ void hostapd_config_defaults_bss(struct
 57 |  	bss->eapol_version = EAPOL_VERSION;
 58 |  
 59 |  	bss->max_listen_interval = 65535;
 60 | +#ifdef UBUS_SUPPORT
 61 | +	bss->signal_auth_min = -128;  /* this is lower than any real signal, so all stations will be accepted */
 62 | +	bss->signal_stay_min = -128;
 63 | +	bss->signal_strikes = 3;
 64 | +	bss->signal_poll_time = 10;
 65 | +    bss->signal_drop_reason = 3; /* "Local choice" */
 66 | +#endif /* UBUS_SUPPORT */
 67 |  
 68 |  	bss->pwd_group = 19; /* ECC: GF(p=256) */
 69 |  
 70 | --- a/src/ap/ap_config.h
 71 | +++ b/src/ap/ap_config.h
 72 | @@ -305,6 +305,12 @@ struct hostapd_bss_config {
 73 |  	int wds_sta;
 74 |  	int isolate;
 75 |  	int start_disabled;
 76 | +	int	signal_auth_min;    /* Minimum signal a STA needs to authenticate */
 77 | +	int signal_stay_min;    /* Minimum signal needed to stay connected. */
 78 | +	int signal_poll_time;   /* Time in seconds between checks of connected STAs */
 79 | +	int signal_strikes;     /* Number of consecutive times signal can be low
 80 | +								before dropping the STA.  */
 81 | +	int signal_drop_reason; /* IEEE802.11 reason code transmitted when dropping a STA.  */
 82 |  
 83 |  	int auth_algs; /* bitfield of allowed IEEE 802.11 authentication
 84 |  			* algorithms, WPA_AUTH_ALG_{OPEN,SHARED,LEAP} */
 85 | --- a/src/ap/sta_info.c
 86 | +++ b/src/ap/sta_info.c
 87 | @@ -673,7 +673,9 @@ struct sta_info * ap_sta_add(struct host
 88 |  	sta_track_claim_taxonomy_info(hapd->iface, addr,
 89 |  				      &sta->probe_ie_taxonomy);
 90 |  #endif /* CONFIG_TAXONOMY */
 91 | -
 92 | +#ifdef UBUS_SUPPORT
 93 | +    sta->sig_drop_strikes = 0;
 94 | +#endif /* UBUS_SUPPORT */
 95 |  	return sta;
 96 |  }
 97 |  
 98 | --- a/src/ap/sta_info.h
 99 | +++ b/src/ap/sta_info.h
100 | @@ -226,6 +226,9 @@ struct sta_info {
101 |  	u8 fils_snonce[FILS_NONCE_LEN];
102 |  	u8 fils_session[FILS_SESSION_LEN];
103 |  #endif /* CONFIG_FILS */
104 | +#ifdef UBUS_SUPPORT
105 | +	int sig_drop_strikes;  /* Number of times signal was below threshold. */
106 | +#endif /* UBUS_SUPPORT */
107 |  };
108 |  
109 |  
110 | --- a/src/ap/ubus.c
111 | +++ b/src/ap/ubus.c
112 | @@ -137,6 +137,58 @@ hostapd_bss_ban_client(struct hostapd_da
113 |  	eloop_register_timeout(0, time * 1000, hostapd_bss_del_ban, ban, hapd);
114 |  }
115 |  
116 | +static void
117 | +hostapd_bss_signal_check(void *eloop_data, void *user_ctx)
118 | +/* This is called by an eloop timeout.  All stations in the list are checked
119 | + * for signal level.  This requires calling the driver, since hostapd doesn't
120 | + * see packets from a station once it is fully authorized.
121 | + * Stations with signal level below the threshold will be dropped.
122 | + * Cases where the last RSSI is significantly less than the average are usually
123 | + * a bad reading and should not lead to a drop.
124 | + */
125 | + {   struct hostapd_data *hapd = user_ctx;
126 | +	 struct hostap_sta_driver_data data;
127 | +	 struct sta_info *sta, *sta_next;
128 | +	 u8 addr[ETH_ALEN];  // Buffer the address for logging purposes, in case it is destroyed while dropping
129 | +	 int strikes;        //    same with strike count on this station.
130 | +	 int num_sta = 0;
131 | +	 int num_drop = 0;
132 | +	 int signal_inst;
133 | +	 int signal_avg;
134 | +	
135 | +	 
136 | +	 for (sta = hapd->sta_list; sta; sta = sta_next) {
137 | +		 sta_next = sta->next;
138 | +		 memcpy(addr, sta->addr, ETH_ALEN);
139 | +		 if (!hostapd_drv_read_sta_data(hapd, &data, addr)) { 
140 | +			signal_inst = data.last_rssi;
141 | +			signal_avg = data.last_ack_rssi;
142 | +			num_sta++;
143 | +			strikes = sta->sig_drop_strikes;
144 | +			if (signal_inst > signal_avg) 
145 | +				signal_avg = signal_inst;
146 | +			if (signal_inst > (signal_avg - 5)) {  // ignore unusually low instantaneous signal.
147 | +				if (signal_avg < hapd->conf->signal_stay_min) { // signal bad.
148 | +					strikes = ++sta->sig_drop_strikes;
149 | +				    if (strikes >= hapd->conf->signal_strikes) {  // Struck out--, drop.
150 | +						ap_sta_deauthenticate(hapd, sta, hapd->conf->signal_drop_reason); 
151 | +						num_drop++;
152 | +					}
153 | +				}
154 | +				else {
155 | +					sta->sig_drop_strikes = 0;  // signal OK, reset the strike counter.
156 | +					strikes = 0;
157 | +					}				
158 | +			}
159 | +			hostapd_logger(hapd, addr, HOSTAPD_MODULE_IAPP, HOSTAPD_LEVEL_DEBUG, "%i %i (%i)",
160 | +		        data.last_rssi, data.last_ack_rssi, strikes);
161 | +		 }
162 | +	 }
163 | +	 hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IAPP, HOSTAPD_LEVEL_INFO, "signal poll: %i STAs, %i dropped", num_sta, num_drop); 
164 | +	 
165 | +	 eloop_register_timeout(hapd->conf->signal_poll_time, 0, hostapd_bss_signal_check, eloop_data, hapd); 
166 | + }
167 | + 
168 |  static int
169 |  hostapd_bss_get_clients(struct ubus_context *ctx, struct ubus_object *obj,
170 |  			struct ubus_request_data *req, const char *method,
171 | @@ -416,6 +468,73 @@ hostapd_vendor_elements(struct ubus_cont
172 |  	return UBUS_STATUS_OK;
173 |  }
174 |  
175 | +enum {
176 | +	SIGNAL_CONNECT,
177 | +	SIGNAL_STAY,
178 | +	SIGNAL_STRIKES,
179 | +	SIGNAL_POLL,
180 | +	SIGNAL_DROP_REASON,
181 | +	__SIGNAL_SETTINGS_MAX
182 | +};
183 | +
184 | +static const struct blobmsg_policy sig_policy[__SIGNAL_SETTINGS_MAX] = {
185 | +	[SIGNAL_CONNECT] = {"connect", BLOBMSG_TYPE_INT32},
186 | +	[SIGNAL_STAY] = {"stay", BLOBMSG_TYPE_INT32},
187 | +	[SIGNAL_STRIKES] = {"strikes", BLOBMSG_TYPE_INT32},
188 | +	[SIGNAL_POLL] = {"poll_time", BLOBMSG_TYPE_INT32},
189 | +	[SIGNAL_DROP_REASON] = {"reason", BLOBMSG_TYPE_INT32}
190 | +};
191 | +
192 | +static int
193 | +hostapd_bss_set_signal(struct ubus_context *ctx, struct ubus_object *obj,
194 | +			struct ubus_request_data *req, const char *method,
195 | +			struct blob_attr *msg)
196 | +{
197 | +	struct blob_attr *tb[__SIGNAL_SETTINGS_MAX];
198 | +	struct hostapd_data *hapd = get_hapd_from_object(obj);
199 | +	int sig_stay;
200 | +
201 | +	blobmsg_parse(sig_policy, __SIGNAL_SETTINGS_MAX, tb, blob_data(msg), blob_len(msg));
202 | +
203 | +	if (!tb[SIGNAL_CONNECT])
204 | +		return UBUS_STATUS_INVALID_ARGUMENT;
205 | +	hapd->conf->signal_auth_min = blobmsg_get_u32(tb[SIGNAL_CONNECT]);
206 | +	if (tb[SIGNAL_STAY]) { 
207 | +	    sig_stay = blobmsg_get_u32(tb[SIGNAL_STAY]);
208 | +
209 | +	} 
210 | +	else
211 | +		sig_stay = hapd->conf->signal_auth_min - 5;  // Default is 5 dB lower to stay. 
212 | +	hapd->conf->signal_stay_min = sig_stay;
213 | +	if (tb[SIGNAL_STRIKES]) {
214 | +		hapd->conf->signal_strikes = blobmsg_get_u32(tb[SIGNAL_STRIKES]);
215 | +		if (hapd->conf->signal_strikes < 1)
216 | +		    return UBUS_STATUS_INVALID_ARGUMENT;
217 | +	}
218 | +	else 
219 | +		hapd->conf->signal_strikes = 3;
220 | +	if (tb[SIGNAL_POLL]) {
221 | +		hapd->conf->signal_poll_time = blobmsg_get_u32(tb[SIGNAL_POLL]);
222 | +		if (hapd->conf->signal_poll_time < 3)
223 | +		    return UBUS_STATUS_INVALID_ARGUMENT;
224 | +    }
225 | +    else
226 | +        hapd->conf->signal_poll_time = 10;
227 | +	if (tb[SIGNAL_DROP_REASON]) {
228 | +		hapd->conf->signal_drop_reason = blobmsg_get_u32(tb[SIGNAL_DROP_REASON]);
229 | +		if ((hapd->conf->signal_drop_reason < 1) || (hapd->conf->signal_drop_reason > 35)) // XXX -- look up real limit 
230 | +		    return UBUS_STATUS_INVALID_ARGUMENT;
231 | +    }
232 | +    else
233 | +        hapd->conf->signal_drop_reason = 3;  // Local choice. 5 (AP too busy) is also a good one.
234 | +    		    	
235 | +	eloop_cancel_timeout(hostapd_bss_signal_check, ELOOP_ALL_CTX, ELOOP_ALL_CTX);
236 | +    eloop_register_timeout(3, 0, hostapd_bss_signal_check, NULL, hapd);  // Start up the poll timer.
237 | +	
238 | +	return UBUS_STATUS_OK;
239 | +}
240 | +
241 | +
242 |  static const struct ubus_method bss_methods[] = {
243 |  	UBUS_METHOD_NOARG("get_clients", hostapd_bss_get_clients),
244 |  	UBUS_METHOD("del_client", hostapd_bss_del_client, del_policy),
245 | @@ -427,6 +546,7 @@ static const struct ubus_method bss_meth
246 |  	UBUS_METHOD("switch_chan", hostapd_switch_chan, csa_policy),
247 |  #endif
248 |  	UBUS_METHOD("set_vendor_elements", hostapd_vendor_elements, ve_policy),
249 | +	UBUS_METHOD("set_required_signal", hostapd_bss_set_signal, sig_policy),
250 |  };
251 |  
252 |  static struct ubus_object_type bss_object_type =
253 | @@ -456,6 +576,10 @@ void hostapd_ubus_add_bss(struct hostapd
254 |  	obj->n_methods = bss_object_type.n_methods;
255 |  	ret = ubus_add_object(ctx, obj);
256 |  	hostapd_ubus_ref_inc();
257 | +	/* This should run after the config file has been read, I hope. */
258 | +	if (hapd->conf->signal_stay_min > -128)
259 | +	   eloop_register_timeout(3, 0, hostapd_bss_signal_check, NULL, hapd);  // Start up the poll timer.
260 | + 
261 |  }
262 |  
263 |  void hostapd_ubus_free_bss(struct hostapd_data *hapd)
264 | @@ -504,16 +628,26 @@ int hostapd_ubus_handle_event(struct hos
265 |  		addr = req->mgmt_frame->sa;
266 |  	else
267 |  		addr = req->addr;
268 | -
269 | +		
270 | +	if (req->type < ARRAY_SIZE(types))
271 | +		type = types[req->type];
272 | +		
273 | +    if (req->frame_info && req->type != HOSTAPD_UBUS_PROBE_REQ)  // don't clutter the log with probes.
274 | +        hostapd_logger(hapd, addr, HOSTAPD_MODULE_MLME, HOSTAPD_LEVEL_INFO, "%s request, signal %i %s", 
275 | +                type, req->frame_info->ssi_signal,
276 | +                (req->frame_info->ssi_signal >= hapd->conf->signal_auth_min) ? "(Accepted)" : "(DENIED)");
277 | +// reject weak signals.   
278 | +    if (req->frame_info && req->frame_info->ssi_signal < hapd->conf->signal_auth_min) 
279 | +        return -2;   
280 | +    
281 | +// reject banned MACs.    
282 |  	ban = avl_find_element(&hapd->ubus.banned, addr, ban, avl);
283 | -	if (ban)
284 | -		return -2;
285 | +	if (ban)         
286 | +		return -2;  
287 |  
288 |  	if (!hapd->ubus.obj.has_subscribers)
289 |  		return 0;
290 |  
291 | -	if (req->type < ARRAY_SIZE(types))
292 | -		type = types[req->type];
293 |  
294 |  	blob_buf_init(&b, 0);
295 |  	blobmsg_add_macaddr(&b, "address", addr);
296 | 


--------------------------------------------------------------------------------
/files/hostapd.sh:
--------------------------------------------------------------------------------
  1 | . /lib/functions/network.sh
  2 | 
  3 | wpa_supplicant_add_rate() {
  4 | 	local var="$1"
  5 | 	local val="$(($2 / 1000))"
  6 | 	local sub="$((($2 / 100) % 10))"
  7 | 	append $var "$val" ","
  8 | 	[ $sub -gt 0 ] && append $var "."
  9 | }
 10 | 
 11 | hostapd_add_rate() {
 12 | 	local var="$1"
 13 | 	local val="$(($2 / 100))"
 14 | 	append $var "$val" " "
 15 | }
 16 | 
 17 | hostapd_append_wep_key() {
 18 | 	local var="$1"
 19 | 
 20 | 	wep_keyidx=0
 21 | 	set_default key 1
 22 | 	case "$key" in
 23 | 		[1234])
 24 | 			for idx in 1 2 3 4; do
 25 | 				local zidx
 26 | 				zidx=$(($idx - 1))
 27 | 				json_get_var ckey "key${idx}"
 28 | 				[ -n "$ckey" ] && \
 29 | 					append $var "wep_key${zidx}=$(prepare_key_wep "$ckey")" "$N$T"
 30 | 			done
 31 | 			wep_keyidx=$((key - 1))
 32 | 		;;
 33 | 		*)
 34 | 			append $var "wep_key0=$(prepare_key_wep "$key")" "$N$T"
 35 | 		;;
 36 | 	esac
 37 | }
 38 | 
 39 | hostapd_append_wpa_key_mgmt() {
 40 | 	local auth_type="$(echo $auth_type | tr 'a-z' 'A-Z')"
 41 | 
 42 | 	append wpa_key_mgmt "WPA-$auth_type"
 43 | 	[ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-${auth_type}"
 44 | 	[ "${ieee80211w:-0}" -gt 0 ] && append wpa_key_mgmt "WPA-${auth_type}-SHA256"
 45 | }
 46 | 
 47 | hostapd_add_log_config() {
 48 | 	config_add_boolean \
 49 | 		log_80211 \
 50 | 		log_8021x \
 51 | 		log_radius \
 52 | 		log_wpa \
 53 | 		log_driver \
 54 | 		log_iapp \
 55 | 		log_mlme
 56 | 
 57 | 	config_add_int log_level
 58 | }
 59 | 
 60 | hostapd_common_add_device_config() {
 61 | 	config_add_array basic_rate
 62 | 	config_add_array supported_rates
 63 | 
 64 | 	config_add_string country
 65 | 	config_add_boolean country_ie doth
 66 | 	config_add_string require_mode
 67 | 	config_add_boolean legacy_rates
 68 | 
 69 | 	hostapd_add_log_config
 70 | }
 71 | 
 72 | hostapd_prepare_device_config() {
 73 | 	local config="$1"
 74 | 	local driver="$2"
 75 | 
 76 | 	local base="${config%%.conf}"
 77 | 	local base_cfg=
 78 | 
 79 | 	json_get_vars country country_ie beacon_int:100 doth require_mode legacy_rates
 80 | 
 81 | 	hostapd_set_log_options base_cfg
 82 | 
 83 | 	set_default country_ie 1
 84 | 	set_default doth 1
 85 | 	set_default legacy_rates 1
 86 | 
 87 | 	[ "$hwmode" = "b" ] && legacy_rates=1
 88 | 
 89 | 	[ -n "$country" ] && {
 90 | 		append base_cfg "country_code=$country" "$N"
 91 | 
 92 | 		[ "$country_ie" -gt 0 ] && append base_cfg "ieee80211d=1" "$N"
 93 | 		[ "$hwmode" = "a" -a "$doth" -gt 0 ] && append base_cfg "ieee80211h=1" "$N"
 94 | 	}
 95 | 
 96 | 	local brlist= br
 97 | 	json_get_values basic_rate_list basic_rate
 98 | 	local rlist= r
 99 | 	json_get_values rate_list supported_rates
100 | 
101 | 	[ -n "$hwmode" ] && append base_cfg "hw_mode=$hwmode" "$N"
102 | 	[ "$legacy_rates" -eq 0 ] && set_default require_mode g
103 | 
104 | 	[ "$hwmode" = "g" ] && {
105 | 		[ "$legacy_rates" -eq 0 ] && set_default rate_list "6000 9000 12000 18000 24000 36000 48000 54000"
106 | 		[ -n "$require_mode" ] && set_default basic_rate_list "6000 12000 24000"
107 | 	}
108 | 
109 | 	case "$require_mode" in
110 | 		n) append base_cfg "require_ht=1" "$N";;
111 | 		ac) append base_cfg "require_vht=1" "$N";;
112 | 	esac
113 | 
114 | 	for r in $rate_list; do
115 | 		hostapd_add_rate rlist "$r"
116 | 	done
117 | 
118 | 	for br in $basic_rate_list; do
119 | 		hostapd_add_rate brlist "$br"
120 | 	done
121 | 
122 | 	[ -n "$rlist" ] && append base_cfg "supported_rates=$rlist" "$N"
123 | 	[ -n "$brlist" ] && append base_cfg "basic_rates=$brlist" "$N"
124 | 	append base_cfg "beacon_int=$beacon_int" "$N"
125 | 
126 | 	cat > "$config" <<EOF
127 | driver=$driver
128 | $base_cfg
129 | EOF
130 | }
131 | 
132 | hostapd_common_add_bss_config() {
133 | 	config_add_string 'bssid:macaddr' 'ssid:string'
134 | 	config_add_boolean wds wmm uapsd hidden
135 | 
136 | 	config_add_int maxassoc max_inactivity
137 | 	config_add_boolean disassoc_low_ack isolate short_preamble
138 | 	
139 | 	config_add_int signal_connect signal_stay signal_poll_time \
140 | 		signal_drop_reason signal_strikes
141 | 
142 | 	config_add_int \
143 | 		wep_rekey eap_reauth_period \
144 | 		wpa_group_rekey wpa_pair_rekey wpa_master_rekey
145 | 	config_add_boolean wpa_disable_eapol_key_retries
146 | 
147 | 	config_add_boolean rsn_preauth auth_cache
148 | 	config_add_int ieee80211w
149 | 	config_add_int eapol_version
150 | 
151 | 	config_add_string 'auth_server:host' 'server:host'
152 | 	config_add_string auth_secret
153 | 	config_add_int 'auth_port:port' 'port:port'
154 | 
155 | 	config_add_string acct_server
156 | 	config_add_string acct_secret
157 | 	config_add_int acct_port
158 | 
159 | 	config_add_string dae_client
160 | 	config_add_string dae_secret
161 | 	config_add_int dae_port
162 | 
163 | 	config_add_string nasid
164 | 	config_add_string ownip
165 | 	config_add_string iapp_interface
166 | 	config_add_string eap_type ca_cert client_cert identity anonymous_identity auth priv_key priv_key_pwd
167 | 
168 | 	config_add_int dynamic_vlan vlan_naming
169 | 	config_add_string vlan_tagged_interface vlan_bridge
170 | 	config_add_string vlan_file
171 | 
172 | 	config_add_string 'key1:wepkey' 'key2:wepkey' 'key3:wepkey' 'key4:wepkey' 'password:wpakey'
173 | 
174 | 	config_add_string wpa_psk_file
175 | 
176 | 	config_add_boolean wps_pushbutton wps_label ext_registrar wps_pbc_in_m1
177 | 	config_add_int wps_ap_setup_locked wps_independent
178 | 	config_add_string wps_device_type wps_device_name wps_manufacturer wps_pin
179 | 
180 | 	config_add_boolean ieee80211r pmk_r1_push
181 | 	config_add_int r0_key_lifetime reassociation_deadline
182 | 	config_add_string mobility_domain r1_key_holder
183 | 	config_add_array r0kh r1kh
184 | 
185 | 	config_add_int ieee80211w_max_timeout ieee80211w_retry_timeout
186 | 
187 | 	config_add_string macfilter 'macfile:file'
188 | 	config_add_array 'maclist:list(macaddr)'
189 | 
190 | 	config_add_array bssid_blacklist
191 | 	config_add_array bssid_whitelist
192 | 
193 | 	config_add_int mcast_rate
194 | 	config_add_array basic_rate
195 | 	config_add_array supported_rates
196 | }
197 | 
198 | hostapd_set_bss_options() {
199 | 	local var="$1"
200 | 	local phy="$2"
201 | 	local vif="$3"
202 | 
203 | 	wireless_vif_parse_encryption
204 | 
205 | 	local bss_conf
206 | 	local wep_rekey wpa_group_rekey wpa_pair_rekey wpa_master_rekey wpa_key_mgmt
207 | 
208 | 	json_get_vars \
209 | 		signal_connect signal_stay signal_poll_time signal_drop_reason signal_strikes \
210 | 		wep_rekey wpa_group_rekey wpa_pair_rekey wpa_master_rekey \
211 | 		wpa_disable_eapol_key_retries \
212 | 		maxassoc max_inactivity disassoc_low_ack isolate auth_cache \
213 | 		wps_pushbutton wps_label ext_registrar wps_pbc_in_m1 wps_ap_setup_locked \
214 | 		wps_independent wps_device_type wps_device_name wps_manufacturer wps_pin \
215 | 		macfilter ssid wmm uapsd hidden short_preamble rsn_preauth \
216 | 		iapp_interface eapol_version acct_server acct_secret acct_port \
217 | 		dynamic_vlan ieee80211w
218 | 
219 | 	set_default isolate 0
220 | 	set_default maxassoc 0
221 | 	set_default max_inactivity 0
222 | 	set_default short_preamble 1
223 | 	set_default disassoc_low_ack 1
224 | 	set_default hidden 0
225 | 	set_default wmm 1
226 | 	set_default uapsd 1
227 | 	set_default wpa_disable_eapol_key_retries 0
228 | 	set_default eapol_version 0
229 | 	set_default acct_port 1813
230 | 	set_default signal_connect -128
231 | 	set_default signal_stay -128
232 | 	set_default signal_poll_time 10
233 | 	set_default signal_drop_reason 3
234 | 	set_default signal_strikes 3
235 | 	
236 | 	append bss_conf "ctrl_interface=/var/run/hostapd"
237 | 	if [ "$isolate" -gt 0 ]; then
238 | 		append bss_conf "ap_isolate=$isolate" "$N"
239 | 	fi
240 | 	if [ "$maxassoc" -gt 0 ]; then
241 | 		append bss_conf "max_num_sta=$maxassoc" "$N"
242 | 	fi
243 | 	if [ "$max_inactivity" -gt 0 ]; then
244 | 		append bss_conf "ap_max_inactivity=$max_inactivity" "$N"
245 | 	fi
246 | 
247 | 	append bss_conf "disassoc_low_ack=$disassoc_low_ack" "$N"
248 | 	append bss_conf "preamble=$short_preamble" "$N"
249 | 	append bss_conf "wmm_enabled=$wmm" "$N"
250 | 	append bss_conf "ignore_broadcast_ssid=$hidden" "$N"
251 | 	append bss_conf "uapsd_advertisement_enabled=$uapsd" "$N"
252 | 	if [ "$signal_connect" -gt -128 ]; then
253 | 		append bss_conf "signal_connect=$signal_connect" "$N"
254 | 		append bss_conf "signal_stay=$signal_stay" "$N"
255 | 		append bss_conf "signal_poll_time=$signal_poll_time" "$N"
256 | 		append bss_conf "signal_strikes=$signal_strikes" "$N"
257 | 		append bss_conf "signal_drop_reason=$signal_drop_reason" "$N"
258 | 	fi
259 | 
260 | 	[ "$wpa" -gt 0 ] && {
261 | 		[ -n "$wpa_group_rekey"  ] && append bss_conf "wpa_group_rekey=$wpa_group_rekey" "$N"
262 | 		[ -n "$wpa_pair_rekey"   ] && append bss_conf "wpa_ptk_rekey=$wpa_pair_rekey"    "$N"
263 | 		[ -n "$wpa_master_rekey" ] && append bss_conf "wpa_gmk_rekey=$wpa_master_rekey"  "$N"
264 | 	}
265 | 
266 | 	[ -n "$acct_server" ] && {
267 | 		append bss_conf "acct_server_addr=$acct_server" "$N"
268 | 		append bss_conf "acct_server_port=$acct_port" "$N"
269 | 		[ -n "$acct_secret" ] && \
270 | 			append bss_conf "acct_server_shared_secret=$acct_secret" "$N"
271 | 	}
272 | 
273 | 	local vlan_possible=""
274 | 
275 | 	case "$auth_type" in
276 | 		none)
277 | 			wps_possible=1
278 | 			# Here we make the assumption that if we're in open mode
279 | 			# with WPS enabled, we got to be in unconfigured state.
280 | 			wps_not_configured=1
281 | 		;;
282 | 		psk)
283 | 			json_get_vars key wpa_psk_file
284 | 			if [ ${#key} -lt 8 ]; then
285 | 				wireless_setup_vif_failed INVALID_WPA_PSK
286 | 				return 1
287 | 			elif [ ${#key} -eq 64 ]; then
288 | 				append bss_conf "wpa_psk=$key" "$N"
289 | 			else
290 | 				append bss_conf "wpa_passphrase=$key" "$N"
291 | 			fi
292 | 			[ -n "$wpa_psk_file" ] && {
293 | 				[ -e "$wpa_psk_file" ] || touch "$wpa_psk_file"
294 | 				append bss_conf "wpa_psk_file=$wpa_psk_file" "$N"
295 | 			}
296 | 			[ "$eapol_version" -ge "1" -a "$eapol_version" -le "2" ] && append bss_conf "eapol_version=$eapol_version" "$N"
297 | 
298 | 			wps_possible=1
299 | 		;;
300 | 		eap)
301 | 			json_get_vars \
302 | 				auth_server auth_secret auth_port \
303 | 				dae_client dae_secret dae_port \
304 | 				ownip \
305 | 				eap_reauth_period
306 | 
307 | 			# radius can provide VLAN ID for clients
308 | 			vlan_possible=1
309 | 
310 | 			# legacy compatibility
311 | 			[ -n "$auth_server" ] || json_get_var auth_server server
312 | 			[ -n "$auth_port" ] || json_get_var auth_port port
313 | 			[ -n "$auth_secret" ] || json_get_var auth_secret key
314 | 
315 | 			set_default auth_port 1812
316 | 			set_default dae_port 3799
317 | 
318 | 
319 | 			append bss_conf "auth_server_addr=$auth_server" "$N"
320 | 			append bss_conf "auth_server_port=$auth_port" "$N"
321 | 			append bss_conf "auth_server_shared_secret=$auth_secret" "$N"
322 | 
323 | 			[ -n "$eap_reauth_period" ] && append bss_conf "eap_reauth_period=$eap_reauth_period" "$N"
324 | 
325 | 			[ -n "$dae_client" -a -n "$dae_secret" ] && {
326 | 				append bss_conf "radius_das_port=$dae_port" "$N"
327 | 				append bss_conf "radius_das_client=$dae_client $dae_secret" "$N"
328 | 			}
329 | 
330 | 			[ -n "$ownip" ] && append bss_conf "own_ip_addr=$ownip" "$N"
331 | 			append bss_conf "eapol_key_index_workaround=1" "$N"
332 | 			append bss_conf "ieee8021x=1" "$N"
333 | 
334 | 			[ "$eapol_version" -ge "1" -a "$eapol_version" -le "2" ] && append bss_conf "eapol_version=$eapol_version" "$N"
335 | 		;;
336 | 		wep)
337 | 			local wep_keyidx=0
338 | 			json_get_vars key
339 | 			hostapd_append_wep_key bss_conf
340 | 			append bss_conf "wep_default_key=$wep_keyidx" "$N"
341 | 			[ -n "$wep_rekey" ] && append bss_conf "wep_rekey_period=$wep_rekey" "$N"
342 | 		;;
343 | 	esac
344 | 
345 | 	local auth_algs=$((($auth_mode_shared << 1) | $auth_mode_open))
346 | 	append bss_conf "auth_algs=${auth_algs:-1}" "$N"
347 | 	append bss_conf "wpa=$wpa" "$N"
348 | 	[ -n "$wpa_pairwise" ] && append bss_conf "wpa_pairwise=$wpa_pairwise" "$N"
349 | 
350 | 	set_default wps_pushbutton 0
351 | 	set_default wps_label 0
352 | 	set_default wps_pbc_in_m1 0
353 | 
354 | 	config_methods=
355 | 	[ "$wps_pushbutton" -gt 0 ] && append config_methods push_button
356 | 	[ "$wps_label" -gt 0 ] && append config_methods label
357 | 
358 | 	[ -n "$wps_possible" -a -n "$config_methods" ] && {
359 | 		set_default ext_registrar 0
360 | 		set_default wps_device_type "6-0050F204-1"
361 | 		set_default wps_device_name "Lede AP"
362 | 		set_default wps_manufacturer "www.lede-project.org"
363 | 		set_default wps_independent 1
364 | 
365 | 		wps_state=2
366 | 		[ -n "$wps_configured" ] && wps_state=1
367 | 
368 | 		[ "$ext_registrar" -gt 0 -a -n "$network_bridge" ] && append bss_conf "upnp_iface=$network_bridge" "$N"
369 | 
370 | 		append bss_conf "eap_server=1" "$N"
371 | 		[ -n "$wps_pin" ] && append bss_conf "ap_pin=$wps_pin" "$N"
372 | 		append bss_conf "wps_state=$wps_state" "$N"
373 | 		append bss_conf "device_type=$wps_device_type" "$N"
374 | 		append bss_conf "device_name=$wps_device_name" "$N"
375 | 		append bss_conf "manufacturer=$wps_manufacturer" "$N"
376 | 		append bss_conf "config_methods=$config_methods" "$N"
377 | 		append bss_conf "wps_independent=$wps_independent" "$N"
378 | 		[ -n "$wps_ap_setup_locked" ] && append bss_conf "ap_setup_locked=$wps_ap_setup_locked" "$N"
379 | 		[ "$wps_pbc_in_m1" -gt 0 ] && append bss_conf "pbc_in_m1=$wps_pbc_in_m1" "$N"
380 | 	}
381 | 
382 | 	append bss_conf "ssid=$ssid" "$N"
383 | 	[ -n "$network_bridge" ] && append bss_conf "bridge=$network_bridge" "$N"
384 | 	[ -n "$iapp_interface" ] && {
385 | 		local ifname
386 | 		network_get_device ifname "$iapp_interface" || ifname="$iapp_interface"
387 | 		append bss_conf "iapp_interface=$ifname" "$N"
388 | 	}
389 | 
390 | 	if [ "$wpa" -ge "1" ]; then
391 | 		json_get_vars nasid ieee80211r
392 | 		set_default ieee80211r 0
393 | 		[ -n "$nasid" ] && append bss_conf "nas_identifier=$nasid" "$N"
394 | 
395 | 		if [ "$ieee80211r" -gt "0" ]; then
396 | 			json_get_vars mobility_domain r0_key_lifetime r1_key_holder \
397 | 			reassociation_deadline pmk_r1_push
398 | 			json_get_values r0kh r0kh
399 | 			json_get_values r1kh r1kh
400 | 
401 | 			set_default mobility_domain "4f57"
402 | 			set_default r0_key_lifetime 10000
403 | 			set_default r1_key_holder "00004f577274"
404 | 			set_default reassociation_deadline 1000
405 | 			set_default pmk_r1_push 0
406 | 
407 | 			append bss_conf "mobility_domain=$mobility_domain" "$N"
408 | 			append bss_conf "r0_key_lifetime=$r0_key_lifetime" "$N"
409 | 			append bss_conf "r1_key_holder=$r1_key_holder" "$N"
410 | 			append bss_conf "reassociation_deadline=$reassociation_deadline" "$N"
411 | 			append bss_conf "pmk_r1_push=$pmk_r1_push" "$N"
412 | 
413 | 			for kh in $r0kh; do
414 | 				append bss_conf "r0kh=${kh//,/ }" "$N"
415 | 			done
416 | 			for kh in $r1kh; do
417 | 				append bss_conf "r1kh=${kh//,/ }" "$N"
418 | 			done
419 | 		fi
420 | 
421 | 		append bss_conf "wpa_disable_eapol_key_retries=$wpa_disable_eapol_key_retries" "$N"
422 | 
423 | 		hostapd_append_wpa_key_mgmt
424 | 		[ -n "$wpa_key_mgmt" ] && append bss_conf "wpa_key_mgmt=$wpa_key_mgmt" "$N"
425 | 	fi
426 | 
427 | 	if [ "$wpa" -ge "2" ]; then
428 | 		if [ -n "$network_bridge" -a "$rsn_preauth" = 1 ]; then
429 | 			set_default auth_cache 1
430 | 			append bss_conf "rsn_preauth=1" "$N"
431 | 			append bss_conf "rsn_preauth_interfaces=$network_bridge" "$N"
432 | 		else
433 | 			set_default auth_cache 0
434 | 		fi
435 | 
436 | 		append bss_conf "okc=$auth_cache" "$N"
437 | 		[ "$auth_cache" = 0 ] && append bss_conf "disable_pmksa_caching=1" "$N"
438 | 
439 | 		# RSN -> allow management frame protection
440 | 		case "$ieee80211w" in
441 | 			[012])
442 | 				json_get_vars ieee80211w_max_timeout ieee80211w_retry_timeout
443 | 				append bss_conf "ieee80211w=$ieee80211w" "$N"
444 | 				[ "$ieee80211w" -gt "0" ] && {
445 | 					[ -n "$ieee80211w_max_timeout" ] && \
446 | 						append bss_conf "assoc_sa_query_max_timeout=$ieee80211w_max_timeout" "$N"
447 | 					[ -n "$ieee80211w_retry_timeout" ] && \
448 | 						append bss_conf "assoc_sa_query_retry_timeout=$ieee80211w_retry_timeout" "$N"
449 | 				}
450 | 			;;
451 | 		esac
452 | 	fi
453 | 
454 | 	_macfile="/var/run/hostapd-$ifname.maclist"
455 | 	case "$macfilter" in
456 | 		allow)
457 | 			append bss_conf "macaddr_acl=1" "$N"
458 | 			append bss_conf "accept_mac_file=$_macfile" "$N"
459 | 			# accept_mac_file can be used to set MAC to VLAN ID mapping
460 | 			vlan_possible=1
461 | 		;;
462 | 		deny)
463 | 			append bss_conf "macaddr_acl=0" "$N"
464 | 			append bss_conf "deny_mac_file=$_macfile" "$N"
465 | 		;;
466 | 		*)
467 | 			_macfile=""
468 | 		;;
469 | 	esac
470 | 
471 | 	[ -n "$_macfile" ] && {
472 | 		json_get_vars macfile
473 | 		json_get_values maclist maclist
474 | 
475 | 		rm -f "$_macfile"
476 | 		(
477 | 			for mac in $maclist; do
478 | 				echo "$mac"
479 | 			done
480 | 			[ -n "$macfile" -a -f "$macfile" ] && cat "$macfile"
481 | 		) > "$_macfile"
482 | 	}
483 | 
484 | 	[ -n "$vlan_possible" -a -n "$dynamic_vlan" ] && {
485 | 		json_get_vars vlan_naming vlan_tagged_interface vlan_bridge vlan_file
486 | 		set_default vlan_naming 1
487 | 		append bss_conf "dynamic_vlan=$dynamic_vlan" "$N"
488 | 		append bss_conf "vlan_naming=$vlan_naming" "$N"
489 | 		[ -n "$vlan_bridge" ] && \
490 | 			append bss_conf "vlan_bridge=$vlan_bridge" "$N"
491 | 		[ -n "$vlan_tagged_interface" ] && \
492 | 			append bss_conf "vlan_tagged_interface=$vlan_tagged_interface" "$N"
493 | 		[ -n "$vlan_file" ] && {
494 | 			[ -e "$vlan_file" ] || touch "$vlan_file"
495 | 			append bss_conf "vlan_file=$vlan_file" "$N"
496 | 		}
497 | 	}
498 | 
499 | 	append "$var" "$bss_conf" "$N"
500 | 	return 0
501 | }
502 | 
503 | hostapd_set_log_options() {
504 | 	local var="$1"
505 | 
506 | 	local log_level log_80211 log_8021x log_radius log_wpa log_driver log_iapp log_mlme
507 | 	json_get_vars log_level log_80211 log_8021x log_radius log_wpa log_driver log_iapp log_mlme
508 | 
509 | 	set_default log_level 2
510 | 	set_default log_80211  1
511 | 	set_default log_8021x  1
512 | 	set_default log_radius 1
513 | 	set_default log_wpa    1
514 | 	set_default log_driver 1
515 | 	set_default log_iapp   1
516 | 	set_default log_mlme   1
517 | 
518 | 	local log_mask=$(( \
519 | 		($log_80211  << 0) | \
520 | 		($log_8021x  << 1) | \
521 | 		($log_radius << 2) | \
522 | 		($log_wpa    << 3) | \
523 | 		($log_driver << 4) | \
524 | 		($log_iapp   << 5) | \
525 | 		($log_mlme   << 6)   \
526 | 	))
527 | 
528 | 	append "$var" "logger_syslog=$log_mask" "$N"
529 | 	append "$var" "logger_syslog_level=$log_level" "$N"
530 | 	append "$var" "logger_stdout=$log_mask" "$N"
531 | 	append "$var" "logger_stdout_level=$log_level" "$N"
532 | 
533 | 	return 0
534 | }
535 | 
536 | _wpa_supplicant_common() {
537 | 	local ifname="$1"
538 | 
539 | 	_rpath="/var/run/wpa_supplicant"
540 | 	_config="${_rpath}-$ifname.conf"
541 | }
542 | 
543 | wpa_supplicant_teardown_interface() {
544 | 	_wpa_supplicant_common "$1"
545 | 	rm -rf "$_rpath/$1" "$_config"
546 | }
547 | 
548 | wpa_supplicant_prepare_interface() {
549 | 	local ifname="$1"
550 | 	_w_driver="$2"
551 | 
552 | 	_wpa_supplicant_common "$1"
553 | 
554 | 	json_get_vars mode wds
555 | 
556 | 	[ -n "$network_bridge" ] && {
557 | 		fail=
558 | 		case "$mode" in
559 | 			adhoc)
560 | 				fail=1
561 | 			;;
562 | 			sta)
563 | 				[ "$wds" = 1 ] || fail=1
564 | 			;;
565 | 		esac
566 | 
567 | 		[ -n "$fail" ] && {
568 | 			wireless_setup_vif_failed BRIDGE_NOT_ALLOWED
569 | 			return 1
570 | 		}
571 | 	}
572 | 
573 | 	local ap_scan=
574 | 
575 | 	_w_mode="$mode"
576 | 	_w_modestr=
577 | 
578 | 	[[ "$mode" = adhoc ]] && {
579 | 		ap_scan="ap_scan=2"
580 | 
581 | 		_w_modestr="mode=1"
582 | 	}
583 | 
584 | 	local country_str=
585 | 	[ -n "$country" ] && {
586 | 		country_str="country=$country"
587 | 	}
588 | 
589 | 	wpa_supplicant_teardown_interface "$ifname"
590 | 	cat > "$_config" <<EOF
591 | $ap_scan
592 | $country_str
593 | EOF
594 | 	return 0
595 | }
596 | 
597 | wpa_supplicant_add_network() {
598 | 	local ifname="$1"
599 | 
600 | 	_wpa_supplicant_common "$1"
601 | 	wireless_vif_parse_encryption
602 | 
603 | 	json_get_vars \
604 | 		ssid bssid key \
605 | 		basic_rate mcast_rate \
606 | 		ieee80211w ieee80211r
607 | 
608 | 	set_default ieee80211r 0
609 | 
610 | 	local key_mgmt='NONE'
611 | 	local enc_str=
612 | 	local network_data=
613 | 	local T="	"
614 | 
615 | 	local scan_ssid="scan_ssid=1"
616 | 	local freq wpa_key_mgmt
617 | 
618 | 	[[ "$_w_mode" = "adhoc" ]] && {
619 | 		append network_data "mode=1" "$N$T"
620 | 		[ -n "$channel" ] && {
621 | 			freq="$(get_freq "$phy" "$channel")"
622 | 			append network_data "fixed_freq=1" "$N$T"
623 | 			append network_data "frequency=$freq" "$N$T"
624 | 		}
625 | 
626 | 		scan_ssid="scan_ssid=0"
627 | 
628 | 		[ "$_w_driver" = "nl80211" ] ||	append wpa_key_mgmt "WPA-NONE"
629 | 	}
630 | 
631 | 	[[ "$_w_mode" = "mesh" ]] && {
632 | 		json_get_vars mesh_id
633 | 		ssid="${mesh_id}"
634 | 
635 | 		append network_data "mode=5" "$N$T"
636 | 		[ -n "$channel" ] && {
637 | 			freq="$(get_freq "$phy" "$channel")"
638 | 			append network_data "frequency=$freq" "$N$T"
639 | 		}
640 | 		append wpa_key_mgmt "SAE"
641 | 		scan_ssid=""
642 | 	}
643 | 
644 | 	[ "$_w_mode" = "adhoc" -o "$_w_mode" = "mesh" ] && append network_data "$_w_modestr" "$N$T"
645 | 
646 | 	case "$auth_type" in
647 | 		none) ;;
648 | 		wep)
649 | 			local wep_keyidx=0
650 | 			hostapd_append_wep_key network_data
651 | 			append network_data "wep_tx_keyidx=$wep_keyidx" "$N$T"
652 | 		;;
653 | 		psk)
654 | 			local passphrase
655 | 
656 | 			if [ "$_w_mode" != "mesh" ]; then
657 | 				hostapd_append_wpa_key_mgmt
658 | 			fi
659 | 
660 | 			key_mgmt="$wpa_key_mgmt"
661 | 
662 | 			if [ ${#key} -eq 64 ]; then
663 | 				passphrase="psk=${key}"
664 | 			else
665 | 				passphrase="psk=\"${key}\""
666 | 			fi
667 | 			append network_data "$passphrase" "$N$T"
668 | 		;;
669 | 		eap)
670 | 			hostapd_append_wpa_key_mgmt
671 | 			key_mgmt="$wpa_key_mgmt"
672 | 
673 | 			json_get_vars eap_type identity anonymous_identity ca_cert
674 | 			[ -n "$ca_cert" ] && append network_data "ca_cert=\"$ca_cert\"" "$N$T"
675 | 			[ -n "$identity" ] && append network_data "identity=\"$identity\"" "$N$T"
676 | 			[ -n "$anonymous_identity" ] && append network_data "anonymous_identity=\"$anonymous_identity\"" "$N$T"
677 | 			case "$eap_type" in
678 | 				tls)
679 | 					json_get_vars client_cert priv_key priv_key_pwd
680 | 					append network_data "client_cert=\"$client_cert\"" "$N$T"
681 | 					append network_data "private_key=\"$priv_key\"" "$N$T"
682 | 					append network_data "private_key_passwd=\"$priv_key_pwd\"" "$N$T"
683 | 				;;
684 | 				fast|peap|ttls)
685 | 					json_get_vars auth password ca_cert2 client_cert2 priv_key2 priv_key2_pwd
686 | 					set_default auth MSCHAPV2
687 | 
688 | 					if [ "$auth" = "EAP-TLS" ]; then
689 | 						[ -n "$ca_cert2" ] &&
690 | 							append network_data "ca_cert2=\"$ca_cert2\"" "$N$T"
691 | 						append network_data "client_cert2=\"$client_cert2\"" "$N$T"
692 | 						append network_data "private_key2=\"$priv_key2\"" "$N$T"
693 | 						append network_data "private_key2_passwd=\"$priv_key2_pwd\"" "$N$T"
694 | 					else
695 | 						append network_data "password=\"$password\"" "$N$T"
696 | 					fi
697 | 
698 | 					phase2proto="auth="
699 | 					case "$auth" in
700 | 						"auth"*)
701 | 							phase2proto=""
702 | 						;;
703 | 						"EAP-"*)
704 | 							auth="$(echo $auth | cut -b 5- )"
705 | 							[ "$eap_type" = "ttls" ] &&
706 | 								phase2proto="autheap="
707 | 						;;
708 | 					esac
709 | 					append network_data "phase2=\"$phase2proto$auth\"" "$N$T"
710 | 				;;
711 | 			esac
712 | 			append network_data "eap=$(echo $eap_type | tr 'a-z' 'A-Z')" "$N$T"
713 | 		;;
714 | 	esac
715 | 
716 | 	[ "$mode" = mesh ] || {
717 | 		case "$wpa" in
718 | 			1)
719 | 				append network_data "proto=WPA" "$N$T"
720 | 			;;
721 | 			2)
722 | 				append network_data "proto=RSN" "$N$T"
723 | 			;;
724 | 		esac
725 | 
726 | 		case "$ieee80211w" in
727 | 			[012])
728 | 				[ "$wpa" -ge 2 ] && append network_data "ieee80211w=$ieee80211w" "$N$T"
729 | 			;;
730 | 		esac
731 | 	}
732 | 	local beacon_int brates mrate
733 | 	[ -n "$bssid" ] && append network_data "bssid=$bssid" "$N$T"
734 | 
735 | 	local bssid_blacklist bssid_whitelist
736 | 	json_get_values bssid_blacklist bssid_blacklist
737 | 	json_get_values bssid_whitelist bssid_whitelist
738 | 
739 | 	[ -n "$bssid_blacklist" ] && append network_data "bssid_blacklist=$bssid_blacklist" "$N$T"
740 | 	[ -n "$bssid_whitelist" ] && append network_data "bssid_whitelist=$bssid_whitelist" "$N$T"
741 | 
742 | 	[ -n "$basic_rate" ] && {
743 | 		local br rate_list=
744 | 		for br in $basic_rate; do
745 | 			wpa_supplicant_add_rate rate_list "$br"
746 | 		done
747 | 		[ -n "$rate_list" ] && append network_data "rates=$rate_list" "$N$T"
748 | 	}
749 | 
750 | 	[ -n "$mcast_rate" ] && {
751 | 		local mc_rate=
752 | 		wpa_supplicant_add_rate mc_rate "$mcast_rate"
753 | 		append network_data "mcast_rate=$mc_rate" "$N$T"
754 | 	}
755 | 
756 | 	local ht_str
757 | 	[[ "$_w_mode" = adhoc ]] || ibss_htmode=
758 | 	[ -n "$ibss_htmode" ] && append network_data "htmode=$ibss_htmode" "$N$T"
759 | 
760 | 	cat >> "$_config" <<EOF
761 | network={
762 | 	$scan_ssid
763 | 	ssid="$ssid"
764 | 	key_mgmt=$key_mgmt
765 | 	$network_data
766 | }
767 | EOF
768 | 	return 0
769 | }
770 | 
771 | wpa_supplicant_run() {
772 | 	local ifname="$1"; shift
773 | 
774 | 	_wpa_supplicant_common "$ifname"
775 | 
776 | 	/usr/sbin/wpa_supplicant -B \
777 | 		${network_bridge:+-b $network_bridge} \
778 | 		-P "/var/run/wpa_supplicant-${ifname}.pid" \
779 | 		-D ${_w_driver:-wext} \
780 | 		-i "$ifname" \
781 | 		-c "$_config" \
782 | 		-C "$_rpath" \
783 | 		"$@"
784 | 
785 | 	ret="$?"
786 | 	wireless_add_process "$(cat "/var/run/wpa_supplicant-${ifname}.pid")" /usr/sbin/wpa_supplicant 1
787 | 
788 | 	[ "$ret" != 0 ] && wireless_setup_vif_failed WPA_SUPPLICANT_FAILED
789 | 
790 | 	return $ret
791 | }
792 | 
793 | hostapd_common_cleanup() {
794 | 	killall hostapd wpa_supplicant meshd-nl80211
795 | }
796 | 


--------------------------------------------------------------------------------