hostapd: fix MAC filter related log spam

Backport two upstream fixes to address overly verbose logging of MAC ACL
rejection messages.

Fixes: FS#1468
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
master
Jo-Philipp Wich 2018-10-16 12:11:20 +02:00
parent 583466bb5b
commit 3e633bb370
4 changed files with 78 additions and 11 deletions


@ -7,7 +7,7 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=hostapd
PKG_RELEASE:=4
PKG_RELEASE:=5
PKG_SOURCE_URL:=http://w1.fi/hostap.git
PKG_SOURCE_PROTO:=git


@ -0,0 +1,39 @@
From 6588f712220797c69dbd019daa19b82a50d92782 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Sun, 14 Oct 2018 19:57:22 +0300
Subject: Reduce undesired logging of ACL rejection events from AP mode
When Probe Request frame handling was extended to use MAC ACL through
ieee802_11_allowed_address(), the MSG_INFO level log print ("Station
<addr> not allowed to authenticate") from that function ended up getting
printed even for Probe Request frames. That was not by design and it can
result in excessive logging and MSG_INFO level if MAC ACL is used.
Fix this by printing this log entry only for authentication and
association frames. In addition, drop the priority of that log entry to
MSG_DEBUG since this is not really an unexpected behavior in most MAC
ACL use cases.
Fixes: 92eb00aec2a0 ("Extend ACL check for Probe Request frames")
Signed-off-by: Jouni Malinen <j@w1.fi>
---
src/ap/ieee802_11.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -1636,9 +1636,11 @@ ieee802_11_allowed_address(struct hostap
is_probe_req);
if (res == HOSTAPD_ACL_REJECT) {
- wpa_printf(MSG_INFO,
- "Station " MACSTR " not allowed to authenticate",
- MAC2STR(addr));
+ if (!is_probe_req)
+ wpa_printf(MSG_DEBUG,
+ "Station " MACSTR
+ " not allowed to authenticate",
+ MAC2STR(addr));
return HOSTAPD_ACL_REJECT;
}
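Review bot: In the `res == HOSTAPD_ACL_REJECT` branch of ieee802_11_allowed_address(), lowering the `wpa_printf` from MSG_INFO to MSG_DEBUG means a MAC ACL rejection of an authentication or association frame is no longer reported by this function at an INFO-level log threshold. Deployments that watch the log for denied stations lose that signal unless another message covers it, and none is visible in this hunk. The second backported patch does the same to the `handle_auth_cb: STA ... not found` message. The `if (!is_probe_req)` guard alone already removes the Probe Request spam the commit message describes, so the package commit description should state that ACL rejections now need debug-level logging to be seen. A comment above the guard would also help, for example `/* Probe Request frames are frequent; report ACL rejects only for auth/assoc frames */`. The function body starts and ends outside the hunk.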


@ -0,0 +1,28 @@
From dc1b1c8db7905639be6f4de8173e2d97bf6df90d Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Sun, 14 Oct 2018 20:03:55 +0300
Subject: Drop logging priority for handle_auth_cb no-STA-match messages
This message was printed and MSG_INFO level which would be more
reasonable for error cases where hostapd has accepted authentication.
However, this is not really an error case for the cases where
authentication was rejected (e.g., due to MAC ACL). Drop this to use
MSG_DEBUG level.
Signed-off-by: Jouni Malinen <j@w1.fi>
---
src/ap/ieee802_11.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -4018,7 +4018,8 @@ static void handle_auth_cb(struct hostap
sta = ap_get_sta(hapd, mgmt->da);
if (!sta) {
- wpa_printf(MSG_INFO, "handle_auth_cb: STA " MACSTR " not found",
+ wpa_printf(MSG_DEBUG, "handle_auth_cb: STA " MACSTR
+ " not found",
MAC2STR(mgmt->da));
return;
}


@ -92,7 +92,7 @@
__func__, driver, drv_priv);
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -1712,12 +1712,13 @@ ieee802_11_set_radius_info(struct hostap
@@ -1714,12 +1714,13 @@ ieee802_11_set_radius_info(struct hostap
static void handle_auth(struct hostapd_data *hapd,
@ -108,7 +108,7 @@
u16 fc;
const u8 *challenge = NULL;
u32 session_timeout, acct_interim_interval;
@@ -1728,6 +1729,11 @@ static void handle_auth(struct hostapd_d
@@ -1730,6 +1731,11 @@ static void handle_auth(struct hostapd_d
char *identity = NULL;
char *radius_cui = NULL;
u16 seq_ctrl;
@ -120,7 +120,7 @@
if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) {
wpa_printf(MSG_INFO, "handle_auth - too short payload (len=%lu)",
@@ -1888,6 +1894,13 @@ static void handle_auth(struct hostapd_d
@@ -1890,6 +1896,13 @@ static void handle_auth(struct hostapd_d
resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
goto fail;
}
@ -134,7 +134,7 @@
if (res == HOSTAPD_ACL_PENDING)
return;
@@ -3167,12 +3180,12 @@ void fils_hlp_timeout(void *eloop_ctx, v
@@ -3169,12 +3182,12 @@ void fils_hlp_timeout(void *eloop_ctx, v
static void handle_assoc(struct hostapd_data *hapd,
const struct ieee80211_mgmt *mgmt, size_t len,
@ -149,7 +149,7 @@
struct sta_info *sta;
u8 *tmp = NULL;
struct hostapd_sta_wpa_psk_short *psk = NULL;
@@ -3181,6 +3194,11 @@ static void handle_assoc(struct hostapd_
@@ -3183,6 +3196,11 @@ static void handle_assoc(struct hostapd_
#ifdef CONFIG_FILS
int delay_assoc = 0;
#endif /* CONFIG_FILS */
@ -161,7 +161,7 @@
if (len < IEEE80211_HDRLEN + (reassoc ? sizeof(mgmt->u.reassoc_req) :
sizeof(mgmt->u.assoc_req))) {
@@ -3352,6 +3370,14 @@ static void handle_assoc(struct hostapd_
@@ -3354,6 +3372,14 @@ static void handle_assoc(struct hostapd_
}
#endif /* CONFIG_MBO */
@ -176,7 +176,7 @@
/*
* sta->capability is used in check_assoc_ies() for RRM enabled
* capability element.
@@ -3565,6 +3591,7 @@ static void handle_disassoc(struct hosta
@@ -3567,6 +3593,7 @@ static void handle_disassoc(struct hosta
wpa_printf(MSG_DEBUG, "disassocation: STA=" MACSTR " reason_code=%d",
MAC2STR(mgmt->sa),
le_to_host16(mgmt->u.disassoc.reason_code));
@ -184,7 +184,7 @@
sta = ap_get_sta(hapd, mgmt->sa);
if (sta == NULL) {
@@ -3630,6 +3657,8 @@ static void handle_deauth(struct hostapd
@@ -3632,6 +3659,8 @@ static void handle_deauth(struct hostapd
" reason_code=%d",
MAC2STR(mgmt->sa), le_to_host16(mgmt->u.deauth.reason_code));
@ -193,7 +193,7 @@
sta = ap_get_sta(hapd, mgmt->sa);
if (sta == NULL) {
wpa_msg(hapd->msg_ctx, MSG_DEBUG, "Station " MACSTR " trying "
@@ -3949,7 +3978,7 @@ int ieee802_11_mgmt(struct hostapd_data
@@ -3951,7 +3980,7 @@ int ieee802_11_mgmt(struct hostapd_data
if (stype == WLAN_FC_STYPE_PROBE_REQ) {
@ -202,7 +202,7 @@
return 1;
}
@@ -3969,17 +3998,17 @@ int ieee802_11_mgmt(struct hostapd_data
@@ -3971,17 +4000,17 @@ int ieee802_11_mgmt(struct hostapd_data
switch (stype) {
case WLAN_FC_STYPE_AUTH:
wpa_printf(MSG_DEBUG, "mgmt::auth");