mirror of https://github.com/hak5/openwrt.git
hostapd: fix MAC filter related log spam
Backport two upstream fixes to address overly verbose logging of MAC ACL rejection messages.

Fixes: FS#1468
Signed-off-by: Jo-Philipp Wich <jo@mein.io>

openwrt-19.07
parent
583466bb5b
commit
3e633bb370
|
@ -7,7 +7,7 @@
|
|||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=hostapd
|
||||
PKG_RELEASE:=4
|
||||
PKG_RELEASE:=5
|
||||
|
||||
PKG_SOURCE_URL:=http://w1.fi/hostap.git
|
||||
PKG_SOURCE_PROTO:=git
|
||||
|
|
|
@ -0,0 +1,39 @@
|
|||
From 6588f712220797c69dbd019daa19b82a50d92782 Mon Sep 17 00:00:00 2001
|
||||
From: Jouni Malinen <j@w1.fi>
|
||||
Date: Sun, 14 Oct 2018 19:57:22 +0300
|
||||
Subject: Reduce undesired logging of ACL rejection events from AP mode
|
||||
|
||||
When Probe Request frame handling was extended to use MAC ACL through
|
||||
ieee802_11_allowed_address(), the MSG_INFO level log print ("Station
|
||||
<addr> not allowed to authenticate") from that function ended up getting
|
||||
printed even for Probe Request frames. That was not by design and it can
|
||||
result in excessive logging and MSG_INFO level if MAC ACL is used.
|
||||
|
||||
Fix this by printing this log entry only for authentication and
|
||||
association frames. In addition, drop the priority of that log entry to
|
||||
MSG_DEBUG since this is not really an unexpected behavior in most MAC
|
||||
ACL use cases.
|
||||
|
||||
Fixes: 92eb00aec2a0 ("Extend ACL check for Probe Request frames")
|
||||
Signed-off-by: Jouni Malinen <j@w1.fi>
|
||||
---
|
||||
src/ap/ieee802_11.c | 8 +++++---
|
||||
1 file changed, 5 insertions(+), 3 deletions(-)
|
||||
|
||||
--- a/src/ap/ieee802_11.c
|
||||
+++ b/src/ap/ieee802_11.c
|
||||
@@ -1636,9 +1636,11 @@ ieee802_11_allowed_address(struct hostap
|
||||
is_probe_req);
|
||||
|
||||
if (res == HOSTAPD_ACL_REJECT) {
|
||||
- wpa_printf(MSG_INFO,
|
||||
- "Station " MACSTR " not allowed to authenticate",
|
||||
- MAC2STR(addr));
|
||||
+ if (!is_probe_req)
|
||||
+ wpa_printf(MSG_DEBUG,
|
||||
+ "Station " MACSTR
|
||||
+ " not allowed to authenticate",
|
||||
+ MAC2STR(addr));
|
||||
return HOSTAPD_ACL_REJECT;
|
||||
}
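Review bot: With the `wpa_printf` in the `res == HOSTAPD_ACL_REJECT` branch of ieee802_11_allowed_address() lowered to `MSG_DEBUG`, a MAC ACL denial of an authentication or association frame is no longer written at any verbosity that excludes debug output, so it drops out of logs an operator may rely on to monitor rejected stations. The `if (!is_probe_req)` guard is what stops the probe-request spam; the level change is a separate decision and deserves a comment at the call, for example `/* ACL rejects are expected with MAC filtering; debug level only, raise verbosity to audit denied stations */`. The second backported patch makes the same `MSG_INFO` to `MSG_DEBUG` change for the `handle_auth_cb: STA ... not found` message. Whether another message outside these hunks still reports the rejection at a higher level is not visible here, and the function body continues beyond the hunk.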
|
||||
|
|
@ -0,0 +1,28 @@
|
|||
From dc1b1c8db7905639be6f4de8173e2d97bf6df90d Mon Sep 17 00:00:00 2001
|
||||
From: Jouni Malinen <j@w1.fi>
|
||||
Date: Sun, 14 Oct 2018 20:03:55 +0300
|
||||
Subject: Drop logging priority for handle_auth_cb no-STA-match messages
|
||||
|
||||
This message was printed and MSG_INFO level which would be more
|
||||
reasonable for error cases where hostapd has accepted authentication.
|
||||
However, this is not really an error case for the cases where
|
||||
authentication was rejected (e.g., due to MAC ACL). Drop this to use
|
||||
MSG_DEBUG level.
|
||||
|
||||
Signed-off-by: Jouni Malinen <j@w1.fi>
|
||||
---
|
||||
src/ap/ieee802_11.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
--- a/src/ap/ieee802_11.c
|
||||
+++ b/src/ap/ieee802_11.c
|
||||
@@ -4018,7 +4018,8 @@ static void handle_auth_cb(struct hostap
|
||||
|
||||
sta = ap_get_sta(hapd, mgmt->da);
|
||||
if (!sta) {
|
||||
- wpa_printf(MSG_INFO, "handle_auth_cb: STA " MACSTR " not found",
|
||||
+ wpa_printf(MSG_DEBUG, "handle_auth_cb: STA " MACSTR
|
||||
+ " not found",
|
||||
MAC2STR(mgmt->da));
|
||||
return;
|
||||
}
|
|
@ -92,7 +92,7 @@
|
|||
__func__, driver, drv_priv);
|
||||
--- a/src/ap/ieee802_11.c
|
||||
+++ b/src/ap/ieee802_11.c
|
||||
@@ -1712,12 +1712,13 @@ ieee802_11_set_radius_info(struct hostap
|
||||
@@ -1714,12 +1714,13 @@ ieee802_11_set_radius_info(struct hostap
|
||||
|
||||
|
||||
static void handle_auth(struct hostapd_data *hapd,
|
||||
|
@ -108,7 +108,7 @@
|
|||
u16 fc;
|
||||
const u8 *challenge = NULL;
|
||||
u32 session_timeout, acct_interim_interval;
|
||||
@@ -1728,6 +1729,11 @@ static void handle_auth(struct hostapd_d
|
||||
@@ -1730,6 +1731,11 @@ static void handle_auth(struct hostapd_d
|
||||
char *identity = NULL;
|
||||
char *radius_cui = NULL;
|
||||
u16 seq_ctrl;
|
||||
|
@ -120,7 +120,7 @@
|
|||
|
||||
if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) {
|
||||
wpa_printf(MSG_INFO, "handle_auth - too short payload (len=%lu)",
|
||||
@@ -1888,6 +1894,13 @@ static void handle_auth(struct hostapd_d
|
||||
@@ -1890,6 +1896,13 @@ static void handle_auth(struct hostapd_d
|
||||
resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
|
||||
goto fail;
|
||||
}
|
||||
|
@ -134,7 +134,7 @@
|
|||
if (res == HOSTAPD_ACL_PENDING)
|
||||
return;
|
||||
|
||||
@@ -3167,12 +3180,12 @@ void fils_hlp_timeout(void *eloop_ctx, v
|
||||
@@ -3169,12 +3182,12 @@ void fils_hlp_timeout(void *eloop_ctx, v
|
||||
|
||||
static void handle_assoc(struct hostapd_data *hapd,
|
||||
const struct ieee80211_mgmt *mgmt, size_t len,
|
||||
|
@ -149,7 +149,7 @@
|
|||
struct sta_info *sta;
|
||||
u8 *tmp = NULL;
|
||||
struct hostapd_sta_wpa_psk_short *psk = NULL;
|
||||
@@ -3181,6 +3194,11 @@ static void handle_assoc(struct hostapd_
|
||||
@@ -3183,6 +3196,11 @@ static void handle_assoc(struct hostapd_
|
||||
#ifdef CONFIG_FILS
|
||||
int delay_assoc = 0;
|
||||
#endif /* CONFIG_FILS */
|
||||
|
@ -161,7 +161,7 @@
|
|||
|
||||
if (len < IEEE80211_HDRLEN + (reassoc ? sizeof(mgmt->u.reassoc_req) :
|
||||
sizeof(mgmt->u.assoc_req))) {
|
||||
@@ -3352,6 +3370,14 @@ static void handle_assoc(struct hostapd_
|
||||
@@ -3354,6 +3372,14 @@ static void handle_assoc(struct hostapd_
|
||||
}
|
||||
#endif /* CONFIG_MBO */
|
||||
|
||||
|
@ -176,7 +176,7 @@
|
|||
/*
|
||||
* sta->capability is used in check_assoc_ies() for RRM enabled
|
||||
* capability element.
|
||||
@@ -3565,6 +3591,7 @@ static void handle_disassoc(struct hosta
|
||||
@@ -3567,6 +3593,7 @@ static void handle_disassoc(struct hosta
|
||||
wpa_printf(MSG_DEBUG, "disassocation: STA=" MACSTR " reason_code=%d",
|
||||
MAC2STR(mgmt->sa),
|
||||
le_to_host16(mgmt->u.disassoc.reason_code));
|
||||
|
@ -184,7 +184,7 @@
|
|||
|
||||
sta = ap_get_sta(hapd, mgmt->sa);
|
||||
if (sta == NULL) {
|
||||
@@ -3630,6 +3657,8 @@ static void handle_deauth(struct hostapd
|
||||
@@ -3632,6 +3659,8 @@ static void handle_deauth(struct hostapd
|
||||
" reason_code=%d",
|
||||
MAC2STR(mgmt->sa), le_to_host16(mgmt->u.deauth.reason_code));
|
||||
|
||||
|
@ -193,7 +193,7 @@
|
|||
sta = ap_get_sta(hapd, mgmt->sa);
|
||||
if (sta == NULL) {
|
||||
wpa_msg(hapd->msg_ctx, MSG_DEBUG, "Station " MACSTR " trying "
|
||||
@@ -3949,7 +3978,7 @@ int ieee802_11_mgmt(struct hostapd_data
|
||||
@@ -3951,7 +3980,7 @@ int ieee802_11_mgmt(struct hostapd_data
|
||||
|
||||
|
||||
if (stype == WLAN_FC_STYPE_PROBE_REQ) {
|
||||
|
@ -202,7 +202,7 @@
|
|||
return 1;
|
||||
}
|
||||
|
||||
@@ -3969,17 +3998,17 @@ int ieee802_11_mgmt(struct hostapd_data
|
||||
@@ -3971,17 +4000,17 @@ int ieee802_11_mgmt(struct hostapd_data
|
||||
switch (stype) {
|
||||
case WLAN_FC_STYPE_AUTH:
|
||||
wpa_printf(MSG_DEBUG, "mgmt::auth");
|
||||
|
|