aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJo-Philipp Wich <jo@mein.io>2018-10-16 12:11:20 +0200
committerJo-Philipp Wich <jo@mein.io>2018-10-16 12:11:20 +0200
commit3e633bb3709611d79965fab667e3239fd3bde151 (patch)
treeabd1086886fdd4a1b8a692abf1e65d91813c69bf
parent583466bb5b374b29b6b7cba6f065e97c4734f742 (diff)
downloadupstream-3e633bb3709611d79965fab667e3239fd3bde151.tar.gz
upstream-3e633bb3709611d79965fab667e3239fd3bde151.tar.bz2
upstream-3e633bb3709611d79965fab667e3239fd3bde151.zip
hostapd: fix MAC filter related log spam
Backport two upstream fixes to address overly verbose logging of MAC ACL rejection messages. Fixes: FS#1468 Signed-off-by: Jo-Philipp Wich <jo@mein.io>
-rw-r--r--package/network/services/hostapd/Makefile2
-rw-r--r--package/network/services/hostapd/patches/000-0001-Reduce-undesired-logging-of-ACL-rejection.patch39
-rw-r--r--package/network/services/hostapd/patches/000-0002-Drop-logging-priority-for-handle_auth_cb.patch28
-rw-r--r--package/network/services/hostapd/patches/600-ubus_support.patch20
4 files changed, 78 insertions, 11 deletions
diff --git a/package/network/services/hostapd/Makefile b/package/network/services/hostapd/Makefile
index 41f5f54b82..34b6d9708d 100644
--- a/package/network/services/hostapd/Makefile
+++ b/package/network/services/hostapd/Makefile
@@ -7,7 +7,7 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=hostapd
-PKG_RELEASE:=4
+PKG_RELEASE:=5
PKG_SOURCE_URL:=http://w1.fi/hostap.git
PKG_SOURCE_PROTO:=git
diff --git a/package/network/services/hostapd/patches/000-0001-Reduce-undesired-logging-of-ACL-rejection.patch b/package/network/services/hostapd/patches/000-0001-Reduce-undesired-logging-of-ACL-rejection.patch
new file mode 100644
index 0000000000..3fc80a01d7
--- /dev/null
+++ b/package/network/services/hostapd/patches/000-0001-Reduce-undesired-logging-of-ACL-rejection.patch
@@ -0,0 +1,39 @@
+From 6588f712220797c69dbd019daa19b82a50d92782 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sun, 14 Oct 2018 19:57:22 +0300
+Subject: Reduce undesired logging of ACL rejection events from AP mode
+
+When Probe Request frame handling was extended to use MAC ACL through
+ieee802_11_allowed_address(), the MSG_INFO level log print ("Station
+<addr> not allowed to authenticate") from that function ended up getting
+printed even for Probe Request frames. That was not by design and it can
+result in excessive logging and MSG_INFO level if MAC ACL is used.
+
+Fix this by printing this log entry only for authentication and
+association frames. In addition, drop the priority of that log entry to
+MSG_DEBUG since this is not really an unexpected behavior in most MAC
+ACL use cases.
+
+Fixes: 92eb00aec2a0 ("Extend ACL check for Probe Request frames")
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/ap/ieee802_11.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/src/ap/ieee802_11.c
++++ b/src/ap/ieee802_11.c
+@@ -1636,9 +1636,11 @@ ieee802_11_allowed_address(struct hostap
+ is_probe_req);
+
+ if (res == HOSTAPD_ACL_REJECT) {
+- wpa_printf(MSG_INFO,
+- "Station " MACSTR " not allowed to authenticate",
+- MAC2STR(addr));
++ if (!is_probe_req)
++ wpa_printf(MSG_DEBUG,
++ "Station " MACSTR
++ " not allowed to authenticate",
++ MAC2STR(addr));
+ return HOSTAPD_ACL_REJECT;
+ }
+
diff --git a/package/network/services/hostapd/patches/000-0002-Drop-logging-priority-for-handle_auth_cb.patch b/package/network/services/hostapd/patches/000-0002-Drop-logging-priority-for-handle_auth_cb.patch
new file mode 100644
index 0000000000..82165a94f9
--- /dev/null
+++ b/package/network/services/hostapd/patches/000-0002-Drop-logging-priority-for-handle_auth_cb.patch
@@ -0,0 +1,28 @@
+From dc1b1c8db7905639be6f4de8173e2d97bf6df90d Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sun, 14 Oct 2018 20:03:55 +0300
+Subject: Drop logging priority for handle_auth_cb no-STA-match messages
+
+This message was printed and MSG_INFO level which would be more
+reasonable for error cases where hostapd has accepted authentication.
+However, this is not really an error case for the cases where
+authentication was rejected (e.g., due to MAC ACL). Drop this to use
+MSG_DEBUG level.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/ap/ieee802_11.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/src/ap/ieee802_11.c
++++ b/src/ap/ieee802_11.c
+@@ -4018,7 +4018,8 @@ static void handle_auth_cb(struct hostap
+
+ sta = ap_get_sta(hapd, mgmt->da);
+ if (!sta) {
+- wpa_printf(MSG_INFO, "handle_auth_cb: STA " MACSTR " not found",
++ wpa_printf(MSG_DEBUG, "handle_auth_cb: STA " MACSTR
++ " not found",
+ MAC2STR(mgmt->da));
+ return;
+ }
diff --git a/package/network/services/hostapd/patches/600-ubus_support.patch b/package/network/services/hostapd/patches/600-ubus_support.patch
index cb2c54d57c..b1e7c78c22 100644
--- a/package/network/services/hostapd/patches/600-ubus_support.patch
+++ b/package/network/services/hostapd/patches/600-ubus_support.patch
@@ -92,7 +92,7 @@
__func__, driver, drv_priv);
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
-@@ -1712,12 +1712,13 @@ ieee802_11_set_radius_info(struct hostap
+@@ -1714,12 +1714,13 @@ ieee802_11_set_radius_info(struct hostap
static void handle_auth(struct hostapd_data *hapd,
@@ -108,7 +108,7 @@
u16 fc;
const u8 *challenge = NULL;
u32 session_timeout, acct_interim_interval;
-@@ -1728,6 +1729,11 @@ static void handle_auth(struct hostapd_d
+@@ -1730,6 +1731,11 @@ static void handle_auth(struct hostapd_d
char *identity = NULL;
char *radius_cui = NULL;
u16 seq_ctrl;
@@ -120,7 +120,7 @@
if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) {
wpa_printf(MSG_INFO, "handle_auth - too short payload (len=%lu)",
-@@ -1888,6 +1894,13 @@ static void handle_auth(struct hostapd_d
+@@ -1890,6 +1896,13 @@ static void handle_auth(struct hostapd_d
resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
goto fail;
}
@@ -134,7 +134,7 @@
if (res == HOSTAPD_ACL_PENDING)
return;
-@@ -3167,12 +3180,12 @@ void fils_hlp_timeout(void *eloop_ctx, v
+@@ -3169,12 +3182,12 @@ void fils_hlp_timeout(void *eloop_ctx, v
static void handle_assoc(struct hostapd_data *hapd,
const struct ieee80211_mgmt *mgmt, size_t len,
@@ -149,7 +149,7 @@
struct sta_info *sta;
u8 *tmp = NULL;
struct hostapd_sta_wpa_psk_short *psk = NULL;
-@@ -3181,6 +3194,11 @@ static void handle_assoc(struct hostapd_
+@@ -3183,6 +3196,11 @@ static void handle_assoc(struct hostapd_
#ifdef CONFIG_FILS
int delay_assoc = 0;
#endif /* CONFIG_FILS */
@@ -161,7 +161,7 @@
if (len < IEEE80211_HDRLEN + (reassoc ? sizeof(mgmt->u.reassoc_req) :
sizeof(mgmt->u.assoc_req))) {
-@@ -3352,6 +3370,14 @@ static void handle_assoc(struct hostapd_
+@@ -3354,6 +3372,14 @@ static void handle_assoc(struct hostapd_
}
#endif /* CONFIG_MBO */
@@ -176,7 +176,7 @@
/*
* sta->capability is used in check_assoc_ies() for RRM enabled
* capability element.
-@@ -3565,6 +3591,7 @@ static void handle_disassoc(struct hosta
+@@ -3567,6 +3593,7 @@ static void handle_disassoc(struct hosta
wpa_printf(MSG_DEBUG, "disassocation: STA=" MACSTR " reason_code=%d",
MAC2STR(mgmt->sa),
le_to_host16(mgmt->u.disassoc.reason_code));
@@ -184,7 +184,7 @@
sta = ap_get_sta(hapd, mgmt->sa);
if (sta == NULL) {
-@@ -3630,6 +3657,8 @@ static void handle_deauth(struct hostapd
+@@ -3632,6 +3659,8 @@ static void handle_deauth(struct hostapd
" reason_code=%d",
MAC2STR(mgmt->sa), le_to_host16(mgmt->u.deauth.reason_code));
@@ -193,7 +193,7 @@
sta = ap_get_sta(hapd, mgmt->sa);
if (sta == NULL) {
wpa_msg(hapd->msg_ctx, MSG_DEBUG, "Station " MACSTR " trying "
-@@ -3949,7 +3978,7 @@ int ieee802_11_mgmt(struct hostapd_data
+@@ -3951,7 +3980,7 @@ int ieee802_11_mgmt(struct hostapd_data
if (stype == WLAN_FC_STYPE_PROBE_REQ) {
@@ -202,7 +202,7 @@
return 1;
}
-@@ -3969,17 +3998,17 @@ int ieee802_11_mgmt(struct hostapd_data
+@@ -3971,17 +4000,17 @@ int ieee802_11_mgmt(struct hostapd_data
switch (stype) {
case WLAN_FC_STYPE_AUTH:
wpa_printf(MSG_DEBUG, "mgmt::auth");