aboutsummaryrefslogtreecommitdiffstats
path: root/package/network/services
Commit message (Collapse)AuthorAgeFilesLines
* dnsmasq: Update to version 2.85Alan Swanson2021-05-054-92/+6
| | | | | | | | | | | | | | | | | | | | | Fixes issue with merged DNS requests in 2.83/2.84 not being retried on the firsts failed request causing lookup failures. Also fixes the following security problem in dnsmasq: * CVE-2021-3448: If specifiying the source address or interface to be used when contacting upstream name servers such as: server=8.8.8.8@1.2.3.4, server=8.8.8.8@1.2.3.4#66 and server=8.8.8.8@eth0 then all would use the same socket bound to the explicitly configured port. Now only server=8.8.8.8@1.2.3.4#66 will use the explicitly configured port and the others random source ports. Remove upstreamed patches and update remaining patch. Signed-off-by: Alan Swanson <reiver@improbability.net> [refreshed old runtime support patch] Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: add ignore hosts dir to dnsmasq init scriptJoão Henriques2021-04-241-1/+6
| | | | | | | | When running multiple instances of dnsmasq, for example one being for the lan and another for a guest network, it might not be desirable to have the same dns names configured in both networks Signed-off-by: João Henriques <joaoh88@gmail.com>
* umdns: add missing syscalls to seccomp filterDaniel Golle2021-04-101-27/+30
| | | | | | | | | | | | | | | Looks like 'openat', 'pipe2' and 'ppoll' are now needed, possibly due to changes on libraries used by umdns now using slightly different calls. Found using /etc/init.d/umdns trace now use umdns, ie. cover all ubus call etc., then /etc/init.d/umdns stop find list of syscalls traced in /tmp/umdns.*.json Fixes: FS#3355 ("UMDNS: does not start on master with seccomp") Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* lldpd: further size reductionsStijn Tintel2021-04-051-2/+2
| | | | | | | | | | | Size difference on mips_4kec: Before: 120196 After: 120006 Closes https://github.com/openwrt/openwrt/pull/3823 Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be> Suggested-by: Lucian Cristian <lucian.cristian@gmail.com>
* lldpd: enable LTOStijn Tintel2021-04-051-1/+4
| | | | | | | | | Size difference on mips_4kec: W/o LTO: 139674 W/ LTO: 120196 Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be> Suggested-by: Lucian Cristian <lucian.cristian@gmail.com>
* lldpd: bump to 1.0.9Stijn Tintel2021-04-052-64/+3
| | | | | | Contains fixes related to CVE-2020-27827. Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* lldpd: add libcap dependencyStijn Tintel2021-04-052-19/+2
| | | | | | | | | Now that libcap is in OpenWrt base, we can drop our custom patch to disable libcap support and have lldpd depend on it instead. This will allow the monitor process to drop its privileges instead of running as root, improving security. Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* hostapd: enable airtime policy for the -basic variantsRui Salvaterra2021-04-031-1/+1
| | | | | | | | | | | | | | Airtime policy configuration is extremely useful in multiple BSS scenarios. Since nowadays most people configure both private and guest networks (at least), it makes sense to enable it by default, except for the most limited of the variants. Size of the hostapd-basic-openssl binary (mipsel 24Kc -O2): 543944 bytes (airtime policy disabled) 548040 bytes (airtime policy enabled) Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com> Acked-by: Daniel Golle <daniel@makrotopia.org>
* igmpproxy: remove packageJan Pavlinec2021-03-213-221/+0
| | | | | | | | | Moved to packages repo because it was considered non-essential for most router configurations. Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz> [shorten commit title] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* uhttpd: update to git HEADHauke Mehrtens2021-03-211-4/+4
| | | | | | 15346de client: Always close connection with request body in case of error Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* uhttpd: Execute uci commit and reload_config onceHauke Mehrtens2021-03-211-4/+6
| | | | | | | | Instead of doing uci commit and reload_config for each setting do it only once when one of these options was changed. This should make it a little faster when both conditions are taken. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* uhttpd: Reload config after uhttpd-mod-ubus was addedHauke Mehrtens2021-03-212-1/+3
| | | | | | | | | | | | Without this change the config is only committed, but the uhttpd daemon is not reloaded. This reload is needed to apply the config. Without the reload of uhttpd, the ubus server is not available over http and returns a Error 404. This caused problems when installing luci on the snapshots and accessing it without reloading uhttpd. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* umdns: add syscalls needed on Aarch64Daniel Golle2021-03-191-0/+1
| | | | | | | Now that ujail supports seccomp also on Aarch64, add missing syscall 'fstat' to the list of allowed syscalls. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* ppp: compile fix: unset FILTER variable in MakefileEike Ritter2021-03-191-0/+12
| | | | | | | | | | | | | | | | If the environment variable FILTER is set before compilation, compilation of the ppp-package will fail with the error message Package ppp is missing dependencies for the following libraries: libpcap.so.1 The reason is that the OpenWrt-patch for the Makefile only comments out the line FILTER=y. Hence the pcap-library will be dynamically linked if the environment variable FILTER is set elsewhere, which causes compilation to fail. The fix consists on explicitly unsetting the variable FILTER instead. Signed-off-by: Eike Ritter <git@rittere.co.uk>
* hostapd: P2P: Fix a corner case in peer addition based on PD RequestStefan Lippers-Hollmann2021-03-011-0/+45
| | | | | | | | | | | | | | | | | | | | | | | | | | p2p_add_device() may remove the oldest entry if there is no room in the peer table for a new peer. This would result in any pointer to that removed entry becoming stale. A corner case with an invalid PD Request frame could result in such a case ending up using (read+write) freed memory. This could only by triggered when the peer table has reached its maximum size and the PD Request frame is received from the P2P Device Address of the oldest remaining entry and the frame has incorrect P2P Device Address in the payload. Fix this by fetching the dev pointer again after having called p2p_add_device() so that the stale pointer cannot be used. This fixes the following security vulnerabilities/bugs: - CVE-2021-27803 - A vulnerability was discovered in how p2p/p2p_pd.c in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision discovery requests. It could result in denial of service or other impact (potentially execution of arbitrary code), for an attacker within radio range. Fixes: 17bef1e97a50 ("P2P: Add peer entry based on Provision Discovery Request") Signed-off-by: Jouni Malinen <jouni@codeaurora.org> Signed-off-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>
* igmpproxy: update to version 0.3Jan Pavlinec2021-03-011-11/+3
| | | | | | | | | Changes: - Remove custom Build/Compile because it's no longer needed - Remove std=gnu99 which is added automaticaly by igmpproxy if needed - Remove -Dlog from CFLAGS because igmpproxy doesn't have log function Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>
* kernel: migrate wireguard into the kernel treeIlya Lipnitskiy2021-02-261-88/+0
| | | | | | | | | | On Linux 5.4, build WireGuard from backports. Linux 5.10 contains wireguard in-tree. Add in-kernel crypto libraries required by WireGuard along with arch-specific optimizations. Signed-off-by: Ilya Lipnitskiy <ilya.lipnitskiy@gmail.com>
* ppp: Update to version 2.4.9Hauke Mehrtens2021-02-2431-891/+226
| | | | | | | | | | | | | | | | | | | | | | | | Upstream integrated multiple patches from Distributions and did other changes: * rp-pppoe.so was renamed to pppoe.so * Converted to ANSI C The following patches were applied upstream: * 100-debian_ip-ip_option.patch * 101-debian_close_dev_ppp.patch * 103-debian_fix_link_pidfile.patch * 106-debian_stripMSdomain.patch * 107-debian_pppoatm_wildcard.patch * 110-debian_defaultroute.patch * 202-no_strip.patch Compilation with musl libc was fixed upstream so 140-pppoe_compile_fix.patch is not needed any more Parts of the 203-opt_flags.patch patch were applied in a different way upstream. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* wireguard: don't build on Linux 5.10Ilya Lipnitskiy2021-02-231-2/+2
| | | | | | | | | | | | There are efforts underway to bring wireguard in-tree for Linux 5.4 and to have a common build infrastructure for both 5.4 and 5.10 for kmod-wireguard[0]. Until then, restrict kmod-wireguard to build only on Linux 5.4, because the wireguard-compat package will not build on Linux 5.10. [0]: https://github.com/openwrt/openwrt/pull/3885 Signed-off-by: Ilya Lipnitskiy <ilya.lipnitskiy@gmail.com>
* hostapd: backport ignoring 4addr mode enabling errorRaphaël Mélotte2021-02-203-38/+79
| | | | | | | | | | | | | | | | | | | | This is a backport of the upstream commit 58bbbb598144 ("nl80211: Ignore 4addr mode enabling error if it was already enabled") which fixes same issue as in the current fix contained in '130-wpa_supplicant-multi_ap_roam.patch', but in a different way: nl80211_set_4addr_mode() could fail when trying to enable 4addr mode on an interface that is in a bridge and has 4addr mode already enabled. This operation would not have been necessary in the first place and this failure results in disconnecting, e.g., when roaming from one backhaul BSS to another BSS with Multi AP. Avoid this issue by ignoring the nl80211 command failure in the case where 4addr mode is being enabled while it has already been enabled. Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be> [bump PKG_RELEASE, more verbose commit description] Signed-off-by: Petr Štetiar <ynezz@true.cz>
* odhcpd: setup dhcpv4 server automagicallyDaniel Golle2021-02-152-6/+26
| | | | | | | | | | Automatically setup dhcpv4 server just like it's done for dhcpv6. To select whether odhcpd or dnsmasq are serving DHCPv4 requests there still is the 'maindhcp' option. To make things less confusing, make sure things really work out-of-the-box in case dnsmasq is not even installed at the time the uci-defaults script is being run. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* hostapd: add patch for setting 4addr mode in multi_apRaphaël Mélotte2021-02-137-47/+57
| | | | | | | | | This patch is required to be able to roam from one backhaul AP to another one in the same ESS. Signed-off-by: Daniel Golle <daniel@makrotopia.org> (daniel@makrotopia.org: PKG_REVISION bump and refreshed patches) Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
* hostapd: reconfigure wps credentials on reloadRaphaël Mélotte2021-02-121-0/+187
| | | | | | | | | | This patch fixes a bug that prevents updating Multi-AP credentials after hostapd has started. It was sent to upstream hostapd here: https://patchwork.ozlabs.org/bundle/rmelotte/hostapd:%20update%20WPS%20credentials%20on%20SIGHUP/ Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
* hostapd: add notifications for management framesRaphaël Mélotte2021-02-122-2/+131
| | | | | | | | | | | | | | | | This patch allows other applications to get events management frames (for example: association requests). This is useful in Multi-AP context to be able to save association requests from stations. It has been sent to upstream hostapd in this series: https://patchwork.ozlabs.org/project/hostap/list/?series=217500 '700-wifi-reload.patch' is updated due to the introduction of '110-notify-mgmt-frames.patch'. Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
* dnsmasq: Bump to v2.84Kevin Darbyshire-Bryant2021-02-083-3/+76
| | | | | | | | | | dnsmasq v2.84rc2 has been promoted to release. No functional difference between v2.83test3 and v2.84/v2.84rc2 Backport 2 patches to fix the version reporting Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: switch to ubus-based hotplug callDaniel Golle2021-02-085-39/+46
| | | | | | | | Use new ubus-based hotplug call in dhcp-script.sh As sysntpd now makes use of the new ubus-based hotplug calls, dnsmasq no longer needs to ship ACL to cover ntpd-hotplug. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* hostapd: add forgotten patch for P2P vulnerability fixPetr Štetiar2021-02-042-1/+39
| | | | | | | | Commit 7c8c4f1be648 ("hostapd: fix P2P group information processing vulnerability") was missing the actual patch for the vulnerability. Fixes: 7c8c4f1be648 ("hostapd: fix P2P group information processing vulnerability") Signed-off-by: Petr Štetiar <ynezz@true.cz>
* hostapd: fix P2P group information processing vulnerabilityDaniel Golle2021-02-041-1/+1
| | | | | | | | | | | A vulnerability was discovered in how wpa_supplicant processing P2P (Wi-Fi Direct) group information from active group owners. This issue was discovered by fuzz testing of wpa_supplicant by Google's OSS-Fuzz. https://w1.fi/security/2020-2/wpa_supplicant-p2p-group-info-processing-vulnerability.txt Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* odhcpd: update to latest git HEADHans Dedecker2021-01-301-3/+3
| | | | | | 8d8a8cd dhcpv6-ia: apply prefix_filter on dhcpv6 Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* umdns: bump to 2021-01-26Paul Spooren2021-01-261-5/+5
| | | | | | | | * i78aa36b umdns: fix 64-bit time format string * start using $(AUTORELEASE) * Update Copyright Signed-off-by: Paul Spooren <mail@aparcar.org>
* dnsmasq: Update to 2.84test3Kevin Darbyshire-Bryant2021-01-241-3/+3
| | | | | | | | | | | | | | | dnsmasq v2.83 has a bug in handling duplicate queries which means it may try to reply using the incorrect network socket. This is especially noticeable in dual stack environments where replies may be mis-directed to IPv4 addresses on an IPv6 socket or IPv6 addresses on an IPv4 socket. This results in system log spam such as: dnsmasq[16020]: failed to send packet: Network unreachable dnsmasq[16020]: failed to send packet: Address family not supported by protocol dnsmasq v2.84test3 resolves these issues. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: Update to version 2.83Hauke Mehrtens2021-01-192-5/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This fixes the following security problems in dnsmasq: * CVE-2020-25681: Dnsmasq versions before 2.83 is susceptible to a heap-based buffer overflow in sort_rrset() when DNSSEC is used. This can allow a remote attacker to write arbitrary data into target device's memory that can lead to memory corruption and other unexpected behaviors on the target device. * CVE-2020-25682: Dnsmasq versions before 2.83 is susceptible to buffer overflow in extract_name() function due to missing length check, when DNSSEC is enabled. This can allow a remote attacker to cause memory corruption on the target device. * CVE-2020-25683: Dnsmasq version before 2.83 is susceptible to a heap-based buffer overflow when DNSSEC is enabled. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in a heap- allocated memory. This flaw is caused by the lack of length checks in rtc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in get_rdata() and cause a crash in Dnsmasq, resulting in a Denial of Service. * CVE-2020-25684: A lack of proper address/port check implemented in Dnsmasq version < 2.83 reply_query function makes forging replies easier to an off-path attacker. * CVE-2020-25685: A lack of query resource name (RRNAME) checks implemented in Dnsmasq's versions before 2.83 reply_query function allows remote attackers to spoof DNS traffic that can lead to DNS cache poisoning. * CVE-2020-25686: Multiple DNS query requests for the same resource name (RRNAME) by Dnsmasq versions before 2.83 allows for remote attackers to spoof DNS traffic, using a birthday attack (RFC 5452), that can lead to DNS cache poisoning. * CVE-2020-25687: Dnsmasq versions before 2.83 is vulnerable to a heap-based buffer overflow with large memcpy in sort_rrset() when DNSSEC is enabled. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rtc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in sort_rrset() and cause a crash in dnsmasq, resulting in a Denial of Service. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* hostapd: fix setting wps_state to "not configured"Leon M. George2021-01-152-2/+2
| | | | | | | | | | | | | | | With encryption disabled, it was intended to set wpa_state=1 (enabled, not configured) through the 'wps_not_configured' flag. The flag is set appropriately but the condition using it is broken. Instead, 'wps_configured' is checked and wpa_state is always 2 (enabled, configured). Fix it by using the correct variable name. Fixes: 498d84fc4e00 ("netifd: add wireless configuration support and port mac80211 to the new framework") Signed-off-by: Leon M. George <leon@georgemail.eu> [commit title/message improvements] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* hostapd: fix key_mgmt typoLeon M. George2021-01-142-2/+2
| | | | | | | | | | | The key_mgmt variable was mistyped when checking against "WPS", so the if clause was never entered. Fixes: f5753aae233f ("hostapd: add support for WPS pushbutton station") Signed-off-by: Leon M. George <leon@georgemail.eu> [add commit message, bump PKG_RELEASE] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* hostapd: remove trailing whitespacesLeon M. George2021-01-141-2/+2
| | | | Signed-off-by: Leon M. George <leon@georgemail.eu>
* hostapd: remove unused variableLeon M. George2021-01-141-1/+0
| | | | | | | | | 'base' was never used. Fixes: 498d84fc4e00 ("netifd: add wireless configuration support and port mac80211 to the new framework") Signed-off-by: Leon M. George <leon@georgemail.eu>
* hostapd: remove unused variableLeon M. George2021-01-141-1/+0
| | | | | | | | | 'enc_str' was never used. Fixes: 498d84fc4e00 ("netifd: add wireless configuration support and port mac80211 to the new framework") Signed-off-by: Leon M. George <leon@georgemail.eu>
* hostapd: run as user 'network' if procd-ujail is installedDaniel Golle2021-01-144-2/+55
| | | | | | | Granting capabilities CAP_NET_ADMIN and CAP_NET_RAW allows running hostapd and wpa_supplicant without root priviledges. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* hostapd: improve error handling when adding supplicant configDaniel Golle2021-01-142-5/+5
| | | | Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* hostapd: add multicast_to_unicast and per_sta_vifEtan Kissling2021-01-142-2/+15
| | | | | | | | This allows configuration of multicast_to_unicast and per_sta_vif options. - multicast_to_unicast requests multicast-to-unicast conversion. - per_sta_vif assigns each station its own AP_VLAN interface. Signed-off-by: Etan Kissling <etan_kissling@apple.com>
* hostapd: return PID on config_add callDaniel Golle2021-01-104-4/+11
| | | | | | | | | To simplify the way netifd acquires the PIDs of wpa_supplicant and hostapd let the config_add method of both of them return the PID of the called process. Use the returned PID instead of querying procd when adding wpa_supplicant configuration. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* hostapd: wpa_supplicant: Enable proper GCMP cipher supportRobert Marko2021-01-052-1/+6
| | | | | | | | | This patch enables hostapd.sh to properly configure wpa_supplicant for when GCMP is used as cipher in station mode. Without this wpa_supplicant will be unable to connect to AP. This is needed for wil6210 as it does not support CCMP. Signed-off-by: Robert Marko <robimarko@gmail.com>
* odhcpd: bump to latest versionNick Hainke2021-01-041-3/+3
| | | | | | 3bda900 odhcpd: add option for setting preferred lifetime Signed-off-by: Nick Hainke <vincent@systemli.org>
* hostapd: add support for custom per-BSS optionsFlorian Beverborg2021-01-032-1/+8
| | | | | | | | | | | | This adds an option "hostapd_bss_options" that does the same as "hostapd_options" but on a per-BSS level, instead of a per-device level. This can be used, for example, to configure different per-devce sae_passwords per BSS or to augment some of the existing per-BSS options. Signed-off-by: Florian Beverborg <flo@beverb.org> [remove whitespace errors, bump release] Signed-off-by: Paul Spooren <mail@aparcar.org>
* ppp: Remove already applied patchHauke Mehrtens2021-01-012-14/+1
| | | | | | | This patch was already applied upstream and not needed here. Fixes: 06403981e1f2 ("ppp: update to version 2.4.7.git-2019-05-06") Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* hostapd: do not restart hostapd instance on wireless restartsFelix Fietkau2020-12-311-1/+1
| | | | | | Add the flag that prevents netifd from killing hostapd/wpa_supplicant Signed-off-by: Felix Fietkau <nbd@nbd.name>
* odhcpd: update to latest git HEADHans Dedecker2020-12-241-3/+3
| | | | | | | | b75bcad dhcpv6-ia: remove assignment equal to 0 checks d1ae052 dhcpv6-ia: fix logic to include IA_PD prefix with lifetimes set to 0 9d5e379 dhcpv6-ia: fix prefix delegation behavior Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* treewide: nuke DRIVER_11W_SUPPORTDobroslaw Kijowski2020-12-233-11/+1
| | | | | | | | | | | | | | As of hostapd upstream commit 7d2ed8ba "Remove CONFIG_IEEE80211W build parameter" https://w1.fi/cgit/hostap/commit?id=7d2ed8bae86a31dd2df45c24b3f7281d55315482 802.11w feature is always enabled in the build time. It doesn't make sense to opt-in 802.11w per driver as hostapd will always be compiled with this feature enabled. As suggested by Hauke Mehrtens, for now keep 11w enabled in build_features.h for compatibility reasons. This option will be dropped when LuCI is adjusted. Signed-off-by: Dobroslaw Kijowski <dobo90@gmail.com>
* hostapd: pass respawn settings when registering the serviceJohn Crispin2020-12-221-2/+2
| | | | | | | | When hostapd gets restarted to often/quickly will cause procd to not restart it anymore. it will think that hapd is in a crash loop. Signed-off-by: John Crispin <john@phrozen.org> Signed-off-by: Felix Fietkau <nbd@nbd.name> [adjust respawn time]
* hostapd: Use EAPOLv1 (802.1X-2001) if WPA enabledNick Lowe2020-12-221-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Currently, EAPOLv2 (802.1X-2004) is used by default for legacy clients that are not WPA2 (RSN) capable. These legacy clients are often intolerant to this EAPOL version and fail to connect. hostapd.conf upstream documents for eapol_version the following and that this is a known compatibility issue with version 2: // IEEE 802.1X/EAPOL version // hostapd is implemented based on IEEE Std 802.1X-2004 which defines EAPOL // version 2. However, there are many client implementations that do not handle // the new version number correctly (they seem to drop the frames completely). // In order to make hostapd interoperate with these clients, the version number // can be set to the older version (1) with this configuration value. // Note: When using MACsec, eapol_version shall be set to 3, which is // defined in IEEE Std 802.1X-2010. //eapol_version=2 For the wpa parameter, hostapd.conf upstream documents that this is a bitfield, configured as follows: // Enable WPA. Setting this variable configures the AP to require WPA (either // WPA-PSK or WPA-RADIUS/EAP based on other configuration). For WPA-PSK, either // wpa_psk or wpa_passphrase must be set and wpa_key_mgmt must include WPA-PSK. // Instead of wpa_psk / wpa_passphrase, wpa_psk_radius might suffice. // For WPA-RADIUS/EAP, ieee8021x must be set (but without dynamic WEP keys), // RADIUS authentication server must be configured, and WPA-EAP must be included // in wpa_key_mgmt. // This field is a bit field that can be used to enable WPA (IEEE 802.11i/D3.0) // and/or WPA2 (full IEEE 802.11i/RSN): // bit0 = WPA // bit1 = IEEE 802.11i/RSN (WPA2) (dot11RSNAEnabled) // Note that WPA3 is also configured with bit1 since it uses RSN just like WPA2. // In other words, for WPA3, wpa=2 is used the configuration (and // wpa_key_mgmt=SAE for WPA3-Personal instead of wpa_key_mgmt=WPA-PSK). //wpa=2 For client compatibility therefore: EAPOLv1 (802.1X-2001) should be used by default where WPA is enabled. EAPOLv2 (802.1X-2004) should be used by default where WPA is disabled. To fix this, we can therefore change in the script: set_default eapol_version 0 To the following: set_default eapol_version $((wpa & 1)) This therefore: 1) Sets eapol_version to 1 where WPA has been enabled via wpa bit0 being set. 2) Sets eapol_version to 0 where WPA has been disabled via wpa bit0 being unset. For usual configurations that only have WPA2 enabled, EAPOLv2 is then used. Signed-off-by: Nick Lowe <nick.lowe@gmail.com>