From 00622fcfefff15e4b821fcc0c8b511f45ee8caf4 Mon Sep 17 00:00:00 2001 From: Chaoli Zhou Date: Thu, 24 Mar 2022 15:19:25 +0800 Subject: [PATCH] Extend ACL to install allow/deny list to the driver dynamically Support installing the updated allow/deny list to the driver if it supports ACL offload. Previously, only the not-offloaded cases were updated dynamically. Signed-off-by: Chaoli Zhou --- hostapd/ctrl_iface.c | 28 +++++++++++++++++----------- wpa_supplicant/ap.c | 13 +++++++++++++ wpa_supplicant/ap.h | 1 + wpa_supplicant/ctrl_iface.c | 13 ++++++++++--- 4 files changed, 41 insertions(+), 14 deletions(-) diff --git a/hostapd/ctrl_iface.c b/hostapd/ctrl_iface.c index 5b81ea0dd..9aa55a846 100644 --- a/hostapd/ctrl_iface.c +++ b/hostapd/ctrl_iface.c @@ -3491,14 +3491,15 @@ static int hostapd_ctrl_iface_receive_process(struct hostapd_data *hapd, if (os_strncmp(buf + 11, "ADD_MAC ", 8) == 0) { if (hostapd_ctrl_iface_acl_add_mac( &hapd->conf->accept_mac, - &hapd->conf->num_accept_mac, buf + 19)) + &hapd->conf->num_accept_mac, buf + 19) || + hostapd_set_acl(hapd)) reply_len = -1; } else if (os_strncmp((buf + 11), "DEL_MAC ", 8) == 0) { - if (!hostapd_ctrl_iface_acl_del_mac( + if (hostapd_ctrl_iface_acl_del_mac( &hapd->conf->accept_mac, - &hapd->conf->num_accept_mac, buf + 19)) - hostapd_disassoc_accept_mac(hapd); - else + &hapd->conf->num_accept_mac, buf + 19) || + hostapd_set_acl(hapd) || + hostapd_disassoc_accept_mac(hapd)) reply_len = -1; } else if (os_strcmp(buf + 11, "SHOW") == 0) { reply_len = hostapd_ctrl_iface_acl_show_mac( 
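Review bot: In the ACCEPT_ACL DEL_MAC branch the three calls are chained with `||`, so a non-zero return from hostapd_set_acl() skips hostapd_disassoc_accept_mac(), and a station whose address was just removed from the accept list stays associated while the caller only sees FAIL. The removed lines show the disassociation running without any driver call before this change, so once the list edit has succeeded I would run it unconditionally and fold both results into the reply: `if (hostapd_set_acl(hapd)) reply_len = -1;` followed by `if (hostapd_disassoc_accept_mac(hapd)) reply_len = -1;`. The same chaining appears in the next hunk (ACCEPT_ACL CLEAR, DENY_ACL ADD_MAC) and in the matching branches of wpa_supplicant/ctrl_iface.c, where ap_ctrl_iface_set_acl() sits in front of the ap_ctrl_iface_disassoc_*() calls. hostapd_ctrl_iface_receive_process() starts and ends outside this hunk and hostapd_set_acl() is not shown, so when it can fail is inferred only from its return value being tested.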
@@ -3508,20 +3509,23 @@ static int hostapd_ctrl_iface_receive_process(struct hostapd_data *hapd, hostapd_ctrl_iface_acl_clear_list( &hapd->conf->accept_mac, &hapd->conf->num_accept_mac); - hostapd_disassoc_accept_mac(hapd); + if (hostapd_set_acl(hapd) || + hostapd_disassoc_accept_mac(hapd)) + reply_len = -1; } } else if (os_strncmp(buf, "DENY_ACL ", 9) == 0) { if (os_strncmp(buf + 9, "ADD_MAC ", 8) == 0) { - if (!hostapd_ctrl_iface_acl_add_mac( + if (hostapd_ctrl_iface_acl_add_mac( &hapd->conf->deny_mac, - &hapd->conf->num_deny_mac, buf + 17)) - hostapd_disassoc_deny_mac(hapd); - else + &hapd->conf->num_deny_mac, buf + 17) || + hostapd_set_acl(hapd) || + hostapd_disassoc_deny_mac(hapd)) reply_len = -1; } else if (os_strncmp(buf + 9, "DEL_MAC ", 8) == 0) { if (hostapd_ctrl_iface_acl_del_mac( &hapd->conf->deny_mac, - &hapd->conf->num_deny_mac, buf + 17)) + &hapd->conf->num_deny_mac, buf + 17) || + hostapd_set_acl(hapd)) reply_len = -1; } else if (os_strcmp(buf + 9, "SHOW") == 0) { reply_len = hostapd_ctrl_iface_acl_show_mac( @@ -3531,6 +3535,8 @@ static int hostapd_ctrl_iface_receive_process(struct hostapd_data *hapd, hostapd_ctrl_iface_acl_clear_list( &hapd->conf->deny_mac, &hapd->conf->num_deny_mac); + if (hostapd_set_acl(hapd)) + reply_len = -1; } #ifdef CONFIG_DPP } else if (os_strncmp(buf, "DPP_QR_CODE ", 12) == 0) { diff --git a/wpa_supplicant/ap.c b/wpa_supplicant/ap.c index 57fa083c7..7b31d8e4c 100644 --- a/wpa_supplicant/ap.c +++ b/wpa_supplicant/ap.c @@ -1734,6 +1734,19 @@ int ap_ctrl_iface_disassoc_accept_mac(struct wpa_supplicant *wpa_s) return hostapd_disassoc_accept_mac(hapd); } + +int ap_ctrl_iface_set_acl(struct wpa_supplicant *wpa_s) +{ + struct hostapd_data *hapd; + + if (wpa_s->ap_iface) + hapd = wpa_s->ap_iface->bss[0]; + else + return -1; + + return hostapd_set_acl(hapd); +} + #endif /* CONFIG_CTRL_IFACE */ diff --git a/wpa_supplicant/ap.h b/wpa_supplicant/ap.h index c23d218fd..ccd3e7b58 100644 --- a/wpa_supplicant/ap.h +++ b/wpa_supplicant/ap.h 
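Review bot: In the ACCEPT_ACL CLEAR and DENY_ACL ADD_MAC branches the list in hapd->conf is modified before hostapd_set_acl() runs and is not restored when that call fails, so a FAIL reply can leave hostapd's list and the list held by the driver different. Whoever issued the command cannot tell a rejected address from a failed driver install, which matters most for a deny entry that is then listed by SHOW but possibly not enforced by an offloading driver. A log line at the failure point would make this visible, for example `wpa_printf(MSG_INFO, "ACL: failed to install updated list to the driver");`, together with the comment `/* conf list already updated; driver may still hold the previous ACL */`. The enclosing function continues outside the hunk.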
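Review bot: ap_ctrl_iface_set_acl() has no comment saying that it acts only on `bss[0]` and that -1 covers both a missing AP interface and a failure returned by hostapd_set_acl(). I would add above it: `/* Install the current accept/deny lists of the first BSS to the driver; returns -1 if AP mode is not active or the driver update fails */`. The if/else with the return in the else arm would also read more directly as a guard, `if (!wpa_s->ap_iface) return -1;`, followed by the plain assignment of `hapd`.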
@@ -55,6 +55,7 @@ void ap_ctrl_iface_acl_clear_list(struct wpa_supplicant *wpa_s, enum macaddr_acl acl_type); int ap_ctrl_iface_disassoc_deny_mac(struct wpa_supplicant *wpa_s); int ap_ctrl_iface_disassoc_accept_mac(struct wpa_supplicant *wpa_s); +int ap_ctrl_iface_set_acl(struct wpa_supplicant *wpa_s); void ap_tx_status(void *ctx, const u8 *addr, const u8 *buf, size_t len, int ack); void ap_eapol_tx_status(void *ctx, const u8 *dst, diff --git a/wpa_supplicant/ctrl_iface.c b/wpa_supplicant/ctrl_iface.c index 4c5407d09..4498a6678 100644 --- a/wpa_supplicant/ctrl_iface.c +++ b/wpa_supplicant/ctrl_iface.c @@ -12026,12 +12026,14 @@ char * wpa_supplicant_ctrl_iface_process(struct wpa_supplicant *wpa_s, if (os_strncmp(buf + 11, "ADD_MAC ", 8) == 0) { if (ap_ctrl_iface_acl_add_mac(wpa_s, DENY_UNLESS_ACCEPTED, - buf + 19)) + buf + 19) || + ap_ctrl_iface_set_acl(wpa_s)) reply_len = -1; } else if (os_strncmp((buf + 11), "DEL_MAC ", 8) == 0) { if (ap_ctrl_iface_acl_del_mac(wpa_s, DENY_UNLESS_ACCEPTED, buf + 19) || + ap_ctrl_iface_set_acl(wpa_s) || ap_ctrl_iface_disassoc_accept_mac(wpa_s)) reply_len = -1; } else if (os_strcmp(buf + 11, "SHOW") == 0) { @@ -12041,7 +12043,8 @@ char * wpa_supplicant_ctrl_iface_process(struct wpa_supplicant *wpa_s, } else if (os_strcmp(buf + 11, "CLEAR") == 0) { ap_ctrl_iface_acl_clear_list(wpa_s, DENY_UNLESS_ACCEPTED); - if (ap_ctrl_iface_disassoc_accept_mac(wpa_s)) + if (ap_ctrl_iface_set_acl(wpa_s) || + ap_ctrl_iface_disassoc_accept_mac(wpa_s)) reply_len = -1; } else { reply_len = -1; 
@@ -12051,12 +12054,14 @@ char * wpa_supplicant_ctrl_iface_process(struct wpa_supplicant *wpa_s, if (ap_ctrl_iface_acl_add_mac(wpa_s, ACCEPT_UNLESS_DENIED, buf + 17) || + ap_ctrl_iface_set_acl(wpa_s) || ap_ctrl_iface_disassoc_deny_mac(wpa_s)) reply_len = -1; } else if (os_strncmp(buf + 9, "DEL_MAC ", 8) == 0) { if (ap_ctrl_iface_acl_del_mac(wpa_s, ACCEPT_UNLESS_DENIED, - buf + 17)) + buf + 17) || + ap_ctrl_iface_set_acl(wpa_s)) reply_len = -1; } else if (os_strcmp(buf + 9, "SHOW") == 0) { reply_len = ap_ctrl_iface_acl_show_mac( @@ -12064,6 +12069,8 @@ char * wpa_supplicant_ctrl_iface_process(struct wpa_supplicant *wpa_s, } else if (os_strcmp(buf + 9, "CLEAR") == 0) { ap_ctrl_iface_acl_clear_list(wpa_s, ACCEPT_UNLESS_DENIED); + if (ap_ctrl_iface_set_acl(wpa_s)) + reply_len = -1; } else { reply_len = -1; }