Extend ACL to install allow/deny list to the driver dynamically

Support installing the updated allow/deny list to the driver if it
supports ACL offload. Previously, only the not-offloaded cases were
updated dynamically.

Signed-off-by: Chaoli Zhou <quic_zchaoli@quicinc.com>
Chaoli Zhou 2022-03-24 15:19:25 +08:00 committed by Jouni Malinen
parent 077bce96f3
commit 00622fcfef
4 changed files with 41 additions and 14 deletions


@ -3491,14 +3491,15 @@ static int hostapd_ctrl_iface_receive_process(struct hostapd_data *hapd,
if (os_strncmp(buf + 11, "ADD_MAC ", 8) == 0) { if (os_strncmp(buf + 11, "ADD_MAC ", 8) == 0) {
if (hostapd_ctrl_iface_acl_add_mac( if (hostapd_ctrl_iface_acl_add_mac(
&hapd->conf->accept_mac, &hapd->conf->accept_mac,
&hapd->conf->num_accept_mac, buf + 19)) &hapd->conf->num_accept_mac, buf + 19) ||
hostapd_set_acl(hapd))
reply_len = -1; reply_len = -1;
} else if (os_strncmp((buf + 11), "DEL_MAC ", 8) == 0) { } else if (os_strncmp((buf + 11), "DEL_MAC ", 8) == 0) {
if (!hostapd_ctrl_iface_acl_del_mac( if (hostapd_ctrl_iface_acl_del_mac(
&hapd->conf->accept_mac, &hapd->conf->accept_mac,
&hapd->conf->num_accept_mac, buf + 19)) &hapd->conf->num_accept_mac, buf + 19) ||
hostapd_disassoc_accept_mac(hapd); hostapd_set_acl(hapd) ||
else hostapd_disassoc_accept_mac(hapd))
reply_len = -1; reply_len = -1;
} else if (os_strcmp(buf + 11, "SHOW") == 0) { } else if (os_strcmp(buf + 11, "SHOW") == 0) {
reply_len = hostapd_ctrl_iface_acl_show_mac( reply_len = hostapd_ctrl_iface_acl_show_mac(
@ -3508,20 +3509,23 @@ static int hostapd_ctrl_iface_receive_process(struct hostapd_data *hapd,
hostapd_ctrl_iface_acl_clear_list( hostapd_ctrl_iface_acl_clear_list(
&hapd->conf->accept_mac, &hapd->conf->accept_mac,
&hapd->conf->num_accept_mac); &hapd->conf->num_accept_mac);
hostapd_disassoc_accept_mac(hapd); if (hostapd_set_acl(hapd) ||
hostapd_disassoc_accept_mac(hapd))
reply_len = -1;
} }
} else if (os_strncmp(buf, "DENY_ACL ", 9) == 0) { } else if (os_strncmp(buf, "DENY_ACL ", 9) == 0) {
if (os_strncmp(buf + 9, "ADD_MAC ", 8) == 0) { if (os_strncmp(buf + 9, "ADD_MAC ", 8) == 0) {
if (!hostapd_ctrl_iface_acl_add_mac( if (hostapd_ctrl_iface_acl_add_mac(
&hapd->conf->deny_mac, &hapd->conf->deny_mac,
&hapd->conf->num_deny_mac, buf + 17)) &hapd->conf->num_deny_mac, buf + 17) ||
hostapd_disassoc_deny_mac(hapd); hostapd_set_acl(hapd) ||
else hostapd_disassoc_deny_mac(hapd))
reply_len = -1; reply_len = -1;
} else if (os_strncmp(buf + 9, "DEL_MAC ", 8) == 0) { } else if (os_strncmp(buf + 9, "DEL_MAC ", 8) == 0) {
if (hostapd_ctrl_iface_acl_del_mac( if (hostapd_ctrl_iface_acl_del_mac(
&hapd->conf->deny_mac, &hapd->conf->deny_mac,
&hapd->conf->num_deny_mac, buf + 17)) &hapd->conf->num_deny_mac, buf + 17) ||
hostapd_set_acl(hapd))
reply_len = -1; reply_len = -1;
} else if (os_strcmp(buf + 9, "SHOW") == 0) { } else if (os_strcmp(buf + 9, "SHOW") == 0) {
reply_len = hostapd_ctrl_iface_acl_show_mac( reply_len = hostapd_ctrl_iface_acl_show_mac(
@ -3531,6 +3535,8 @@ static int hostapd_ctrl_iface_receive_process(struct hostapd_data *hapd,
hostapd_ctrl_iface_acl_clear_list( hostapd_ctrl_iface_acl_clear_list(
&hapd->conf->deny_mac, &hapd->conf->deny_mac,
&hapd->conf->num_deny_mac); &hapd->conf->num_deny_mac);
if (hostapd_set_acl(hapd))
reply_len = -1;
} }
#ifdef CONFIG_DPP #ifdef CONFIG_DPP
} else if (os_strncmp(buf, "DPP_QR_CODE ", 12) == 0) { } else if (os_strncmp(buf, "DPP_QR_CODE ", 12) == 0) {
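Review bot: In the new `||` chains a non-zero return from hostapd_set_acl() short-circuits the disassociation call, so in DENY_ACL ADD_MAC, ACCEPT_ACL DEL_MAC and ACCEPT_ACL CLEAR the in-memory list has already been edited but hostapd_disassoc_deny_mac() / hostapd_disassoc_accept_mac() never runs. Before this change ACCEPT_ACL CLEAR called the disassociation unconditionally and the other two called it whenever the list edit succeeded, so a station that was just denied or dropped from the accept list can now stay associated after a failed driver install, with only `reply_len = -1` signalling it. I would keep the two steps independent once the list edit has succeeded, e.g. `if (hostapd_set_acl(hapd)) reply_len = -1;` followed by `if (hostapd_disassoc_deny_mac(hapd)) reply_len = -1;`. The same ordering appears in the wpa_supplicant_ctrl_iface_process() hunks with ap_ctrl_iface_set_acl() ahead of ap_ctrl_iface_disassoc_accept_mac() / ap_ctrl_iface_disassoc_deny_mac(). What hostapd_set_acl() returns on each failure path is not visible here, and the enclosing function continues outside these hunks.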


@ -1734,6 +1734,19 @@ int ap_ctrl_iface_disassoc_accept_mac(struct wpa_supplicant *wpa_s)
return hostapd_disassoc_accept_mac(hapd); return hostapd_disassoc_accept_mac(hapd);
} }
int ap_ctrl_iface_set_acl(struct wpa_supplicant *wpa_s)
{
struct hostapd_data *hapd;
if (wpa_s->ap_iface)
hapd = wpa_s->ap_iface->bss[0];
else
return -1;
return hostapd_set_acl(hapd);
}
#endif /* CONFIG_CTRL_IFACE */ #endif /* CONFIG_CTRL_IFACE */
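Review bot: ap_ctrl_iface_set_acl() is added without a comment, and two things about it are not obvious to a caller: it acts only on `wpa_s->ap_iface->bss[0]`, and it returns -1 when no AP interface is active instead of treating that as a no-op. A comment above the function such as `/* Push the current accept/deny lists to the driver for the first BSS; returns -1 if AP mode is not active, otherwise the hostapd_set_acl() result. */` would cover both. The body could also be written as a guard clause, `if (!wpa_s->ap_iface) return -1;` followed by `return hostapd_set_acl(wpa_s->ap_iface->bss[0]);`, unless the if/else shape is kept on purpose to match the neighbouring helpers, whose bodies are outside this hunk.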


@ -55,6 +55,7 @@ void ap_ctrl_iface_acl_clear_list(struct wpa_supplicant *wpa_s,
enum macaddr_acl acl_type); enum macaddr_acl acl_type);
int ap_ctrl_iface_disassoc_deny_mac(struct wpa_supplicant *wpa_s); int ap_ctrl_iface_disassoc_deny_mac(struct wpa_supplicant *wpa_s);
int ap_ctrl_iface_disassoc_accept_mac(struct wpa_supplicant *wpa_s); int ap_ctrl_iface_disassoc_accept_mac(struct wpa_supplicant *wpa_s);
int ap_ctrl_iface_set_acl(struct wpa_supplicant *wpa_s);
void ap_tx_status(void *ctx, const u8 *addr, void ap_tx_status(void *ctx, const u8 *addr,
const u8 *buf, size_t len, int ack); const u8 *buf, size_t len, int ack);
void ap_eapol_tx_status(void *ctx, const u8 *dst, void ap_eapol_tx_status(void *ctx, const u8 *dst,


@ -12026,12 +12026,14 @@ char * wpa_supplicant_ctrl_iface_process(struct wpa_supplicant *wpa_s,
if (os_strncmp(buf + 11, "ADD_MAC ", 8) == 0) { if (os_strncmp(buf + 11, "ADD_MAC ", 8) == 0) {
if (ap_ctrl_iface_acl_add_mac(wpa_s, if (ap_ctrl_iface_acl_add_mac(wpa_s,
DENY_UNLESS_ACCEPTED, DENY_UNLESS_ACCEPTED,
buf + 19)) buf + 19) ||
ap_ctrl_iface_set_acl(wpa_s))
reply_len = -1; reply_len = -1;
} else if (os_strncmp((buf + 11), "DEL_MAC ", 8) == 0) { } else if (os_strncmp((buf + 11), "DEL_MAC ", 8) == 0) {
if (ap_ctrl_iface_acl_del_mac(wpa_s, if (ap_ctrl_iface_acl_del_mac(wpa_s,
DENY_UNLESS_ACCEPTED, DENY_UNLESS_ACCEPTED,
buf + 19) || buf + 19) ||
ap_ctrl_iface_set_acl(wpa_s) ||
ap_ctrl_iface_disassoc_accept_mac(wpa_s)) ap_ctrl_iface_disassoc_accept_mac(wpa_s))
reply_len = -1; reply_len = -1;
} else if (os_strcmp(buf + 11, "SHOW") == 0) { } else if (os_strcmp(buf + 11, "SHOW") == 0) {
@ -12041,7 +12043,8 @@ char * wpa_supplicant_ctrl_iface_process(struct wpa_supplicant *wpa_s,
} else if (os_strcmp(buf + 11, "CLEAR") == 0) { } else if (os_strcmp(buf + 11, "CLEAR") == 0) {
ap_ctrl_iface_acl_clear_list(wpa_s, ap_ctrl_iface_acl_clear_list(wpa_s,
DENY_UNLESS_ACCEPTED); DENY_UNLESS_ACCEPTED);
if (ap_ctrl_iface_disassoc_accept_mac(wpa_s)) if (ap_ctrl_iface_set_acl(wpa_s) ||
ap_ctrl_iface_disassoc_accept_mac(wpa_s))
reply_len = -1; reply_len = -1;
} else { } else {
reply_len = -1; reply_len = -1;
@ -12051,12 +12054,14 @@ char * wpa_supplicant_ctrl_iface_process(struct wpa_supplicant *wpa_s,
if (ap_ctrl_iface_acl_add_mac(wpa_s, if (ap_ctrl_iface_acl_add_mac(wpa_s,
ACCEPT_UNLESS_DENIED, ACCEPT_UNLESS_DENIED,
buf + 17) || buf + 17) ||
ap_ctrl_iface_set_acl(wpa_s) ||
ap_ctrl_iface_disassoc_deny_mac(wpa_s)) ap_ctrl_iface_disassoc_deny_mac(wpa_s))
reply_len = -1; reply_len = -1;
} else if (os_strncmp(buf + 9, "DEL_MAC ", 8) == 0) { } else if (os_strncmp(buf + 9, "DEL_MAC ", 8) == 0) {
if (ap_ctrl_iface_acl_del_mac(wpa_s, if (ap_ctrl_iface_acl_del_mac(wpa_s,
ACCEPT_UNLESS_DENIED, ACCEPT_UNLESS_DENIED,
buf + 17)) buf + 17) ||
ap_ctrl_iface_set_acl(wpa_s))
reply_len = -1; reply_len = -1;
} else if (os_strcmp(buf + 9, "SHOW") == 0) { } else if (os_strcmp(buf + 9, "SHOW") == 0) {
reply_len = ap_ctrl_iface_acl_show_mac( reply_len = ap_ctrl_iface_acl_show_mac(
@ -12064,6 +12069,8 @@ char * wpa_supplicant_ctrl_iface_process(struct wpa_supplicant *wpa_s,
} else if (os_strcmp(buf + 9, "CLEAR") == 0) { } else if (os_strcmp(buf + 9, "CLEAR") == 0) {
ap_ctrl_iface_acl_clear_list(wpa_s, ap_ctrl_iface_acl_clear_list(wpa_s,
ACCEPT_UNLESS_DENIED); ACCEPT_UNLESS_DENIED);
if (ap_ctrl_iface_set_acl(wpa_s))
reply_len = -1;
} else { } else {
reply_len = -1; reply_len = -1;
} }