From 3e633bb3709611d79965fab667e3239fd3bde151 Mon Sep 17 00:00:00 2001 From: Jo-Philipp Wich Date: Tue, 16 Oct 2018 12:11:20 +0200 Subject: [PATCH] hostapd: fix MAC filter related log spam Backport two upstream fixes to address overly verbose logging of MAC ACL rejection messages. Fixes: FS#1468 Signed-off-by: Jo-Philipp Wich --- package/network/services/hostapd/Makefile | 2 +- ...e-undesired-logging-of-ACL-rejection.patch | 39 +++++++++++++++++++ ...-logging-priority-for-handle_auth_cb.patch | 28 +++++++++++++ .../hostapd/patches/600-ubus_support.patch | 20 +++++----- 4 files changed, 78 insertions(+), 11 deletions(-) create mode 100644 package/network/services/hostapd/patches/000-0001-Reduce-undesired-logging-of-ACL-rejection.patch create mode 100644 package/network/services/hostapd/patches/000-0002-Drop-logging-priority-for-handle_auth_cb.patch
diff --git a/package/network/services/hostapd/Makefile b/package/network/services/hostapd/Makefile
index 41f5f54b82..34b6d9708d 100644
--- a/package/network/services/hostapd/Makefile
+++ b/package/network/services/hostapd/Makefile
@@ -7,7 +7,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=hostapd
-PKG_RELEASE:=4
+PKG_RELEASE:=5
 PKG_SOURCE_URL:=http://w1.fi/hostap.git
 PKG_SOURCE_PROTO:=git
diff --git a/package/network/services/hostapd/patches/000-0001-Reduce-undesired-logging-of-ACL-rejection.patch b/package/network/services/hostapd/patches/000-0001-Reduce-undesired-logging-of-ACL-rejection.patch
new file mode 100644
index 0000000000..3fc80a01d7
--- /dev/null
+++ b/package/network/services/hostapd/patches/000-0001-Reduce-undesired-logging-of-ACL-rejection.patch
@@ -0,0 +1,39 @@
+From 6588f712220797c69dbd019daa19b82a50d92782 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen
+Date: Sun, 14 Oct 2018 19:57:22 +0300
+Subject: Reduce undesired logging of ACL rejection events from AP mode
+
+When Probe Request frame handling was extended to use MAC ACL through
+ieee802_11_allowed_address(), the MSG_INFO level log print ("Station
+ not allowed to authenticate") from that function ended up getting
+printed even for Probe Request frames. That was not by design and it can
+result in excessive logging and MSG_INFO level if MAC ACL is used.
+
+Fix this by printing this log entry only for authentication and
+association frames. In addition, drop the priority of that log entry to
+MSG_DEBUG since this is not really an unexpected behavior in most MAC
+ACL use cases.
+
+Fixes: 92eb00aec2a0 ("Extend ACL check for Probe Request frames")
+Signed-off-by: Jouni Malinen
+---
+ src/ap/ieee802_11.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/src/ap/ieee802_11.c
++++ b/src/ap/ieee802_11.c
+@@ -1636,9 +1636,11 @@ ieee802_11_allowed_address(struct hostap
+ is_probe_req);
+
+ if (res == HOSTAPD_ACL_REJECT) {
+- wpa_printf(MSG_INFO,
+- "Station " MACSTR " not allowed to authenticate",
+- MAC2STR(addr));
++ if (!is_probe_req)
++ wpa_printf(MSG_DEBUG,
++ "Station " MACSTR
++ " not allowed to authenticate",
++ MAC2STR(addr));
+ return HOSTAPD_ACL_REJECT;
+ }
+
diff --git a/package/network/services/hostapd/patches/000-0002-Drop-logging-priority-for-handle_auth_cb.patch b/package/network/services/hostapd/patches/000-0002-Drop-logging-priority-for-handle_auth_cb.patch
new file mode 100644
index 0000000000..82165a94f9
--- /dev/null
+++ b/package/network/services/hostapd/patches/000-0002-Drop-logging-priority-for-handle_auth_cb.patch
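Review bot: Rejected authentication and association attempts are now logged only at MSG_DEBUG, so under the new `if (!is_probe_req)` branch a MAC ACL denial no longer reaches anyone collecting logs at MSG_INFO; whether that is the level deployed in practice is not visible here. Skipping the print for Probe Request frames already addresses the spam described in the patch, so the lower level for auth/assoc frames is a separate visibility trade-off. It is worth recording where the level is chosen, e.g. `/* MSG_DEBUG on purpose: ACL rejects are routine; raise the log level to audit denied stations */`. ieee802_11_allowed_address() starts and ends outside the hunk.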
@@ -0,0 +1,28 @@
+From dc1b1c8db7905639be6f4de8173e2d97bf6df90d Mon Sep 17 00:00:00 2001
+From: Jouni Malinen
+Date: Sun, 14 Oct 2018 20:03:55 +0300
+Subject: Drop logging priority for handle_auth_cb no-STA-match messages
+
+This message was printed and MSG_INFO level which would be more
+reasonable for error cases where hostapd has accepted authentication.
+However, this is not really an error case for the cases where
+authentication was rejected (e.g., due to MAC ACL). Drop this to use
+MSG_DEBUG level.
+
+Signed-off-by: Jouni Malinen
+---
+ src/ap/ieee802_11.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/src/ap/ieee802_11.c
++++ b/src/ap/ieee802_11.c
+@@ -4018,7 +4018,8 @@ static void handle_auth_cb(struct hostap
+
+ sta = ap_get_sta(hapd, mgmt->da);
+ if (!sta) {
+- wpa_printf(MSG_INFO, "handle_auth_cb: STA " MACSTR " not found",
++ wpa_printf(MSG_DEBUG, "handle_auth_cb: STA " MACSTR
++ " not found",
+ MAC2STR(mgmt->da));
+ return;
+ }
diff --git a/package/network/services/hostapd/patches/600-ubus_support.patch b/package/network/services/hostapd/patches/600-ubus_support.patch
index cb2c54d57c..b1e7c78c22 100644
--- a/package/network/services/hostapd/patches/600-ubus_support.patch
+++ b/package/network/services/hostapd/patches/600-ubus_support.patch
@@ -92,7 +92,7 @@ __func__, driver, drv_priv);
 --- a/src/ap/ieee802_11.c
 +++ b/src/ap/ieee802_11.c
-@@ -1712,12 +1712,13 @@ ieee802_11_set_radius_info(struct hostap
+@@ -1714,12 +1714,13 @@ ieee802_11_set_radius_info(struct hostap
 static void handle_auth(struct hostapd_data *hapd,
@@ -108,7 +108,7 @@ u16 fc; const u8 *challenge = NULL; u32 session_timeout, acct_interim_interval;
-@@ -1728,6 +1729,11 @@ static void handle_auth(struct hostapd_d
+@@ -1730,6 +1731,11 @@ static void handle_auth(struct hostapd_d
 char *identity = NULL; char *radius_cui = NULL; u16 seq_ctrl;
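Review bot: The `MSG_DEBUG` level now applies to every `!sta` return in handle_auth_cb, although the patch description itself says MSG_INFO is reasonable when hostapd accepted the authentication and the station entry is then missing. The hunk does not separate that accepted case from the rejected one, so the anomaly also drops out of MSG_INFO-level logs. A comment on the call would record the decision, e.g. `/* also reached after an accepted auth; kept at debug to avoid ACL-reject noise */`. handle_auth_cb continues outside the hunk, so whether the status code is available at this point to tell the cases apart cannot be confirmed from here.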
@@ -120,7 +120,7 @@ if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) { wpa_printf(MSG_INFO, "handle_auth - too short payload (len=%lu)",
-@@ -1888,6 +1894,13 @@ static void handle_auth(struct hostapd_d
+@@ -1890,6 +1896,13 @@ static void handle_auth(struct hostapd_d
 resp = WLAN_STATUS_UNSPECIFIED_FAILURE; goto fail; }
@@ -134,7 +134,7 @@ if (res == HOSTAPD_ACL_PENDING) return;
-@@ -3167,12 +3180,12 @@ void fils_hlp_timeout(void *eloop_ctx, v
+@@ -3169,12 +3182,12 @@ void fils_hlp_timeout(void *eloop_ctx, v
 static void handle_assoc(struct hostapd_data *hapd, const struct ieee80211_mgmt *mgmt, size_t len,
@@ -149,7 +149,7 @@ struct sta_info *sta; u8 *tmp = NULL; struct hostapd_sta_wpa_psk_short *psk = NULL;
-@@ -3181,6 +3194,11 @@ static void handle_assoc(struct hostapd_
+@@ -3183,6 +3196,11 @@ static void handle_assoc(struct hostapd_
 #ifdef CONFIG_FILS int delay_assoc = 0; #endif /* CONFIG_FILS */
@@ -161,7 +161,7 @@ if (len < IEEE80211_HDRLEN + (reassoc ? sizeof(mgmt->u.reassoc_req) : sizeof(mgmt->u.assoc_req))) {
-@@ -3352,6 +3370,14 @@ static void handle_assoc(struct hostapd_
+@@ -3354,6 +3372,14 @@ static void handle_assoc(struct hostapd_
 } #endif /* CONFIG_MBO */
@@ -176,7 +176,7 @@ /* * sta->capability is used in check_assoc_ies() for RRM enabled * capability element.
-@@ -3565,6 +3591,7 @@ static void handle_disassoc(struct hosta
+@@ -3567,6 +3593,7 @@ static void handle_disassoc(struct hosta
 wpa_printf(MSG_DEBUG, "disassocation: STA=" MACSTR " reason_code=%d", MAC2STR(mgmt->sa), le_to_host16(mgmt->u.disassoc.reason_code));
@@ -184,7 +184,7 @@ sta = ap_get_sta(hapd, mgmt->sa); if (sta == NULL) {
-@@ -3630,6 +3657,8 @@ static void handle_deauth(struct hostapd
+@@ -3632,6 +3659,8 @@ static void handle_deauth(struct hostapd
 " reason_code=%d", MAC2STR(mgmt->sa), le_to_host16(mgmt->u.deauth.reason_code));
@@ -193,7 +193,7 @@ sta = ap_get_sta(hapd, mgmt->sa); if (sta == NULL) { wpa_msg(hapd->msg_ctx, MSG_DEBUG, "Station " MACSTR " trying "
-@@ -3949,7 +3978,7 @@ int ieee802_11_mgmt(struct hostapd_data
+@@ -3951,7 +3980,7 @@ int ieee802_11_mgmt(struct hostapd_data
 if (stype == WLAN_FC_STYPE_PROBE_REQ) {
@@ -202,7 +202,7 @@ return 1; }
-@@ -3969,17 +3998,17 @@ int ieee802_11_mgmt(struct hostapd_data
+@@ -3971,17 +4000,17 @@ int ieee802_11_mgmt(struct hostapd_data
 switch (stype) { case WLAN_FC_STYPE_AUTH: wpa_printf(MSG_DEBUG, "mgmt::auth");
-- 
2.30.2