From: Adrian Chadd
Date: Thu, 15 Dec 2011 00:52:30 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r228514 - head/sys/net80211

Author: adrian
Date: Thu Dec 15 00:52:30 2011
New Revision: 228514
URL: http://svn.freebsd.org/changeset/base/228514

Log:
  Modify the ACL code slightly to support a few nifty things:

  * Call it before sending probe responses, so the ACL code has the
    chance to reject sending them.

  * Pass the whole frame to the ACL code now, rather than just the
    destination MAC - that way the ACL module can look at the frame
    contents to determine what the response should be.

  This is part of some uncommitted work to support band steering.

  Sponsored by: Hobnob, Inc.

Modified:
  head/sys/net80211/ieee80211_acl.c
  head/sys/net80211/ieee80211_hostap.c
  head/sys/net80211/ieee80211_mesh.c
  head/sys/net80211/ieee80211_proto.h

Modified: head/sys/net80211/ieee80211_acl.c ============================================================================== --- head/sys/net80211/ieee80211_acl.c Wed Dec 14 23:57:47 2011 (r228513) +++ head/sys/net80211/ieee80211_acl.c Thu Dec 15 00:52:30 2011 (r228514) 
@@ -152,7 +152,8 @@ _acl_free(struct aclstate *as, struct ac } static int -acl_check(struct ieee80211vap *vap, const uint8_t mac[IEEE80211_ADDR_LEN]) +acl_check(struct ieee80211vap *vap, const struct ieee80211_frame *wh, + const uint8_t mac[IEEE80211_ADDR_LEN]) { struct aclstate *as = vap->iv_as; Modified: head/sys/net80211/ieee80211_hostap.c ============================================================================== --- head/sys/net80211/ieee80211_hostap.c Wed Dec 14 23:57:47 2011 (r228513) +++ head/sys/net80211/ieee80211_hostap.c Thu Dec 15 00:52:30 2011 (r228514) @@ -1795,6 +1795,16 @@ hostap_recv_mgmt(struct ieee80211_node * return; } /* + * Consult the ACL policy module if setup. + */ + if (vap->iv_acl != NULL && + !vap->iv_acl->iac_check(vap, wh, wh->i_addr2)) { + IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL, + wh, NULL, "%s", "disallowed by ACL"); + vap->iv_stats.is_rx_acl++; + return; + } + /* * prreq frame format * [tlv] ssid * [tlv] supported rates @@ -1874,7 +1884,7 @@ hostap_recv_mgmt(struct ieee80211_node * * Consult the ACL policy module if setup. */ if (vap->iv_acl != NULL && - !vap->iv_acl->iac_check(vap, wh->i_addr2)) { + !vap->iv_acl->iac_check(vap, wh, wh->i_addr2)) { IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL, wh, NULL, "%s", "disallowed by ACL"); vap->iv_stats.is_rx_acl++; Modified: head/sys/net80211/ieee80211_mesh.c ============================================================================== --- head/sys/net80211/ieee80211_mesh.c Wed Dec 14 23:57:47 2011 (r228513) +++ head/sys/net80211/ieee80211_mesh.c Thu Dec 15 00:52:30 2011 (r228514) @@ -1120,7 +1120,8 @@ mesh_input(struct ieee80211_node *ni, st * * NB: this check is also done upon peering link initiation. */ - if (vap->iv_acl != NULL && !vap->iv_acl->iac_check(vap, wh->i_addr2)) { + if (vap->iv_acl != NULL && + !vap->iv_acl->iac_check(vap, wh, wh->i_addr2)) { IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL, wh, NULL, "%s", "disallowed by ACL"); vap->iv_stats.is_rx_acl++; 
@@ -1379,7 +1380,7 @@ mesh_recv_mgmt(struct ieee80211_node *ni * Peer only based on the current ACL policy. */ if (vap->iv_acl != NULL && - !vap->iv_acl->iac_check(vap, wh->i_addr2)) { + !vap->iv_acl->iac_check(vap, wh, wh->i_addr2)) { IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL, wh, NULL, "%s", "disallowed by ACL"); vap->iv_stats.is_rx_acl++; Modified: head/sys/net80211/ieee80211_proto.h ============================================================================== --- head/sys/net80211/ieee80211_proto.h Wed Dec 14 23:57:47 2011 (r228513) +++ head/sys/net80211/ieee80211_proto.h Thu Dec 15 00:52:30 2011 (r228514) @@ -215,6 +215,7 @@ struct ieee80211_aclator { int (*iac_attach)(struct ieee80211vap *); void (*iac_detach)(struct ieee80211vap *); int (*iac_check)(struct ieee80211vap *, + const struct ieee80211_frame *wh, const uint8_t mac[IEEE80211_ADDR_LEN]); int (*iac_add)(struct ieee80211vap *, const uint8_t mac[IEEE80211_ADDR_LEN]);
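
Review bot: In the ieee80211_acl.c hunk (@@ -152,7 +152,8), acl_check() gains a wh argument with no comment saying what the callee may assume about it, and every caller in this patch passes wh->i_addr2 as mac, so the two arguments now carry overlapping information. A short comment above acl_check() stating which of the two the policy match is keyed on, whether wh may be NULL, and which frame types can arrive here would keep later ACL modules from guessing at the contract.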
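
Review bot: In the first ieee80211_hostap.c hunk (@@ -1795,6 +1795,16), the new probe-request rejection increments vap->iv_stats.is_rx_acl and logs the same "disallowed by ACL" string as the existing check in the hunk at -1874, so a dropped probe request cannot be told apart from a rejection at the later check in either the counters or the IEEE80211_MSG_ACL output. A distinct discard message for the probe-request path would make it possible to see how much of is_rx_acl comes from probe traffic. The check also sits above the "prreq frame format" comment, that is, before the request's TLVs are parsed, so the ACL module is handed a frame whose contents have not yet been validated by this function; worth stating in a comment, since existing ACL policies will now also suppress probe responses.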
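
Review bot: In the ieee80211_proto.h hunk (@@ -215,6 +215,7), iac_check now receives the frame header pointer wh but no length or end-of-frame pointer, so an ACL module that reads past the fixed header into the frame contents, which the log message gives as the purpose of the change, has nothing to bounds-check against. Consider passing the frame end (or the mbuf) alongside wh, or documenting in struct ieee80211_aclator that only the fixed header may be dereferenced. The changed function-pointer signature also means any ACL module built against the old two-argument iac_check will no longer match, which deserves a mention for out-of-tree modules.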