wireless-ap: Allow to enable/disable 802.11w Management Frame Protection
authorMichael Tremer <michael.tremer@ipfire.org>
Fri, 22 Mar 2019 11:27:38 +0000 (12:27 +0100)
committerMichael Tremer <michael.tremer@ipfire.org>
Fri, 22 Mar 2019 11:27:38 +0000 (12:27 +0100)
This is disabled by default, because loads of stations have issues
associating with an AP that has 802.11w enabled.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
src/functions/functions.hostapd
src/helpers/hostapd-config-helper
src/hooks/ports/wireless-ap

index 245b4cf..bf0c5fc 100644 (file)
@@ -41,6 +41,7 @@ hostapd_config_write() {
        local encryption
        local environment="${WIRELESS_DEFAULT_ENVIRONMENT}"
        local key
+       local mfp="off"
        local mode
        local ssid
        local wmm="1"
@@ -68,6 +69,9 @@ hostapd_config_write() {
                        --key=*)
                                key=$(cli_get_val "${1}")
                                ;;
+                       --mfp=*)
+                               mfp="$(cli_get_val "${1}")"
+                               ;;
                        --mode=*)
                                mode=$(cli_get_val "${1}")
 
@@ -133,6 +137,12 @@ hostapd_config_write() {
                return ${EXIT_ERROR}
        fi
 
+       # Management Frame Proection
+       if ! isbool mfp; then
+               error "Invalid value for --mfp: ${mfp}"
+               return ${EXIT_ERROR}
+       fi
+
        # 802.11ac/n flags
        local ieee80211ac
        local ieee80211n
@@ -325,6 +335,13 @@ hostapd_config_write() {
                print "vht_oper_chwidth=${vht_oper_chwidth}"
 
                print
+
+               # 802.11w - Management Frame Protection (MFP)
+               if enabled mfp; then
+                       print "ieee80211w=2" # required
+               else
+                       print "ieee80211w=0"
+               fi
        ) >> ${file}
 
        # Control interface.
index d3292c3..7af723d 100644 (file)
@@ -45,6 +45,7 @@ case "${action}" in
                        --encryption="${ENCRYPTION}" \
                        --environment="${ENVIRONMENT}" \
                        --key="${KEY}" \
+                       --mfp="${MFP}" \
                        --mode="${MODE}" \
                        --ssid="${SSID}" \
                || exit $?
index 6db39b8..7073cbc 100644 (file)
@@ -25,6 +25,7 @@ HOOK_PORT_PATTERN="${PORT_PATTERN_ACCESSPOINT}"
 
 HOOK_SETTINGS="ADDRESS BROADCAST_SSID CHANNEL CHANNEL_BANDWIDTH DFS MODE PHY"
 HOOK_SETTINGS="${HOOK_SETTINGS} ENCRYPTION ENVIRONMENT KEY SSID"
+HOOK_SETTINGS="${HOOK_SETTINGS} MFP"
 
 ADDRESS=$(mac_generate)
 BROADCAST_SSID=on
@@ -37,6 +38,10 @@ SSID=
 # Perform radar detection by default when possible
 DFS="on"
 
+# 802.11w - Management Frame Protection
+# Disable by default because many clients cannot connect when enabled
+MFP="off"
+
 ENVIRONMENT="${WIRELESS_DEFAULT_ENVIRONMENT}"
 
 hook_check_settings() {
@@ -46,6 +51,7 @@ hook_check_settings() {
        assert isbool BROADCAST_SSID
        assert isset CHANNEL
        assert isbool DFS
+       assert isbool MFP
        assert isset MODE
        assert isoneof MODE ${HOSTAPD_SUPPORTED_MODES}
        assert isset PHY
@@ -104,6 +110,18 @@ hook_parse_cmdline() {
                        --mac=*)
                                ADDRESS=$(cli_get_val "${1}")
                                ;;
+                       --mfp=*)
+                               MFP="$(cli_get_val "${1}")"
+
+                               if enabled MFP; then
+                                       MFP="on"
+                               elif disabled MFP; then
+                                       MFP="off"
+                               else
+                                       error "Invalid value for --mfp: ${MFP}"
+                                       return ${EXIT_ERROR}
+                               fi
+                               ;;
                        --mode=*)
                                MODE=$(cli_get_val "${1}")