OpenWrt Forum Archive

Topic: MAC filtering for WNDR3700 (hostapd.sh patch)

The content of this topic has been archived on 23 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Seeking to enable MAC filtering in hardware on a WNDR3700. I found:

https://forum.openwrt.org/viewtopic.php … 91#p116291

but it doesn't seem to have made its way onto:

https://dev.openwrt.org/browser/trunk/p … hostapd.sh

Here's the patch again (BB seems to lose the tabs):

--- hostapd.sh.bak      2010-12-19 03:56:49.000000000 -0800
+++ hostapd.sh  2010-12-26 11:53:53.000000000 -0800
@@ -14,6 +14,31 @@
                append "$var" "ap_isolate=$ap_isolate" "$N"
        fi

+       config_get ifname "$vif" ifname
+       local macfile="/var/run/hostapd-${phy}-${ifname}-mac"
+       config_get macfilter "$vif" macfilter
+       config_get maclist "$vif" maclist
+       test -e $macfile.* && rm -f $macfile.*
+       case "$macfilter" in
+               allow|2)
+                       append "$var" "macaddr_acl=1" "$N"
+                       for mac in $maclist; do
+                               echo "$mac" >> $macfile.allow
+                       done
+                       append "$var" "accept_mac_file=$macfile.allow" "$N"
+               ;;
+               deny|1)
+                       append "$var" "macaddr_acl=0" "$N"
+                       for mac in $maclist; do
+                               echo "$mac" >> $macfile.deny
+                       done
+                       append "$var" "deny_mac_file=$macfile.deny" "$N"
+               ;;
+                radius|3)
+                       append "$var" "macaddr_acl=3" "$N"
+               ;;
+       esac
+
        # Examples:
        # psk-mixed/tkip        => WPA1+2 PSK, TKIP
        # wpa-psk2/tkip+aes     => WPA2 PSK, CCMP+TKIP
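Review bot: the `radius|3` case writes `macaddr_acl=3`, which hostapd does not define; hostapd.conf documents 0 (accept unless in deny list), 1 (deny unless in accept list) and 2 (external RADIUS server, with the accept/deny lists searched first), so this branch should emit `macaddr_acl=2`. The cleanup line `test -e $macfile.* && rm -f $macfile.*` is also unreliable: when both an .allow and a .deny file are left over (after switching macfilter from one mode to the other) the glob expands to two arguments, `test -e` errors out and nothing is removed, and when nothing matches the unquoted glob is tested as a literal file name. Naming the two files explicitly avoids both cases.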

The patch needs some work because it's looking up the wrong section of the configuration to find the list of MAC addresses.

http://wiki.openwrt.org/doc/uci/wireless

I've restricted the rm command to only remove the files that might be created by this component.

--- hostapd.sh.bak
+++ hostapd.sh
@@ -14,6 +14,32 @@
                append "$var" "ap_isolate=$ap_isolate" "$N"
        fi

+       local macfile="/var/run/hostapd-${phy}-${device}-mac"
+       config_get macfilter "$device" macfilter
+       config_get maclist "$device" maclist
+       for acl in allow deny ; do
+               rm -f $macfile.$acl
+       done
+       case "$macfilter" in
+               allow|2)
+                       append "$var" "macaddr_acl=1" "$N"
+                       for mac in $maclist; do
+                               echo "$mac" >> $macfile.allow
+                       done
+                       append "$var" "accept_mac_file=$macfile.allow" "$N"
+               ;;
+               deny|1)
+                       append "$var" "macaddr_acl=0" "$N"
+                       for mac in $maclist; do
+                               echo "$mac" >> $macfile.deny
+                       done
+                       append "$var" "deny_mac_file=$macfile.deny" "$N"
+               ;;
+               radius|3)
+                       append "$var" "macaddr_acl=3" "$N"
+               ;;
+       esac
+
        # Examples:
        # psk-mixed/tkip        => WPA1+2 PSK, TKIP
        # wpa-psk2/tkip+aes     => WPA2 PSK, CCMP+TKIP
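Review bot: with `macfilter=allow` and an empty or unset `maclist`, the `for mac in $maclist` loop never creates `$macfile.allow`, yet `accept_mac_file=$macfile.allow` is still appended, so hostapd is pointed at a file that was just removed and fails to open it. Creating the file before the loop (`: > $macfile.allow`) makes an empty allow list admit nobody instead of breaking the interface. The entries also go into the file unchecked: hostapd treats a line it cannot parse as a MAC address in accept_mac_file/deny_mac_file as a configuration error, so a single typo in the UCI list takes the whole AP down rather than dropping that one entry. Validating the format before writing, and quoting `$macfile` in the redirects, would be worth the extra lines.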

I've updated the patch to provide a bit more flexibility.

If option maclist starts with a leading /, it is assumed to be the absolute path to a file containing the MAC ACL. This allows a separate list to be maintained elsewhere rather than in the confines of the UCI format. For example, hostapd allows the MAC ACL file to contain embedded comments:

# Joe's desktop in the basement
00:0C:F1:56:98:AD

+       local macfile="/var/run/hostapd-${phy}-${device}-mac"
+       config_get macfilter "$device" macfilter
+       config_get maclist "$device" maclist
+       for acl in allow deny ; do
+               rm -f $macfile.$acl
+       done
+       if [ -z "${maclist##/*}" ] ; then
+               macfile="$maclist"
+               maclist=
+       fi
+       case "$macfilter" in
+               allow|2)
+                       append "$var" "macaddr_acl=1" "$N"
+                       for mac in $maclist; do
+                               echo "$mac" >> $macfile.allow
+                       done
+                       [ -z "$maclist" ] || macfile="$macfile.allow"
+                       append "$var" "accept_mac_file=$macfile" "$N"
+               ;;
+               deny|1)
+                       append "$var" "macaddr_acl=0" "$N"
+                       for mac in $maclist; do
+                               echo "$mac" >> $macfile.deny
+                       done
+                       [ -z "$maclist" ] || macfile="$macfile.deny"
+                       append "$var" "deny_mac_file=$macfile" "$N"
+               ;;
+               radius|3)
+                       append "$var" "macaddr_acl=3" "$N"
+               ;;
+       esac
+
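Review bot: `[ -z "${maclist##/*}" ]` is also true when `maclist` is empty, because the pattern removes nothing from an empty string; with `macfilter=allow` and no `maclist` the patch then sets `macfile=""` and emits `accept_mac_file=` with no path at all. Use `case "$maclist" in /*) ... esac` for the leading-slash test, and check that the external file is readable before handing it to hostapd, which otherwise refuses to start. The `radius|3` branch still writes `macaddr_acl=3`; hostapd's documented values are 0, 1 and 2, with 2 meaning RADIUS. As posted, the hunk also has no `---`/`+++` header or `@@` line, so it cannot be applied with patch without reconstructing those from the earlier version.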

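The three patches above all translate the UCI options macfilter/maclist into hostapd's macaddr_acl and accept_mac_file/deny_mac_file settings. The following is an added example, not code from this thread or from OpenWrt's hostapd.sh: a stand-alone POSIX sh version of that translation that also handles the cases the patches trip over (an empty list, a malformed entry, a leading-slash path to an external ACL file that hostapd can read, and the RADIUS value). The function names mac_acl_config and valid_mac, the arguments replacing config_get, the file prefix and the MAC addresses in the comments are all constructed for the example.

```shell
#!/bin/sh
# Added example (not OpenWrt's hostapd.sh): turn a UCI-style macfilter/maclist
# pair into hostapd's macaddr_acl / *_mac_file settings, with the input checks
# the forum patches leave out. config_get is replaced by plain arguments and
# the /var/run file prefix is an assumption supplied by the caller.

# valid_mac ADDR: succeed only for a colon-separated 48-bit MAC address, the
# form hostapd's ACL file parser accepts.
valid_mac() {
    case "$1" in
        [0-9A-Fa-f][0-9A-Fa-f]:[0-9A-Fa-f][0-9A-Fa-f]:[0-9A-Fa-f][0-9A-Fa-f]:[0-9A-Fa-f][0-9A-Fa-f]:[0-9A-Fa-f][0-9A-Fa-f]:[0-9A-Fa-f][0-9A-Fa-f])
            return 0 ;;
    esac
    return 1
}

# mac_acl_config MODE MACLIST BASE
#   MODE    allow | deny | radius | disable   (UCI option macfilter)
#   MACLIST space-separated MACs, or an absolute path to a ready-made hostapd
#           ACL file (hostapd allows '#' comment lines in it)
#   BASE    prefix for generated files, e.g. /var/run/hostapd-phy0-wlan0-mac
# Prints the hostapd.conf lines on stdout. Returns 1 on bad input so the
# caller fails before hostapd is started with a file it would reject.
mac_acl_config() {
    mode=$1
    maclist=$2
    base=$3
    # Remove exactly the files this function may have created last time.
    rm -f "$base.allow" "$base.deny"
    case "$mode" in
        allow)  acl=1; key=accept_mac_file; file="$base.allow" ;;
        deny)   acl=0; key=deny_mac_file;   file="$base.deny" ;;
        radius) echo "macaddr_acl=2"; return 0 ;;   # hostapd defines 0, 1, 2 only
        ""|disable) return 0 ;;                      # hostapd default: accept all
        *) echo "unknown macfilter value '$mode'" >&2; return 1 ;;
    esac
    case "$maclist" in
        /*) # External list: refuse a path hostapd could not open either.
            [ -r "$maclist" ] || { echo "ACL file '$maclist' not readable" >&2; return 1; }
            file=$maclist ;;
        *)  # Inline list: always create the file, even for an empty list, so an
            # empty allow list admits nobody instead of pointing at a missing file.
            : > "$file"
            for mac in $maclist; do
                valid_mac "$mac" || {
                    echo "malformed MAC in maclist: '$mac'" >&2
                    rm -f "$file"
                    return 1
                }
                echo "$mac" >> "$file"
            done ;;
    esac
    echo "macaddr_acl=$acl"
    echo "$key=$file"
}

# Constructed usage (prints the two hostapd.conf lines and writes the .allow file):
#   mac_acl_config allow "00:0C:F1:56:98:AD 00:11:22:33:44:55" /var/run/hostapd-phy0-wlan0-mac
```

The function fails closed: a malformed entry or an unreadable external file stops the caller before hostapd is launched, which is preferable to hostapd rejecting its configuration at startup with the interface already half-configured. The ACL file is never deleted without being recreated for the allow and deny modes, so an empty allow list really means "admit nobody".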
The discussion might have continued from here.