From a59fb343f92b2b6dbbe873ddd362bb6fc9870f2e Mon Sep 17 00:00:00 2001
From: noface
Date: Sun, 22 May 2016 21:36:30 +0200
Subject: [PATCH 1/5] Optional MAC address filtering.
Station MAC address -based authentication Please note that this kind of access control requires a driver that uses hostapd to take care of management frame processing and as such, this can be used with driver=hostap or driver=nl80211, but not with driver=atheros.
---
 create_ap | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/create_ap b/create_ap
index 0766a86..59fcc35 100755
--- a/create_ap
+++ b/create_ap
@@ -42,6 +42,7 @@ usage() {
 echo " 'none' for no Internet sharing (equivalent to -n)"
 echo " --psk Use 64 hex digits pre-shared-key instead of passphrase"
 echo " --hidden Make the Access Point hidden (do not broadcast the SSID)"
+ echo " --mac-filter Enable MAC address filtering (addresses can be added to /etc/hostapd/accept)"
 echo " --redirect-to-localhost If -n is set, redirect every web request to localhost (useful for public information networks)"
 echo " --hostapd-debug With level between 1 and 2, passes arguments -d or -dd to hostapd for debugging."
 echo " --isolate-clients Disable communication between clients"
@@ -600,6 +601,7 @@ ETC_HOSTS=0
 DHCP_DNS=gateway
 NO_DNS=0
 HIDDEN=0
+MAC_FILTER=0
 ISOLATE_CLIENTS=0
 SHARE_METHOD=nat
 IEEE80211N=0
@@ -618,7 +620,7 @@ USE_PSK=0
 HOSTAPD_DEBUG_ARGS=
 REDIRECT_TO_LOCALHOST=0
-CONFIG_OPTS=(CHANNEL GATEWAY WPA_VERSION ETC_HOSTS DHCP_DNS NO_DNS HIDDEN ISOLATE_CLIENTS SHARE_METHOD
+CONFIG_OPTS=(CHANNEL GATEWAY WPA_VERSION ETC_HOSTS DHCP_DNS NO_DNS HIDDEN MAC_FILER ISOLATE_CLIENTS SHARE_METHOD
 IEEE80211N IEEE80211AC HT_CAPAB VHT_CAPAB DRIVER NO_VIRT COUNTRY FREQ_BAND
 NEW_MACADDR DAEMONIZE NO_HAVEGED WIFI_IFACE INTERNET_IFACE SSID PASSPHRASE USE_PSK)
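Review bot: The --help line added in the usage() hunk does not carry the driver restriction stated in the commit message (hostapd must handle management frames, i.e. driver=hostap or driver=nl80211, not driver=atheros), and nothing in the series compares `DRIVER` against it, so a user on an unsupported driver gets a filter that is silently ineffective. Consider extending the text to `echo "  --mac-filter  Enable MAC address filtering (requires driver=nl80211 or hostap)"` or emitting a warning where `DRIVER` is validated (outside this hunk). It is also worth saying in the help text that a MAC allow-list is a convenience filter and not authentication — station addresses are neither secret nor verified by hostapd — so WPA should stay enabled alongside it.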
@@ -1012,7 +1014,7 @@ for ((i=0; i<$#; i++)); do
 fi
 done
-GETOPT_ARGS=$(getopt -o hc:w:g:dnm: -l "help","hidden","hostapd-debug:","redirect-to-localhost","isolate-clients","ieee80211n","ieee80211ac","ht_capab:","vht_capab:","driver:","no-virt","fix-unmanaged","country:","freq-band:","mac:","dhcp-dns:","daemon","stop:","list","list-running","list-clients:","version","psk","no-haveged","no-dns","mkconfig:","config:" -n "$PROGNAME" -- "$@")
+GETOPT_ARGS=$(getopt -o hc:w:g:dnm: -l "help","hidden","hostapd-debug:","redirect-to-localhost","mac-filter","isolate-clients","ieee80211n","ieee80211ac","ht_capab:","vht_capab:","driver:","no-virt","fix-unmanaged","country:","freq-band:","mac:","dhcp-dns:","daemon","stop:","list","list-running","list-clients:","version","psk","no-haveged","no-dns","mkconfig:","config:" -n "$PROGNAME" -- "$@")
 [[ $? -ne 0 ]] && exit 1
 eval set -- "$GETOPT_ARGS"
@@ -1030,6 +1032,10 @@ while :; do
 shift
 HIDDEN=1
 ;;
+ --mac-filter)
+ shift
+ MAC_FILTER=1
+ ;;
 --isolate-clients)
 shift
 ISOLATE_CLIENTS=1
@@ -1551,6 +1557,8 @@ fi
 [[ $HIDDEN -eq 1 ]] && echo "Access Point's SSID is hidden!"
+[[ $MAC_FILTER -eq 1 ]] && echo "MAC address filtering is enabled!"
+
 [[ $ISOLATE_CLIENTS -eq 1 ]] && echo "Access Point's clients will be isolated!"
 # hostapd config
@@ -1563,6 +1571,7 @@ channel=${CHANNEL}
 ctrl_interface=$CONFDIR/hostapd_ctrl
 ctrl_interface_group=0
 ignore_broadcast_ssid=$HIDDEN
+macaddr_acl=${MAC_FILTER}
 ap_isolate=$ISOLATE_CLIENTS
 EOF
From 1f8fd23292e9645578c638098ccb0ef245a6e3dc Mon Sep 17 00:00:00 2001
From: noface
Date: Mon, 6 Jun 2016 02:21:01 +0200
Subject: [PATCH 2/5] Fix typo
---
 create_ap | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/create_ap b/create_ap
index 59fcc35..f26e5f9 100755
--- a/create_ap
+++ b/create_ap
@@ -620,7 +620,7 @@ USE_PSK=0
 HOSTAPD_DEBUG_ARGS=
 REDIRECT_TO_LOCALHOST=0
-CONFIG_OPTS=(CHANNEL GATEWAY WPA_VERSION ETC_HOSTS DHCP_DNS NO_DNS HIDDEN MAC_FILER ISOLATE_CLIENTS SHARE_METHOD
+CONFIG_OPTS=(CHANNEL GATEWAY WPA_VERSION ETC_HOSTS DHCP_DNS NO_DNS HIDDEN MAC_FILTER ISOLATE_CLIENTS SHARE_METHOD
 IEEE80211N IEEE80211AC HT_CAPAB VHT_CAPAB DRIVER NO_VIRT COUNTRY FREQ_BAND
 NEW_MACADDR DAEMONIZE NO_HAVEGED WIFI_IFACE INTERNET_IFACE SSID PASSPHRASE USE_PSK)
From 116a43b6af886e58be6dc070816906e63842069c Mon Sep 17 00:00:00 2001
From: noface
Date: Mon, 6 Jun 2016 02:54:02 +0200
Subject: [PATCH 3/5] Actually point to a filter
---
 create_ap | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/create_ap b/create_ap
index f26e5f9..c023dce 100755
--- a/create_ap
+++ b/create_ap
@@ -42,7 +42,7 @@ usage() {
 echo " 'none' for no Internet sharing (equivalent to -n)"
 echo " --psk Use 64 hex digits pre-shared-key instead of passphrase"
 echo " --hidden Make the Access Point hidden (do not broadcast the SSID)"
- echo " --mac-filter Enable MAC address filtering (addresses can be added to /etc/hostapd/accept)"
+ echo " --mac-filter Enable MAC address filtering (addresses can be added to /etc/hostapd/hostapd.accept)"
 echo " --redirect-to-localhost If -n is set, redirect every web request to localhost (useful for public information networks)"
 echo " --hostapd-debug With level between 1 and 2, passes arguments -d or -dd to hostapd for debugging."
 echo " --isolate-clients Disable communication between clients"
@@ -1571,7 +1571,6 @@ channel=${CHANNEL}
 ctrl_interface=$CONFDIR/hostapd_ctrl
 ctrl_interface_group=0
 ignore_broadcast_ssid=$HIDDEN
-macaddr_acl=${MAC_FILTER}
 ap_isolate=$ISOLATE_CLIENTS
 EOF
@@ -1588,6 +1587,13 @@ else
 echo "hw_mode=a" >> $CONFDIR/hostapd.conf
 fi
+if [[ -n $MAC_FILTER ]]; then
+ cat << EOF >> $CONFDIR/hostapd.conf
+macaddr_acl=${MAC_FILTER}
+accept_mac_file=/etc/hostapd/hostapd.accept
+EOF
+fi
+
 if [[ $IEEE80211N -eq 1 ]]; then
 cat << EOF >> $CONFDIR/hostapd.conf
 ieee80211n=1
From 2cb3d0cb92a6317f40ea4fc3c7b7d981b4a7738a Mon Sep 17 00:00:00 2001
From: noface
Date: Mon, 6 Jun 2016 02:55:53 +0200
Subject: [PATCH 4/5] Add entry to bash_completion
---
 bash_completion | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/bash_completion b/bash_completion
index c5a341a..929fc55 100644
--- a/bash_completion
+++ b/bash_completion
@@ -1,4 +1,4 @@
-#
+#
 # Bash Completion routine for create_ap
 #
@@ -61,6 +61,9 @@ _create_ap() {
 --hidden)
 # No Options
 ;;
+ --mac-filter)
+ # No Options
+ ;;
 --ieee80211n)
 # No Options
 ;;
From 0fe6bf8e9f39d30b7f46d96a650cfd60830c1416 Mon Sep 17 00:00:00 2001
From: noface
Date: Mon, 6 Jun 2016 03:55:15 +0200
Subject: [PATCH 5/5] Enable selection of mac filter location
---
 bash_completion | 3 +++
 create_ap | 19 +++++++++++++------
 2 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/bash_completion b/bash_completion
index 929fc55..aae0bb2 100644
--- a/bash_completion
+++ b/bash_completion
@@ -64,6 +64,9 @@ _create_ap() {
 --mac-filter)
 # No Options
 ;;
+ --mac-filter-accept)
+ # No Options
+ ;;
 --ieee80211n)
 # No Options
 ;;
diff --git a/create_ap b/create_ap
index c023dce..7d8b940 100755
--- a/create_ap
+++ b/create_ap
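Review bot: In the patch 5 bash_completion hunk, `--mac-filter-accept)` gets the `# No Options` arm although the option takes a file path (it is declared as `mac-filter-accept:` in the getopt list and its case arm consumes `$1`). If the completion script offers filename completion for other path-taking options — the rest of `_create_ap()` is outside this hunk, so I cannot confirm the convention — this arm should follow that pattern rather than the no-argument one; otherwise a comment such as `# Takes a file path; no completion provided` would at least keep the next reader from taking "No Options" literally.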
@@ -42,7 +42,8 @@ usage() {
 echo " 'none' for no Internet sharing (equivalent to -n)"
 echo " --psk Use 64 hex digits pre-shared-key instead of passphrase"
 echo " --hidden Make the Access Point hidden (do not broadcast the SSID)"
- echo " --mac-filter Enable MAC address filtering (addresses can be added to /etc/hostapd/hostapd.accept)"
+ echo " --mac-filter Enable MAC address filtering"
+ echo " --mac-filter-accept Location of MAC address filter list (defaults to /etc/hostapd/hostapd.accept)"
 echo " --redirect-to-localhost If -n is set, redirect every web request to localhost (useful for public information networks)"
 echo " --hostapd-debug With level between 1 and 2, passes arguments -d or -dd to hostapd for debugging."
 echo " --isolate-clients Disable communication between clients"
@@ -602,6 +603,7 @@ DHCP_DNS=gateway
 NO_DNS=0
 HIDDEN=0
 MAC_FILTER=0
+MAC_FILTER_ACCEPT=/etc/hostapd/hostapd.accept
 ISOLATE_CLIENTS=0
 SHARE_METHOD=nat
 IEEE80211N=0
@@ -620,8 +622,8 @@ USE_PSK=0
 HOSTAPD_DEBUG_ARGS=
 REDIRECT_TO_LOCALHOST=0
-CONFIG_OPTS=(CHANNEL GATEWAY WPA_VERSION ETC_HOSTS DHCP_DNS NO_DNS HIDDEN MAC_FILTER ISOLATE_CLIENTS SHARE_METHOD
- IEEE80211N IEEE80211AC HT_CAPAB VHT_CAPAB DRIVER NO_VIRT COUNTRY FREQ_BAND
+CONFIG_OPTS=(CHANNEL GATEWAY WPA_VERSION ETC_HOSTS DHCP_DNS NO_DNS HIDDEN MAC_FILTER MAC_FILTER_ACCEPT ISOLATE_CLIENTS
+ SHARE_METHOD IEEE80211N IEEE80211AC HT_CAPAB VHT_CAPAB DRIVER NO_VIRT COUNTRY FREQ_BAND
 NEW_MACADDR DAEMONIZE NO_HAVEGED WIFI_IFACE INTERNET_IFACE SSID PASSPHRASE USE_PSK)
@@ -1014,7 +1016,7 @@ for ((i=0; i<$#; i++)); do
 fi
 done
-GETOPT_ARGS=$(getopt -o hc:w:g:dnm: -l "help","hidden","hostapd-debug:","redirect-to-localhost","mac-filter","isolate-clients","ieee80211n","ieee80211ac","ht_capab:","vht_capab:","driver:","no-virt","fix-unmanaged","country:","freq-band:","mac:","dhcp-dns:","daemon","stop:","list","list-running","list-clients:","version","psk","no-haveged","no-dns","mkconfig:","config:" -n "$PROGNAME" -- "$@")
+GETOPT_ARGS=$(getopt -o hc:w:g:dnm: -l "help","hidden","hostapd-debug:","redirect-to-localhost","mac-filter","mac-filter-accept:","isolate-clients","ieee80211n","ieee80211ac","ht_capab:","vht_capab:","driver:","no-virt","fix-unmanaged","country:","freq-band:","mac:","dhcp-dns:","daemon","stop:","list","list-running","list-clients:","version","psk","no-haveged","no-dns","mkconfig:","config:" -n "$PROGNAME" -- "$@")
 [[ $? -ne 0 ]] && exit 1
 eval set -- "$GETOPT_ARGS"
@@ -1036,6 +1038,11 @@ while :; do
 shift
 MAC_FILTER=1
 ;;
+ --mac-filter-accept)
+ shift
+ MAC_FILTER_ACCEPT="$1"
+ shift
+ ;;
 --isolate-clients)
 shift
 ISOLATE_CLIENTS=1
@@ -1587,10 +1594,10 @@ else
 echo "hw_mode=a" >> $CONFDIR/hostapd.conf
 fi
-if [[ -n $MAC_FILTER ]]; then
+if [[ $MAC_FILTER -eq 1 ]]; then
 cat << EOF >> $CONFDIR/hostapd.conf
 macaddr_acl=${MAC_FILTER}
-accept_mac_file=/etc/hostapd/hostapd.accept
+accept_mac_file=${MAC_FILTER_ACCEPT}
 EOF
 fi
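Review bot: In the `--mac-filter-accept)` arm the supplied path is stored but `MAC_FILTER` stays 0, so `--mac-filter-accept` given without `--mac-filter` is silently ignored and the hostapd block that consumes `MAC_FILTER_ACCEPT` is never written. Either let the option imply filtering, `MAC_FILTER_ACCEPT="$1"` followed by `MAC_FILTER=1`, or warn after option parsing when the path was set explicitly while `MAC_FILTER` is still 0. The enclosing `while :; do` option loop starts and ends outside this hunk.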
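Review bot: The hostapd config block writes `accept_mac_file=${MAC_FILTER_ACCEPT}` without checking that the file exists and is readable; as far as I recall hostapd rejects a configuration whose accept list cannot be opened, so a mistyped path surfaces only as a hostapd start failure instead of a create_ap error. A guard before the heredoc, written in the file's usual error style, makes that explicit: `[[ -r "$MAC_FILTER_ACCEPT" ]] || { echo "ERROR: MAC filter list '$MAC_FILTER_ACCEPT' is not readable" >&2; exit 1; }`. Because hostapd reads this list as root, also consider refusing a file that is writable by other users, since a loosely-permissioned list lets anyone on the host widen who may associate. Separately, inside `[[ $MAC_FILTER -eq 1 ]]` the value of `macaddr_acl=${MAC_FILTER}` is always 1, so the literal `macaddr_acl=1` would state the intent (accept only listed stations) more plainly.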