[package] fix incorrect quoting in busybox cron init script
[openwrt.git] / package / hostapd / patches / 110-nl80211_socketfilter.patch
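--- a/hostapd/driver_nl80211.c
+++ b/hostapd/driver_nl80211.c
@@ -27,6 +27,7 @@
 #include <net/if.h>
 #include <netpacket/packet.h>
 #include "wireless_copy.h"
+#include <linux/filter.h>
 #include <net/if_arp.h>
 
 #include "hostapd.h"
@@ -1728,6 +1729,9 @@ static void handle_frame(struct hostapd_
                case WLAN_FC_TODS:
                        bssid = hdr->addr1;
                        break;
+               case WLAN_FC_FROMDS:
+                       bssid = hdr->addr2;
+                       break;
                default:
                        /* discard */
                        return;
@@ -1908,6 +1912,150 @@ static void handle_monitor_read(int sock
 }
 
 
+/*
+ * we post-process the filter code later and rewrite
+ * this to the offset to the last instruction
+ */
+#define PASS   0xFF
+#define FAIL   0xFE
+
+static struct sock_filter msock_filter_insns[] = {
+       /*
+        * do a little-endian load of the radiotap length field
+        */
+       /* load lower byte into A */
+       BPF_STMT(BPF_LD  | BPF_B | BPF_ABS, 2),
+       /* put it into X (== index register) */
+       BPF_STMT(BPF_MISC| BPF_TAX, 0),
+       /* load upper byte into A */
+       BPF_STMT(BPF_LD  | BPF_B | BPF_ABS, 3),
+       /* left-shift it by 8 */
+       BPF_STMT(BPF_ALU | BPF_LSH | BPF_K, 8),
+       /* or with X */
+       BPF_STMT(BPF_ALU | BPF_OR | BPF_X, 0),
+       /* put result into X */
+       BPF_STMT(BPF_MISC| BPF_TAX, 0),
+
+       /*
+        * Allow management frames through, this also gives us those
+        * management frames that we sent ourselves with status
+        */
+       /* load the lower byte of the IEEE 802.11 frame control field */
+       BPF_STMT(BPF_LD  | BPF_B | BPF_IND, 0),
+       /* mask off frame type and version */
+       BPF_STMT(BPF_ALU | BPF_AND | BPF_K, 0xF),
+       /* accept frame if it's both 0, fall through otherwise */
+       BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0, PASS, 0),
+
+       /*
+        * TODO: add a bit to radiotap RX flags that indicates
+        * that the sending station is not associated, then
+        * add a filter here that filters on our DA and that flag
+        * to allow us to deauth frames to that bad station.
+        *
+        * Not a regression -- we didn't do it before either.
+        */
+
+#if 0
+       /*
+        * drop non-data frames, WDS frames
+        */
+       /* load the lower byte of the frame control field */
+       BPF_STMT(BPF_LD   | BPF_B | BPF_IND, 0),
+       /* mask off QoS bit */
+       BPF_STMT(BPF_ALU  | BPF_AND | BPF_K, 0x0c),
+       /* drop non-data frames */
+       BPF_JUMP(BPF_JMP  | BPF_JEQ | BPF_K, 8, 0, FAIL),
+       /* load the upper byte of the frame control field */
+       BPF_STMT(BPF_LD   | BPF_B | BPF_IND, 0),
+       /* mask off toDS/fromDS */
+       BPF_STMT(BPF_ALU  | BPF_AND | BPF_K, 0x03),
+       /* drop WDS frames */
+       BPF_JUMP(BPF_JMP  | BPF_JEQ | BPF_K, 3, FAIL, 0),
+#endif
+
+       /*
+        * add header length to index
+        */
+       /* load the lower byte of the frame control field */
+       BPF_STMT(BPF_LD   | BPF_B | BPF_IND, 0),
+       /* mask off QoS bit */
+       BPF_STMT(BPF_ALU  | BPF_AND | BPF_K, 0x80),
+       /* right shift it by 6 to give 0 or 2 */
+       BPF_STMT(BPF_ALU  | BPF_RSH | BPF_K, 6),
+       /* add data frame header length */
+       BPF_STMT(BPF_ALU  | BPF_ADD | BPF_K, 24),
+       /* add index, was start of 802.11 header */
+       BPF_STMT(BPF_ALU  | BPF_ADD | BPF_X, 0),
+       /* move to index, now start of LL header */
+       BPF_STMT(BPF_MISC | BPF_TAX, 0),
+
+       /*
+        * Accept empty data frames, we use those for
+        * polling activity.
+        */
+       BPF_STMT(BPF_LD  | BPF_W | BPF_LEN, 0),
+       BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_X, 0, PASS, 0),
+
+       /*
+        * Accept EAPOL frames
+        */
+       BPF_STMT(BPF_LD  | BPF_W | BPF_IND, 0),
+       BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0xAAAA0300, 0, FAIL),
+       BPF_STMT(BPF_LD  | BPF_W | BPF_IND, 4),
+       BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0x0000888E, PASS, FAIL),
+
+       /* keep these last two statements or change the code below */
+       /* return 0 == "DROP" */
+       BPF_STMT(BPF_RET | BPF_K, 0),
+       /* return ~0 == "keep all" */
+       BPF_STMT(BPF_RET | BPF_K, ~0),
+};
+
+static struct sock_fprog msock_filter = {
+       .len = sizeof(msock_filter_insns)/sizeof(msock_filter_insns[0]),
+       .filter = msock_filter_insns,
+};
+
+
+static int add_monitor_filter(int s)
+{
+       int idx;
+
+       /* rewrite all PASS/FAIL jump offsets */
+       for (idx = 0; idx < msock_filter.len; idx++) {
+               struct sock_filter *insn = &msock_filter_insns[idx];
+
+               if (BPF_CLASS(insn->code) == BPF_JMP) {
+                       if (insn->code == (BPF_JMP|BPF_JA)) {
+                               if (insn->k == PASS)
+                                       insn->k = msock_filter.len - idx - 2;
+                               else if (insn->k == FAIL)
+                                       insn->k = msock_filter.len - idx - 3;
+                       }
+
+                       if (insn->jt == PASS)
+                               insn->jt = msock_filter.len - idx - 2;
+                       else if (insn->jt == FAIL)
+                               insn->jt = msock_filter.len - idx - 3;
+
+                       if (insn->jf == PASS)
+                               insn->jf = msock_filter.len - idx - 2;
+                       else if (insn->jf == FAIL)
+                               insn->jf = msock_filter.len - idx - 3;
+               }
+       }
+
+       if (setsockopt(s, SOL_SOCKET, SO_ATTACH_FILTER,
+                      &msock_filter, sizeof(msock_filter))) {
+               perror("SO_ATTACH_FILTER");
+               return -1;
+       }
+
+       return 0;
+}
+
+
 static int nl80211_create_monitor_interface(struct i802_driver_data *drv)
 {
        char buf[IFNAMSIZ];
@@ -1936,6 +2084,12 @@ static int nl80211_create_monitor_interf
                goto error;
        }
 
+       if (add_monitor_filter(drv->monitor_sock)) {
+               wpa_printf(MSG_INFO, "Failed to set socket filter for monitor "
+                          "interface; do filtering in user space");
+               /* This works, but will cost in performance. */
+       }
+
        if (bind(drv->monitor_sock, (struct sockaddr *) &ll,
                 sizeof(ll)) < 0) {
                perror("monitor socket bind");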
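Review bot: The data-frame path of `msock_filter_insns` never checks the frame type or the toDS/fromDS bits, because the block that would drop non-data and WDS frames sits under `#if 0`; every frame that is not a management frame therefore reaches the header-length arithmetic, which assumes a 24- or 26-byte header. A control frame or a four-address frame is then matched at the wrong offset, and any frame whose total length equals the computed offset is passed as an "empty data frame". Together with the fallback in nl80211_create_monitor_interface, which carries on without a filter when `add_monitor_filter()` fails, this means handle_frame has to validate type, length and addresses itself; its body lies mostly outside the visible hunks, so that cannot be confirmed here. I would state this above the array, e.g. `/* Coarse pre-filter only: frame type and 4-address headers are not checked here; user space must still validate every frame. */`. Separately, the comment "mask off frame type and version" describes an AND with 0xF that in fact keeps those bits, so `/* keep only the version and type bits */` would read more accurately.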