1 /*-
2 * Copyright (c) 2004-2005 Sam Leffler, Errno Consulting
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. The name of the author may not be used to endorse or promote products
14 * derived from this software without specific prior written permission.
15 *
16 * Alternatively, this software may be distributed under the terms of the
17 * GNU General Public License ("GPL") version 2 as published by the Free
18 * Software Foundation.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
21 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
22 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
23 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
24 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
25 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
26 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
27 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
28 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
29 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
30 */
31
32 #include <sys/cdefs.h>
33 #ifdef __FreeBSD__
34 __FBSDID("$FreeBSD: src/sys/net80211/ieee80211_acl.c,v 1.4 2005/08/13 17:31:48 sam Exp $");
35 #endif
36 #ifdef __NetBSD__
37 __KERNEL_RCSID(0, "$NetBSD: ieee80211_acl.c,v 1.10 2019/11/10 21:16:38 chs Exp $");
38 #endif
39
40 /*
41 * IEEE 802.11 MAC ACL support.
42 *
43 * When this module is loaded the sender address of each received
44 * frame is passed to the iac_check method and the module indicates
45 * if the frame should be accepted or rejected. If the policy is
46 * set to ACL_POLICY_OPEN then all frames are accepted w/o checking
47 * the address. Otherwise, the address is looked up in the database
48 * and if found the frame is either accepted (ACL_POLICY_ALLOW)
49 * or rejected (ACL_POLICY_DENT).
50 */
51 #include <sys/param.h>
52 #include <sys/kernel.h>
53 #include <sys/systm.h>
54 #include <sys/mbuf.h>
55 #include <sys/queue.h>
56
57 #include <sys/socket.h>
58
59 #include <net/if.h>
60 #include <net/if_media.h>
61 #include <net/if_ether.h>
62 #include <net/route.h>
63
64 #include <net80211/ieee80211_var.h>
65
66 enum {
67 ACL_POLICY_OPEN = 0, /* open, don't check ACL's */
68 ACL_POLICY_ALLOW = 1, /* allow traffic from MAC */
69 ACL_POLICY_DENY = 2, /* deny traffic from MAC */
70 };
71
72 #define ACL_HASHSIZE 32
73
74 struct acl {
75 TAILQ_ENTRY(acl) acl_list;
76 LIST_ENTRY(acl) acl_hash;
77 u_int8_t acl_macaddr[IEEE80211_ADDR_LEN];
78 };
79 struct aclstate {
80 acl_lock_t as_lock;
81 int as_policy;
82 uint32_t as_nacls;
83 TAILQ_HEAD(, acl) as_list; /* list of all ACL's */
84 LIST_HEAD(, acl) as_hash[ACL_HASHSIZE];
85 struct ieee80211com *as_ic;
86 };
87
88 /* simple hash is enough for variation of macaddr */
89 #define ACL_HASH(addr) \
90 (((const u_int8_t *)(addr))[IEEE80211_ADDR_LEN - 1] % ACL_HASHSIZE)
91
92 MALLOC_DEFINE(M_80211_ACL, "acl", "802.11 station acl");
93
94 static int acl_free_all(struct ieee80211com *);
95
96 static int
97 acl_attach(struct ieee80211com *ic)
98 {
99 struct aclstate *as;
100
101 as = malloc(sizeof(struct aclstate),
102 M_80211_ACL, M_WAITOK | M_ZERO);
103 ACL_LOCK_INIT(as, "acl");
104 TAILQ_INIT(&as->as_list);
105 as->as_policy = ACL_POLICY_OPEN;
106 as->as_ic = ic;
107 ic->ic_as = as;
108 return 1;
109 }
110
111 static void
112 acl_detach(struct ieee80211com *ic)
113 {
114 struct aclstate *as = ic->ic_as;
115
116 acl_free_all(ic);
117 ic->ic_as = NULL;
118 ACL_LOCK_DESTROY(as);
119 free(as, M_DEVBUF);
120 }
121
122 static __inline struct acl *
123 _find_acl(struct aclstate *as, const u_int8_t *macaddr)
124 {
125 struct acl *acl;
126 int hash;
127
128 hash = ACL_HASH(macaddr);
129 LIST_FOREACH(acl, &as->as_hash[hash], acl_hash) {
130 if (IEEE80211_ADDR_EQ(acl->acl_macaddr, macaddr))
131 return acl;
132 }
133 return NULL;
134 }
135
136 static void
137 _acl_free(struct aclstate *as, struct acl *acl)
138 {
139 ACL_LOCK_ASSERT(as);
140
141 TAILQ_REMOVE(&as->as_list, acl, acl_list);
142 LIST_REMOVE(acl, acl_hash);
143 free(acl, M_80211_ACL);
144 as->as_nacls--;
145 }
146
147 static int
148 acl_check(struct ieee80211com *ic, const u_int8_t mac[IEEE80211_ADDR_LEN])
149 {
150 struct aclstate *as = ic->ic_as;
151
152 switch (as->as_policy) {
153 case ACL_POLICY_OPEN:
154 return 1;
155 case ACL_POLICY_ALLOW:
156 return _find_acl(as, mac) != NULL;
157 case ACL_POLICY_DENY:
158 return _find_acl(as, mac) == NULL;
159 }
160 return 0; /* should not happen */
161 }
162
163 static int
164 acl_add(struct ieee80211com *ic, const u_int8_t mac[IEEE80211_ADDR_LEN])
165 {
166 struct aclstate *as = ic->ic_as;
167 struct acl *acl, *new;
168 int hash;
169
170 new = malloc(sizeof(struct acl), M_80211_ACL, M_WAITOK | M_ZERO);
171
172 ACL_LOCK(as);
173 hash = ACL_HASH(mac);
174 LIST_FOREACH(acl, &as->as_hash[hash], acl_hash) {
175 if (IEEE80211_ADDR_EQ(acl->acl_macaddr, mac)) {
176 ACL_UNLOCK(as);
177 free(new, M_80211_ACL);
178 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ACL,
179 "ACL: add %s failed, already present\n",
180 ether_sprintf(mac));
181 return EEXIST;
182 }
183 }
184 IEEE80211_ADDR_COPY(new->acl_macaddr, mac);
185 TAILQ_INSERT_TAIL(&as->as_list, new, acl_list);
186 LIST_INSERT_HEAD(&as->as_hash[hash], new, acl_hash);
187 as->as_nacls++;
188 ACL_UNLOCK(as);
189
190 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ACL,
191 "ACL: add %s\n", ether_sprintf(mac));
192 return 0;
193 }
194
195 static int
196 acl_remove(struct ieee80211com *ic, const u_int8_t mac[IEEE80211_ADDR_LEN])
197 {
198 struct aclstate *as = ic->ic_as;
199 struct acl *acl;
200
201 ACL_LOCK(as);
202 acl = _find_acl(as, mac);
203 if (acl != NULL)
204 _acl_free(as, acl);
205 ACL_UNLOCK(as);
206
207 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ACL,
208 "ACL: remove %s%s\n", ether_sprintf(mac),
209 acl == NULL ? ", not present" : "");
210
211 return (acl == NULL ? ENOENT : 0);
212 }
213
214 static int
215 acl_free_all(struct ieee80211com *ic)
216 {
217 struct aclstate *as = ic->ic_as;
218 struct acl *acl;
219
220 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ACL, "ACL: %s\n", "free all");
221
222 ACL_LOCK(as);
223 while ((acl = TAILQ_FIRST(&as->as_list)) != NULL)
224 _acl_free(as, acl);
225 ACL_UNLOCK(as);
226
227 return 0;
228 }
229
230 static int
231 acl_setpolicy(struct ieee80211com *ic, int policy)
232 {
233 struct aclstate *as = ic->ic_as;
234
235 IEEE80211_DPRINTF(ic, IEEE80211_MSG_ACL,
236 "ACL: set policy to %u\n", policy);
237
238 switch (policy) {
239 case IEEE80211_MACCMD_POLICY_OPEN:
240 as->as_policy = ACL_POLICY_OPEN;
241 break;
242 case IEEE80211_MACCMD_POLICY_ALLOW:
243 as->as_policy = ACL_POLICY_ALLOW;
244 break;
245 case IEEE80211_MACCMD_POLICY_DENY:
246 as->as_policy = ACL_POLICY_DENY;
247 break;
248 default:
249 return EINVAL;
250 }
251 return 0;
252 }
253
254 static int
255 acl_getpolicy(struct ieee80211com *ic)
256 {
257 struct aclstate *as = ic->ic_as;
258
259 return as->as_policy;
260 }
261
262 static int
263 acl_setioctl(struct ieee80211com *ic,
264 struct ieee80211req *ireq)
265 {
266
267 return EINVAL;
268 }
269
270 static int
271 acl_getioctl(struct ieee80211com *ic, struct ieee80211req *ireq)
272 {
273 struct aclstate *as = ic->ic_as;
274 struct acl *acl;
275 struct ieee80211req_maclist *ap;
276 int error;
277 uint32_t i, space;
278
279 switch (ireq->i_val) {
280 case IEEE80211_MACCMD_POLICY:
281 ireq->i_val = as->as_policy;
282 return 0;
283 case IEEE80211_MACCMD_LIST:
284 space = as->as_nacls * IEEE80211_ADDR_LEN;
285 if (ireq->i_len == 0) {
286 ireq->i_len = space; /* return required space */
287 return 0; /* NB: must not error */
288 }
289 ap = malloc(space, M_TEMP, M_WAITOK);
290 i = 0;
291 ACL_LOCK(as);
292 TAILQ_FOREACH(acl, &as->as_list, acl_list) {
293 IEEE80211_ADDR_COPY(ap[i].ml_macaddr, acl->acl_macaddr);
294 i++;
295 }
296 ACL_UNLOCK(as);
297 if (ireq->i_len >= space) {
298 error = copyout(ap, ireq->i_data, space);
299 ireq->i_len = space;
300 } else
301 error = copyout(ap, ireq->i_data, ireq->i_len);
302 free(ap, M_TEMP);
303 return error;
304 }
305 return EINVAL;
306 }
307
308 static const struct ieee80211_aclator mac = {
309 .iac_name = "mac",
310 .iac_attach = acl_attach,
311 .iac_detach = acl_detach,
312 .iac_check = acl_check,
313 .iac_add = acl_add,
314 .iac_remove = acl_remove,
315 .iac_flush = acl_free_all,
316 .iac_setpolicy = acl_setpolicy,
317 .iac_getpolicy = acl_getpolicy,
318 .iac_setioctl = acl_setioctl,
319 .iac_getioctl = acl_getioctl,
320 };
Cache object: ab8095163f4dbad18f4f82d6e8e00503
|