Most users on forums face a broken 802.11r setup when having
a very simple 802.11r config (i.e., just ieee80211r enabled).
In most cases, simply bumping reassociation_deadline to
20000 fixes their problems and allows 802.11r to just work.
Reassociation Deadline is already set to 20 seconds on Cisco
equipment by default[1] which is why this value has been
chosen.
It is also mentioned on the OpenWRT Wiki as a value that should
be changed in order for 802.11r to work on Apple devices. I think
it would be better to change the defaults instead so users don't
have to do much work for a working setup.
[1]: https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/80211r-ft/b-80211r-dg.html
Fixes: https://github.com/openwrt/openwrt/issues/7907
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/20799
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This is useful to alter the default ban time after an STA
association is rejected for being below RSSI threshold.
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/20811
Signed-off-by: Robert Marko <robimarko@gmail.com>
When an MLO interface specifies multiple radios and the first radio
is disabled, the MLO configuration was never created because the code
only attempted to create it when processing the first device in the
list (which gets skipped if disabled).
Fix by creating the MLO config for the first enabled device instead
of only when processing dev_names[0].
Reported-by: Michael-cy Lee (李峻宇) <Michael-cy.Lee@mediatek.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Ensure that the 4addr flag is passed to phy.wdev_add.
Reported-by: Michael-cy Lee (李峻宇) <Michael-cy.Lee@mediatek.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This is useful if multiple passwords were specified without
the use of a SAE password identifier. This is the only
way to get multiple passwords for a single peer to work
without resorting to password identifiers.
Unfortunately, support for password identifiers is non-existent
on Android and macOS; and possibly others. So this is the only
option in that case.
As an alternative, one could also continue to use WPA2-PSK instead
as that could easily resort to a bruteforce approach without any
complications.
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/20597
Signed-off-by: Robert Marko <robimarko@gmail.com>
As this is generally only useful with "proxy_arp" enabled,
we default na_mcast_to_ucast to true if "proxy_arp" is already
enabled.
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/20596
Signed-off-by: Robert Marko <robimarko@gmail.com>
When a phy appears after setup has already been attempted, tell netifd
to retry setup for all failed wireless devices.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This can be used by other services to trigger reconfiguration, or detect when
PHY renaming has been performed.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Ensures that renaming is handled properly. For disabled radios, setup is
performed with an empty list of interfaces.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
There are no supported drivers where it even makes sense to disable WMM
anymore, since so much depends on it.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Can also be used for a client mode interface that is able to connect on
multiple bands individually, while handling hostapd state for the correct
band.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Move mlo specific hostapd ubus call from wireless handler to netifd core
ucode script. This avoids unnecessary queueing and the fake MLO wireless
device.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
When a wifi-iface section is used either for multiple vifs or MLD links,
make it possible to configure the per-radio/link macaddr.
When MLO is enabled, the main macaddr is used for the MLD interface.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Initialize data to {} if null before calling mac80211.sh
to avoid a confusing error message in the syslog.
Fixes: https://github.com/openwrt/openwrt/issues/14010
Signed-off-by: Tobias Waldvogel <tobias.waldvogel@gmail.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [cosmetic change]
The option iface should be optional according to the description
of /etc/config/wireless in order to avoid repeating the definition
for each virtual interface.
Signed-off-by: Tobias Waldvogel <tobias.waldvogel@gmail.com>
Unless HE/EHT is enabled, the client should not process the RSN override IE.
This prevents picking up unsupported ciphers
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Allow toggling autostart even for disabled devices
When switching from enabled to disabled, call teardown instead of setup
Signed-off-by: Felix Fietkau <nbd@nbd.name>
MLO can be enabled by configuring a wifi-iface section with multiple
radios, like this:
config wifi-iface
list radio 'radio0'
list radio 'radio1'
option mlo '1'
option ssid 'OpenWrt'
option mode 'ap'
option network 'lan'
...
Signed-off-by: Felix Fietkau <nbd@nbd.name>
3a7878065829 system-dummy: add missing vrf functions
471d9d6abb6d CMakeLists.txt: bump minimum required version
c3a0255e2150 scripts: fix dummy mode on systems where libubox is in /usr/local
7a3b281230e4 update example mac80211 script and wireless config
d9f2dd2614f2 wireless: replace with ucode scripts
74c22601baad wireless: add MLO support to example scripts
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Correctly load the list of basic_rates from UCI. basic-rates shall be
stored as a option-list. The current code did not retrieve this list
correctly.
wpa_supplicant uses a different config option to set basic-rates
when operating in mesh-mode.
Use the correct config key and calculation for mesh-interfaces.
Signed-off-by: David Bauer <mail@david-bauer.net>
Override via RSNE is a relatively new feature, which can be used to enable
WPA3 features in a way that is invisible to older clients.
Use it by default to mask the GCMP-256 cipher from older clients, since
there are compatibility issues with existing devices.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
For WIFI7 devices (such as mt7925e), the dev width is currently
always "20 MHz (no HT)" in monitor mode.
Add EHT and HE160 support to iw_htmode to fix this issue.
Additionally, the following changes are made:
1. Set iw_htmode to 160MHz for VHT160. The reason for the current
VHT160 setting is unclear and seems to have been in place for
over a decade (ibss_htmode [1]). If anyone knows its impact,
please inform me so I can restore it.
2. Modify MHZ to MHz. The original matching table in the current
iw tool uses MHz. Although the match is case-insensitive,
correcting this won't hurt.
[1]: 768d09be87
Signed-off-by: Ming Kuang <ming@imkuang.com>
Link: https://github.com/openwrt/openwrt/pull/18319
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
he_spr_psr_enabled is appended to hostapd.conf if it's enabled, but hostapd
doesn't support this config, it should be used as an internal flag to control
the he_spr_sr_control configuring.
Signed-off-by: Lix Zhou <xeontz@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/18025
Signed-off-by: John Crispin <john@phrozen.org>
Bringing up a mesh interface using wpa_supplicant already supports a
per-VIF basic rate selection. Add the same ability when creating a mesh
VIF without wpa_supplicant.
Signed-off-by: David Bauer <mail@david-bauer.net>
Basic rates were not set for mesh-interfaces, resulting in the undesired
behavior where 11s frames might be sent with a rate which was not
configured.
Depending on the driver, the basic rate might also be used to determine
the beacon rate configured to the chip. One such example are MediaTek
MT7915 platforms.
Signed-off-by: David Bauer <mail@david-bauer.net>
On some drivers, setting the tx power on the interface is not enough.
Set it for the phy as well.
Fixes: 04fb05914e ("wifi-scripts: add multi-radio config support")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Don't fail wireless interface bringup on empty PSK set. This is a valid
configuration, resulting in a PSK network which can't be connected to.
It does not fail the bringup of the hostapd process.
Keep failing the interface setup in case a password with invalid length
is used.
This is also beneficial when intending to configure a PPSK network. It
allows to create a network where no PPSK is yet set.
Signed-off-by: David Bauer <mail@david-bauer.net>
Link: https://github.com/openwrt/openwrt/pull/17197
Signed-off-by: John Crispin <john@phrozen.org>
With rxkh_file, hostapd will read a list of RxKHs from a text file.
This also makes it possible for hostapd to dynamically reload RxKHs.
RxKHs defined in rxkh_file should be formated as described in hostapd.conf,
with one entry per line.
R0KH/R1KH format:
r0kh=<MAC address> <NAS Identifier> <256-bit key as hex string>
r1kh=<MAC address> <R1KH-ID> <256-bit key as hex string>
Reworked behavior of the uci options r0kh and r1kh.
When rxkh_file is not configured:
Instead of appending the RxKHs to the hostapd bss configuration.
They will be added to a interface specific file with name
/var/run/hostapd-phyX-apX.rxkh.
This file will be used as the rxkh_file in the hostapd bss configuration.
When rxkh_file is configured:
The specified file will be used in the hostapd bss configuration,
and will be the only source for configured RxKHs.
All RxKHs defined with the uci options r0kh or r1kh will be ignored.
Signed-off-by: Sybil127 <sybil127@outlook.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
The initialization of mesh interfaces currently fail when wpa_supplicant
is not installed. This is due to the script calling the wpa_supplicant
feature indicator without verifying wpa_supplicant is installed at all.
To avoid failing, first check if wpa_supplicant is installed before
determining the available featureset.
Signed-off-by: David Bauer <mail@david-bauer.net>
Regarding SAE support in wifi-station:
Important Note: Unlike PSK wifi-stations, both `mac` and `key` options are required
to make it work. With PSK, hostapd used to perform a brute-force match to find which
PSK entry to use, but with SAE this is infeasible due to SAE's design.
When `mac` is omitted, it will allow any MAC address to use the SAE password if it
didn't have a MAC address assigned to it, but this could only be done once.
The last wildcard entry would be used.
Also, unlike "hostapd: add support for SAE in PPSK option" (commit 913368a),
it is not required to set `sae_pwe` to `0`. This gives it a slight advantage
over using PPSK that goes beyond not needing RADIUS.
Example Configuration:
```
config wifi-vlan
option iface default_radio0
option name 999
option vid 999
option network management
config wifi-station
# Allow user with MAC address 00:11:22:33:44:55 and matching
# key "secretadminpass" to access the management network.
option iface default_radio0
option vid 999
option mac '00:11:22:33:44:55'
option key secretadminpass
config wifi-vlan
option iface default_radio0
option name 100
option vid 100
option network guest
config wifi-station
# With SAE, when 'mac' is omitted it will be the fallback in case no
# other MAC address matches. It won't be possible for a user that
# has a matching MAC to use this network (i.e., 00:11:22:33:44:55
# in this example).
option iface default_radio0
option vid 100
option key guestpass
```
Regarding PSK file creation optimization:
This patch now conditionally runs `hostapd_set_psk_file` depending on `auth_type`.
Previously, `hostapd_set_psk` would always execute `hostapd_set_psk_file`, which
would create a new file if `wifi-station` was in use even if PSK was not enabled.
This change checks the `auth_type` to ensure that it is appropriate to parse the
`wifi-station` entries and create those files.
Furthermore, we now only configure `wpa_psk_file` when it is a supported option
(i.e., psk or psk-sae is used). Previously, we used to configure it when it was
not necessary. While it didn't cause any issues, it would litter `/var/run` with
unnecessary files. This patch fixes that case by configuring it depending on the
`auth_type`.
The new SAE support is aligned with these PSK file changes.
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/17145
Signed-off-by: John Crispin <john@phrozen.org>
Fixup capabilities parsing in iw output.
In addition to the normal capabilities iw now also outputs HE MAC, HE
PHY and EHT MAC and EHT PHY capabilities. Exclude them in the parsing.
The grep returns this with mac80211-hwsim:
```
root@OpenWrt:~# iw phy phy0 info | grep 'Capabilities:'
Capabilities: 0x107e
HE PHY Capabilities: (0x02bfce0000000000000000):
EHT PHY Capabilities: (0x7c0000feffff7f01):
HE PHY Capabilities: (0x02bfce0000000000000000):
EHT PHY Capabilities: (0x7c0000feffff7f01):
HE PHY Capabilities: (0x02bf000000000000000000):
Capabilities: 0x107e
HE PHY Capabilities: (0x1cbfce0000000000000000):
EHT PHY Capabilities: (0xfc1f3ffeffff7f37):
HE PHY Capabilities: (0x1cbfce0000000000000000):
EHT PHY Capabilities: (0xfc1f3ffeffff7f37):
HE PHY Capabilities: (0x1cbf000000000000000000):
HE PHY Capabilities: (0x1cbfce0000000000000000):
EHT PHY Capabilities: (0xfefffffeffffff7f):
HE PHY Capabilities: (0x1cbfce0000000000000000):
EHT PHY Capabilities: (0xfefffffeffffff7f):
HE PHY Capabilities: (0x1cbf000000000000000000):
Capabilities: 0x107e
```
With busybox 1.36.1 the ht_cap_mask variable will be set to
-72057598332895361. With busybox 1.37.0 it will be set to -1.
Both values are wrong, after this change it will be set to 4222
(0x107E).
Link: https://github.com/openwrt/openwrt/pull/17043
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This allows annotating wifi interfaces in the config in a way that can be
queried through wifi status. One example use case is to mark wifi interfaces
for use with specific services without having to explicitly reference the
(often unnamed) sections from elsewhere.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This patch allows the use of SAE when using PPSK after
https://w1.fi/cgit/hostap/commit/?id=fcbdaae8a52e542705a651ee78b39b02935fda20
added support for it.
It also implements a fix so that this option works with SAE. The reason this
doesn't work out of the box is because OpenWRT deviates from hostapd defaults
by setting `sae_pwe` option to 2 which makes this mode not function properly
(results in every auth attempt being denied).
That issue was addressed by not overriding hostapd's default for the `sae_pwe`
option when the PPSK option is in use. This should be fine because hostapd's
test cases specifically test this mode with the default SAE parameters. See:
https://w1.fi/cgit/hostap/commit/?id=c34b35b54e81dbacd9dee513b74604c87f93f6a3
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/16343
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
