Commit 01a87f4bd0 changed the encryption
setting of the default SSID "OpenWrt" from "none" to "open". The correct
setting as per the documentation [1] is "none", though.
While this invalid setting won't cause a wrong hostapd setup, it will
at least cause malfunction in LuCI.
Change the default encryption setting back to "none".
[1] https://openwrt.org/docs/guide-user/network/wifi/basic#encryption_modes
Fixes: 01a87f4bd0
Signed-off-by: Shine <4c.fce2@proton.me>
Link: https://github.com/openwrt/openwrt/pull/21925
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 4ab5fcc04f)
The ucode wifi-scripts unconditionally set ieee80211w=1 for psk-sae
and eap-eap2 auth types, ignoring any user-configured value. This
caused ieee80211w=2 (MFP required) to be silently downgraded to 1
(MFP optional) when using sae-mixed encryption.
Change the logic to only set the default of 1 when ieee80211w is not
already configured by the user.
Fixes: https://github.com/openwrt/openwrt/issues/21751
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 1bbb60184d)
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The mobility_domain value generated by ucode differed from the previous
shell script implementation. The legacy shell script used `echo` on the
SSID, which appended a trailing newline.
To maintain roaming compatibility with pre-25.12 releases and OpenWrt
forks in default configuration, update the ucode logic to include this
newline character when generating the default value.
Fixes: #21731
Signed-off-by: Youfu Zhang <zhangyoufu@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/21732
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 1d0e2859c5)
The `syn_flood` option name is deprecated, `synflood_protect` should
be used instead. firewall3 and firewall4 both support this option since
a long time. LuCI already replaces the option name.
0abcb39b62
Suggested-by: rparge in OpenWrt forum
Link: https://github.com/openwrt/openwrt/pull/21642
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 2ae350b725)
WiFi 6E (802.11ax) clients cannot discover 6GHz APs operating at
320MHz because the HE Operation element contains uninitialized
center frequency values.
For EHT320 mode, the code sets eht_oper_centr_freq_seg0_idx but not
the corresponding HE values. Later, the HE values are copied from
VHT values, but VHT is not used on 6GHz, leaving he_oper_chwidth
and he_oper_centr_freq_seg0_idx at 0. This causes WiFi 6E clients
to see incorrect channel width information, making the AP invisible
to them during scanning.
Fix this by:
1. Setting he_oper_chwidth to 3 (160MHz) for EHT320 mode
2. Computing he_oper_centr_freq_seg0_idx based on the 160MHz segment
that contains the primary channel
3. Preserving these pre-set values instead of overwriting them with
uninitialized VHT values
WiFi 7 clients continue to see 320MHz operation via the EHT Operation
element, while WiFi 6E clients can now discover and connect at 160MHz.
Signed-off-by: Ryan Chen <rchen14b@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/21588
Signed-off-by: Robert Marko <robimarko@gmail.com>
(cherry picked from commit a8bdb1e6d6)
The code to be replaced is a glorious no-op. A default value for
config.radius_das_client does not need to be assigned. This parameter
already has non-empty value: see the enclosing 'if' block.
As a result, the value of config.radius_das_client never gets modified
to contain both dae_client and dae_secret. This breaks hostapd.add_iface()
that expects config.radius_das_client to contain both dae_client and
dae_secret separated by a whitespace.
Fixes: #21519
Signed-off-by: Val Kulkov <val.kulkov@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/21522
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit c7f585bfc3)
Commit 9151c7015e introduced support for the global DHCP DUID to
generate a RFC4361-style client identifier.
However, the IAID introduced in those changes is based on ifindex, which
is subject to changes and causes issues on environments requiring a stable
IAID.
This commit switches the IAID to a stable one based on MD5.
(cherry picked from commit e1c125c167)
Fixes: 9151c7015e ("netifd: use the global DHCP DUID for DHCPv4")
Link: https://github.com/openwrt/openwrt/pull/21489
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
It is a BSS-level option and not radio-level. As such,
move it to wifi-iface and ap.uc.
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/21412
Signed-off-by: Robert Marko <robimarko@gmail.com>
(cherry picked from commit 9b1b5a6aec)
They are being default enabled unconditionally when they should
depend on 802.11k. 802.11k should not be enabled by default
either as it can cause issues with certain older drivers and
is useless without a userspace program like usteer or DAWN.
If users want to enable 802.11k they will enable it when they
set such programs up.
Another inconsistency with rnr was dealt with so that it is not
default enabled. This is also not done with old wifi-scripts
and is generally unexpected and surprising behavior.
Moreoever, this introduces an inconsistency between old shell
wifi-scripts and ucode version. Old wifi-scripts does not do this.
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/21425
Signed-off-by: Robert Marko <robimarko@gmail.com>
(cherry picked from commit ee60b65643)
When DHCP Option 60 is specified via sendopts (hex, decimal, or named
formats), udhcpc sends its default "udhcp <version>" string alongside
the custom value, which causes authentication failures with some ISPs.
This fix detects Option 60 in sendopts and automatically passes -V ""
to udhcpc to suppress the default version string while allowing
multiple user-defined vendor classes.
Supported formats:
- Hexadecimal: 0x3c
- Decimal: 60
- Named: vendor
(cherry picked from commit 89d982d723)
Fixes: #21242
Signed-off-by: JINLIANG GU <ihipop@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/21450
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
Mesh mode interface creation fails when the freq parameter is empty or
undefined. Unlike adhoc mode which checks if freq exists before using it,
mesh mode blindly constructs the iw command with freq parameter, resulting
in invalid syntax like:
iw dev mesh0 mesh join ssid freq NOHT
This causes the mesh interface to be created without joining the mesh
network, leaving it in a DOWN state with no channel assigned.
Fix by adding freq validation check similar to adhoc mode.
Tested on two routers in parallel as mesh peers:
- Xiaomi AX3000T (MediaTek MT7981)
- OpenWrt One (MediaTek MT7981)
- OpenWrt 6.6.119, 802.11s mesh on 5GHz (Channel 36, HE80)
Signed-off-by: Valent Turkovic <valent@meshpointone.com>
Link: https://github.com/openwrt/openwrt/pull/21373
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 7214acd759)
Wifi on the 6GHz band does not support open networks, configure owe by
default. 6GHz wifi also needs a country code, configure a broken country
code '00' by default to hint the user to change it.
Link: https://github.com/openwrt/openwrt/pull/21313
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 01a87f4bd0)
Without this patch, the
if (!config.wpa)
config.wpa_pairwise = null;
is overwritten immediately.
Signed-off-by: Leon M. Busch-George <leon@georgemail.eu>
Link: https://github.com/openwrt/openwrt/pull/21215
Signed-off-by: Robert Marko <robimarko@gmail.com>
(cherry picked from commit bc4e7fd38e)
When wdev interfaces and hostapd interfaces are mixed, race conditions
can occur. Sometimes all interfaces are started correctly, sometimes only
the wdev interface and some of the hostapd interfaces, and sometimes only
the wdev interface.
Fix this by creating the wdev interfaces first, before processing
wpa_supplicant or hostapd interfaces.
Link: https://github.com/openwrt/openwrt/pull/21303
Signed-off-by: Nick Hainke <vincent@systemli.org>
(cherry picked from commit 2015a40c38)
Add EHT* check so that the hwmode will display 802.11be capability correctly.
Signed-off-by: Elwin Huang <s09289728096@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/21267
Signed-off-by: Nick Hainke <vincent@systemli.org>
(cherry picked from commit 95112a4939)
Mesh interfaces may not define an encryption setting. This results in
a ucode runtime error when parse_encryption() is called:
Reference error: left-hand side expression is null
In parse_encryption(), file /usr/share/ucode/wifi/iface.uc, line 20, byte 32:
called from function setup_sta (/usr/share/ucode/wifi/supplicant.uc:59:31)
called from function generate (/usr/share/ucode/wifi/supplicant.uc:243:41)
called from function setup (./mac80211.sh:254:61)
called from anonymous function (./mac80211.sh:342:14)
` config.auth_type = encryption[0] ?? 'none';`
Near here ------------------------^
Link: https://github.com/openwrt/openwrt/pull/21293
(cherry picked from commit 00e6c18a93)
Link: https://github.com/openwrt/openwrt/pull/21295
Signed-off-by: Nick Hainke <vincent@systemli.org>
This fixes a failed bring up of the radio on bootup
if the model defines a rename of phy in its /etc/board.json.
This specifically impacts Redmi AX6S and any router that does so
in its /etc/board.json. The fix fortunately is simple, just update
phy name in phys after rename.
The entry that specifically causes this issue is the following:
{
<omitted>
"wlan": {
"wl0": {
"path": "platform/18000000.wmac",
"info": {
"antenna_rx": 15,
"antenna_tx": 15,
"bands": {
"2G": {
"ht": true,
"max_width": 40,
"modes": [
"NOHT",
"HT20",
"HT40"
],
"default_channel": 1
}
},
"radios": [
]
}
},
...
}
The issue is that after rename, referenced phy in config is going to be
wl0 but in phys array it is still phy0; and so it fails to find phy
and does not bring up radio.
Fixes: https://github.com/openwrt/openwrt/issues/20250
Fixes: https://github.com/openwrt/openwrt/issues/20339
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/21175
Signed-off-by: Robert Marko <robimarko@gmail.com>
(cherry picked from commit e4d5e76af0)
Convert to MBit/s like all other fields and specify the unit.
Most users probably aren't aware that this is in kilobits/s.
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/20567
Signed-off-by: Robert Marko <robimarko@gmail.com>
(cherry picked from commit 36da03a6c1)
This is a trivial change to allow users to use 'list' on iface.
Old wifi-scripts already implements this, so this just ensures
that shell-based and ucode wifi-scripts are on-par with each other.
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/20977
Signed-off-by: Robert Marko <robimarko@gmail.com>
(cherry picked from commit 1ead4e6e16)
When iface is omitted, wifi-vlan will apply to all interfaces.
However, netifd.set_vlan call is not successful as it assumes
that every wifi-vlan section corresponds to one VIF.
For this reason in the wifi-vlan case (cur_type == "vlan")
we create a composite key in the form `${vif.name}/${vlan.name}`
allowing the same vlan section to correspond to multiple VAPs.
`/` was decided as a delimiter as it is an invalid character
for a network interface name and UCI identifier; so it is
impossible for it to cause conflicts.
It was verified that the `ubus call network.wireless status`
works as expected with this change. Moreover, wifi-station
is not susceptible to this problem.
This also means that it is now possible for wifi-vlan
to support `list` iface similar to old shell-based wifi-scripts.
This will be done in a follow-up commit.
Fixes: 98435a37a7 ("wifi-scripts: iface should be optional in wifi-vlan definition")
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/20977
Signed-off-by: Robert Marko <robimarko@gmail.com>
(cherry picked from commit 211b11a56e)
This adds support for beacon_prot and spp_amsdu in hostapd and
beacon_prot in wpa_supplicant (spp_amsdu is not relevant there).
Both options are disabled by default unless set in the config.
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/20793
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
In the past PR[1] to add SAE wifi-station support, a commenter[2] requested
that the mac option be changed into a list. After trying to migrate my old
RADIUS setup I found myself wanting this change as well as it would simplify
my config. This patch does precisely that. Old configs that specify
`option mac ....` still work without any issues.
This change was done for both PSK and SAE. The schema was updated as well.
[1]: https://github.com/openwrt/openwrt/pull/17145
[2]: https://github.com/openwrt/openwrt/pull/17145#issuecomment-2523507953
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/17650
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This is useful as there are cases where no network is configured
or the configured network is isolated (APs are blocked from
communicating with each other over it). In both cases, it would make
sense to set ft_iface to another interface dedicated to FT over DS
traffic.
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/20797
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Adds missing default value for na_mcast_to_ucast when proxy_arp is not enabled
in order to silence the following msg:
daemon.notice: netifd: radio1 (xxxx): sh: out of range
Fixes: bcdb29f78f ("wifi-scripts: add na_mcast_to_ucast option")
Reported-by: Antony Kolitsos <zeusomighty@hotmail.com>
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/20806
Signed-off-by: Robert Marko <robimarko@gmail.com>
When transitioning from a config with one or more wifi-stations, to a configuration
that has no wifi-station; the file would not be empty/reset and the old wifi-station
entries would remain.
This is because iface_wpa_stations and iface_sae_stations return early if there
are no wifi-stations present, which is an incorrect behavior as it causes the
file to actually have old entries.
'sae_password_file' and 'wpa_psk_file' are also set by default inside
of iface_auth_type to same path as the one used by wifi-station, so it
is indeed going to be set in the config and would contain the old
entries.
This happens with reload and wifi restart. So the only solution
would be to manually remove the file.
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/20700
Signed-off-by: Robert Marko <robimarko@gmail.com>
Similar to "wifi-scripts: iface should be optional in wifi-vlan definition"
(98435a3), wifi-station iface should also be optional. By default, it is
supposed to match all interfaces if omitted.
Fixes: https://github.com/openwrt/openwrt/issues/20705
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/20694
Signed-off-by: Robert Marko <robimarko@gmail.com>
Most users on forums face a broken 802.11r setup when having
a very simple 802.11r config (i.e., just ieee80211r enabled).
In most cases, simply bumping reassociation_deadline to
20000 fixes their problems and allows 802.11r to just work.
Reassociation Deadline is already set to 20 seconds on Cisco
equipment by default[1] which is why this value has been
chosen.
It is also mentioned on the OpenWRT Wiki as a value that should
be changed in order for 802.11r to work on Apple devices. I think
it would be better to change the defaults instead so users don't
have to do much work for a working setup.
[1]: https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/80211r-ft/b-80211r-dg.html
Fixes: https://github.com/openwrt/openwrt/issues/7907
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/20799
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This is useful to alter the default ban time after an STA
association is rejected for being below RSSI threshold.
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/20811
Signed-off-by: Robert Marko <robimarko@gmail.com>
Currently the path for setting 20MHz doesn't set ht_capab to '' at the
beginning which results in null in ht_capab in hostapd.conf.
Fix this by setting config.ht_capab to '' for 20MHz htmode.
Fixes: #20762
Signed-off-by: Zhi-Jun You <hujy652@protonmail.com>
Link: https://github.com/openwrt/openwrt/pull/20768
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This handles the case when 'wpad' or 'wpad-mini' package is used which is
missing WPA3 support. This makes it impossible to use ucode wifi-scripts
on such APs as it will raise an error:
daemon.err hostapd: Line 87: unknown configuration item 'sae_password_file'
This also achieves parity with what is currently happening with old wifi-scripts.
The behavior now matches.
Fixes: https://github.com/openwrt/openwrt/issues/20781
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/20784
Signed-off-by: Robert Marko <robimarko@gmail.com>
Only set rsn_override_key_mgmt when rsn_override is enabled.
Reported-by: Michael-cy Lee (李峻宇) <Michael-cy.Lee@mediatek.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
When encryption is set to 'sae' without explicit pairwise cipher in
non-HE/EHT mode, both the main RSNE and override RSNE would advertise
identical parameters (SAE+CCMP+MFP=2), adding unnecessary overhead.
Check that the pairwise ciphers differ before enabling override. This
preserves the intended behavior for HE/EHT modes (GCMP-256+CCMP vs CCMP)
while avoiding pointless override IEs.
Reported-by: Michael-cy Lee (李峻宇) <Michael-cy.Lee@mediatek.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
When an MLO interface specifies multiple radios and the first radio
is disabled, the MLO configuration was never created because the code
only attempted to create it when processing the first device in the
list (which gets skipped if disabled).
Fix by creating the MLO config for the first enabled device instead
of only when processing dev_names[0].
Reported-by: Michael-cy Lee (李峻宇) <Michael-cy.Lee@mediatek.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Ensure that the 4addr flag is passed to phy.wdev_add.
Reported-by: Michael-cy Lee (李峻宇) <Michael-cy.Lee@mediatek.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
When using wpad-openssl/wpad-basic-openssl, wpa_supplicant/hostapd may not be ready because of openssl.
This cause supplicant.setup and hostapd.setup to be failed.
Therefore, wait for wpa_supplicant/hostapd to be ready before supplicant.setup and hostapd.setup.
Run-tested: mediatek/filogic GL-MT3000
fixes: #20361
Signed-off-by: Andy Chiang <AndyChiang_git@outlook.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Use stationary_ap configuration for 6GHz AX AP (not only BE).
This change fixes the 6GHz network not visible issue for QCN9024.
Signed-off-by: Paweł Owoc <frut3k7@gmail.com>
This exands the list of AKMs to display:
- display the hash when larger than the default (loosely based on
what hostapd uses in config).
- renaming 'WPA PSK2' to 'WPA PSK-SHA256' as a result
- separate FILS suites from plain 802.1x
- add suites 3, 5, 9, 19, 20, 24, and 25
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/20686
Signed-off-by: Robert Marko <robimarko@gmail.com>
Escape control characters when displaying ESSID. It is not uncommon for
a scan to encounter invalid SSIDs, containing binary data. Escape the
control characters to avoid messing the display (ENQ is particularly
bothersome).
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/20686
Signed-off-by: Robert Marko <robimarko@gmail.com>
This adds the ESSID: line to the iwinfo scan results.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/20686
Signed-off-by: Robert Marko <robimarko@gmail.com>
This implements 65a1c666f2 ("hostapd: add SAE support for wifi-station
and optimize PSK file creation") and 913368a2 ("hostapd: add support for
SAE in PPSK option") for the ucode version as well.
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/19965
Signed-off-by: Robert Marko <robimarko@gmail.com>
Currently we unconditionally set it to 2.0 if 802.11ac and disregard
what the user set. This sets it to 2.0 only as a default in case
user didn't specify a tx_burst setting.
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/20565
Signed-off-by: Robert Marko <robimarko@gmail.com>
This is useful if multiple passwords were specified without
the use of a SAE password identifier. This is the only
way to get multiple passwords for a single peer to work
without resorting to password identifiers.
Unfortunately, support for password identifiers is non-existent
on Android and macOS; and possibly others. So this is the only
option in that case.
As an alternative, one could also continue to use WPA2-PSK instead
as that could easily resort to a bruteforce approach without any
complications.
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/20597
Signed-off-by: Robert Marko <robimarko@gmail.com>
As this is generally only useful with "proxy_arp" enabled,
we default na_mcast_to_ucast to true if "proxy_arp" is already
enabled.
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/20596
Signed-off-by: Robert Marko <robimarko@gmail.com>
