Add a ucode API to hostapd and wpa_supplicant for external DPP frame
handling. This allows an external controller to intercept DPP frames
and handle the DPP protocol externally.
The API provides:
- RX callbacks (dpp_rx_action, dpp_rx_gas) called when DPP frames are
received, allowing external handling before internal processing
- TX methods (dpp_send_action, dpp_send_gas_resp/dpp_send_gas_req) for
transmitting DPP frames
- A ubus channel-based API (dpp_channel) for bidirectional communication
with exclusive hook registration per interface
- CCE control for hostapd (set_cce method)
The wpa_supplicant API mirrors hostapd but adapted for STA role:
- Uses tx_gas_req instead of tx_gas_resp
- GAS RX provides full frame instead of parsed query
- No CCE control (AP-only feature)
Both implementations include:
- Timeout handling with automatic channel disconnect after 3 failures
- Hook cleanup on interface removal
- Last-caller-wins semantics for hook registration
Signed-off-by: Felix Fietkau <nbd@nbd.name>
When storing device-level data, wdev_set_data() spread the entire wdev
object into handler_data. Since handler_config.data is set from the
previous handler_data[wdev.name] before each setup, this created
exponentially growing nesting with each reload, eventually causing
"nesting too deep" JSON parse errors.
Fix by initializing cur to a simple object containing only the device
name instead of the entire wdev object.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Add support for DPP (Device Provisioning Protocol) as both a primary
encryption type and as an optional addition to existing authentication.
Primary DPP mode (encryption=dpp):
- Sets WPA2 with key_mgmt=DPP
- Requires Management Frame Protection (ieee80211w=2)
- Supports dpp_connector, dpp_csign, dpp_netaccesskey options
Optional DPP mode (dpp=1 boolean on AP):
- Adds DPP to existing key management methods
- Allows AP to accept both DPP and other auth types
- Supports the same connector options
Both ucode and legacy shell implementations are updated for AP and STA
modes.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
When a remote peer's connection drops (device powered off, unetmsgd
crash, network failure), network_rx_cleanup_state silently removed
the remote publish/subscribe handles without notifying local
subscribers. This meant local clients had no way to detect that a
remote peer had disappeared.
Call handle_publish for each channel where a remote publish handle
is removed during connection cleanup, so local subscribers receive
the publisher change notification and can react accordingly.
Signed-off-by: John Crispin <john@phrozen.org>
handle_publish() notifies local subscribers about publisher state
changes. The publish/subscribe handler in network_socket_handle_request()
was calling it for both remote publish and subscribe changes, but
subscriber changes are not relevant to local subscribers.
Guard the handle_publish() calls with a msgtype == "publish" check,
matching the local client paths in unetmsgd-client.uc which already
have this guard.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
When both peers connect simultaneously, the RX side can authenticate
before the TX handshake completes. network_check_auth() was sending a
ping on the unauthenticated TX channel, which gets rejected by the
remote's pre-auth handler as "Auth failed", killing the connection and
triggering an endless reconnect cycle.
Check chan.auth before interacting with the TX channel. If TX auth
hasn't completed yet, just schedule a reconnect timer - auth_data_cb
already handles state sync when TX auth completes.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
network_close() only closed the listening socket without shutting down
established RX/TX connections. This left remote state in
core.remote_publish/core.remote_subscribe for hosts on the removed
network, causing stale entries in channel listings and failed routing
attempts.
Close all RX and TX channels before removing the network, which also
triggers remote state cleanup via network_rx_socket_close().
Signed-off-by: Felix Fietkau <nbd@nbd.name>
The cleanup condition checked != instead of ==, inverting the logic.
This caused two problems:
When an authenticated RX connection disconnected, remote state for that
host was never cleaned up since the stored entry matched the one being
closed.
When a stale unauthenticated connection from a peer closed, any existing
authenticated connection from the same peer was incorrectly deleted and
its remote state wiped.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
When a remote peer's publish registrations arrive via RX before the
local TX connection is authenticated, handle_publish fires but the
subscriber can't reach the remote publisher yet since the TX channel
isn't ready.
Suppress publish notifications on the RX side when no authenticated TX
channel exists for the remote host. After TX authentication completes,
re-trigger handle_publish only for topics that the specific peer
publishes and that have local subscribers.
Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
The condition checked !data.networks instead of !data.networks[name],
making it always false since data.networks was already validated earlier
in the function. Networks removed from unetd were never closed.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
follow-up to 148207730a
Schoolboy error on the peer_psk value.
Also fix an issue when joining peer IPv4 and IPv6 AllowedIPs
(${peer_a_ips/ /, } replaces only the first space, while
${peer_a_ips// /, } replaces all the spaces).
Closes: https://github.com/openwrt/openwrt/issues/21847
Signed-off-by: Paul Donald <newtwen+github@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/21851
Signed-off-by: Robert Marko <robimarko@gmail.com>
Add a status method to both hostapd and wpa_supplicant ubus objects
that lists all configured interfaces with their wiphy, MAC address,
and running/pending state. For MLO interfaces, links are grouped
under a single entry with per-link status.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
- preserve (active) interface (at reload)
Signed-off-by: Paul Donald <newtwen+github@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/21784
Signed-off-by: Robert Marko <robimarko@gmail.com>
- no longer write any temporary file for peer gen
- use wg syncconf to update active interfaces (not setconf)
Signed-off-by: Paul Donald <newtwen+github@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/21784
Signed-off-by: Robert Marko <robimarko@gmail.com>
- no longer write any temporary file for key gen
Signed-off-by: Paul Donald <newtwen+github@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/21784
Signed-off-by: Robert Marko <robimarko@gmail.com>
Proto handler now also detects changes to
- addresses
Tighten also assign address portion
Signed-off-by: Paul Donald <newtwen+github@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/21784
Signed-off-by: Robert Marko <robimarko@gmail.com>
Commit 168d5af added the possibility to configure netifd logging level.
The option is read from /etc/config/network and validated.
Supposedly the validation sets 2 as default.
But in case of a syntax error in /etc/config/network, the validation
result can be empty. Then the always passed option to netifd is
just '-l' instead of '-l 2'. That crashes netifd and prevents network
from launching.
Add a fallback value to the variable, so that there will always be
a proper value after the '-l' option.
Improves: 168d5af "netifd: add loglevel config option (fixes#18001)"
Fixes: #21816
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Link: https://github.com/openwrt/openwrt/pull/21819
Signed-off-by: Robert Marko <robimarko@gmail.com>
The ucode wifi-scripts unconditionally set ieee80211w=1 for psk-sae
and eap-eap2 auth types, ignoring any user-configured value. This
caused ieee80211w=2 (MFP required) to be silently downgraded to 1
(MFP optional) when using sae-mixed encryption.
Change the logic to only set the default of 1 when ieee80211w is not
already configured by the user.
Fixes: https://github.com/openwrt/openwrt/issues/21751
Signed-off-by: Felix Fietkau <nbd@nbd.name>
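
A check for the silent downgrade described in the commit above, as an added example that is not part of the commit or of OpenWrt's scripts: it reads a hostapd-style configuration on stdin and lists every BSS whose ieee80211w is below the level you configured. The sample configuration and the function names are constructed for illustration.

```shell
# Constructed sample of a generated hostapd configuration with two BSS
# sections: a mixed WPA2/WPA3 BSS and a WPA3-only BSS.
sample_hostapd_conf() {
    cat <<'EOF'
interface=wlan0
ssid=office
wpa_key_mgmt=WPA-PSK SAE
ieee80211w=1
bss=wlan0-1
ssid=guest
wpa_key_mgmt=SAE
ieee80211w=2
EOF
}

# mfp_below LEVEL: print "<ifname> <ssid> <ieee80211w>" for each BSS whose
# ieee80211w is lower than LEVEL (0 = disabled, 1 = optional, 2 = required).
# A BSS with no ieee80211w line counts as 0, which is hostapd's default.
mfp_below() {
    awk -v want="$1" '
        function report() {
            if (ifname != "" && mfp + 0 < want + 0) print ifname, ssid, mfp
        }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        }
        # "interface=" and "bss=" each start a new BSS section
        key == "interface" || key == "bss" { report(); ifname = val; ssid = ""; mfp = 0 }
        key == "ssid"       { ssid = val }
        key == "ieee80211w" { mfp = val }
        END { report() }
    '
}
```

Running `sample_hostapd_conf | mfp_below 2` reports the mixed-mode BSS that only has optional MFP; feed it the configuration your AP actually generated to confirm a configured value of 2 survived.
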
Adding base64 encoded beacon data needs the base64 functions to be available
Fixes: b44d4290fe ("hostapd: add raw beacon report data to ubus notification")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
The mobility_domain value generated by ucode differed from the previous
shell script implementation. The legacy shell script used `echo` on the
SSID, which appended a trailing newline.
To maintain roaming compatibility with pre-25.12 releases and OpenWrt
forks in default configuration, update the ucode logic to include this
newline character when generating the default value.
Fixes: #21731
Signed-off-by: Youfu Zhang <zhangyoufu@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/21732
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Extend the taxonomy subsystem to capture the complete association frame
in addition to the existing probe and association IE data.
This adds a new assoc_frame_taxonomy field to struct sta_info and exposes
it via the get_sta_ies ubus method as a base64-encoded "assoc_frame" field.
Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Extend the hostapd_rrm_beacon_req ubus method to support the optional
reporting_detail parameter as defined in IEEE 802.11-2016 section 9.4.2.21.7.
Also fix missing assignment operators (=) in the beacon_req_policy array
initialisation.
Signed-off-by: John Crispin <john@phrozen.org>
Add netifd_loglevel to /etc/config/network:

	config globals 'globals'
		option netifd_loglevel '1'

netifd's default value is 2.
Signed-off-by: Peter Meiser <peter.meiser@gmx.com>
Link: https://github.com/openwrt/openwrt/pull/19737
Signed-off-by: Robert Marko <robimarko@gmail.com>
The `syn_flood` option name is deprecated; `synflood_protect` should
be used instead. firewall3 and firewall4 have both supported this option
for a long time. LuCI already replaces the option name.
0abcb39b62
Suggested-by: rparge in OpenWrt forum
Link: https://github.com/openwrt/openwrt/pull/21642
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
KERNEL_DCB was introduced in 40f1db9cb1, however the dcb utility is not
enabled for iproute2. Although DCB is not generally available among
Ethernet cards, not having the dcb utility renders it completely
unchangeable.
On aarch64, it takes ~85.3KiB.
Signed-off-by: David Yang <mmyangfl@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/21606
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
bump dnsmasq to latest 2.92
updated 200-ubus_dns.patch
no changes to 100-remove-old-runtime-kernel-support.patch
all remaining patches not required
Changelog for version 2.92 https://thekelleys.org.uk/dnsmasq/CHANGELOG
Signed-off-by: gongzi miao <miaogongzi0227@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/21598
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Extract survey fetching into get_survey() and store results in iface.survey,
allowing access to full survey info (not just noise) for later use.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Moved interface discovery and data population into an exported update()
function that can be called on-demand to refresh wireless interface
information. This allows using iwinfo.uc as a library inside daemons.
Signed-off-by: John Crispin <john@phrozen.org>
nf_conntrack_ipv6 is no longer a separate kernel module, so remove it.
Signed-off-by: Qingfang Deng <dqfext@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/21612
Signed-off-by: Robert Marko <robimarko@gmail.com>
WiFi 6E (802.11ax) clients cannot discover 6GHz APs operating at
320MHz because the HE Operation element contains uninitialized
center frequency values.
For EHT320 mode, the code sets eht_oper_centr_freq_seg0_idx but not
the corresponding HE values. Later, the HE values are copied from
VHT values, but VHT is not used on 6GHz, leaving he_oper_chwidth
and he_oper_centr_freq_seg0_idx at 0. This causes WiFi 6E clients
to see incorrect channel width information, making the AP invisible
to them during scanning.
Fix this by:
1. Setting he_oper_chwidth to 3 (160MHz) for EHT320 mode
2. Computing he_oper_centr_freq_seg0_idx based on the 160MHz segment
that contains the primary channel
3. Preserving these pre-set values instead of overwriting them with
uninitialized VHT values
WiFi 7 clients continue to see 320MHz operation via the EHT Operation
element, while WiFi 6E clients can now discover and connect at 160MHz.
Signed-off-by: Ryan Chen <rchen14b@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/21588
Signed-off-by: Robert Marko <robimarko@gmail.com>
The code to be replaced is a glorious no-op. A default value for
config.radius_das_client does not need to be assigned. This parameter
already has non-empty value: see the enclosing 'if' block.
As a result, the value of config.radius_das_client never gets modified
to contain both dae_client and dae_secret. This breaks hostapd.add_iface()
that expects config.radius_das_client to contain both dae_client and
dae_secret separated by a whitespace.
Fixes: #21519
Signed-off-by: Val Kulkov <val.kulkov@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/21522
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Commit 9151c7015e introduced support for the global DHCP DUID to
generate a RFC4361-style client identifier.
However, the IAID introduced in those changes is based on ifindex, which
is subject to changes and causes issues on environments requiring a stable
IAID.
This commit switches the IAID to a stable one based on MD5.
Fixes: 9151c7015e ("netifd: use the global DHCP DUID for DHCPv4")
Link: https://github.com/openwrt/openwrt/pull/21489
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
It is a BSS-level option and not radio-level. As such,
move it to wifi-iface and ap.uc.
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/21412
Signed-off-by: Robert Marko <robimarko@gmail.com>
They are being default enabled unconditionally when they should
depend on 802.11k. 802.11k should not be enabled by default
either as it can cause issues with certain older drivers and
is useless without a userspace program like usteer or DAWN.
If users want to enable 802.11k they will enable it when they
set such programs up.
Another inconsistency with rnr was dealt with so that it is not
default enabled. This is also not done with old wifi-scripts
and is generally unexpected and surprising behavior.
Moreover, this introduces an inconsistency between old shell
wifi-scripts and ucode version. Old wifi-scripts does not do this.
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/21425
Signed-off-by: Robert Marko <robimarko@gmail.com>
When DHCP Option 60 is specified via sendopts (hex, decimal, or named
formats), udhcpc sends its default "udhcp <version>" string alongside
the custom value, which causes authentication failures with some ISPs.
This fix detects Option 60 in sendopts and automatically passes -V ""
to udhcpc to suppress the default version string while allowing
multiple user-defined vendor classes.
Supported formats:
- Hexadecimal: 0x3c
- Decimal: 60
- Named: vendor
Fixes: #21242
Signed-off-by: JINLIANG GU <ihipop@gmail.com>
https://github.com/openwrt/openwrt/pull/21450
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
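
The Option 60 detection described in the commit above, as an added example that is not the code from the commit or from OpenWrt's DHCP proto handler. It assumes sendopts is a whitespace-separated list of "code:value" entries, each passed to udhcpc with -x; the function names are hypothetical.

```shell
# Assumption: sendopts entries look like "0x3c:<hex>", "60:<text>" or
# "vendor:<text>", separated by whitespace.

# Return 0 if any entry sets DHCP option 60 (vendor class identifier).
sendopts_has_option60() {
    for _opt in $1; do
        _code=${_opt%%:*}
        case "$_code" in
            vendor)
                return 0 ;;
            0[xX]*)
                _hex=${_code#0[xX]}
                case "$_hex" in
                    ''|*[!0-9a-fA-F]*) continue ;;   # not a valid hex code
                esac
                if [ "$((0x$_hex))" -eq 60 ]; then return 0; fi ;;
            ''|*[!0-9]*)
                continue ;;                          # some other named option
            *)
                if [ "$_code" -eq 60 ]; then return 0; fi ;;
        esac
    done
    return 1
}

# Print the udhcpc arguments for a sendopts list: one -x per entry, plus
# -V "" when option 60 is user-supplied, so the default "udhcp <version>"
# string is not sent alongside it.
udhcpc_sendopt_args() {
    _args=
    for _opt in $1; do
        _args="$_args -x $_opt"
    done
    if sendopts_has_option60 "$1"; then
        _args="$_args -V \"\""
    fi
    printf '%s\n' "${_args# }"
}
```
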
This helps for setups where the wifi interfaces are added dynamically
via procd data by avoiding automatically bringing up interfaces with
the default config. Internally, they are treated pretty much the same
by netifd.
Signed-off-by: Felix Fietkau <nbd@nbd.name>