| author | Christian Breunig <christian@breunig.cc> | 2023-08-23 20:20:23 +0200 | 
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-08-23 20:20:23 +0200 | 
| commit | db67bc204e77fb2dd7d4a76672c63bc9bbfc07e1 (patch) | |
| tree | b7e61ea893f7ff0768abbdb8f02f7c7842b3a4c4 /src | |
| parent | f25e1c9fa166c22d2a329ae435ae8be4f80985ef (diff) | |
| parent | 35a46e4abfcece1beefb898ebd7fcb688fc55de5 (diff) | |
Merge pull request #2159 from c-po/t5491-wifi
wifi: T5491: allow white-/blacklisting station MAC addresses for security
Diffstat (limited to 'src')
| -rwxr-xr-x | src/conf_mode/interfaces-wireless.py | 29 | ||||
| -rw-r--r-- | src/etc/netplug/netplugd.conf | 1 | 
2 files changed, 20 insertions, 10 deletions
|
diff --git a/src/conf_mode/interfaces-wireless.py b/src/conf_mode/interfaces-wireless.py
index 29ab9713f..02b4a2500 100755
--- a/src/conf_mode/interfaces-wireless.py
+++ b/src/conf_mode/interfaces-wireless.py
@@ -25,8 +25,6 @@ from vyos.configdict import get_interface_dict
 from vyos.configdict import dict_merge
 from vyos.configverify import verify_address
 from vyos.configverify import verify_bridge_delete
-from vyos.configverify import verify_dhcpv6
-from vyos.configverify import verify_source_interface
 from vyos.configverify import verify_mirror_redirect
 from vyos.configverify import verify_vlan_config
 from vyos.configverify import verify_vrf
@@ -42,6 +40,8 @@ airbag.enable()
 # XXX: wpa_supplicant works on the source interface
 wpa_suppl_conf = '/run/wpa_supplicant/{ifname}.conf'
 hostapd_conf = '/run/hostapd/{ifname}.conf'
+hostapd_accept_station_conf = '/run/hostapd/{ifname}_station_accept.conf'
+hostapd_deny_station_conf = '/run/hostapd/{ifname}_station_deny.conf'
 def find_other_stations(conf, base, ifname):
     """
@@ -81,10 +81,12 @@ def get_config(config=None):
     if 'deleted' not in wifi:
         # then get_interface_dict provides default keys
-        if wifi.from_defaults(['security']): # if not set by user
-            del wifi['security']
+        if wifi.from_defaults(['security', 'wep']): # if not set by user
+            del wifi['security']['wep']
+        if wifi.from_defaults(['security', 'wpa']): # if not set by user
+            del wifi['security']['wpa']
-    if 'security' in wifi and 'wpa' in wifi['security']:
+    if dict_search('security.wpa', wifi) != None:
         wpa_cipher = wifi['security']['wpa'].get('cipher')
         wpa_mode = wifi['security']['wpa'].get('mode')
         if not wpa_cipher:
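Review bot: The two path constants added in the `@@ -42,6 +40,8 @@` hunk, `hostapd_accept_station_conf` and `hostapd_deny_station_conf`, have no comment saying what the files hold or how much protection the feature gives. A station's MAC address travels unencrypted in 802.11 frame headers and is chosen by the client, so an accept/deny list limits casual association but does not authenticate anyone. I would add above them `# hostapd MAC ACL files; MAC filtering supplements WPA and is not an authentication mechanism`.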
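Review bot: In the `@@ -81,10 +81,12 @@` hunk the new condition `dict_search('security.wpa', wifi) != None` compares against `None` by equality; the identity test is the idiomatic form, `if dict_search('security.wpa', wifi) is not None:`. `dict_search` is not among the imports visible in the first hunk, so confirm it is imported elsewhere in the file. Because only the `wep` and `wpa` sub-keys are deleted now, `wifi['security']` can apparently survive as a dict when the user set neither, so any later `'security' in wifi` test is worth re-checking. get_config() starts before and continues after this hunk.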
@@ -102,6 +104,10 @@ def get_config(config=None):
     tmp = find_other_stations(conf, base, wifi['ifname'])
     if tmp: wifi['station_interfaces'] = tmp
+    # used in hostapt.conf.j2
+    wifi['hostapd_accept_station_conf'] = hostapd_accept_station_conf.format(**wifi)
+    wifi['hostapd_deny_station_conf'] = hostapd_deny_station_conf.format(**wifi)
+
     return wifi
 def verify(wifi):
@@ -189,7 +195,10 @@ def generate(wifi):
     if 'deleted' in wifi:
         if os.path.isfile(hostapd_conf.format(**wifi)):
             os.unlink(hostapd_conf.format(**wifi))
-
+        if os.path.isfile(hostapd_accept_station_conf.format(**wifi)):
+            os.unlink(hostapd_accept_station_conf.format(**wifi))
+        if os.path.isfile(hostapd_deny_station_conf.format(**wifi)):
+            os.unlink(hostapd_deny_station_conf.format(**wifi))
         if os.path.isfile(wpa_suppl_conf.format(**wifi)):
             os.unlink(wpa_suppl_conf.format(**wifi))
@@ -224,12 +233,12 @@ def generate(wifi):
     # render appropriate new config files depending on access-point or station mode
     if wifi['type'] == 'access-point':
-        render(hostapd_conf.format(**wifi), 'wifi/hostapd.conf.j2',
-               wifi)
+        render(hostapd_conf.format(**wifi), 'wifi/hostapd.conf.j2', wifi)
+        render(hostapd_accept_station_conf.format(**wifi), 'wifi/hostapd_accept_station.conf.j2', wifi)
+        render(hostapd_deny_station_conf.format(**wifi), 'wifi/hostapd_deny_station.conf.j2', wifi)
     elif wifi['type'] == 'station':
-        render(wpa_suppl_conf.format(**wifi), 'wifi/wpa_supplicant.conf.j2',
-               wifi)
+        render(wpa_suppl_conf.format(**wifi), 'wifi/wpa_supplicant.conf.j2', wifi)
     return None
diff --git a/src/etc/netplug/netplugd.conf b/src/etc/netplug/netplugd.conf
index ab4d826d6..7da3c67e8 100644
--- a/src/etc/netplug/netplugd.conf
+++ b/src/etc/netplug/netplugd.conf
@@ -1,3 +1,4 @@
 eth*
 br*
 bond*
+wlan*
|
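Review bot: The comment added in the `@@ -102,6 +104,10 @@` hunk misspells the template name: `# used in hostapt.conf.j2` should read `# used in hostapd.conf.j2`, matching the `'wifi/hostapd.conf.j2'` string that `generate()` renders. It would also help to say what the two keys are, for example `# paths of the MAC accept/deny lists, referenced from hostapd.conf.j2`.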
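Review bot: The `'deleted'` branch in the `@@ -189,7 +195,10 @@` hunk now repeats the same `os.path.isfile()` / `os.unlink()` pair four times and formats every path twice. One loop over the four path templates keeps the cleanup list in a single place, so a generated file added later is harder to forget. generate() starts before and continues after this hunk.

```python
    if 'deleted' in wifi:
        # remove every file this script may have generated for the interface
        for path_template in (hostapd_conf, hostapd_accept_station_conf,
                              hostapd_deny_station_conf, wpa_suppl_conf):
            config_file = path_template.format(**wifi)
            if os.path.isfile(config_file):
                os.unlink(config_file)
        # … unchanged: remainder of the 'deleted' branch …
```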
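Review bot: The two `render()` calls added under `wifi['type'] == 'access-point'` in the `@@ -224,12 +233,12 @@` hunk write the accept and deny lists without any new validation in this file; the hunk offsets show that `verify()` is untouched by the commit. If the CLI schema (not part of this `src`-only diff) does not already enforce it, `verify()` should reject a configuration that enforces the accept list while that list is empty, which would presumably lock out every station, and a MAC address that appears in both lists. Both files are also rendered when no station list is configured at all, so the two templates need to produce a valid empty file in that case.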
