Hello. First of all, the Flint is missing so many of the typical router features and has numerous limitations, which is frustrating…
So filtering by MAC.
According to the "Mac whitelist for wifi" post, the user has to set this up with the iwpriv command each time… cra…
Why?
There are functions in /lib/wifi/qcawifi.sh that should already read the config and set this up.
So I just copy-pasted the

```
option macfilter 'allow'
list maclist 'aa:bb:cc:dd:ee:ff'
```

sections from the /etc/config/wireless of the old router…
Ah… Does not work… Lol…

```
uci show wireless
```

shows that the configuration is correct…
Well… Ok… This is forcing me to write my own cr.py parser-script.
path and name: /etc/init.d/iwmf
Content:
```
#!/bin/sh /etc/rc.common

START=99
USE_PROCD=1

service_triggers()
{
    procd_add_reload_trigger iwmf
}

start_service()
{
    # Trying to catch all ifaces
    for i in $(uci -q -X show wireless | grep "ifname" | cut -d'.' -f1,2); do
        # Ignoring disabled ifaces for $i
        # (an unset "disabled" option means the iface is enabled, so only
        # an explicit '1' is skipped)
        if [ "$(uci -q get "$i.disabled")" != "1" ]; then
            # Setting up variables for the check for $i
            maclist="$(uci -q get "$i.maclist")"
            # If a maclist was configured for the iface, we proceed
            if [ -n "$maclist" ]; then
                # Get the policy
                macfilter="$(uci -q get "$i.macfilter")"
                # Get ifname
                ifname="$(uci -q get "$i.ifname")"
                # Flush MAC list
                iwpriv "$ifname" maccmd 3
                # Send the MACs to the card
                for mac in $maclist; do
                    iwpriv "$ifname" addmac "$mac"
                done
                # Set up the policy on the card
                case "$macfilter" in
                    allow)
                        iwpriv "$ifname" maccmd 1
                    ;;
                    deny)
                        iwpriv "$ifname" maccmd 2
                    ;;
                    *)
                        # So, the policy is not set, but there is a maclist... Why?..
                        # Maybe the user turned off the policy, but kept the maclist?..
                        # If that is true, we should flush the maclist on the iface
                        iwpriv "$ifname" maccmd 3
                    ;;
                esac
            fi
        fi
    done
}

stop_service()
{
    return 0
}

reload_service()
{
    start_service
}

restart_service()
{
    start_service
}
```
After copy-pasting that snippet to /etc/init.d/iwmf, just enable that service by executing

```
chmod +x /etc/init.d/iwmf
/etc/init.d/iwmf enable
/etc/init.d/iwmf start
```

Obviously you need to set up the maclist and macfilter policy in /etc/config/wireless first (see [OpenWrt Wiki] Wi-Fi /etc/config/wireless).
There were some problems… the helper functions like config_get from /lib/functions.sh etc… I couldn't get them to work. Therefore, I just parsed the output of uci show from scratch…
And in /lib/wifi/qcawifi.sh there is this piece:

```
# /lib/wifi/qcawifi.sh, lines 2235-2247
config_get macfilter "$vif" macfilter
case "$macfilter" in
    allow)
        iwpriv "$ifname" maccmd 1
    ;;
    deny)
        iwpriv "$ifname" maccmd 2
    ;;
    *)
        # default deny policy if mac list exists
        [ -n "$maclist" ] && iwpriv "$ifname" maccmd 2
    ;;
esac
```

The last part, "# default deny policy if mac list exists", is not very wise. What if the user configured the maclist earlier, and then disabled the macfilter for a while?
Update.
Well… I have updated the script… it works pretty well when you restart it…
I kind of came close to the root of the problem.
The system file that sets up the maclist and macfilter in our case is /lib/wifi/qcawificfg80211.sh
I slightly modified it:
# diff -ub /lib/wifi/qcawificfg80211.0sh /lib/wifi/qcawificfg80211.sh
--- /lib/wifi/qcawificfg80211.0sh 2021-08-23 12:03:03.000000000 +0000
+++ /lib/wifi/qcawificfg80211.sh 2022-01-14 01:18:43.000000000 +0000
@@ -2520,25 +2520,26 @@
[ -n "$stafwd" ] && "$device_if" "$ifname" stafwd "$stafwd"
config_get maclist "$vif" maclist
+ logger "config_get maclist "$vif" maclist"
[ -n "$maclist" ] && {
# flush MAC list
- "$device_if" "$ifname" maccmd 3
+ "$device_if" "$ifname" maccmd 3 && logger ""$device_if" "$ifname" maccmd 3"
for mac in $maclist; do
- "$device_if" "$ifname" addmac "$mac"
+ "$device_if" "$ifname" addmac "$mac" && logger "$device_if" "$ifname" addmac "$mac"
done
}
config_get macfilter "$vif" macfilter
case "$macfilter" in
allow)
- "$device_if" "$ifname" maccmd 1
+ "$device_if" "$ifname" maccmd 1 && logger " "$device_if" "$ifname" maccmd 1"
;;
deny)
- "$device_if" "$ifname" maccmd 2
+ "$device_if" "$ifname" maccmd 2 && logger " "$device_if" "$ifname" maccmd 2"
;;
*)
# default deny policy if mac list exists
- [ -n "$maclist" ] && "$device_if" "$ifname" maccmd 2
+ [ -n "$maclist" ] && "$device_if" "$ifname" maccmd 2 && logger ""$device_if" "$ifname" maccmd 2 "
;;
esac
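Review bot: The `&& logger` chaining on the `maccmd` and `addmac` lines logs only when the command succeeds, so a failing `"$device_if"` call, which is the case this debugging is meant to catch, leaves no trace in syslog. Log unconditionally and include the exit status, for example `"$device_if" "$ifname" maccmd 3; logger "$device_if $ifname maccmd 3 rc=$?"`. The nested double quotes in the logger arguments (such as `logger ""$device_if" "$ifname" maccmd 3"`) close and reopen the string, so the variables end up expanded outside any quotes; one quoted string per message is the intended form. The `addmac` line also writes every client MAC to syslog, so these lines should be removed again once the debugging is done.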
for debugging.
And it executes, fills up the maclist and sets the macfilter policy:
```
Fri Jan 14 01:27:28 2022 user.notice root: config_get maclist cfg103579 maclist
Fri Jan 14 01:27:28 2022 user.notice root: cfg80211tool ath7 maccmd 3
Fri Jan 14 01:27:29 2022 user.notice root: cfg80211tool ath7 addmac **:**:**:**:**:**
Fri Jan 14 01:27:29 2022 user.notice root: cfg80211tool ath7 addmac **:**:**:**:**:**
Fri Jan 14 01:27:29 2022 user.notice root: cfg80211tool ath7 maccmd 1
Fri Jan 14 01:27:29 2022 kern.info kernel: [39315.110868] br-IOT: port 3(ath5) entered forwarding state
Fri Jan 14 01:27:30 2022 kern.warn kernel: [39315.531832] __mc_netlink_receive: Disable bridge snooping!
Fri Jan 14 01:27:30 2022 kern.warn kernel: [39316.162582] __mc_netlink_receive: Enable bridge snooping!
Fri Jan 14 01:27:31 2022 kern.info kernel: [39316.437388] 8021q: adding VLAN 0 to HW filter on device ath7
Fri Jan 14 01:27:31 2022 daemon.info hostapd: ath7: IEEE 802.11 driver had channel switch: freq=2462, ht=1, vht_ch=0x0, offset=-1, width=2 (40 MHz), cf1=2452, cf2=0
Fri Jan 14 01:27:32 2022 kern.err kernel: [39317.855581] cnss: Ignore double allocation for QDSS trace, current len 1
```
But right after that (I have monitored iwpriv ath$i getmac in a loop) something flushes the maclists on all the ifaces at once.
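
The manual check described at the end of the post (watching `iwpriv ath$i getmac` for a flushed list) can be written as a repeatable drift check between the UCI maclist and the driver's list. This is an added example, not part of the original post: the function names, the `iwmf-drift` syslog tag and the sample strings are made up here, and MACs are extracted by pattern because the real `getmac` output layout is not shown on the page.

```shell
#!/bin/sh
# Added example (not from the original post): report drift between the MAC ACL
# configured in UCI and the list the driver currently holds.

# Print every MAC-looking token in $1, lowercased, one per line, de-duplicated.
# Pattern extraction is used because the getmac output layout is an unknown.
extract_macs() {
    printf '%s\n' "$1" | grep -oiE '([0-9a-f]{2}:){5}[0-9a-f]{2}' |
        tr 'A-F' 'a-f' | sort -u
}

# acl_drift CONFIGURED LIVE
# Prints "missing <mac>" for configured entries the driver lacks and
# "extra <mac>" for driver entries not in the config. Returns 1 on any drift.
acl_drift() {
    want=" $(echo $(extract_macs "$1")) "
    have=" $(echo $(extract_macs "$2")) "
    rc=0
    for m in $want; do
        case "$have" in *" $m "*) ;; *) echo "missing $m"; rc=1 ;; esac
    done
    for m in $have; do
        case "$want" in *" $m "*) ;; *) echo "extra $m"; rc=1 ;; esac
    done
    return $rc
}

# check_iface SECTION   (SECTION is a UCI wifi-iface such as wireless.cfgXXXXXX)
# Compares UCI with the driver once and logs each difference to syslog.
# The "iwmf-drift" tag is a hypothetical name chosen for this example.
check_iface() {
    ifname=$(uci -q get "$1.ifname") || return 2
    conf=$(uci -q get "$1.maclist")
    live=$(iwpriv "$ifname" getmac 2>/dev/null)
    acl_drift "$conf" "$live" | while read -r kind mac; do
        logger -t iwmf-drift "$ifname: $kind $mac"
    done
}

# Constructed sample data for an offline run (not real addresses or output).
SAMPLE_CONF='AA:BB:CC:DD:EE:FF 02:00:00:00:00:01'
SAMPLE_LIVE_OK='ath7  getmac: aa:bb:cc:dd:ee:ff 02:00:00:00:00:01'
SAMPLE_LIVE_FLUSHED='ath7  getmac:'
```

With an allow policy, every "missing" line is a whitelisted client the driver no longer knows about, so a timestamped syslog entry per difference helps line the flush up against whatever else ran at that moment.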