1:ACL
Access Control List (ACL) is a mechanism in AP mode operation to restrict association of clients based on their MAC addresses. User can add MAC addresses to the ACL and also configure policy to be used for allowing client association based on this list. The policy can be either to allow or deny association of clients with MAC address matching one of the addresses in the ACL.
In short, an ACL is a way of controlling which clients may connect in AP mode, and the control is based on the client's MAC address. Note that the ACL implementation described here is applied when the client's authentication request frame is received.
2: Code analysis
At the very end of ieee80211_vap_setup() there is the call ieee80211_scs_vattach(vap); from this we can see that the ACL here is built on top of the VAP. The file ieee80211_acl.c contains the following definitions:
    /*
     * IEEE 802.11 MAC ACL support.
     * When this module is loaded the sender address of each received
     * frame is passed to the iac_check method and the module indicates
     * if the frame should be accepted or rejected. If the policy is
     * set to ACL_POLICY_OPEN then all frames are accepted w/o checking
     * the address. Otherwise, the address is looked up in the database
     * and if found the frame is either accepted (ACL_POLICY_ALLOW)
     * or rejected (ACL_POLICY_DENY).
     */
    enum
    {
        ACL_POLICY_OPEN  = 0,   /* open, don't check ACL's */
        ACL_POLICY_ALLOW = 1,   /* allow traffic from MAC */
        ACL_POLICY_DENY  = 2,   /* deny traffic from MAC */
    };
So three policies are defined to control client association: open, allow and deny. They mean, respectively: the ACL is not applied at all; only MAC addresses in the ACL list are allowed to connect; MAC addresses in the list are refused.
When a client sends an authentication request frame, that frame is a management frame (#define IEEE80211_FC0_TYPE_MGT 0x00). In the management-frame handler ieee80211_recv_mgmt(), a received subtype of
#define IEEE80211_FC0_SUBTYPE_AUTH 0xb0 indicates that the management frame is an authentication request. Following the source downward leads to ieee80211_mlme_recv_auth(), and further down, mlme_recv_auth_ap() contains the following code:
    /*
     * Consult the ACL policy module if setup.
     */
    if (!ieee80211_acl_check(vap, wh->i_addr2))   /* once the MAC address is matched against the policy, refuse the request */
    {
        IEEE80211_DPRINTF(vap, IEEE80211_MSG_ACL,
            "[%s] auth: disallowed by ACL \n", ether_sprintf(wh->i_addr2));
        response_status = IEEE80211_STATUS_REFUSED;
        indication_status = IEEE80211_STATUS_REFUSED;
        vap->iv_stats.is_rx_acl++;
        break;
    }
    /*
     * This function is always called from tasklet context and it may be noted
     * that the same tasklet is not scheduled on more than one CPU at the same
     * time. The user context functions that modify the ACL use spin_lock_dpc
     * which disable softIrq on the current CPU. However, a softIrq scheduled
     * on another CPU could execute the rx tasklet. Hence, protection is needed
     * here. spinlock is sufficient as it disables kernel preemption and if the
     * user task is accessing this list, the rx tasklet will wait until the user
     * task releases the spinlock. The original code didn't use any protection.
     */
    int
    ieee80211_acl_check(wlan_if_t vap, const u_int8_t mac[IEEE80211_ADDR_LEN])
    {
        ieee80211_acl_t acl = vap->iv_acl;

        if (acl == NULL) return 1;

        /* EV : 89216
         * WPS2.0 : Ignore MAC Address Filtering if WPS Enabled
         * Display the message.
         * return 1 to report success
         */
        if (vap->iv_wps_mode) {
            printk("\n WPS Enabled : Ignoring MAC Filtering\n");
            return 1;
        }

        switch (acl->acl_policy) {
            struct ieee80211_acl_entry *entry;

        case ACL_POLICY_OPEN:
            return 1;
        case ACL_POLICY_ALLOW:
            spin_lock(&acl->acl_lock);
            entry = _find_acl(acl, mac);
            spin_unlock(&acl->acl_lock);
            return entry != NULL;
        case ACL_POLICY_DENY:
            spin_lock(&acl->acl_lock);
            entry = _find_acl(acl, mac);
            spin_unlock(&acl->acl_lock);
            return entry == NULL;
        }
        return 0;   /* should not happen */
    }
As shown above, the function looks up whether the given MAC address exists in the ACL list and interprets the result according to the ACL policy. The remaining functions are:
    int ieee80211_acl_attach(wlan_if_t vap);
    int ieee80211_acl_detach(wlan_if_t vap);
    int ieee80211_acl_add(wlan_if_t vap, const u_int8_t mac[IEEE80211_ADDR_LEN]);
    int ieee80211_acl_remove(wlan_if_t vap, const u_int8_t mac[IEEE80211_ADDR_LEN]);
    int ieee80211_acl_get(wlan_if_t vap, u_int8_t *macList, int len, int *num_mac);
    int ieee80211_acl_check(wlan_if_t vap, const u_int8_t mac[IEEE80211_ADDR_LEN]);
    int ieee80211_acl_flush(wlan_if_t vap);
    int ieee80211_acl_setpolicy(wlan_if_t vap, int);
    int ieee80211_acl_getpolicy(wlan_if_t vap);
These are relatively simple and are not covered further here.
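To make the decision table of ieee80211_acl_check() and the list handling behind it concrete, here is a small userspace model of the same logic. It is an added example, not driver code: the struct names, acl_add() and acl_check() are my own stand-ins for the per-VAP ACL state, ieee80211_acl_add() and ieee80211_acl_check(), with the spinlocks and printk left out, and the MAC address is a constructed sample.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define ACL_ADDR_LEN 6
enum { ACL_POLICY_OPEN = 0, ACL_POLICY_ALLOW = 1, ACL_POLICY_DENY = 2 };
struct acl_entry { uint8_t mac[ACL_ADDR_LEN]; struct acl_entry *next; };
/* Model of the per-VAP state the driver keeps: policy, WPS flag and the entry list (assumed layout). */
struct acl { int policy; int wps_mode; struct acl_entry *head; };

static struct acl_entry *acl_find(const struct acl *acl, const uint8_t *mac)
{
    for (struct acl_entry *e = acl->head; e != NULL; e = e->next)
        if (memcmp(e->mac, mac, ACL_ADDR_LEN) == 0) return e;
    return NULL;
}

/* Prepend a MAC (ieee80211_acl_add analogue); 0 on success, -1 on duplicate or OOM. */
int acl_add(struct acl *acl, const uint8_t *mac)
{
    if (acl_find(acl, mac) != NULL) return -1;
    struct acl_entry *e = malloc(sizeof *e);
    if (e == NULL) return -1;
    memcpy(e->mac, mac, ACL_ADDR_LEN);
    e->next = acl->head;
    acl->head = e;
    return 0;
}

/* Same decision table as ieee80211_acl_check(): 1 = accept the auth frame, 0 = refuse. */
int acl_check(const struct acl *acl, const uint8_t *mac)
{
    if (acl->wps_mode) return 1;   /* WPS enabled: MAC filtering is bypassed entirely */
    switch (acl->policy) {
    case ACL_POLICY_OPEN:  return 1;
    case ACL_POLICY_ALLOW: return acl_find(acl, mac) != NULL;   /* whitelist */
    case ACL_POLICY_DENY:  return acl_find(acl, mac) == NULL;   /* blacklist */
    }
    return 0;                      /* unknown policy: fail closed */
}

int main(void)
{
    const uint8_t listed[ACL_ADDR_LEN] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55};  /* constructed */
    struct acl acl = { ACL_POLICY_DENY, 0, NULL };
    acl_add(&acl, listed);
    printf("deny policy, listed MAC -> %d\n", acl_check(&acl, listed));
    acl.wps_mode = 1;
    printf("deny policy + WPS, listed MAC -> %d\n", acl_check(&acl, listed));
    return 0;
}
```

The WPS branch matters operationally: while iv_wps_mode is set the list is never consulted, so a deny entry gives no protection until WPS is turned off again.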
3: Invocation from userspace
The policy mode can be set, and MAC addresses added or removed, through the iwpriv command.
Atheros wireless driver: ACL black and white lists