authoradrian <adrian@FreeBSD.org>2011-12-15 00:52:30 +0000
committeradrian <adrian@FreeBSD.org>2011-12-15 00:52:30 +0000
commit78bb8e5fa2902f0e0d26781527fb5bcd4d13fb36 (patch)
treec0a506e92899f5b8dd0cdd2989e1bbc7470db542 /sys/net80211
parente23259ae4e0dd7e56235ac44f70300d0a986b284 (diff)
Modify the ACL code slightly to support a few nifty things:
* Call it before sending probe responses, so the ACL code has the chance to reject sending them. * Pass the whole frame to the ACL code now, rather than just the destination MAC - that way the ACL module can look at the frame contents to determine what the response should be. This is part of some uncommitted work to support band steering. Sponsored by: Hobnob, Inc.
Diffstat (limited to 'sys/net80211')
-rw-r--r--sys/net80211/ieee80211_acl.c3
-rw-r--r--sys/net80211/ieee80211_hostap.c12
-rw-r--r--sys/net80211/ieee80211_mesh.c5
-rw-r--r--sys/net80211/ieee80211_proto.h1
4 files changed, 17 insertions, 4 deletions
diff --git a/sys/net80211/ieee80211_acl.c b/sys/net80211/ieee80211_acl.c
index d39c428..feff4ad 100644
--- a/sys/net80211/ieee80211_acl.c
+++ b/sys/net80211/ieee80211_acl.c
@@ -152,7 +152,8 @@ _acl_free(struct aclstate *as, struct acl *acl)
}
static int
-acl_check(struct ieee80211vap *vap, const uint8_t mac[IEEE80211_ADDR_LEN])
+acl_check(struct ieee80211vap *vap, const struct ieee80211_frame *wh,
+ const uint8_t mac[IEEE80211_ADDR_LEN])
{
struct aclstate *as = vap->iv_as;
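Review bot: The new `wh` parameter of acl_check is undocumented and is not used in the lines visible here; the function body continues outside the hunk. Every call site in this commit passes `wh->i_addr2` as `mac`, so the two arguments are redundant today and a future caller could pass values that disagree without anything noticing. A short comment above the function would pin the contract, for example `/* wh: received 802.11 header (sender-supplied); mac: address the policy is applied to, wh->i_addr2 at current call sites. */`.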
diff --git a/sys/net80211/ieee80211_hostap.c b/sys/net80211/ieee80211_hostap.c
index e190450..625e45e 100644
--- a/sys/net80211/ieee80211_hostap.c
+++ b/sys/net80211/ieee80211_hostap.c
@@ -1795,6 +1795,16 @@ hostap_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0,
return;
}
/*
+ * Consult the ACL policy module if setup.
+ */
+ if (vap->iv_acl != NULL &&
+ !vap->iv_acl->iac_check(vap, wh, wh->i_addr2)) {
+ IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL,
+ wh, NULL, "%s", "disallowed by ACL");
+ vap->iv_stats.is_rx_acl++;
+ return;
+ }
+ /*
* prreq frame format
* [tlv] ssid
* [tlv] supported rates
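Review bot: The new probe-request branch increments `vap->iv_stats.is_rx_acl`, the same counter used by the existing ACL check later in hostap_recv_mgmt (the second hunk of this file), so the statistic now mixes denied probe requests with the other ACL denials. Probe requests arrive from any scanning station with a sender-chosen `i_addr2`, so the count can grow quickly and stops being a useful signal for rejected stations on its own. Consider a separate counter for the probe path, or at least extend the comment to say what a denial means here, e.g. `/* Consult the ACL policy module if set up; a denial only suppresses the probe response. */`. hostap_recv_mgmt starts and ends outside the hunk.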
@@ -1874,7 +1884,7 @@ hostap_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0,
* Consult the ACL policy module if setup.
*/
if (vap->iv_acl != NULL &&
- !vap->iv_acl->iac_check(vap, wh->i_addr2)) {
+ !vap->iv_acl->iac_check(vap, wh, wh->i_addr2)) {
IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL,
wh, NULL, "%s", "disallowed by ACL");
vap->iv_stats.is_rx_acl++;
diff --git a/sys/net80211/ieee80211_mesh.c b/sys/net80211/ieee80211_mesh.c
index cfffd87..d6e992b 100644
--- a/sys/net80211/ieee80211_mesh.c
+++ b/sys/net80211/ieee80211_mesh.c
@@ -1120,7 +1120,8 @@ mesh_input(struct ieee80211_node *ni, struct mbuf *m, int rssi, int nf)
*
* NB: this check is also done upon peering link initiation.
*/
- if (vap->iv_acl != NULL && !vap->iv_acl->iac_check(vap, wh->i_addr2)) {
+ if (vap->iv_acl != NULL &&
+ !vap->iv_acl->iac_check(vap, wh, wh->i_addr2)) {
IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL,
wh, NULL, "%s", "disallowed by ACL");
vap->iv_stats.is_rx_acl++;
@@ -1379,7 +1380,7 @@ mesh_recv_mgmt(struct ieee80211_node *ni, struct mbuf *m0, int subtype,
* Peer only based on the current ACL policy.
*/
if (vap->iv_acl != NULL &&
- !vap->iv_acl->iac_check(vap, wh->i_addr2)) {
+ !vap->iv_acl->iac_check(vap, wh, wh->i_addr2)) {
IEEE80211_DISCARD(vap, IEEE80211_MSG_ACL,
wh, NULL, "%s", "disallowed by ACL");
vap->iv_stats.is_rx_acl++;
diff --git a/sys/net80211/ieee80211_proto.h b/sys/net80211/ieee80211_proto.h
index 54af007..fbd32d3 100644
--- a/sys/net80211/ieee80211_proto.h
+++ b/sys/net80211/ieee80211_proto.h
@@ -215,6 +215,7 @@ struct ieee80211_aclator {
int (*iac_attach)(struct ieee80211vap *);
void (*iac_detach)(struct ieee80211vap *);
int (*iac_check)(struct ieee80211vap *,
+ const struct ieee80211_frame *wh,
const uint8_t mac[IEEE80211_ADDR_LEN]);
int (*iac_add)(struct ieee80211vap *,
const uint8_t mac[IEEE80211_ADDR_LEN]);
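Review bot: `iac_check` now takes `const struct ieee80211_frame *wh` but no frame length or mbuf, so an ACL module that inspects frame contents past the fixed header, as the commit message intends, has nothing to bound its reads against. The callback is also reached from mesh_input as well as from the management handlers in ieee80211_hostap.c and ieee80211_mesh.c, so an implementation presumably has to check the frame type itself before interpreting anything beyond the addresses. The member should carry a comment stating this, for example `/* wh: received 802.11 header only; no length is passed, do not parse beyond it */`, or the signature should carry the length as well. struct ieee80211_aclator continues outside the hunk.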