Description:
Hostapd successfully parsed the uplink and downlink bandwidth attributes from
the RADIUS server, but the values were not being propagated correctly into
sta_info. As a result, the bandwidth information was missing in the UBUS
events sent to ucentral-event.
Fix:
Ensure the parsed bandwidth values are correctly passed to sta_info so they
are included in subsequent UBUS notifications.
Tests Performed:
Configured per-client bandwidth limits on the RADIUS server and verified that:
- The AP enforces the configured uplink/downlink limits, and
- The correct bandwidth values appear in the UBUS events.
Signed-off-by: Venkat Chimata <venkat@nearhop.com>
Interfaces like phy6g-ap0 can produce overly long IFB device names
(e.g., i-phy6g-ap0), which may exceed kernel name-length limits,
specifically in case of VLANs.
This patch normalizes such interface names by replacing the phy
prefix with p and shortening ap → a, producing more compact
IFB device names (e.g., i-p2g-a0).
Other interfaces continue using their original names.
Signed-off-by: Venkat Chimata <venkat@nearhop.com>
a6fdd32 cmd_upgrade: enable curl to follow redirects
1c3e51f fix: Updated schema to fix issue with fingerprinting raw mode
Signed-off-by: John Crispin <john@phrozen.org>
Enable the CONFIG_GPIO_WATCHDOG of kernel config
Add the 'wdt' watchdog service in /etc/init.d/
Signed-off-by: Yang-Yongzhi <yangyongzhi@asterfusion.com>
Description:
The num_peers counter does not always update at the exact moment a peer is deleted.
Since deletion and decrement are not fully atomic, there are scenarios where
num_peers can drift out of sync with the actual number of peers.
Fix:
A complete rewrite of the num_peers update logic—ensuring fully correct
increment/decrement handling during peer insertion and deletion—would require
significant effort and QA validation. As an immediate and effective solution,
this patch synchronizes num_peers with the actual peer count whenever a mismatch
is detected.
Fixes WIFI-14998 and indirectly resolves WIFI-15202.
Signed-off-by: Venkat Chimata <venkat@nearhop.com>
The buffer pointed to by event is not freed in case
ATH11K_FLAG_UNREGISTERING bit is set, resulting in
memory leak, so fix it.
Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-01720.1-QCAHSPSWPL_V1_V2_SILICONZ_LITE-1
Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
Signed-off-by: Baochen Qiang <bqiang@codeaurora.org>
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20210913180246.193388-4-jouni@codeaurora.org
Signed-off-by: Venkat Chimata <venkat@nearhop.com>
crypto_alloc_shash() allocates resources, which should be released by
crypto_free_shash(). When ath11k_peer_find() fails, there has memory
leak. Add missing crypto_free_shash() to fix this.
Fixes: 243874c64c81 ("ath11k: handle RX fragments")
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/20230102081142.3937570-1-linmq006@gmail.com
Signed-off-by: Venkat Chimata <venkat@nearhop.com>
In the DP RX path, fast_rx is set to true by default.
Currently, if peer lookup fails in ath11k_dp_rx_h_mpdu(), the SKB is not sent
to the network stack or mac80211 because fast_rx remains true. This results
in a memory leak.
Fix this by setting fast_rx = false when peer lookup fails in
ath11k_dp_rx_h_mpdu(), ensuring the SKB is properly delivered to mac80211
via ath11k_dp_rx_deliver_msdu().
Fixes: WIFI-15202
Signed-off-by: Marek Kwaczynski <marek@shasta.cloud>
The num_peers counter becomes corrupted during peer deletion due to race
conditions between ath11k_peer_delete() and ath11k_peer_unmap_event().
The firmware may or may not send unmap events, and the timing varies,
causing the counter to either leak (increment without decrement) or
underflow (double decrement).
Root causes:
1. ath11k_peer_delete() doesn't decrement num_peers, relying on
ath11k_peer_unmap_event() to do it
2. Firmware sometimes doesn't send unmap events, leaving num_peers
inflated
3. When unmap events do arrive, timing races with ath11k_peer_delete()
can cause missed decrements
4. Cleanup paths may double-decrement if delete_in_progress not checked
5. num_peers modified outside proper locking in some paths
This fix:
- Moves num_peers decrement into ath11k_peer_delete() after successful
peer deletion wait, ensuring exactly one decrement per deletion
- Handles both cases: peer removed by unmap event, or peer still in list
- Removes num_peers decrement from ath11k_peer_unmap_event() to prevent
double-decrement when unmap event arrives
- Adds ath11k_dp_peer_cleanup() call before ath11k_peer_delete() in
roaming path to ensure datapath structures properly cleaned up
- Adds delete_in_progress checks in cleanup paths to prevent
double-delete
- Ensures all num_peers modifications happen under base_lock
- Adds comprehensive debug logging to track num_peers throughout peer
lifecycle
Signed-off-by: Arif Alam <arif.alam@netexperience.com>
Signed-off-by: John Crispin <john@phrozen.org>
1. When a connected client roams to another AP, the AP is trying to delete the peer
but for some reason the WMI command times out and while driver is waiting for
the response, we observed that the AP doesn't respond to any frames from STA
(probe requests, authentication etc) and once the response times out (3seconds default)
then AP starts responding to the older requets but client has already connected to
another AP. As the root cause for the response timing out is in the FW, we added
a WAR to reduce the timeout to minimize this blind period, with this AP responds
after 100ms and client connects successfully. And 100ms timeout is also reasonable
for this internal operation.
2. In case of peer deletion timeout, the driver peer database is not cleared, so,
if this happens often (which it is) then eventually we hit the max peers in the
driver and all subsequent operations fail, so, in case of timeout ignore the failure
and proceed with driver peer database cleanup.
Signed-off-by: Venkat Chimata <venkat@nearhop.com>
Add bind-dig package dependency required for CAA record lookups
in est_client, which uses the dig command to query DNS for EST
server discovery.
Signed-off-by: John Crispin <john@phrozen.org>
Change standard FQDN from 'openwifi.network' to 'openwifi.wlan.local'
to prevent DNS hijacking attacks. The .local TLD is reserved for local
network use (mDNS) and cannot be registered in public DNS, ensuring
that discovery traffic cannot be redirected to attacker-controlled
infrastructure.
Signed-off-by: John Crispin <john@phrozen.org>
Move EST client enrollment to occur immediately after successful DHCP
discovery and before starting the ucentral client. This ensures
controller-specific certificates are enrolled before attempting to
connect. If EST enrollment fails during DHCP discovery, the client
will not be started.
Adjust interval_handler to call EST enrollment after DHCP discovery
attempt rather than before, ensuring proper certificate handling for
DHCP-discovered controllers.
Signed-off-by: John Crispin <john@phrozen.org>
Replace resolv module usage with dig command for CAA record lookups
to simplify DNS query handling. Reorganise cert_prefix_determine() to
prioritise controller-specific FQDN from cloud.json before checking
discovery method.
Add extensive debug logging throughout to aid troubleshooting of EST
enrollment process, including curl commands and exit codes.
Signed-off-by: John Crispin <john@phrozen.org>
The air-gapped EST server uses a certificate signed by the OpenLAN
Server Issuing CA. This certificate is used to ensure mTLS
authentication when the device connects to the EST server.
Signed-off-by: John Crispin <john@phrozen.org>
Add dnsmasq_rebind_allow() function to automatically whitelist controller
FQDNs for private IP resolution in air-gapped deployments.
When dnsmasq's boguspriv option is enabled (default), it blocks DNS
responses containing private IP addresses (RFC 1918) as a security
measure. This prevents DHCP Option 224 from resolving controller FQDNs
to local private IPs in air-gapped networks.
Solution: Inject rebind-domain-ok directives into /tmp/dnsmasq.d/
directory, which dnsmasq automatically includes via --conf-dir option.
Behaviour:
- DHCP discovery: Whitelist FQDN from dhcp_server field
- Standard FQDN discovery: Whitelist openwifi.network
- Centralized discovery: No changes (public IPs not affected)
This maintains security by only allowing specific controller domains
to resolve to private IPs whilst filtering all other RFC 1918 responses.
Signed-off-by: John Crispin <john@phrozen.org>
Add cert_prefix_determine() function that reads discovery method from
/tmp/discovery.method and determines appropriate certificate naming:
- Centralized (OpenLAN redirector): operational.pem/operational.ca
- Air-gapped (DHCP/FQDN/Flash): <controller-fqdn>.pem/<controller-fqdn>.ca
The FQDN is extracted from the controller address in /tmp/cloud.json
(DHCP Option 224).
This enables APs to enrol and store separate operational certificates
for multiple controllers, supporting portability between centralized
and air-gapped deployments without certificate conflicts.
Signed-off-by: John Crispin <john@phrozen.org>
Extend gateway.json to include cert and ca fields specifying which
certificate files the client should use for the connection.
Certificate naming strategy:
- Centralized (redirector discovery): operational.pem/operational.ca
- Air-gapped (DHCP/FQDN/Flash): <fqdn>.pem/<fqdn>.ca
Write discovery method to /tmp/discovery.method so est_client can
determine appropriate certificate naming when enrolling.
This enables APs to maintain separate operational certificates for
multiple controllers and automatically select the correct certificates
based on which controller they're connecting to.
Signed-off-by: John Crispin <john@phrozen.org>
Modify early_boot init script to copy all .pem and .ca files from
/certificates/ to /etc/ucentral/ instead of only operational.pem
and operational.ca.
This enables support for multiple trust chains where certificates
are stored with FQDN-based names (e.g., controller.example.com.pem)
alongside the traditional operational.pem.
The simple wildcard copy allows air-gapped deployments to maintain
certificates for multiple controllers without complex logic.
Signed-off-by: John Crispin <john@phrozen.org>
Add discovery method that attempts to resolve a standard FQDN when DHCP
discovery fails. This enables zero-touch provisioning in environments
where administrators configure DNS without modifying DHCP infrastructure.
The standard FQDN is configurable via STANDARD_FQDN constant (defaults
to "openwifi.network"). Administrators can configure their local DNS to
resolve this FQDN to their controller, allowing APs to discover the
controller automatically.
Discovery priority order:
1. EST enrollment (blocking)
2. DHCP discovery (Option 224/138)
3. Flash-based configuration
4. Standard FQDN resolution (NEW)
5. Cloud redirector service (internet-connected only)
The implementation uses the resolv module for DNS queries, performing
A record lookups. If resolution fails, discovery continues to the next
method. The standard FQDN method integrates with the existing discovery
block list mechanism to prevent repeated failed attempts.
Note: The boguspriv dnsmasq option may prevent FQDNs from resolving to
private IPs. Administrators should either use CG NAT Safe IP addresses
(100.64.0.0/10) or configure dnsmasq with rebind-domain-ok exceptions.
Signed-off-by: John Crispin <john@phrozen.org>
Implement EST server discovery via CAA DNS records for air-gapped
deployments. When DHCP Option 224 provides a controller FQDN, query
CAA records to determine the appropriate EST server endpoint.
The discovery flow:
1. Read controller FQDN from /tmp/cloud.json (set by DHCP handler)
2. Query CAA records for the controller domain
3. Use EST server from CAA 'issue' tag if present
4. Fall back to certificate issuer-based selection if CAA lookup fails
This allows network administrators to configure local EST servers via
DNS rather than relying on hardcoded public endpoints. Air-gapped
deployments can now specify private EST servers through standard DNS
infrastructure.
Example DNS configuration:
controller.local. IN CAA 0 issue "est.local:8001"
When an AP receives controller.local via DHCP Option 224, it will
query CAA records and use est.local:8001 for certificate enrollment
instead of the public est.certificates.open-lan.org endpoint.
Signed-off-by: John Crispin <john@phrozen.org>
Add missing ';;' after edgecore,eap111/eap112 LED configuration to
prevent fall-through to subsequent case statements.
Signed-off-by: John Crispin <john@phrozen.org>
Allow configuring small values of duration time for passive
scanning in software scan.
Fixes: WIFI-14822
Signed-off-by: Marek Kwaczynski <marek@shasta.cloud>
**SPECIFICATIONS:**
SOC: Qualcomm IPQ6018 (64-bit quad-core ARM Cortex-A53 @ 1.8Ghz)
Flash: SPI NOR 8MB + NAND 128MB
Memory: 1GB
2.4GHz Frequency Band: 2.4GHz ~ 2.484GHz (802.11 b/g/n/ax)
5GHz Frequency Band: 5.150GHz~5.850GHz (802.11 a/n/ac/ax)
Wireless Speed: 2.4GHz: 574Mbps, 5GHz: 1201Mbps
**BACKUP YOUR STOCK FIRMWARE:**
- Put openwrt-*-initramfs-kernel.bin to your TFTP server and rename it to initramfs.bin
- Enable serial console and enter to u-boot cli and exec these commands:
```
tftpboot <your_tftp_server_ip>:initramfs.bin
bootm
```
- Once boot completed and you get the openwrt shell execute below commands:
```
device=<device_name>
mkdir -p /tmp/fw_backup; cd /tmp/fw_backup
rootfs=$(cat /proc/mtd | grep \"rootfs\" | cut -d: -f1)
rootfs_1=$(cat /proc/mtd | grep \"rootfs_1\" | cut -d: -f1)
dd if=/dev/${rootfs} of=rootfs_${rootfs} bs=1M
dd if=/dev/${rootfs_1} of=rootfs_1_${rootfs_1} bs=1M
cp /sys/firmware/fdt fdt.dtb
md5sum * > md5sum
tar -cvzf /tmp/${device}.tar.gz .
sum=$(md5sum /tmp/${device}.tar.gz | cut -d' ' -f1)
mv /tmp/${device}.tar.gz /tmp/${device}_${sum}.tar.gz
echo "stock fw backup saved to: /tmp/${device}_${sum}.tar.gz"
```
- Upload/save your backup to a safe place.
**STOCK FIRMWARE RECOVERY:**
- Boot initramfs image
- Upload your backed-up stock fw tarball to the device
using scp or download it from the device using wget.
- Enter device ssh cli or tty and exec:
```
cd /tmp && wget <your_web_server_ip>/${stock_fw_backup}.tar.gz`
tar -xpzf ${stock_fw_backup}.tar.gz
rootfs=$(cat /proc/mtd | grep \"rootfs\" | cut -d: -f1)
rootfs_1=$(cat /proc/mtd | grep \"rootfs_1\" | cut -d: -f1)
ubiformat /dev/${rootfs} -y -f /tmp/rootfs_${rootfs}
ubiformat /dev/${rootfs_1} -y -f /tmp/rootfs_1_${rootfs_1}
reboot
```
**INSTALLATION:**
1. initramfs method
- Put openwrt-*-initramfs-kernel.bin to your TFTP server and rename it to initramfs.bin
- Enable serial console and enter to u-boot cli and exec these commands:
```
tftpboot <your_tftp_server_ip>:initramfs.bin
bootm
```
- Once boot completed and you get the openwrt shell execute below commands:
```
cd /tmp && wget <your_web_server_ip>/factory.ubi`
export rootfs=$(cat /proc/mtd | grep rootfs | cut -d: -f1)
export rootfs_1=$(cat /proc/mtd | grep rootfs_1 | cut -d: -f1)
ubiformat /dev/${rootfs} -y -f factory.ubi
ubiformat /dev/${rootfs_1} -y -f factory.ubi
reboot
```
2. u-boot nand-factory.bin image method
- Put openwrt-*-squashfs-nand-factory.bin to your TFTP server and enter u-boot cli and exec these commands:
```
tftpboot <your_tftp_server_ip>:factory.bin
#After downloading is finished:
imxtract 0x44000000 ubi
flash rootfs
flash rootfs_1
reset
```
Signed-off-by: Shubham Vishwakarma <shubhamvis98@fossfrog.in>
