Integrating hostap and iptables

Jouni Malinen j
Mon May 7 20:40:46 PDT 2007


On Mon, May 07, 2007 at 01:11:26PM -0400, John A. Sullivan III wrote:

> We would like to have the device running the hostapd authenticator
> dynamically alter iptables rules on itself based upon information
> returned by RADIUS about the client.  I am brand new to hostap and
> RADIUS but, upon perusing the hostapd.conf file and any documentation I
> could find, I did not see a way of running a pre or post authentication
> script on the authenticator device.  Is there a way to do so?

Not currently without modifying source code.

> Our goal is to create a prototype switch using hostapd, iptables and the
> ISCS network security management project (http://iscs.sourceforge.net).

As far as setting up iptables rules is concerned, that could be done by
adding code to hostapd to do the needed operations directly (e.g., with
libiptables). In general, I do not like the idea of calling external
programs from the hostapd process itself since that would block all
hostapd processing (it uses single threaded design).

If you want to run external scripts or do any operations that may take
more than very short period of time, I would suggest using a
notification to an external program for authentication events from
hostapd and then doing whatever is needed in the external program (e.g.,
running a script). This model is already being used in wpa_supplicant
which supports external "monitor" programs that receive event
notifications from wpa_supplicant. As an example, wpa_cli can then be
used to run a script whenever authentication is completed.

hostapd has support for external programs (e.g., hostapd_cli), but it
does not yet really send out notifications in the same way as
wpa_supplicant even though it has code available for attaching external
monitors. The main missing component is in adding the wpa_msg() handle
(wpa_msg_register_cb) into hostapd and then add wpa_msg() calls to the
places in code that are doing operations which could be of interest to
external programs.

Extending the hostapd_cli and ctrl_iface is on my to-do list and I would
recommend that as the direction for the things you may want to do with
hostapd.

-- 
Jouni Malinen                                            PGP id EFC895FA




More information about the Hostap mailing list