[dragonfly.git] / sys / netproto / 802_11 / wlan_acl / ieee80211_acl.c

/*-
 * Copyright (c) 2004-2008 Sam Leffler, Errno Consulting
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *
 * $FreeBSD: head/sys/net80211/ieee80211_acl.c 186302 2008-12-18 23:00:09Z sam $
 * $DragonFly$
 */

/*
 * IEEE 802.11 MAC ACL support.
 *
 * When this module is loaded the sender address of each auth mgt
 * frame is passed to the iac_check method and the module indicates
 * if the frame should be accepted or rejected.  If the policy is
 * set to ACL_POLICY_OPEN then all frames are accepted w/o checking
 * the address.  Otherwise, the address is looked up in the database
 * and if found the frame is either accepted (ACL_POLICY_ALLOW)
 * or rejected (ACL_POLICY_DENT).
 */
#include "opt_wlan.h"

#include <sys/param.h>
#include <sys/kernel.h>
#include <sys/systm.h> 
#include <sys/mbuf.h>   
#include <sys/module.h>
#include <sys/queue.h>

#include <sys/socket.h>

#include <net/if.h>
#include <net/if_media.h>
#include <net/ethernet.h>
#include <net/route.h>

#include <netproto/802_11/ieee80211_var.h>

enum {
	ACL_POLICY_OPEN		= 0,	/* open, don't check ACL's */
	ACL_POLICY_ALLOW	= 1,	/* allow traffic from MAC */
	ACL_POLICY_DENY		= 2,	/* deny traffic from MAC */
	/*
	 * NB: ACL_POLICY_RADIUS must be the same value as
	 *     IEEE80211_MACCMD_POLICY_RADIUS because of the way
	 *     acl_getpolicy() works.
	 */
	ACL_POLICY_RADIUS	= 7,	/* defer to RADIUS ACL server */
};

#define	ACL_HASHSIZE	32

struct acl {
	TAILQ_ENTRY(acl)	acl_list;
	LIST_ENTRY(acl)		acl_hash;
	uint8_t			acl_macaddr[IEEE80211_ADDR_LEN];
};
struct aclstate {
	int			as_policy;
	int			as_nacls;
	TAILQ_HEAD(, acl)	as_list;	/* list of all ACL's */
	LIST_HEAD(, acl)	as_hash[ACL_HASHSIZE];
	struct ieee80211vap	*as_vap;
};

/* simple hash is enough for variation of macaddr */
#define	ACL_HASH(addr)	\
	(((const uint8_t *)(addr))[IEEE80211_ADDR_LEN - 1] % ACL_HASHSIZE)

MALLOC_DEFINE(M_80211_ACL, "acl", "802.11 station acl");

static	int acl_free_all(struct ieee80211vap *);

/* number of references from net80211 layer */
static	int nrefs = 0;

static int
acl_attach(struct ieee80211vap *vap)
{
	struct aclstate *as;

	as = (struct aclstate *) kmalloc(sizeof(struct aclstate),
		M_80211_ACL, M_INTWAIT | M_ZERO);
	if (as == NULL)
		return 0;
	TAILQ_INIT(&as->as_list);
	as->as_policy = ACL_POLICY_OPEN;
	as->as_vap = vap;
	vap->iv_as = as;
	nrefs++;			/* NB: we assume caller locking */
	return 1;
}

static void
acl_detach(struct ieee80211vap *vap)
{
	struct aclstate *as = vap->iv_as;

	KASSERT(nrefs > 0, ("imbalanced attach/detach"));
	nrefs--;			/* NB: we assume caller locking */

	acl_free_all(vap);
	vap->iv_as = NULL;
	kfree(as, M_80211_ACL);
}

static __inline struct acl *
_find_acl(struct aclstate *as, const uint8_t *macaddr)
{
	struct acl *acl;
	int hash;

	hash = ACL_HASH(macaddr);
	LIST_FOREACH(acl, &as->as_hash[hash], acl_hash) {
		if (IEEE80211_ADDR_EQ(acl->acl_macaddr, macaddr))
			return acl;
	}
	return NULL;
}

static void
_acl_free(struct aclstate *as, struct acl *acl)
{

	TAILQ_REMOVE(&as->as_list, acl, acl_list);
	LIST_REMOVE(acl, acl_hash);
	kfree(acl, M_80211_ACL);
	as->as_nacls--;
}

static int
acl_check(struct ieee80211vap *vap, const uint8_t mac[IEEE80211_ADDR_LEN])
{
	struct aclstate *as = vap->iv_as;

	switch (as->as_policy) {
	case ACL_POLICY_OPEN:
	case ACL_POLICY_RADIUS:
		return 1;
	case ACL_POLICY_ALLOW:
		return _find_acl(as, mac) != NULL;
	case ACL_POLICY_DENY:
		return _find_acl(as, mac) == NULL;
	}
	return 0;		/* should not happen */
}

static int
acl_add(struct ieee80211vap *vap, const uint8_t mac[IEEE80211_ADDR_LEN])
{
	struct aclstate *as = vap->iv_as;
	struct acl *acl, *new;
	int hash;

	new = (struct acl *) kmalloc(sizeof(struct acl), M_80211_ACL, M_INTWAIT | M_ZERO);
	if (new == NULL) {
		IEEE80211_DPRINTF(vap, IEEE80211_MSG_ACL,
			"ACL: add %6D failed, no memory\n", mac, ":");
		/* XXX statistic */
		return ENOMEM;
	}

	hash = ACL_HASH(mac);
	LIST_FOREACH(acl, &as->as_hash[hash], acl_hash) {
		if (IEEE80211_ADDR_EQ(acl->acl_macaddr, mac)) {
			kfree(new, M_80211_ACL);
			IEEE80211_DPRINTF(vap, IEEE80211_MSG_ACL,
				"ACL: add %6D failed, already present\n",
				mac, ":");
			return EEXIST;
		}
	}
	IEEE80211_ADDR_COPY(new->acl_macaddr, mac);
	TAILQ_INSERT_TAIL(&as->as_list, new, acl_list);
	LIST_INSERT_HEAD(&as->as_hash[hash], new, acl_hash);
	as->as_nacls++;

	IEEE80211_DPRINTF(vap, IEEE80211_MSG_ACL,
		"ACL: add %6D\n", mac, ":");
	return 0;
}

static int
acl_remove(struct ieee80211vap *vap, const uint8_t mac[IEEE80211_ADDR_LEN])
{
	struct aclstate *as = vap->iv_as;
	struct acl *acl;

	acl = _find_acl(as, mac);
	if (acl != NULL)
		_acl_free(as, acl);

	IEEE80211_DPRINTF(vap, IEEE80211_MSG_ACL,
		"ACL: remove %6D%s\n", mac, ":",
		acl == NULL ? ", not present" : "");

	return (acl == NULL ? ENOENT : 0);
}

static int
acl_free_all(struct ieee80211vap *vap)
{
	struct aclstate *as = vap->iv_as;
	struct acl *acl;

	IEEE80211_DPRINTF(vap, IEEE80211_MSG_ACL, "ACL: %s\n", "free all");

	while ((acl = TAILQ_FIRST(&as->as_list)) != NULL)
		_acl_free(as, acl);

	return 0;
}

static int
acl_setpolicy(struct ieee80211vap *vap, int policy)
{
	struct aclstate *as = vap->iv_as;

	IEEE80211_DPRINTF(vap, IEEE80211_MSG_ACL,
		"ACL: set policy to %u\n", policy);

	switch (policy) {
	case IEEE80211_MACCMD_POLICY_OPEN:
		as->as_policy = ACL_POLICY_OPEN;
		break;
	case IEEE80211_MACCMD_POLICY_ALLOW:
		as->as_policy = ACL_POLICY_ALLOW;
		break;
	case IEEE80211_MACCMD_POLICY_DENY:
		as->as_policy = ACL_POLICY_DENY;
		break;
	case IEEE80211_MACCMD_POLICY_RADIUS:
		as->as_policy = ACL_POLICY_RADIUS;
		break;
	default:
		return EINVAL;
	}
	return 0;
}

static int
acl_getpolicy(struct ieee80211vap *vap)
{
	struct aclstate *as = vap->iv_as;

	return as->as_policy;
}

static int
acl_setioctl(struct ieee80211vap *vap, struct ieee80211req *ireq)
{

	return EINVAL;
}

static int
acl_getioctl(struct ieee80211vap *vap, struct ieee80211req *ireq)
{
	struct aclstate *as = vap->iv_as;
	struct acl *acl;
	struct ieee80211req_maclist *ap;
	int error, space, i;

	switch (ireq->i_val) {
	case IEEE80211_MACCMD_POLICY:
		ireq->i_val = as->as_policy;
		return 0;
	case IEEE80211_MACCMD_LIST:
		space = as->as_nacls * IEEE80211_ADDR_LEN;
		if (ireq->i_len == 0) {
			ireq->i_len = space;	/* return required space */
			return 0;		/* NB: must not error */
		}
		ap = (struct ieee80211req_maclist *) kmalloc(space,
		    M_TEMP, M_INTWAIT);
		if (ap == NULL)
			return ENOMEM;
		i = 0;
		TAILQ_FOREACH(acl, &as->as_list, acl_list) {
			IEEE80211_ADDR_COPY(ap[i].ml_macaddr, acl->acl_macaddr);
			i++;
		}
		if (ireq->i_len >= space) {
			error = copyout(ap, ireq->i_data, space);
			ireq->i_len = space;
		} else
			error = copyout(ap, ireq->i_data, ireq->i_len);
		kfree(ap, M_TEMP);
		return error;
	}
	return EINVAL;
}

static const struct ieee80211_aclator mac = {
	.iac_name	= "mac",
	.iac_attach	= acl_attach,
	.iac_detach	= acl_detach,
	.iac_check	= acl_check,
	.iac_add	= acl_add,
	.iac_remove	= acl_remove,
	.iac_flush	= acl_free_all,
	.iac_setpolicy	= acl_setpolicy,
	.iac_getpolicy	= acl_getpolicy,
	.iac_setioctl	= acl_setioctl,
	.iac_getioctl	= acl_getioctl,
};
IEEE80211_ACL_MODULE(wlan_acl, mac, 1);
Commit	Line	Data
32176cfd RP	1	/*-
32176cfd RP	2	* Copyright (c) 2004-2008 Sam Leffler, Errno Consulting
841ab66c SZ	3	* All rights reserved.
	4	*
	5	* Redistribution and use in source and binary forms, with or without
	6	* modification, are permitted provided that the following conditions
	7	* are met:
	8	* 1. Redistributions of source code must retain the above copyright
	9	* notice, this list of conditions and the following disclaimer.
	10	* 2. Redistributions in binary form must reproduce the above copyright
	11	* notice, this list of conditions and the following disclaimer in the
	12	* documentation and/or other materials provided with the distribution.
841ab66c SZ	13	*
	14	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
	15	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
	16	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
	17	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
	18	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
	19	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
	20	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
	21	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
	22	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
	23	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
	24	*
32176cfd RP	25	* $FreeBSD: head/sys/net80211/ieee80211_acl.c 186302 2008-12-18 23:00:09Z sam $
32176cfd RP	26	* $DragonFly$
841ab66c SZ	27	*/
	28
	29	/*
	30	* IEEE 802.11 MAC ACL support.
	31	*
32176cfd	32	* When this module is loaded the sender address of each auth mgt
841ab66c SZ	33	* frame is passed to the iac_check method and the module indicates
	34	* if the frame should be accepted or rejected. If the policy is
	35	* set to ACL_POLICY_OPEN then all frames are accepted w/o checking
	36	* the address. Otherwise, the address is looked up in the database
	37	* and if found the frame is either accepted (ACL_POLICY_ALLOW)
	38	* or rejected (ACL_POLICY_DENT).
	39	*/
32176cfd RP	40	#include "opt_wlan.h"
32176cfd RP	41
841ab66c SZ	42	#include <sys/param.h>
	43	#include <sys/kernel.h>
	44	#include <sys/systm.h>
	45	#include <sys/mbuf.h>
	46	#include <sys/module.h>
	47	#include <sys/queue.h>
841ab66c SZ	48
	49	#include <sys/socket.h>
	50
	51	#include <net/if.h>
841ab66c SZ	52	#include <net/if_media.h>
	53	#include <net/ethernet.h>
	54	#include <net/route.h>
	55
	56	#include <netproto/802_11/ieee80211_var.h>
	57
	58	enum {
	59	ACL_POLICY_OPEN = 0, /* open, don't check ACL's */
	60	ACL_POLICY_ALLOW = 1, /* allow traffic from MAC */
	61	ACL_POLICY_DENY = 2, /* deny traffic from MAC */
32176cfd RP	62	/*
	63	* NB: ACL_POLICY_RADIUS must be the same value as
	64	* IEEE80211_MACCMD_POLICY_RADIUS because of the way
	65	* acl_getpolicy() works.
	66	*/
	67	ACL_POLICY_RADIUS = 7, /* defer to RADIUS ACL server */
841ab66c SZ	68	};
	69
	70	#define ACL_HASHSIZE 32
	71
	72	struct acl {
	73	TAILQ_ENTRY(acl) acl_list;
	74	LIST_ENTRY(acl) acl_hash;
	75	uint8_t acl_macaddr[IEEE80211_ADDR_LEN];
	76	};
	77	struct aclstate {
841ab66c SZ	78	int as_policy;
	79	int as_nacls;
	80	TAILQ_HEAD(, acl) as_list; /* list of all ACL's */
	81	LIST_HEAD(, acl) as_hash[ACL_HASHSIZE];
32176cfd	82	struct ieee80211vap *as_vap;
841ab66c SZ	83	};
	84
	85	/* simple hash is enough for variation of macaddr */
	86	#define ACL_HASH(addr) \
	87	(((const uint8_t *)(addr))[IEEE80211_ADDR_LEN - 1] % ACL_HASHSIZE)
	88
	89	MALLOC_DEFINE(M_80211_ACL, "acl", "802.11 station acl");
	90
32176cfd RP	91	static int acl_free_all(struct ieee80211vap *);
	92
	93	/* number of references from net80211 layer */
	94	static int nrefs = 0;
841ab66c SZ	95
841ab66c SZ	96	static int
32176cfd	97	acl_attach(struct ieee80211vap *vap)
841ab66c SZ	98	{
	99	struct aclstate *as;
	100
32176cfd	101	as = (struct aclstate *) kmalloc(sizeof(struct aclstate),
c567b546	102	M_80211_ACL, M_INTWAIT \| M_ZERO);
841ab66c SZ	103	if (as == NULL)
	104	return 0;
	105	TAILQ_INIT(&as->as_list);
	106	as->as_policy = ACL_POLICY_OPEN;
32176cfd RP	107	as->as_vap = vap;
	108	vap->iv_as = as;
	109	nrefs++; /* NB: we assume caller locking */
841ab66c SZ	110	return 1;
	111	}
	112
	113	static void
32176cfd	114	acl_detach(struct ieee80211vap *vap)
841ab66c	115	{
32176cfd RP	116	struct aclstate *as = vap->iv_as;
	117
	118	KASSERT(nrefs > 0, ("imbalanced attach/detach"));
	119	nrefs--; /* NB: we assume caller locking */
841ab66c	120
32176cfd RP	121	acl_free_all(vap);
32176cfd RP	122	vap->iv_as = NULL;
32176cfd	123	kfree(as, M_80211_ACL);
841ab66c SZ	124	}
	125
	126	static __inline struct acl *
	127	_find_acl(struct aclstate as, const uint8_t macaddr)
	128	{
	129	struct acl *acl;
	130	int hash;
	131
	132	hash = ACL_HASH(macaddr);
	133	LIST_FOREACH(acl, &as->as_hash[hash], acl_hash) {
	134	if (IEEE80211_ADDR_EQ(acl->acl_macaddr, macaddr))
	135	return acl;
	136	}
	137	return NULL;
	138	}
	139
	140	static void
	141	_acl_free(struct aclstate as, struct acl acl)
	142	{
841ab66c SZ	143
	144	TAILQ_REMOVE(&as->as_list, acl, acl_list);
	145	LIST_REMOVE(acl, acl_hash);
efda3bd0	146	kfree(acl, M_80211_ACL);
841ab66c SZ	147	as->as_nacls--;
	148	}
	149
	150	static int
32176cfd	151	acl_check(struct ieee80211vap *vap, const uint8_t mac[IEEE80211_ADDR_LEN])
841ab66c	152	{
32176cfd	153	struct aclstate *as = vap->iv_as;
841ab66c SZ	154
	155	switch (as->as_policy) {
	156	case ACL_POLICY_OPEN:
32176cfd	157	case ACL_POLICY_RADIUS:
841ab66c SZ	158	return 1;
	159	case ACL_POLICY_ALLOW:
	160	return _find_acl(as, mac) != NULL;
	161	case ACL_POLICY_DENY:
	162	return _find_acl(as, mac) == NULL;
	163	}
	164	return 0; /* should not happen */
	165	}
	166
	167	static int
32176cfd	168	acl_add(struct ieee80211vap *vap, const uint8_t mac[IEEE80211_ADDR_LEN])
841ab66c	169	{
32176cfd	170	struct aclstate *as = vap->iv_as;
841ab66c SZ	171	struct acl acl, new;
	172	int hash;
	173
c567b546	174	new = (struct acl *) kmalloc(sizeof(struct acl), M_80211_ACL, M_INTWAIT \| M_ZERO);
841ab66c	175	if (new == NULL) {
32176cfd	176	IEEE80211_DPRINTF(vap, IEEE80211_MSG_ACL,
91f6867b	177	"ACL: add %6D failed, no memory\n", mac, ":");
841ab66c SZ	178	/* XXX statistic */
	179	return ENOMEM;
	180	}
	181
	182	hash = ACL_HASH(mac);
	183	LIST_FOREACH(acl, &as->as_hash[hash], acl_hash) {
	184	if (IEEE80211_ADDR_EQ(acl->acl_macaddr, mac)) {
32176cfd RP	185	kfree(new, M_80211_ACL);
32176cfd RP	186	IEEE80211_DPRINTF(vap, IEEE80211_MSG_ACL,
841ab66c SZ	187	"ACL: add %6D failed, already present\n",
	188	mac, ":");
	189	return EEXIST;
	190	}
	191	}
	192	IEEE80211_ADDR_COPY(new->acl_macaddr, mac);
	193	TAILQ_INSERT_TAIL(&as->as_list, new, acl_list);
	194	LIST_INSERT_HEAD(&as->as_hash[hash], new, acl_hash);
	195	as->as_nacls++;
	196
32176cfd	197	IEEE80211_DPRINTF(vap, IEEE80211_MSG_ACL,
91f6867b	198	"ACL: add %6D\n", mac, ":");
841ab66c SZ	199	return 0;
	200	}
	201
	202	static int
32176cfd	203	acl_remove(struct ieee80211vap *vap, const uint8_t mac[IEEE80211_ADDR_LEN])
841ab66c	204	{
32176cfd	205	struct aclstate *as = vap->iv_as;
841ab66c SZ	206	struct acl *acl;
841ab66c SZ	207
841ab66c SZ	208	acl = _find_acl(as, mac);
	209	if (acl != NULL)
	210	_acl_free(as, acl);
	211
32176cfd	212	IEEE80211_DPRINTF(vap, IEEE80211_MSG_ACL,
91f6867b	213	"ACL: remove %6D%s\n", mac, ":",
841ab66c SZ	214	acl == NULL ? ", not present" : "");
	215
	216	return (acl == NULL ? ENOENT : 0);
	217	}
	218
	219	static int
32176cfd	220	acl_free_all(struct ieee80211vap *vap)
841ab66c	221	{
32176cfd	222	struct aclstate *as = vap->iv_as;
841ab66c SZ	223	struct acl *acl;
841ab66c SZ	224
32176cfd	225	IEEE80211_DPRINTF(vap, IEEE80211_MSG_ACL, "ACL: %s\n", "free all");
841ab66c SZ	226
	227	while ((acl = TAILQ_FIRST(&as->as_list)) != NULL)
	228	_acl_free(as, acl);
	229
	230	return 0;
	231	}
	232
	233	static int
32176cfd	234	acl_setpolicy(struct ieee80211vap *vap, int policy)
841ab66c	235	{
32176cfd	236	struct aclstate *as = vap->iv_as;
841ab66c	237
32176cfd	238	IEEE80211_DPRINTF(vap, IEEE80211_MSG_ACL,
841ab66c SZ	239	"ACL: set policy to %u\n", policy);
	240
	241	switch (policy) {
	242	case IEEE80211_MACCMD_POLICY_OPEN:
	243	as->as_policy = ACL_POLICY_OPEN;
	244	break;
	245	case IEEE80211_MACCMD_POLICY_ALLOW:
	246	as->as_policy = ACL_POLICY_ALLOW;
	247	break;
	248	case IEEE80211_MACCMD_POLICY_DENY:
	249	as->as_policy = ACL_POLICY_DENY;
	250	break;
32176cfd RP	251	case IEEE80211_MACCMD_POLICY_RADIUS:
	252	as->as_policy = ACL_POLICY_RADIUS;
	253	break;
841ab66c SZ	254	default:
	255	return EINVAL;
	256	}
	257	return 0;
	258	}
	259
	260	static int
32176cfd	261	acl_getpolicy(struct ieee80211vap *vap)
841ab66c	262	{
32176cfd RP	263	struct aclstate *as = vap->iv_as;
	264
	265	return as->as_policy;
841ab66c SZ	266	}
	267
	268	static int
32176cfd	269	acl_setioctl(struct ieee80211vap vap, struct ieee80211req ireq)
841ab66c	270	{
32176cfd	271
841ab66c SZ	272	return EINVAL;
	273	}
	274
	275	static int
32176cfd	276	acl_getioctl(struct ieee80211vap vap, struct ieee80211req ireq)
841ab66c	277	{
32176cfd	278	struct aclstate *as = vap->iv_as;
841ab66c SZ	279	struct acl *acl;
	280	struct ieee80211req_maclist *ap;
	281	int error, space, i;
	282
841ab66c SZ	283	switch (ireq->i_val) {
	284	case IEEE80211_MACCMD_POLICY:
	285	ireq->i_val = as->as_policy;
	286	return 0;
	287	case IEEE80211_MACCMD_LIST:
	288	space = as->as_nacls * IEEE80211_ADDR_LEN;
	289	if (ireq->i_len == 0) {
	290	ireq->i_len = space; /* return required space */
	291	return 0; /* NB: must not error */
	292	}
32176cfd	293	ap = (struct ieee80211req_maclist *) kmalloc(space,
c567b546	294	M_TEMP, M_INTWAIT);
841ab66c SZ	295	if (ap == NULL)
	296	return ENOMEM;
	297	i = 0;
	298	TAILQ_FOREACH(acl, &as->as_list, acl_list) {
	299	IEEE80211_ADDR_COPY(ap[i].ml_macaddr, acl->acl_macaddr);
	300	i++;
	301	}
	302	if (ireq->i_len >= space) {
	303	error = copyout(ap, ireq->i_data, space);
	304	ireq->i_len = space;
	305	} else
	306	error = copyout(ap, ireq->i_data, ireq->i_len);
efda3bd0	307	kfree(ap, M_TEMP);
841ab66c SZ	308	return error;
	309	}
	310	return EINVAL;
	311	}
	312
	313	static const struct ieee80211_aclator mac = {
	314	.iac_name = "mac",
	315	.iac_attach = acl_attach,
	316	.iac_detach = acl_detach,
	317	.iac_check = acl_check,
	318	.iac_add = acl_add,
	319	.iac_remove = acl_remove,
	320	.iac_flush = acl_free_all,
	321	.iac_setpolicy = acl_setpolicy,
	322	.iac_getpolicy = acl_getpolicy,
	323	.iac_setioctl = acl_setioctl,
	324	.iac_getioctl = acl_getioctl,
	325	};
32176cfd	326	IEEE80211_ACL_MODULE(wlan_acl, mac, 1);