Merge pull request #263138 from tomfitzhenry/hostapd-optional-managementframeprotection

nixos/hostapd: remove managementFrameProtection in favour of clearer default
author: Michele Guerini Rocco <rnhmjoj@users.noreply.github.com> 2023-11-06 11:17:07 +0100
committer: GitHub <noreply@github.com> 2023-11-06 11:17:07 +0100
commit: 8beca974f9838ff727c949d373ea9e77f4a1ba79 (patch)
tree: b9b3650b9b0ab3e49ef3c9ee8d0f2e9f557a36d3 /nixos/modules/services
parent: ba774d337e70aa2f961e1d1545faa4981f9416aa (diff)
parent: 9e7c877de75835018551bbd3029ac4d83f3e31cc (diff)
1 files changed, 2 insertions, 28 deletions
diff --git a/nixos/modules/services/networking/hostapd.nix b/nixos/modules/services/networking/hostapd.nix
index ffb154463053..5bd8e1d4d7a0 100644
--- a/nixos/modules/services/networking/hostapd.nix
+++ b/nixos/modules/services/networking/hostapd.nix
@@ -899,25 +899,6 @@ in {
                       '';
                     };
                   };
-
-                  managementFrameProtection = mkOption {
-                    default = "required";
-                    type = types.enum ["disabled" "optional" "required"];
-                    apply = x:
-                      getAttr x {
-                        "disabled" = 0;
-                        "optional" = 1;
-                        "required" = 2;
-                      };
-                    description = mdDoc ''
-                      Management frame protection (MFP) authenticates management frames
-                      to prevent deauthentication (or related) attacks.
-
-                      - {var}`"disabled"`: No management frame protection
-                      - {var}`"optional"`: Use MFP if a connection allows it
-                      - {var}`"required"`: Force MFP for all clients
-                    '';
-                  };
                 };
 
                 config = let
@@ -943,7 +924,8 @@ in {
 
                     # IEEE 802.11i (authentication) related configuration
                     # Encrypt management frames to protect against deauthentication and similar attacks
-                    ieee80211w = bssCfg.managementFrameProtection;
+                    ieee80211w = mkDefault 1;
+                    sae_require_mfp = mkDefault 1;
 
                     # Only allow WPA by default and disable insecure WEP
                     auth_algs = mkDefault 1;
@@ -1185,14 +1167,6 @@ in {
                   message = ''hostapd radio ${radio} bss ${bss}: bssid must be specified manually (for now) since this radio uses multiple BSS.'';
                 }
                 {
-                  assertion = auth.mode == "wpa3-sae" -> bssCfg.managementFrameProtection == 2;
-                  message = ''hostapd radio ${radio} bss ${bss}: uses WPA3-SAE which requires managementFrameProtection="required"'';
-                }
-                {
-                  assertion = auth.mode == "wpa3-sae-transition" -> bssCfg.managementFrameProtection != 0;
-                  message = ''hostapd radio ${radio} bss ${bss}: uses WPA3-SAE in transition mode with WPA2-SHA256, which requires managementFrameProtection="optional" or ="required"'';
-                }
-                {
                   assertion = countWpaPasswordDefinitions <= 1;
                   message = ''hostapd radio ${radio} bss ${bss}: must use at most one WPA password option (wpaPassword, wpaPasswordFile, wpaPskFile)'';
                 }
author	Michele Guerini Rocco <rnhmjoj@users.noreply.github.com>	2023-11-06 11:17:07 +0100
committer	GitHub <noreply@github.com>	2023-11-06 11:17:07 +0100
commit	8beca974f9838ff727c949d373ea9e77f4a1ba79 (patch)
tree	b9b3650b9b0ab3e49ef3c9ee8d0f2e9f557a36d3 /nixos/modules/services
parent	ba774d337e70aa2f961e1d1545faa4981f9416aa (diff)
parent	9e7c877de75835018551bbd3029ac4d83f3e31cc (diff)