Revert "Borrow hostapd.conf.5 man page from OpenBSD"

OpenBSD's hostapd is completely different codebase... https://en.wikipedia.org/wiki/Hostapd This reverts commit 5630ca5ea8.
2020-12-16 14:55:55 -05:00 · 2020-12-16 14:55:55 -05:00 · 6da5b3f4d5
commit 6da5b3f4d5
parent 5630ca5ea8
2 changed files with 4 additions and 842 deletions
--- a/hostapd.conf.5
+++ b/hostapd.conf.5
@ -1,831 +0,0 @@
 .\" $OpenBSD: hostapd.conf.5,v 1.48 2020/04/23 21:10:53 jmc Exp $
 .\"
 .\" Copyright (c) 2004, 2005, 2006 Reyk Floeter <reyk@openbsd.org>
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
 .\" copyright notice and this permission notice appear in all copies.
 .\"
 .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
 .Dd $Mdocdate: April 23 2020 $
 .Dt HOSTAPD.CONF 5
 .Os
 .Sh NAME
 .Nm hostapd.conf
 .Nd configuration file for the Host Access Point daemon
 .Sh DESCRIPTION
 .Nm
 is the configuration file for the
 .Xr hostapd 8
 daemon.
 .Pp
 The
 .Nm
 file is divided into the following main sections:
 .Bl -tag -width xxxx
 .It Sy Macros
 User-defined variables may be defined and used later, simplifying the
 configuration file.
 .It Sy Tables
 Tables provide a mechanism to handle a large number of link layer
 addresses easily, with increased performance and flexibility.
 .It Sy Global Configuration
 Global runtime settings for
 .Xr hostapd 8 .
 .It Sy Event Rules
 Event rules provide a powerful mechanism to trigger certain actions
 when receiving specified IEEE 802.11 frames.
 .It Sy IP Roaming
 The concepts and details about the optional IP based roaming in
 .Xr hostapd 8 .
 .El
 .Pp
 The current line can be extended over multiple lines using a backslash
 .Pq Sq \e .
 Comments can be put anywhere in the file using a hash mark
 .Pq Sq # ,
 and extend to the end of the current line.
 Care should be taken when commenting out multi-line text:
 the comment is effective until the end of the entire block.
 .Pp
 Argument names not beginning with a letter, digit, or underscore
 must be quoted.
 .Pp
 Additional configuration files can be included with the
 .Ic include
 keyword, for example:
 .Bd -literal -offset indent
 include "/etc/hostapd.conf.local"
 .Ed
 .Sh MACROS
 Macros can be defined that will later be expanded in context.
 Macro names must start with a letter, digit, or underscore,
 and may contain any of those characters.
 Macro names may not be reserved words (for example,
 .Ic set ,
 .Ic interface ,
 or
 .Ic hostap ) .
 Macros are not expanded inside quotes.
 .Pp
 For example:
 .Bd -literal -offset indent
 wlan="ath0"
 set iapp handle subtype { ! add notify, radiotap }
 set iapp interface $wlan
 .Ed
 .Sh TABLES
 Tables are named structures which can hold a collection of link layer
 addresses, masked address ranges, and link layer to IP address
 assignments.
 Lookups against tables in
 .Xr hostapd 8
 are relatively fast, making a single rule with tables much more
 efficient, in terms of processor usage and memory consumption, than a
 large number of rules which differ only in link layer addresses.
 .Pp
 Tables are used for
 .Xr hostapd 8
 .Em event rules
 to match specified IEEE 802.11 link layer addresses and address ranges,
 and the capability to assign link layer to IP addresses and an option netmask
 is a requirement for advanced IAPP functionality.
 .Pp
 Table options may be presented after the table name declaration.
 The following options are supported:
 .Bl -tag -width const
 .It Ic const
 The table is constant and cannot be later changed from its original
 definition.
 .El
 .Pp
 For example:
 .Bd -literal -offset indent
 cisco="00:40:06:ff:ff:ff & ff:ff:ff:00:00:00"
 table <black> { $cisco, 00:0d:60:ff:f1:2a }
 table <myess> const {
 	00:00:24:c3:40:18 -> 10.195.64.24,
 	00:00:24:c3:40:19 -> 10.195.64.25,
 	00:00:24:c3:40:1a -> 10.195.64.26
 }
 table <myclient> const {
 	00:05:4e:45:d4:b9 -> 172.23.5.1/30
 }
 .Ed
 .Sh GLOBAL CONFIGURATION
 The following configuration settings are understood:
 .Bl -tag -width Ds
 .It Xo
 .Ic set hostap interface
 .Ar interface |
 .Brq Ar interface0 , interface1 , ...
 .Xc
 Specify the wireless interface running in Host AP mode.
 This option could be omitted to use
 .Xr hostapd 8
 to log received IAPP messages.
 Multiple hostap interfaces may be specified
 as a comma-separated list,
 surrounded by curly braces.
 .It Ic set hostap mode Ar mode
 Specify the Host AP capture mode.
 The supported modes are:
 .Pp
 .Bl -tag -width radiotap -offset indent -compact
 .It Ic radiotap
 Capture IEEE 802.11 frames with additional radiotap headers.
 They will provide optional but useful information like received frame
 signal levels.
 .It Ic pcap
 Capture plain IEEE 802.11 frames.
 .El
 .It Xo
 .Ic set hostap hopper interface
 .Ar interface |
 .Brq Ar interface0 , interface1 , ...
 .Xc
 Enable a channel hopper on the selected wireless interface.
 Multiple hostap interfaces may be specified as a comma-separated list,
 surrounded by curly braces.
 .It Ic set hostap hopper delay Ar number
 Set the delay in milliseconds for the channel hopper before hopping to
 the next available channel.
 The default value is 800 milliseconds.
 .It Ic set iapp interface Ar interface
 Specify the mandatory Inter-Access-Point (IAPP) interface.
 It is important that the IAPP interface is on a trusted
 network because there is no authentication and an attacker could force
 disassociation of selected stations on all listening access points.
 .It Xo
 .Ic set iapp
 .Op Ic address | route
 .Ic roaming table
 .Pf < Ar table Ns >
 .Xc
 Specify a table used for
 .Em IP Roaming
 lookups of link layer address to IP address or subnet assignments.
 .It Xo
 .Ic set iapp handle subtype
 .Ar subtype |
 .Brq Ar subtype0 , subtype1 , ...
 .Xc
 Specify the IAPP subtypes to use:
 .Pp
 .Bl -tag -width broadcast -offset indent -compact
 .It Xo
 .Op Ic not
 .Ic add notify
 .Xc
 Send and receive
 .Em ADD.notify
 messages.
 This option is enabled by default.
 .It Xo
 .Op Ic not
 .Ic radiotap
 .Xc
 Receive
 .Em radiotap
 messages.
 This option is enabled by default.
 .It Xo
 .Op Ic not
 .Op Ic address |\ route
 .Ic roaming
 .Xc
 Enable dynamic roaming of IP addresses or routes.
 These options are disabled by default.
 .El
 .It Ic set iapp mode Ar mode
 Specify the IAPP mode.
 The supported modes are:
 .Pp
 .Bl -tag -width broadcast -offset indent -compact
 .It Xo
 .Ic multicast
 .Op Ic address Ar ipv4addr
 .Op Ic port Ar number
 .Op Ic ttl Ar number
 .Xc
 Use
 .Xr multicast 4
 frames.
 A multicast time-to-live (TTL) of 2 or higher is required to allow
 multicast forwarding, for example for use with
 .Xr mrouted 8 .
 .It Xo
 .Ic broadcast
 .Op Ic port Ar number
 .Xc
 Use broadcast frames.
 .El
 .Pp
 The default is multicast using the multicast address 224.0.1.178 and
 port 3517 with a TTL limited to 1 hop.
 Some access point vendors still use broadcast with the pre-standard
 IAPP port 2313.
 .El
 .Sh EVENT RULES
 Event rules provide a powerful way to trigger a certain action when
 receiving specified IEEE 802.11 frames on the
 .Em hostap interface .
 The rules are handled in sequential order, from first to last.
 Rules are handled without a state:
 each rule is processed independently from the others and from
 any previous actions.
 This behaviour is somewhat different to that of packet filter rules
 specified in
 .Xr pf.conf 5 .
 .Pp
 All
 .Xr hostapd 8
 event rules are single line statements beginning with
 the mandatory
 .Ic hostap handle
 keywords and optional rule options, interface, frame matching,
 a specified action, a limit, and a minimal rate:
 .Bd -filled -offset indent
 .Ic hostap handle
 .Op Ar option
 .Op Ar interface
 .Op Ar frame
 .Op Ar action
 .Op Ar limit
 .Op Ar rate
 .Ed
 .Pp
 Some rule statements support the optional keyword
 .Ic not ,
 also represented by the
 .Ic !\&
 operator,
 for inverse matching.
 .Pp
 The optional parts are defined below.
 .Ss Rule Option
 The rule
 .Ar option
 will modify the behaviour of handling the statement.
 There are two possible options,
 .Ic quick
 and
 .Ic skip .
 If either the keyword
 .Ic quick
 or the keyword
 .Ic skip
 is specified, no further event rules will be handled for this frame
 after processing this rule successfully.
 The keyword
 .Ic skip
 additionally skips any further IAPP processing of the frame,
 which is normally done after handling the event rules.
 .Ss Rule Interface
 The rule
 .Ar interface
 specifies the hostap interface the rule is matched on.
 The available interface list is specified by the global
 .Ic set hostap interface
 configuration setting.
 .Bd -filled -offset indent
 .Ic on
 .Op Ic not
 .Ar interface
 .Ed
 .Pp
 If not given,
 the event rule is matched on all available hostap interfaces.
 .Ss Rule Frame
 The
 .Ar frame
 description specifies a mechanism to match IEEE 802.11 frames.
 .Bl -tag -width Ds
 .It Ic any
 Match all frames.
 .It Xo
 .Ic frame
 .Op Ar type
 .Op Ar dir
 .Op Ar from
 .Op Ar to
 .Op Ar bssid
 .Op Ar radiotap
 .Xc
 Apply rules to frames matching the given parameters.
 The parameters are explained below.
 .Pp
 The
 .Ar type
 parameter specifies the frame type to match on.
 The frame type may be specified in the following ways:
 .Bl -tag -width Ds
 .It Ic type any
 Match all frame types.
 .It Xo
 .Ic type
 .Op Ic not
 .Ic data
 .Xc
 Match data frames.
 Presence of the
 .Ic not
 keyword negates the match and will match all non-data frames.
 .It Xo
 .Ic type
 .Op Ic not
 .Ic management
 .Oo Op Ic not
 .Ar subtype Oc
 .Xc
 Match management frames.
 The
 .Ar subtype
 argument may be specified to optionally match management frames of the
 given subtype.
 The subtype match may be negated by specifying the
 .Ic not
 keyword.
 See the
 .Sx Management Frame Subtypes
 section below for available subtypes specifications.
 .El
 .Pp
 The
 .Ar dir
 parameter specifies the direction the frame is being sent.
 The direction may be specified in the following ways:
 .Bl -tag -width Ds
 .It Ic dir any
 Match all directions.
 .It Ic dir Ar framedir
 Match frames with the given direction
 .Ar framedir .
 See the
 .Sx Frame Directions
 section below for available direction specifications.
 .El
 .Pp
 The
 .Ar radiotap
 rules allow parsing and matching of the extra information reported by
 the radiotap header.
 Support for the specified radiotap headers is optional and the
 specific parameters depend on the radiotap elements reported
 by the wireless interface.
 Support for the radiotap data link type can be verified with the
 .Xr tcpdump 8
 command.
 These rules require
 .Ic hostap mode radiotap
 in the global configuration.
 .Bl -tag -width Ds
 .It Xo
 .Ic signal
 .Op Ic operator
 .Ar percentage Ic %
 .Xc
 Match the signal quality of the received frame.
 .It Xo
 .Ic freq
 .Op Ic operator
 .Ar value Ic ( GHz | MHz )
 .Xc
 Match the transmit rate of the received frame.
 .It Xo
 .Ic txrate
 .Op Ic operator
 .Ar rate Ic Mb
 .Xc
 Match the frequency of the received frame,
 in Mbps.
 .El
 .Pp
 The radiotap rules support the following operators.
 If omitted, the specified value will be checked if it is equal or not.
 .Bd -literal -offset indent
 =	(equal)
 !=	(not equal)
 <	(less than)
 <=	(less than or equal)
 >	(greater than)
 >=	(greater than or equal)
 .Ed
 .Pp
 The
 .Ar from , to ,
 and
 .Ar bssid
 parameters specify the IEEE 802.11 address fields to match on.
 They can be specified in the following ways:
 .Bl -tag -width Ds
 .It Xo
 .Ic ( from | to | bssid ) Ic any
 .Xc
 Allow all addresses for the specified address field.
 .It Xo
 .Ic ( from | to | bssid )
 .Op Ic not
 .Pf < Ar table Ns >
 .Xc
 Allow allow addresses from the given
 .Ar table
 (see
 .Sx Tables
 above)
 for the specified address field.
 .It Xo
 .Ic ( from | to | bssid )
 .Op Ic not
 .Ar lladdr
 .Xc
 Allow the given address
 .Ar lladdr
 for the specified address field.
 .El
 .El
 .Ss Rule Action
 An optional
 .Ar action
 is triggered if a received IEEE 802.11 frame matches the frame
 description.
 The following actions are supported:
 .Bl -tag -width Ds
 .It Xo
 .Ic with frame Ar type
 .Op Ar dir
 .Ar from to bssid
 .Xc
 Send an arbitrary constructed frame to the wireless network.
 The arguments are as follows.
 .Pp
 The
 .Ar type
 describes the IEEE 802.11 frame type to send, specified in the
 frame control header.
 The following frames types are supported at present:
 .Bl -tag -width Ds
 .It Ic type data
 Send a data frame.
 This is normally used to encapsulate ordinary IEEE 802.3
 frames into IEEE 802.11 wireless frames.
 .It Ic type management Ar subtype
 Send a management frame with the specified subtype.
 Management frames are used to control states and to find access points
 and IBSS nodes in IEEE 802.11 networks.
 See the
 .Sx Management Frame Subtypes
 section below for available subtypes specifications.
 .El
 .Pp
 The
 .Ar dir
 describes the direction the IEEE 802.11 frame will be sent.
 It has the following syntax:
 .Bd -filled -offset indent
 .Ic dir Ar framedir
 .Ed
 .Pp
 See the
 .Sx Frame Directions
 section below for available direction specifications.
 .Pp
 The
 .Ar from , to ,
 and
 .Ar bssid
 arguments specify the link layer address fields used in IEEE 802.11
 frames.
 All address fields are mandatory in the frame action.
 The optional fourth address field used by wireless distribution
 systems (WDS) is currently not supported.
 Each argument is specified by a keyword of the same name
 .Po
 .Ic from , to ,
 or
 .Ic bssid
 .Pc
 followed by one of the following address specifications:
 .Bl -tag -width "&refaddr"
 .It Ar lladdr
 Specify the link layer addresses used in the IEEE 802.11 frame address
 field.
 The link layer address
 .Ql ff:ff:ff:ff:ff:ff
 is the IEEE 802.11 broadcast address.
 .It Li & Ns Ar refaddr
 Fill in a link layer address from the previously matched IEEE 802.11
 frame.
 .Ic &from
 will use the source link layer address;
 .Ic &to
 the destination link layer address; and
 .Ic &bssid
 the BSSID link layer address of the previously matched frame.
 .It Ic random
 Use a random link layer address in the specified IEEE 802.11 frame
 address field.
 Multicast and broadcast link layer addresses will be skipped.
 .El
 .It Ic with iapp type Ar iapp-type
 Send a
 .Xr hostapd 8
 specific IAPP frame with a raw IEEE 802.11 packet dump of the received
 frame to the wired network.
 The only supported
 .Ar iapp-type
 is
 .Ic radiotap .
 .It Ic with log Op Ic verbose
 Write informational messages to the local system log (see
 .Xr syslogd 8 )
 or standard error.
 If the
 .Sx Rule Rate
 has been specified,
 log will print the actual rate.
 .It Ic node add | delete Ar lladdr
 Add or remove the specified node from the internal kernel
 node table.
 .It Ic resend
 Resend the received IEEE 802.11 frame.
 .El
 .Ss Rule Limit
 It is possible to limit handling of specific rules with the
 .Ic limit
 keyword:
 .Bd -filled -offset indent
 .Ic limit
 .Ar number
 .Ic sec | usec
 .Ed
 .Pp
 In some cases it is absolutely necessary to use limited matching
 to protect
 .Xr hostapd 8
 against excessive flooding with IEEE 802.11 frames.
 For example, beacon frames will be normally received every 100 ms.
 .Ss Rule Rate
 It is possible to tell
 .Xr hostapd 8
 to trigger the action only after a specific
 .Ic rate
 of matched frames.
 .Bd -filled -offset indent
 .Ic rate
 .Ar number
 .Ar /
 .Ar number
 .Ic sec
 .Ed
 .Pp
 This will help to detect excessive flooding of IEEE 802.11 frames.
 For example, de-auth flooding is a denial of service (DoS) attack
 against IEEE 802.11 wireless networks.
 .Ss Management Frame Subtypes
 The
 .Ar subtype
 describes the IEEE 802.11 frame subtype, specified in
 the frame control header.
 The choice of subtypes depends on the used frame type.
 .Xr hostapd 8
 currently only supports management frame subtypes.
 Most frame subtypes require an additional subtype-specific header
 in the frame body, but currently only the
 .Ic deauth
 and
 .Ic disassoc
 reason codes are supported:
 .Bl -ohang -offset 3n
 .It Ic subtype beacon
 A beacon frame.
 Wireless access points and devices running in
 .Em ibss
 master or
 .Em hostap
 mode continuously send beacon frames to indicate their presence,
 traffic load, and capabilities.
 .It Ic subtype deauth Op Ar reason
 A deauthentication frame with an optional reason code.
 Deauthenticated stations will lose any IEEE 802.11 operational state.
 .It Ic subtype disassoc Op Ar reason
 A disassociation frame with an optional reason code.
 .It Ic subtype assoc request
 An association request frame.
 .It Ic subtype assoc response
 An association response frame.
 .It Ic subtype atim
 An announcement traffic indication message (ATIM frame).
 .It Xo
 .Ic subtype auth Op Ic open request | response
 .Xc
 An authentication frame.
 .It Ic subtype probe request
 A probe request frame.
 Probe requests are used to probe for access points and IBSS nodes.
 .It Ic subtype probe response
 A probe response frame.
 .It Ic subtype reassoc request
 A re-association request frame.
 .It Ic subtype reassoc response
 A re-association response frame.
 .El
 .Pp
 The
 .Ar reason
 defines a descriptive reason for the actual
 .Em deauthentication
 or
 .Em disassociation
 of a station:
 .Bl -ohang -offset 3n
 .It Ic reason assoc expire
 Disassociated due to inactivity.
 .It Ic reason assoc leave
 Disassociated because the sending station is leaving or has left the
 wireless network.
 .It Ic reason assoc toomany
 Disassociated because the access point has reached its limit of
 associated stations.
 .It Ic reason auth expire
 Previous authentication no longer valid.
 .It Ic reason auth leave
 Deauthenticated because the sending station is leaving or has left the
 wireless network.
 .It Ic reason ie invalid
 IEEE 802.11i extension.
 .It Ic reason mic failure
 IEEE 802.11i extension.
 .It Ic reason not authed
 Frame received from unauthenticated station.
 .It Ic reason assoc not authed
 Frame received from an associated but unauthenticated station.
 .It Ic reason not assoced
 Frame received from unassociated station.
 .It Ic reason rsn required
 IEEE 802.11i extension.
 .It Ic reason rsn inconsistent
 IEEE 802.11i extension.
 .It Ic reason unspecified
 Unspecified reason.
 .El
 .Ss Frame Directions
 The direction a frame is being transmitted
 .Pq Ar framedir
 can be specified in the following ways:
 .Bl -ohang -offset 3n
 .It Ic dir no ds
 No distribution system direction is used for management frames.
 .It Ic dir to ds
 A frame sent from a station to the distribution system, the access point.
 .It Ic dir from ds
 A frame from the distribution system, the access point, to a station.
 .It Ic dir ds to ds
 A frame direction used by wireless distribution systems (WDS) for
 wireless access point to access point communication.
 .El
 .Sh EVENT RULE EXAMPLES
 .Bd -literal
 # Log probe requests locally
 hostap handle type management subtype probe request \e
    with log
 # Detect flooding of management frames except beacons.
 # This will detect some possible denial of service attacks
 # against the IEEE 802.11 protocol.
 hostap handle skip type management subtype ! beacon \e
    with log \e
    rate 100 / 10 sec
 # Log rogue access points via IAPP, limited to every second,
 # and skip further IAPP processing.
 hostap handle skip type management subtype beacon bssid !<myess> \e
    with iapp type radiotap limit 1 sec
 # Send deauthentication frames to stations associated to rogue APs
 hostap handle type data bssid !<myess> with frame type management \e
    subtype deauth reason auth expire \e
    from &bssid to &from bssid &bssid
 # Send authentication requests from random station addresses to
 # rogue access points. This is a common way to test the quality of
 # various hostap implementations.
 hostap handle skip type management subtype beacon bssid <pentest> \e
    with frame type management subtype auth \e
    from random to &bssid bssid &bssid
 # Re-inject a received IEEE 802.11 frame on the interface ath0
 hostap handle on ath0 type management subtype auth with resend
 # Remove a blacklisted node from the kernel node tree
 hostap handle type management subtype auth from <blacklist> \e
    with node delete &from
 # Log rogue access points with a strong signal quality on
 # channel 3 (2.422GHz) transmitting frames with 1Mbps.
 hostap handle type management subtype beacon bssid !<myess> \e
    signal >= 50% txrate 1Mb freq 2.422GHz \e
    with log
 .Ed
 .Sh IP ROAMING
 In a traditional wireless network, multiple access points are
 members of a single layer 3 broadcast domain.
 The traffic is bridged between physical collision domains,
 as with the
 .Xr bridge 4
 interface in
 .Ox .
 This may cause problems in large wireless networks with a heavy load
 of broadcast traffic, like broadcasted ARP, DHCP or ICMP requests.
 .Pp
 .Xr hostapd 8
 implements IP based roaming to build wireless networks
 without the requirement of a single broadcast domain.
 This works as follows:
 .Pp
 .Bl -enum -compact
 .It
 Every access point running
 .Xr hostapd 8
 is a router to an individual internal broadcast domain,
 .Em without
 using the
 .Xr bridge 4
 interface.
 .It
 An increased multicast TTL is used for IAPP communication
 between access points in multiple network segments.
 Multicast routing is required in the network infrastructure,
 like an
 .Ox
 router running
 .Xr mrouted 8 .
 .It
 The configuration file
 .Nm
 is used to assign IP subnets to link layer addresses.
 If a station with the specified link layer address successfully
 associates to the access point,
 .Xr hostapd 8
 will configure the specified IP address and subnet on
 the wireless interface.
 .It
 The
 IAPP
 .Em ADD.notify
 message is used to notify other access points running
 .Xr hostapd 8
 to remove the station and any assigned IP addresses or subnets from
 the wireless interface.
 .It
 A dynamic routing daemon like
 .Xr ospfd 8
 or
 .Xr bgpd 8
 running on the access point will be used to announce the
 new IP route to the internal network and routers.
 .El
 .Pp
 For example:
 .Bd -literal -offset indent
 # Assign IP addresses to layer 2 addresses
 table <clients> {
 	00:02:6f:42:d0:01 -> 172.23.5.1/30,
 	00:05:4e:45:d3:b8 -> 172.23.5.4/30,
 	00:04:2e:12:03:e0 -> 172.23.5.8/30
 }
 # Global options
 set hostap interface ath0
 set hostap mode radiotap
 set iapp interface sis0
 set iapp address roaming table <clients>
 set iapp handle subtype address roaming
 set iapp mode multicast ttl 2
 .Ed
 .Sh FILES
 .Bl -tag -width /etc/examples/hostapd.conf -compact
 .It Pa /etc/hostapd.conf
 Default location of the configuration file.
 .It Pa /etc/examples/hostapd.conf
 Example configuration file.
 .El
 .Sh SEE ALSO
 .Xr hostapd 8
 .Sh AUTHORS
 The
 .Xr hostapd 8
 program was written by
 .An Reyk Floeter Aq Mt reyk@openbsd.org .
 .Sh CAVEATS
 .Em IP Roaming
 requires statically assigned IP addresses of stations and does
 not support DHCP at present.
--- a/hostapd.spec
+++ b/hostapd.spec
@ -2,7 +2,7 @@
 Name:           hostapd
 Version:        2.9
-Release:        7%{?dist}
+Release:        6%{?dist}
 Summary:        IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator
 License:        BSD
 URL:            http://w1.fi/hostapd
@ -12,8 +12,6 @@ Source1:        %{name}.service
 Source2:        %{name}.conf
 Source3:        %{name}.sysconfig
 Source4:        %{name}.init
 # https://github.com/openbsd/src/blob/master/usr.sbin/hostapd/hostapd.conf.5
 Source5:        %{name}.conf.5
 # https://w1.fi/security/2019-7/ap-mode-pmf-disconnection-protection-bypass.txt
 Patch1:         https://w1.fi/security/2019-7/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch
@ -127,9 +125,8 @@ install -pm 0755 %{name}/%{name} %{buildroot}%{_sbindir}/%{name}
 install -pm 0755 %{name}/%{name}_cli %{buildroot}%{_sbindir}/%{name}_cli
 # man pages
-install -d %{buildroot}%{_mandir}/man{1,5,8}
+install -d %{buildroot}%{_mandir}/man{1,8}
 install -pm 0644 %{name}/%{name}_cli.1 %{buildroot}%{_mandir}/man1
 install -pm 0644 %{SOURCE5} %{buildroot}%{_mandir}/man5
 install -pm 0644 %{name}/%{name}.8 %{buildroot}%{_mandir}/man8
 # prepare docs
@ -181,7 +178,6 @@ fi
 %{_sbindir}/%{name}_cli
 %dir %{_sysconfdir}/%{name}
 %{_mandir}/man1/*
 %{_mandir}/man5/*
 %{_mandir}/man8/*
 %if 0%{?fedora} || 0%{?rhel} >= 7
 %{_unitdir}/%{name}.service
@ -195,16 +191,13 @@ fi
 %{_sysconfdir}/logwatch/scripts/services/%{name}
 %changelog
-* Thu Dec 16 2020 John W. Linville <linville@redhat.com> - 2.9-7
+* Thu Dec 10 2020 Johwn W. Linville <linville@redhat.com> - 2.9-6
 - Borrow hostapd.conf.5 man page from OpenBSD
 * Thu Dec 10 2020 John W. Linville <linville@redhat.com> - 2.9-6
 - Enable environment file in hostapd service definition
 * Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.9-5
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-* Wed Jun 24 2020 John W. Linville <linville@redhat.com> - 2.9-4
+* Wed Jun 24 2020 Johwn W. Linville <linville@redhat.com> - 2.9-4
 - Fix CVE-2020-12695 (UPnP SUBSCRIBE misbehavior in hostapd WPS AP)
 * Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.9-3