[PATCH] bridge: Forward EAPOL when STP off

[PATCH] bridge: Forward EAPOL when STP off

[Nick Carter]

Signed-off-by: Nick Carter <ncarter100@gmail.com>

If STP is disabled then forward frames destined to the 802.1X PAE group
address (01-80-C2-00-00-03)

This change is required to support virtual machines running an 802.1X
supplicant and bridged to an ethernet interface.

This change has been tested and works fine with a range of supplicants.

I don't think this change will break 802.3ad bonding inside of a bridge.
[See commit f01cb5fbea1c1613621f9f32f385e12c1a29dde0
 Revert "bridge: Forward reserved group addresses if !STP"]
Bonding uses the IEEE Std 802.3ad Slow_Protocols_Multicast address
"#define MULTICAST_LACPDU_ADDR    {0x01, 0x80, 0xC2, 0x00, 0x00, 0x02}"
Which will not be caught by this patch.
---
 net/bridge/br_input.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
index f3ac1e8..d6b4479 100644
--- a/net/bridge/br_input.c
+++ b/net/bridge/br_input.c
@@ -165,7 +165,9 @@ rx_handler_result_t br_handle_frame(struct sk_buff **pskb)
 			goto drop;

 		/* If STP is turned off, then forward */
-		if (p->br->stp_enabled == BR_NO_STP && dest[5] == 0)
+		if (p->br->stp_enabled == BR_NO_STP &&
+		    (dest[5] == 0 || /* Bridge group address */
+		     dest[5] == 3))  /* 802.1X PAE address */
 			goto forward;

 		if (NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_IN, skb, skb->dev,
-- 
1.7.4.1

Re: [PATCH] bridge: Forward EAPOL when STP off

[Stephen Hemminger]

On Thu, 2 Jun 2011 16:59:13 +0100
Nick Carter <ncarter100@gmail.com> wrote:

> Signed-off-by: Nick Carter <ncarter100@gmail.com>
> 
> If STP is disabled then forward frames destined to the 802.1X PAE group
> address (01-80-C2-00-00-03)
> 
> This change is required to support virtual machines running an 802.1X
> supplicant and bridged to an ethernet interface.
> 
> This change has been tested and works fine with a range of supplicants.

No. This is getting messy and starts down the path of the recent
802.3ad change which just got reverted. A better solution is needed
than individual hacky standards breaking. If you really need to do
this, use the "duct tape" of networking ebtables.

See also:
https://lists.linux-foundation.org/pipermail/bridge/2007-November/005638.html

Re: [PATCH] bridge: Forward EAPOL when STP off

[Nick Carter]

Stephen,

It doesn't look like ebtables can do this
http://www.spinics.net/lists/netfilter/msg51200.html

I've written some new diffs that I will send out to netdev.

Thanks,
Nick

On 4 June 2011 14:42, Stephen Hemminger <shemminger@vyatta.com> wrote:
> On Thu, 2 Jun 2011 16:59:13 +0100
> Nick Carter <ncarter100@gmail.com> wrote:
>
>> Signed-off-by: Nick Carter <ncarter100@gmail.com>
>>
>> If STP is disabled then forward frames destined to the 802.1X PAE group
>> address (01-80-C2-00-00-03)
>>
>> This change is required to support virtual machines running an 802.1X
>> supplicant and bridged to an ethernet interface.
>>
>> This change has been tested and works fine with a range of supplicants.
>
> No. This is getting messy and starts down the path of the recent
> 802.3ad change which just got reverted. A better solution is needed
> than individual hacky standards breaking. If you really need to do
> this, use the "duct tape" of networking ebtables.
>
> See also:
> https://lists.linux-foundation.org/pipermail/bridge/2007-November/005638.html
>