From: Ido Schimmel <idosch@idosch.org>
To: SIMON BABY <simonkbaby@gmail.com>
Cc: netdev@vger.kernel.org
Subject: Re: query on EAPOL multicast packet with linux bridge interface
Date: Wed, 23 Apr 2025 18:51:34 +0300
Message-ID: <aAkMhl3klxYx-n2Q@shredder>
In-Reply-To: <CAEFUPH0cU-5ZJ_qAevp1DENYrUkSO4zipUTg0vzLmgz16nPbbw@mail.gmail.com>

(Please avoid top posting)

On Wed, Apr 23, 2025 at 06:26:40AM -0700, SIMON BABY wrote:
> Thank you Ido.
>
> Here are the details of my setup:
>
> I have a Microchip CPU connected to an 11 port Marvell 88E6390 switch.
> I am using the Marvell Linux DSA driver so that all the switch ports
> (lan1, lan2, lan3 etc) are part of the Linux kernel.
>
> I am using hostapd as an authenticator.
>
> An 802.1x client device is connected to port lan1 and binds this port
> (lan1) to hostapd daemon, I can see EAPOL packets are being forwarded
> to a radius server.
>
> I have created a bridge with vlan filtering with below commands and
> bind the bridge (br0) with hostapd daemon. Now EAPOL packets are not
> forwarded.

Do you see the EAPOL packets when running tcpdump on 'lan1' and 'br0'?
Does the result change if you pass '-p' to tcpdump?

>
> ip link add name br0 type bridge vlan_filtering 1
> ip link set dev lan1 master br0
> ip link set dev lan2 master br0
> bridge vlan add dev lan1 vid 10 pvid untagged
> bridge vlan add dev lan2 vid 10 pvid untagged
> ip link set dev br0 up
> ip link set dev lan1 up
> ip link set dev lan2 up
> ip link add link br0 name br0.10 type vlan id 10
> ip link set dev br0.10 up
> ip addr add 192.168.2.1/24 dev br0.10
> bridge vlan add vid 10 dev br0 self
>
> bridge vlan show
> port vlan-id
> lan1 10 PVID Egress Untagged
> lan2 10 PVID Egress Untagged
> br0 10
>
> echo 8 > /sys/class/net/br0/bridge/group_fwd_mask
> cat /sys/class/net/br0/bridge/group_fwd_mask
> 0x8
>
> root@sama7g5ek-tdy-sd:~# cat /etc/hostapd.conf
> ##### hostapd configuration file ##############################################
> # Empty lines and lines starting with # are ignored
>
> # Example configuration file for wired authenticator. See hostapd.conf for
> # more details.
> interface=br0

I have zero experience with hostapd, but I assume it opens a packet
socket on the specified interface to receive the EAPOL packets. When
listening on 'br0' you should see the EAPOL packets with a VLAN tag
which could be a problem for hostapd. When you told it to listen on
'lan1' it received the EAPOL packets without a VLAN. I would try to
specify 'br0.10' and see if it helps. hostapd should observe the packets
without a VLAN tag in this case.

> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>passing br0 as interface to
> hostapd.
> driver=wired
>
>
>
> Regards
> Simon
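
An added example, not part of the original message and not hostapd or kernel code: a Python classifier for raw Ethernet frames (for instance bytes exported from the tcpdump captures suggested above) that reports whether an EAPOL frame carries an 802.1Q tag and whether the bridge's group_fwd_mask covers its destination address. The sample frames and the source MAC are constructed; the rule that mask bit N covers 01-80-C2-00-00-0N is the kernel bridge's behaviour and is not stated in this thread.

```python
import struct

ETH_P_8021Q = 0x8100
ETH_P_PAE = 0x888E                               # EAPOL (IEEE 802.1X)
RESERVED_PREFIX = bytes.fromhex("0180c20000")    # 01-80-C2-00-00-0X group addresses
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}

def classify(frame: bytes, group_fwd_mask: int = 0) -> dict:
    """Describe one raw Ethernet frame (no FCS, any 802.1Q tag still inline)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, ethertype = frame[:6], struct.unpack("!H", frame[12:14])[0]
    offset, vid = 14, None
    if ethertype == ETH_P_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid, offset = tci & 0x0FFF, 18           # low 12 bits of the TCI are the VLAN ID
    info = {"vid": vid, "eapol": None, "fwd_bit": None, "bridge_forwards": None}
    # Bit N of group_fwd_mask lets the bridge forward frames sent to 01-80-C2-00-00-0N.
    if dst[:5] == RESERVED_PREFIX and dst[5] < 0x10:
        info["fwd_bit"] = dst[5]
        info["bridge_forwards"] = bool(group_fwd_mask & (1 << dst[5]))
    if ethertype == ETH_P_PAE:
        if len(frame) < offset + 4:
            raise ValueError("truncated EAPOL header")
        _version, ptype, _length = struct.unpack("!BBH", frame[offset:offset + 4])
        info["eapol"] = EAPOL_TYPES.get(ptype, f"type {ptype}")
    return info

# Constructed sample frames: an EAPOL-Start sent to the PAE group address
# from a made-up supplicant MAC, once untagged and once tagged with VLAN 10.
PAE_GROUP = bytes.fromhex("0180c2000003")
SRC = bytes.fromhex("020000000001")
EAPOL_START = bytes([1, 1, 0, 0])                # version 1, type 1, body length 0
UNTAGGED = PAE_GROUP + SRC + struct.pack("!H", ETH_P_PAE) + EAPOL_START
TAGGED = (PAE_GROUP + SRC + struct.pack("!HH", ETH_P_8021Q, 10)
          + struct.pack("!H", ETH_P_PAE) + EAPOL_START)

if __name__ == "__main__":
    for name, frame in (("untagged", UNTAGGED), ("vlan 10", TAGGED)):
        print(name, classify(frame, group_fwd_mask=0x8))
```

With the mask of 0x8 from the quoted setup, both sample frames report `fwd_bit` 3 and `bridge_forwards` True; only the `vid` field differs between them.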