Making Linux network bridge transparent for 802.1x packets

Update 17/01/2011: If you are interested in 802.1x bridging, have a look at my Tapping 802.1x Links with Marvin blog post.

802.1x authentication messages are sent in Ethernet frames with destination MAC address set to 01:80:C2:00:00:03. This address belongs to “IEEE 802.1D MAC Bridge Filtered MAC Group Addresses” (01:80:C2:00:00:00 to 01:80:C2:00:00:0F) and such frames are not supposed to be relayed by bridges conforming to IEEE 802.1D [2]. For a number of reasons, you may want these frames to go through your bridge.
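The filtering rule described above, as an added example (not code from the original post or from the Linux kernel): a small C classifier that decides what an IEEE 802.1D-conforming bridge does with a frame, using only the destination MAC. The EAPOL EtherType 0x888E is standard; the function names and both sample frames are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HDR_LEN    14
#define ETHERTYPE_VLAN 0x8100 /* 802.1Q tag */
#define ETHERTYPE_PAE  0x888E /* EAPOL, the 802.1x transport */
enum verdict { TOO_SHORT = -1, FORWARD = 0, FILTERED = 1 };

/* 01:80:C2:00:00:00..0F: five fixed bytes, then a last byte of 0x00..0x0F. */
static int is_reserved_group_addr(const uint8_t *dst)
{
    static const uint8_t prefix[5] = { 0x01, 0x80, 0xC2, 0x00, 0x00 };
    return memcmp(dst, prefix, sizeof prefix) == 0 && (dst[5] & 0xF0) == 0;
}

/* EtherType of the frame, looking past one 802.1Q tag; 0 if truncated. */
static uint16_t frame_ethertype(const uint8_t *f, size_t len)
{
    if (len < ETH_HDR_LEN) return 0;
    uint16_t type = (uint16_t)((f[12] << 8) | f[13]);
    if (type == ETHERTYPE_VLAN)
        type = len >= ETH_HDR_LEN + 4 ? (uint16_t)((f[16] << 8) | f[17]) : 0;
    return type;
}

/* What a conforming bridge does: the decision uses the destination only. */
static enum verdict bridge_verdict(const uint8_t *f, size_t len)
{
    if (len < ETH_HDR_LEN) return TOO_SHORT;
    return is_reserved_group_addr(f) ? FILTERED : FORWARD;
}

/* Constructed sample frames (not captured traffic). */
static const uint8_t eapol_start[] = {
    0x01, 0x80, 0xC2, 0x00, 0x00, 0x03,   /* dst: 802.1x group address */
    0x02, 0x00, 0x00, 0x00, 0x00, 0x01,   /* src: made-up local address */
    0x88, 0x8E, 0x01, 0x01, 0x00, 0x00 }; /* EAPOL v1, Start, length 0 */
static const uint8_t arp_bcast[] = {
    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x02, 0x00, 0x00, 0x00, 0x00, 0x01,
    0x08, 0x06 };                         /* header only, EtherType ARP */

int main(void)
{
    printf("EAPOL-Start: type=0x%04X verdict=%d; ARP broadcast: verdict=%d\n",
           (unsigned)frame_ethertype(eapol_start, sizeof eapol_start),
           bridge_verdict(eapol_start, sizeof eapol_start),
           bridge_verdict(arp_bcast, sizeof arp_bcast));
    return 0;
}
```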

The quick and dirty way to solve the problem is to hack the Linux kernel – just comment out the “unnecessary” functionality. To do so:
1) Unpack your kernel sources and prepare for compilation
2) Apply a patch.
3) Compile and install the kernel

Steps 1 and 3 are specific to your distribution; these instructions work fine for my Ubuntu. Step 2:

abb@d820:~/build$ cd linux-2.6.27/
abb@d820:~/build/linux-2.6.27$ patch -p0 < ~/br_input.patch
patching file net/bridge/br_input.c

Comments

This looks like a better (less drastic) patch. Apply this patch and disable spanning tree protocol and 802.1x frames will be forwarded.
https://lists.linux-foundation.org/pipermail/bridge/2010-October/007378....

Nick

Yes, the patch of Benjamin Poirier is cleaner than mine. However, both these patches are somewhat obsolete now. Currently the easiest way to manipulate 802.1x links is to use Marvin.