Making Linux network bridge transparent for 802.1x packets

Submitted by abb on Tue, 08/31/2010 - 11:33

Update 17/01/2011: If you are interested in 802.1x bridging, have a look at my Tapping 802.1x Links with Marvin blog post.

802.1x authentication messages are sent in Ethernet frames with destination MAC address set to 01:80:C2:00:00:03. This address belongs to “IEEE 802.1D MAC Bridge Filtered MAC Group Addresses” (01:80:C2:00:00:00 to 01:80:C2:00:00:0F) and such frames are not supposed to be relayed by bridges conforming to IEEE 802.1D [2]. For a number of reasons, you may want these frames to go through your bridge.
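The following C example is added here and is not taken from the original post or from the kernel sources. It classifies a raw Ethernet frame by the destination-address rule described above, which is a useful check when verifying what a bridge should or should not relay. The function and enum names, the EAPOL EtherType constant (0x888E, not mentioned on the page) and the sample frame are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HDR_LEN     14      /* dst(6) + src(6) + EtherType(2), untagged */
#define ETHERTYPE_EAPOL 0x888E  /* EtherType carried by 802.1X (EAPOL) frames */

enum frame_class {
    FRAME_TOO_SHORT      = -1,  /* not a complete Ethernet header */
    FRAME_FORWARDABLE    = 0,   /* destination outside the filtered range */
    FRAME_FILTERED       = 1,   /* 01:80:C2:00:00:00..0F, but not ..:03 */
    FRAME_FILTERED_8021X = 2    /* destination is 01:80:C2:00:00:03 */
};

/* First five octets shared by every address in the filtered group range. */
static const uint8_t filtered_prefix[5] = { 0x01, 0x80, 0xC2, 0x00, 0x00 };

/* Classify a frame by destination MAC the way an 802.1D-conforming bridge
 * is expected to: addresses in the filtered range are not relayed. */
enum frame_class classify_frame(const uint8_t *frame, size_t len)
{
    if (frame == NULL || len < ETH_HDR_LEN)
        return FRAME_TOO_SHORT;
    if (memcmp(frame, filtered_prefix, sizeof filtered_prefix) != 0)
        return FRAME_FORWARDABLE;
    if (frame[5] & 0xF0)        /* last octet must be 0x00..0x0F */
        return FRAME_FORWARDABLE;
    return frame[5] == 0x03 ? FRAME_FILTERED_8021X : FRAME_FILTERED;
}

/* EtherType of an untagged frame, or 0 if the header is incomplete. */
uint16_t frame_ethertype(const uint8_t *frame, size_t len)
{
    return (frame && len >= ETH_HDR_LEN) ? (uint16_t)((frame[12] << 8) | frame[13]) : 0;
}

/* Constructed sample: an EAPOL-Start frame sent to the 802.1X group address. */
static const uint8_t sample_eapol[] = {
    0x01, 0x80, 0xC2, 0x00, 0x00, 0x03,  /* destination */
    0x02, 0x00, 0x00, 0x00, 0x00, 0x01,  /* source (constructed) */
    0x88, 0x8E, 0x01, 0x01, 0x00, 0x00   /* EAPOL: version 1, Start, length 0 */
};

int main(void)
{
    printf("class=%d ethertype=0x%04X\n",
           (int)classify_frame(sample_eapol, sizeof sample_eapol),
           (unsigned)frame_ethertype(sample_eapol, sizeof sample_eapol));
    return 0;
}
```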

The quick and dirty way to solve the problem is to hack the Linux kernel – just comment out the “unnecessary” functionality. To do so:
1) Unpack your kernel sources and prepare for compilation.
2) Apply a patch.
3) Compile and install the kernel.

Steps 1 and 3 are specific to your distribution; these instructions work fine for my Ubuntu. Step 2:

abb@d820:~/build$ cd linux-2.6.27/
abb@d820:~/build/linux-2.6.27$ patch -p0 < ~/br_input.patch
patching file net/bridge/br_input.c
