wired authentication (kernel module)

Jouni Malinen jkmaline
Wed Sep 22 19:25:15 PDT 2004

On Thu, Sep 23, 2004 at 12:13:37AM +0200, Damjan wrote:

> Sorry if I'm missing something very obvious, but what does a kernel
> module for 802.1x do that a user-space daemon and other functionality
> already in the kernel can't do?


> Isn't it possible to make a user-space daemon that
> 1. puts a rule in Linux's ebtables to DROP all non-EAPOL frames
> 2. Waits for EAPOL frames and does what needs to be done with them

That is something that I would really like to see being done. I have a
bit limited experience in using ebtables, but if it can be configured to
send packets to user space processing, it should have more or less
everything that is needed. Actually, even this would not be needed. It
should be enough to have a "watcher" module that reports dropped
packets (mainly, the src L2 address from them). ebtables has log target,
so either that or something similar could be used.

All packets should be sent to user space by default and rules to allow
packets to pass would be added based on successfully completed
authentication. Statistics from the rules could be used to implement
timing out peers.

More detailed design (e.g., ebtables commands, plans on user space
queue handler) and/or patch to hostapd would be welcome..

Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list