wpa_supplicant and bridges

Jouni Malinen j
Sat Aug 28 01:51:58 PDT 2010

On Sat, Jun 05, 2010 at 05:20:28PM -0400, Jon DeVree wrote:
> I was trying to set up wpa_supplicant with a wireless card that was part
> of a bridge. wpa_supplicant seems unable to authenticate while the
> interface is bridged, but once the handshake is done adding it to the
> bridge works fine.

Layer 2 bridging does not work in general in IEEE 802.11 station mode
unless you can force the bridge to use the MAC address of the IEEE
802.11 interface and even in that case, it does not really bridge frames
correctly from or to other MAC addresses. As such, this kind of
configuration is at best in the experimental category.. 4-address (WDS)
frames could be used to add more general support for this should the AP
handle them.

> So it seems there is a possible kernel bug here. EAPOL frames cannot be
> specifically requested from a raw socket when the interface is part of a
> bridge, but they will show up if all frames are requested. Other frame
> types, like ETH_P_IP seem to work fine. Has anyone else noticed this or
> is it limited to my driver (IWL3945?)

Yes, this is a known issue and I think I brought it up years ago. I
don't remember all the details anymore, but maybe someone disagreed with
the proposed changes.. Anyway, if you were interested in getting this
fixed, it could be worth the effort to re-test this with the latest
kernel snapshot and ask the bridge code developers about this.

> I can post a full patch to wpa_supplicant that works around the kernel
> bug if anyone wants it.

I would hope that such a workaround would not be needed. Filtering
frames in user space is not really good use of CPU.. The -b command
line parameter in wpa_supplicant should be able to handle this issue by
opening a separate l2_packet socket for the specified bridge interface.
Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list