device: set bridge in supplicant for 802.1X ethernet and macsec

When authenticating via 802.1X, the supplicant must be made aware of the bridge the interface is attached to. This was already done for wifi in commit ae31b4bf4e ('wifi: set the BridgeIfname supplicant property when needed'). When setting the BridgeIfname property, the supplicant opens an additional socket to listen on the bridge, to ensure that all incoming EAPOL packets are received. Without this patch, the initial authentication usually works because it is started during stage2 (prepare), when the device is not yet attached to the bridge, but then the re-authentication fails. Note: I could reproduce the problem only when the bridge is configured with bridge.group-forward-mask 8. Resolves: https://issues.redhat.com/browse/RHEL-121153 https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/2301
2026-02-03 18:20:29 +01:00 · 2025-10-16 15:36:22 +02:00 · 2025-10-16 15:36:22 +02:00 · 965aa81027
commit 965aa81027
parent 86b67233bf
2 changed files with 26 additions and 0 deletions
--- a/src/core/devices/nm-device-ethernet.c
+++ b/src/core/devices/nm-device-ethernet.c
@ -700,6 +700,9 @@ supplicant_iface_start(NMDeviceEthernet *self)
    NMDeviceEthernetPrivate            *priv   = NM_DEVICE_ETHERNET_GET_PRIVATE(self);
    gs_unref_object NMSupplicantConfig *config = NULL;
    gs_free_error GError               *error  = NULL;
+    NMActRequest                       *request;
+    NMActiveConnection                 *controller_ac;
+    NMDevice                           *controller;

    config = build_supplicant_config(self, &error);
    if (!config) {
@ -714,6 +717,16 @@ supplicant_iface_start(NMDeviceEthernet *self)
    }

    nm_supplicant_interface_disconnect(priv->supplicant.iface);
+
+    /* Tell the supplicant in which bridge the interface is */
+    if ((request = nm_device_get_act_request(NM_DEVICE(self)))
+        && (controller_ac = nm_active_connection_get_controller(NM_ACTIVE_CONNECTION(request)))
+        && (controller = nm_active_connection_get_device(controller_ac))
+        && nm_device_get_device_type(controller) == NM_DEVICE_TYPE_BRIDGE) {
+        nm_supplicant_interface_set_bridge(priv->supplicant.iface, nm_device_get_iface(controller));
+    } else
+        nm_supplicant_interface_set_bridge(priv->supplicant.iface, NULL);
+
    nm_supplicant_interface_assoc(priv->supplicant.iface, config, supplicant_iface_assoc_cb, self);
    return TRUE;
 }
--- a/src/core/devices/nm-device-macsec.c
+++ b/src/core/devices/nm-device-macsec.c
@ -433,6 +433,9 @@ supplicant_iface_start(NMDeviceMacsec *self)
    NMDeviceMacsecPrivate              *priv   = NM_DEVICE_MACSEC_GET_PRIVATE(self);
    gs_unref_object NMSupplicantConfig *config = NULL;
    gs_free_error GError               *error  = NULL;
+    NMActRequest                       *request;
+    NMActiveConnection                 *controller_ac;
+    NMDevice                           *controller;

    config = build_supplicant_config(self, &error);
    if (!config) {
@ -445,6 +448,16 @@ supplicant_iface_start(NMDeviceMacsec *self)
    }

    nm_supplicant_interface_disconnect(priv->supplicant.iface);
+
+    /* Tell the supplicant in which bridge the interface is */
+    if ((request = nm_device_get_act_request(NM_DEVICE(self)))
+        && (controller_ac = nm_active_connection_get_controller(NM_ACTIVE_CONNECTION(request)))
+        && (controller = nm_active_connection_get_device(controller_ac))
+        && nm_device_get_device_type(controller) == NM_DEVICE_TYPE_BRIDGE) {
+        nm_supplicant_interface_set_bridge(priv->supplicant.iface, nm_device_get_iface(controller));
+    } else
+        nm_supplicant_interface_set_bridge(priv->supplicant.iface, NULL);
+
    nm_supplicant_interface_assoc(priv->supplicant.iface, config, supplicant_iface_assoc_cb, self);
    return TRUE;
 }