Bug 227535

Summary: iptables prints incorrect MAC address in LOG directive
Product: [Fedora] Fedora
Reporter: Wolfgang Rupprecht <wolfgang.rupprecht>
Component: kernel
Assignee: Kernel Maintainer List <kernel-maint>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: 6   
Hardware: x86_64   
OS: Linux   
Last Closed: 2007-10-02 22:04:39 UTC

Description Wolfgang Rupprecht 2007-02-06 18:58:44 UTC
Description of problem:

The MAC address printed to syslog from the LOG directive makes no sense. It is
much too big. Ethernet MAC addresses are 6 pairs of hex digits.

Feb  6 10:35:33 arbol kernel: iptables: scanning: IN=eth1 OUT=
MAC=00:e0:81:56:8d:67:00:02:3b:01:45:57:08:00 SRC=4.255.202.210
DST=64.142.50.224 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=29662 DF PROTO=TCP
SPT=1896 DPT=139 WINDOW=8760 RES=0x00 SYN URGP=0 

Version-Release number of selected component (if applicable):
iptables-1.3.5-1.2.1

How reproducible:
always

Steps to Reproduce:
1. Before the final REJECT rule in RH-Firewall-1-INPUT add:
   -A RH-Firewall-1-INPUT -j LOG --log-prefix "iptables: scanning: "
2. Wait till some turkey scans the system.
3. Look in /var/log/messages for the log entry.  Notice the MAC address.
  
Actual results:

Feb  6 10:35:33 arbol kernel: iptables: scanning: IN=eth1 OUT=
MAC=00:e0:81:56:8d:67:00:02:3b:01:45:57:08:00 SRC=4.255.202.210
DST=64.142.50.224 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=29662 DF PROTO=TCP
SPT=1896 DPT=139 WINDOW=8760 RES=0x00 SYN URGP=0 

From a different machine with an ath0, an even longer MAC address gets printed.
(This MAC address should win a prize for length!)

Feb  2 19:32:59 ancho kernel: iptables: NEW: IN=ath0 OUT=
MAC=00:15:6d:10:33:2c:00:e0:81:56:8d:66:08:00:45:00:00:3c:e9:96:40:00:40:06:46:6e:c0:53:c5:01:c0:53:c5:0e:03:32:8e:70:4f:18:d9:ca:00:00:00:00:a0:02:16:d0:2f:01:00:00:02:04:05:b4:04:02:08:0a:00:dd:3c:17:00:00:00:00:01:03:03:05:5e:32:ac:ff:0a:76:39:9d:28:07:33:96:00:00
SRC=192.83.197.1 DST=192.83.197.14 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59798 DF
PROTO=TCP SPT=818 DPT=36464 WINDOW=5840 RES=0x00 SYN URGP=0 

Expected results:

The correct MAC address in the above eth1 case should have been
MAC=00:02:3b:01:45:57 .  The ath0 one should have been MAC=00:E0:81:56:8D:66 .

Additional info:
Note, this is a 64-bit kernel.  More sizeof(something) confusion?

Comment 1 Thomas Woerner 2007-09-10 08:48:46 UTC
Please have a look at iptables-1.3.8-2.fc6 in testing.

Comment 2 Thomas Woerner 2007-09-26 15:58:57 UTC
Can you please verify if the update fixes your problem?

Comment 3 Thomas Woerner 2007-10-02 11:58:28 UTC
This is a netfilter kernel problem.

Assigning to kernel.

Comment 4 Chuck Ebbert 2007-10-02 22:04:39 UTC
It is printing the MAC header from the packet: src address, dest address, and
protocol ID. And wireless uses very large addresses in its headers internally...
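
Added example (not part of the bug report, and not iptables or netfilter code): a Python parser that splits the MAC= field of a LOG line into the header fields Comment 4 refers to. It assumes the standard 14-byte Ethernet II layout of destination address, source address, then EtherType; the name `split_mac_field` is this example's own, and the sample is the eth1 line from the report joined onto one line.

```python
import re

# Sample input: the eth1 entry from the report, joined onto a single line.
SAMPLE = (
    "Feb  6 10:35:33 arbol kernel: iptables: scanning: IN=eth1 OUT= "
    "MAC=00:e0:81:56:8d:67:00:02:3b:01:45:57:08:00 SRC=4.255.202.210 "
    "DST=64.142.50.224 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=29662 DF "
    "PROTO=TCP SPT=1896 DPT=139 WINDOW=8760 RES=0x00 SYN URGP=0"
)

# MAC= followed by one or more colon-separated hex octets.
# An empty "MAC= " (no link-layer header logged) does not match.
MAC_FIELD = re.compile(r"\bMAC=((?:[0-9a-fA-F]{2}:)*[0-9a-fA-F]{2})(?=\s|$)")


def split_mac_field(line):
    """Split the MAC= dump of a LOG line into Ethernet II header fields.

    Assumption: the first 14 octets are destination MAC, source MAC and
    EtherType. Returns None when there is no MAC= field or it holds fewer
    than 14 octets. Octets past the first 14 (as on the ath0 line in the
    report) are returned undecoded in 'extra'.
    """
    match = MAC_FIELD.search(line)
    if not match:
        return None
    octets = match.group(1).lower().split(":")
    if len(octets) < 14:
        return None
    return {
        "dst_mac": ":".join(octets[0:6]),    # receiving interface
        "src_mac": ":".join(octets[6:12]),   # sender on the local segment
        "ethertype": int("".join(octets[12:14]), 16),  # 0x0800 = IPv4
        "extra": octets[14:],
    }


if __name__ == "__main__":
    fields = split_mac_field(SAMPLE)
    print(fields["src_mac"], fields["dst_mac"], hex(fields["ethertype"]))
```

For the eth1 line, `src_mac` comes out as the 00:02:3b:01:45:57 address the reporter expected to see.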