Bug 672690

Summary: iptables labeling of packets seems broken for address 255.255.255.255
Product: [Fedora] Fedora Reporter: Daniel Walsh <dwalsh>
Component: kernelAssignee: Neil Horman <nhorman>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 19CC: gansalmon, itamar, jforbes, jonathan, jrieden, kernel-maint, madhu.chinakonda, nhorman, paul.moore, sdsmall
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-05-15 15:38:15 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Attachments:
Description Flags
iptables rules
none
selinux policy none

Description Daniel Walsh 2011-01-25 21:06:00 UTC 
time->Tue Jan 25 16:04:34 2011
type=AVC msg=audit(1295989474.550:354): avc:  denied  { recv } for  src=68 daddr=255.255.255.255 dest=67 netif=eth0 scontext=system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 tcontext=system_u:object_r:external_packet_t:s0 tclass=packet
Comment 1 Daniel Walsh 2011-01-25 21:08:26 UTC 
Created attachment 475276 [details]
iptables rules
Comment 2 Daniel Walsh 2011-01-25 21:18:59 UTC 
Created attachment 475282 [details]
selinux policy
Comment 3 Fedora End Of Life 2013-04-03 15:35:50 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle.
Changing version to '19'.

(As we did not run this process for some time, it could affect also pre-Fedora 19 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.)

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19
Comment 4 Justin M. Forbes 2013-04-05 19:52:20 UTC 
Is this still an issue with the 3.9 kernels in F19?
Comment 5 Neil Horman 2013-04-19 17:42:12 UTC 
I think thats the wrong syntax for a rule.  you apply the specified mask (in your rule, its 32) to the incomming source address, and then check to see if it matches your supplied address (in your rule 255.255.255.255).  If they match you jump to the designated target (INTERNAL).  That said, no valid ip address will ever match 255.255.255.255 when you apply an all 1's mask to it.  I think you're intention was to match all incomming source addresses, isn't it?  If thats the case, what you want is a rule that says:

-A <CHAIN> -s 0.0.0.0/0 -j INTERNAL

That will match on all source addresses.  Or was your intention something else?
Comment 6 Josh Boyer 2013-05-15 13:17:38 UTC 
Dan?
Comment 7 Daniel Walsh 2013-05-15 15:38:15 UTC 
Sounds good, I have not dealt with this stuff for a while,  So you can close this bug.