Red Hat Bugzilla – Bug 186098
Multicast packets loop back with no MAC (netfilter)
Last modified: 2008-05-06 11:35:58 EDT
Description of problem:
Packets from the local machine to multicast addresses loop back via a network
interface but don't have a source MAC address attached. I.e. sending a packet
to 18.104.22.168 through eth0 will cause the packet to go through netfilter's INPUT
chain for eth0 but have no source MAC address. These packets can't be
explicitly specified by iptables.
e.g. If you set up a DROP rule for the interface and then override it with ALLOW
rules for specific MAC addresses there is no way to allow looped back multicast
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Set iptables to log all the traffic on eth0
2. ping -I eth0 22.214.171.124
The iptables logs show the traffic logged with no MAC address in the "MAC="
MAC= should probably be set to the MAC of the interface the packet is looped
back on. (Logically the packet has effectively been transmitted and then
received by that interface)
Is this still reproducable with the errata kernel ?
(There's a 2.6.16 one in updates-testing now too).
Yes, still happens under the 2.6.16 kernel:
iptables -A INPUT -d 126.96.36.199/4 -j LOG
ping -n 188.8.131.52
IN=eth0 OUT= MAC= SRC=172.28.148.220 DST=184.108.40.206 LEN=84 TOS=0x00 PREC=0x00
TTL=1 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=64522 SEQ=0
[This comment added as part of a mass-update to all open FC4 kernel bugs]
FC4 has now transitioned to the Fedora legacy project, which will continue to
release security related updates for the kernel. As this bug is not security
related, it is unlikely to be fixed in an update for FC4, and has been migrated
Please retest with Fedora Core 5.
A new kernel update has been released (Version: 2.6.18-1.2200.fc5)
based upon a new upstream kernel release.
Please retest against this new kernel, as a large number of patches
go into each upstream release, possibly including changes that
may address this problem.
This bug has been placed in NEEDINFO state.
Due to the large volume of inactive bugs in bugzilla, if this bug is
still in this state in two weeks time, it will be closed.
Should this bug still be relevant after this period, the reporter
can reopen the bug at any time. Any other users on the Cc: list
of this bug can request that the bug be reopened by adding a
comment to the bug.
In the last few updates, some users upgrading from FC4->FC5
have reported that installing a kernel update has left their
systems unbootable. If you have been affected by this problem
please check you only have one version of device-mapper & lvm2
installed. See bug 207474 for further details.
If this bug is a problem preventing you from installing the
release this version is filed against, please see bug 169613.
If this bug has been fixed, but you are now experiencing a different
problem, please file a separate bug for the new problem.
Still unresolved as of 2.6.18-1.2200.fc5smp
You can actually detect null MAC addresses using --mac test. The trick is that
--mac will always return false for null MAC addresses, even if you invert it.
Therefore, something like this will work
iptables -I mychain -m mac --mac 00:00:00:00:00:00 -j RETURN
iptables -I mychain -m mac --mac ! 00:00:00:00:00:00 -j RETURN
iptables -I mychain -j ulooped
Hmm, I hadn't thought of that. Although this still seems like a bug to me - you
shouldn't have to use that sort of kludge.
Fedora Core 5 is no longer maintained. Is this bug still present in Fedora 7 or
Fedora apologizes that these issues have not been resolved yet. We're
sorry it's taken so long for your bug to be properly triaged and acted
on. We appreciate the time you took to report this issue and want to
make sure no important bugs slip through the cracks.
If you're currently running a version of Fedora Core between 1 and 6,
please note that Fedora no longer maintains these releases. We strongly
encourage you to upgrade to a current Fedora release. In order to
refocus our efforts as a project we are flagging all of the open bugs
for releases which are no longer maintained and closing them.
If this bug is still open against Fedora Core 1 through 6, thirty days
from now, it will be closed 'WONTFIX'. If you can reporduce this bug in
the latest Fedora version, please change to the respective version. If
you are unable to do this, please add a comment to this bug requesting
Thanks for your help, and we apologize again that we haven't handled
these issues to this point.
The process we are following is outlined here:
We will be following the process here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this
doesn't happen again.
And if you'd like to join the bug triage team to help make things
better, check out http://fedoraproject.org/wiki/BugZappers
This bug is open for a Fedora version that is no longer maintained and
will not be fixed by Fedora. Therefore we are closing this bug.
If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen thus bug against that version.
Thank you for reporting this bug and we are sorry it could not be fixed.