Red Hat Bugzilla – Bug 186098
Multicast packets loop back with no MAC (netfilter)
Last modified: 2008-05-06 11:35:58 EDT
Description of problem: Packets from the local machine to multicast addresses loop back via a network interface but don't have a source MAC address attached. I.e. sending a packet to 224.0.0.1 through eth0 will cause the packet to go through netfilter's INPUT chain for eth0 but have no source MAC address. These packets can't be explicitly specified by iptables. e.g. If you set up a DROP rule for the interface and then override it with ALLOW rules for specific MAC addresses there is no way to allow looped back multicast traffic. Version-Release number of selected component (if applicable): 2.6.13-1.1532 How reproducible: Always Steps to Reproduce: 1. Set iptables to log all the traffic on eth0 2. ping -I eth0 224.0.0.1 Actual results: The iptables logs show the traffic logged with no MAC address in the "MAC=" parameter. Expected results: MAC= should probably be set to the MAC of the interface the packet is looped back on. (Logically the packet has effectively been transmitted and then received by that interface)
Is this still reproducable with the errata kernel ? (There's a 2.6.16 one in updates-testing now too).
Yes, still happens under the 2.6.16 kernel: iptables -A INPUT -d 224.0.0.0/4 -j LOG ping -n 224.0.0.1 dmesg reports: IN=eth0 OUT= MAC= SRC=172.28.148.220 DST=224.0.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=64522 SEQ=0
[This comment added as part of a mass-update to all open FC4 kernel bugs] FC4 has now transitioned to the Fedora legacy project, which will continue to release security related updates for the kernel. As this bug is not security related, it is unlikely to be fixed in an update for FC4, and has been migrated to FC5. Please retest with Fedora Core 5. Thank you.
A new kernel update has been released (Version: 2.6.18-1.2200.fc5) based upon a new upstream kernel release. Please retest against this new kernel, as a large number of patches go into each upstream release, possibly including changes that may address this problem. This bug has been placed in NEEDINFO state. Due to the large volume of inactive bugs in bugzilla, if this bug is still in this state in two weeks time, it will be closed. Should this bug still be relevant after this period, the reporter can reopen the bug at any time. Any other users on the Cc: list of this bug can request that the bug be reopened by adding a comment to the bug. In the last few updates, some users upgrading from FC4->FC5 have reported that installing a kernel update has left their systems unbootable. If you have been affected by this problem please check you only have one version of device-mapper & lvm2 installed. See bug 207474 for further details. If this bug is a problem preventing you from installing the release this version is filed against, please see bug 169613. If this bug has been fixed, but you are now experiencing a different problem, please file a separate bug for the new problem. Thank you.
Still unresolved as of 2.6.18-1.2200.fc5smp
You can actually detect null MAC addresses using --mac test. The trick is that --mac will always return false for null MAC addresses, even if you invert it. Therefore, something like this will work iptables -I mychain -m mac --mac 00:00:00:00:00:00 -j RETURN iptables -I mychain -m mac --mac ! 00:00:00:00:00:00 -j RETURN iptables -I mychain -j ulooped
Hmm, I hadn't thought of that. Although this still seems like a bug to me - you shouldn't have to use that sort of kludge.
Fedora Core 5 is no longer maintained. Is this bug still present in Fedora 7 or Fedora 8?
Fedora apologizes that these issues have not been resolved yet. We're sorry it's taken so long for your bug to be properly triaged and acted on. We appreciate the time you took to report this issue and want to make sure no important bugs slip through the cracks. If you're currently running a version of Fedora Core between 1 and 6, please note that Fedora no longer maintains these releases. We strongly encourage you to upgrade to a current Fedora release. In order to refocus our efforts as a project we are flagging all of the open bugs for releases which are no longer maintained and closing them. http://fedoraproject.org/wiki/LifeCycle/EOL If this bug is still open against Fedora Core 1 through 6, thirty days from now, it will be closed 'WONTFIX'. If you can reporduce this bug in the latest Fedora version, please change to the respective version. If you are unable to do this, please add a comment to this bug requesting the change. Thanks for your help, and we apologize again that we haven't handled these issues to this point. The process we are following is outlined here: http://fedoraproject.org/wiki/BugZappers/F9CleanUp We will be following the process here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this doesn't happen again. And if you'd like to join the bug triage team to help make things better, check out http://fedoraproject.org/wiki/BugZappers
This bug is open for a Fedora version that is no longer maintained and will not be fixed by Fedora. Therefore we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen thus bug against that version. Thank you for reporting this bug and we are sorry it could not be fixed.