Bug 200147 - Sometimes icmp type gets reported as included dest port
Sometimes icmp type gets reported as included dest port
Product: Fedora
Classification: Fedora
Component: logwatch (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Marcela Mašláňová
Depends On:
  Show dependency treegraph
Reported: 2006-07-25 14:41 EDT by Allen Kistler
Modified: 2007-11-30 17:11 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2006-08-15 07:18:45 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
patch for /usr/share/logwatch/scripts/services/iptables (644 bytes, patch)
2006-07-25 14:41 EDT, Allen Kistler
no flags Details | Diff

  None (edit)
Description Allen Kistler 2006-07-25 14:41:28 EDT
Description of problem:
I posted a patch (Bug 174954) for /usr/share/logwatch/scripts/services/iptables
with a small bug in December last year.  The bug occurs when an icmp packet is
an error response that includes an offending tcp or udp packet.  In that case
netfilter logs both the icmp type and the destination port.  The current
iptables script preferentially extracts the dest port, but should preferentially
extract the icmp type.

Version-Release number of selected component (if applicable):
I checked upstream, and the bug still exists in logwatch-7.3, so fc6test is
probably affected, too.  (Sorry, I haven't been testing fc6.)

How reproducible:

Steps to Reproduce:
1. log icmp packets with included tcp or udp packets (example below)
2. run logwatch
Actual results: (example)
   From - 1 packet to icmp(33499)

Expected results: (example)
   From - 1 packet to icmp(11)

Additional info:
The above examples are derived from an example syslog entry as follows.

kernel: iptables ACCEPT: IN=ppp0 OUT=eth0 SRC= DST=
LEN=56 TOS=0x00 PREC=0xC0 TTL=240 ID=44656 PROTO=ICMP TYPE=11 CODE=0
[SRC= DST= LEN=38 TOS=0x00 PREC=0x00 TTL=1 ID=37595
PROTO=UDP SPT=32768 DPT=33499 LEN=18 ]

The included patch corrects the bug.  Port numbers for actual tcp and udp
packets have no type, so their reporting is not affected.

I submitted the same patch to logwatch-patches@logwatch.org, so it may come
downstream eventually.
Comment 1 Allen Kistler 2006-07-25 14:41:28 EDT
Created attachment 133009 [details]
patch for /usr/share/logwatch/scripts/services/iptables

Note You need to log in before you can comment on or make changes to this bug.