Bug 227535 - iptables prints incorrect MAC address in LOG directive
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: 6
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Kernel Maintainer List
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-02-06 18:58 UTC by Wolfgang Rupprecht
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-10-02 22:04:39 UTC
Type: ---
Embargoed:



Description Wolfgang Rupprecht 2007-02-06 18:58:44 UTC
Description of problem:

The MAC address printed to syslog from the LOG directive makes no sense. It is
much too big. Ethernet MAC addresses are 6 pairs of hex digits.

Feb  6 10:35:33 arbol kernel: iptables: scanning: IN=eth1 OUT=
MAC=00:e0:81:56:8d:67:00:02:3b:01:45:57:08:00 SRC=4.255.202.210
DST=64.142.50.224 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=29662 DF PROTO=TCP
SPT=1896 DPT=139 WINDOW=8760 RES=0x00 SYN URGP=0 

Version-Release number of selected component (if applicable):
iptables-1.3.5-1.2.1

How reproducible:
always

Steps to Reproduce:
1. Before the final REJECT rule in RH-Firewall-1-INPUT add:
   -A RH-Firewall-1-INPUT -j LOG --log-prefix "iptables: scanning: "
2. Wait till some turkey scans the system.
3. Look in /var/log/messages for the log entry.  Notice the MAC address.
  
Actual results:

Feb  6 10:35:33 arbol kernel: iptables: scanning: IN=eth1 OUT=
MAC=00:e0:81:56:8d:67:00:02:3b:01:45:57:08:00 SRC=4.255.202.210
DST=64.142.50.224 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=29662 DF PROTO=TCP
SPT=1896 DPT=139 WINDOW=8760 RES=0x00 SYN URGP=0 

From a different machine with an ath0, an even longer MAC address gets printed.
(This MAC address should win a prize for length!)

Feb  2 19:32:59 ancho kernel: iptables: NEW: IN=ath0 OUT=
MAC=00:15:6d:10:33:2c:00:e0:81:56:8d:66:08:00:45:00:00:3c:e9:96:40:00:40:06:46:6e:c0:53:c5:01:c0:53:c5:0e:03:32:8e:70:4f:18:d9:ca:00:00:00:00:a0:02:16:d0:2f:01:00:00:02:04:05:b4:04:02:08:0a:00:dd:3c:17:00:00:00:00:01:03:03:05:5e:32:ac:ff:0a:76:39:9d:28:07:33:96:00:00
SRC=192.83.197.1 DST=192.83.197.14 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59798 DF
PROTO=TCP SPT=818 DPT=36464 WINDOW=5840 RES=0x00 SYN URGP=0 

Expected results:

The correct MAC address in the above eth1 case should have been
MAC=00:02:3b:01:45:57 .  The ath0 one should have been MAC=00:E0:81:56:8D:66 .

Additional info:
Note, this is a 64-bit kernel.  More sizeof(something) confusion?

Comment 1 Thomas Woerner 2007-09-10 08:48:46 UTC
Please have a look at iptables-1.3.8-2.fc6 in testing.

Comment 2 Thomas Woerner 2007-09-26 15:58:57 UTC
Can you please verify if the update fixes your problem?

Comment 3 Thomas Woerner 2007-10-02 11:58:28 UTC
This is a netfilter kernel problem.

Assigning to kernel.

Comment 4 Chuck Ebbert 2007-10-02 22:04:39 UTC
It is printing the MAC header from the packet: src address, dest address, and
protocol ID. And wireless uses very large addresses in its headers internally...
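
Added example (not part of the original bug report and not netfilter code): a small Python parser that splits the MAC= field of a LOG line into destination address, source address and EtherType, assuming the Ethernet II header order, and counts any bytes logged beyond the 14-byte header. The function name is hypothetical and the sample lines are shortened copies of the eth1 and ath0 lines from the description.

```python
import re

# Matches the MAC= field of a netfilter LOG line (colon-separated hex bytes).
MAC_FIELD = re.compile(r"\bMAC=((?:[0-9a-fA-F]{2}:)*[0-9a-fA-F]{2})(?=\s|$)")

ETH_HEADER_LEN = 14  # 6 bytes destination + 6 bytes source + 2 bytes EtherType

# Shortened copies of the two log lines in the report (trailing fields dropped).
ETH1_LINE = ("Feb  6 10:35:33 arbol kernel: iptables: scanning: IN=eth1 OUT= "
             "MAC=00:e0:81:56:8d:67:00:02:3b:01:45:57:08:00 SRC=4.255.202.210 "
             "DST=64.142.50.224 LEN=48 PROTO=TCP SPT=1896 DPT=139")
# Only the first 18 bytes of the long ath0 dump are kept here.
ATH0_LINE = ("Feb  2 19:32:59 ancho kernel: iptables: NEW: IN=ath0 OUT= "
             "MAC=00:15:6d:10:33:2c:00:e0:81:56:8d:66:08:00:45:00:00:3c "
             "SRC=192.83.197.1 DST=192.83.197.14 LEN=60 PROTO=TCP")


def parse_log_mac(line):
    """Split the MAC= dump of one LOG line into link-layer header parts.

    Assumes Ethernet II order: destination, source, EtherType.
    Returns None when the field is absent, empty, or shorter than 14 bytes.
    """
    m = MAC_FIELD.search(line)
    if not m:
        return None
    octets = m.group(1).lower().split(":")
    if len(octets) < ETH_HEADER_LEN:
        return None
    return {
        "dst": ":".join(octets[0:6]),
        "src": ":".join(octets[6:12]),
        "ethertype": int("".join(octets[12:14]), 16),
        # Bytes the kernel logged after the 14-byte header (the ath0 case).
        "extra_bytes": len(octets) - ETH_HEADER_LEN,
    }


if __name__ == "__main__":
    for sample in (ETH1_LINE, ATH0_LINE):
        print(parse_log_mac(sample))
```

On the eth1 line the `src` value is the address the reporter expected to see, and 0x0800 is the EtherType for IPv4.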