Bug 227535 - iptables prints incorrect MAC address in LOG directive
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: kernel
Version: 6
Hardware: x86_64 Linux
Priority: medium, Severity: medium
Assigned To: Kernel Maintainer List
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-02-06 13:58 EST by Wolfgang Rupprecht
Modified: 2007-11-30 17:11 EST
Doc Type: Bug Fix
Last Closed: 2007-10-02 18:04:39 EDT
Description Wolfgang Rupprecht 2007-02-06 13:58:44 EST
Description of problem:

The MAC address printed to syslog from the LOG directive makes no sense. It is
much too big. Ethernet MAC addresses are 6 pairs of hex digits.

Feb  6 10:35:33 arbol kernel: iptables: scanning: IN=eth1 OUT=
MAC=00:e0:81:56:8d:67:00:02:3b:01:45:57:08:00 SRC=4.255.202.210
DST=64.142.50.224 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=29662 DF PROTO=TCP
SPT=1896 DPT=139 WINDOW=8760 RES=0x00 SYN URGP=0 

Version-Release number of selected component (if applicable):
iptables-1.3.5-1.2.1

How reproducible:
always

Steps to Reproduce:
1. Before the final REJECT rule in RH-Firewall-1-INPUT add:
   -A RH-Firewall-1-INPUT -j LOG --log-prefix "iptables: scanning: "
2. Wait till some turkey scans the system.
3. Look in /var/log/messages for the log entry.  Notice the MAC address.
  
Actual results:

Feb  6 10:35:33 arbol kernel: iptables: scanning: IN=eth1 OUT=
MAC=00:e0:81:56:8d:67:00:02:3b:01:45:57:08:00 SRC=4.255.202.210
DST=64.142.50.224 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=29662 DF PROTO=TCP
SPT=1896 DPT=139 WINDOW=8760 RES=0x00 SYN URGP=0 

From a different machine with an ath0, an even longer MAC address gets printed.
(This MAC address should win a prize for length!)

Feb  2 19:32:59 ancho kernel: iptables: NEW: IN=ath0 OUT=
MAC=00:15:6d:10:33:2c:00:e0:81:56:8d:66:08:00:45:00:00:3c:e9:96:40:00:40:06:46:6e:c0:53:c5:01:c0:53:c5:0e:03:32:8e:70:4f:18:d9:ca:00:00:00:00:a0:02:16:d0:2f:01:00:00:02:04:05:b4:04:02:08:0a:00:dd:3c:17:00:00:00:00:01:03:03:05:5e:32:ac:ff:0a:76:39:9d:28:07:33:96:00:00
SRC=192.83.197.1 DST=192.83.197.14 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59798 DF
PROTO=TCP SPT=818 DPT=36464 WINDOW=5840 RES=0x00 SYN URGP=0 

Expected results:

The correct MAC address in the above eth1 case should have been
MAC=00:02:3b:01:45:57 .  The ath0 one should have been MAC=00:E0:81:56:8D:66 .

Additional info:
Note, this is a 64-bit kernel.  More sizeof(something) confusion?
Comment 1 Thomas Woerner 2007-09-10 04:48:46 EDT
Please have a look at iptables-1.3.8-2.fc6 in testing.
Comment 2 Thomas Woerner 2007-09-26 11:58:57 EDT
Can you please verify if the update fixes your problem?
Comment 3 Thomas Woerner 2007-10-02 07:58:28 EDT
This is a netfilter kernel problem.

Assigning to kernel.
Comment 4 Chuck Ebbert 2007-10-02 18:04:39 EDT
It is printing the MAC header from the packet: src address, dest address, and
protocol ID. And wireless uses very large addresses in its headers internally...
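
An added example, not part of the original report or of netfilter's code: a parser that splits the MAC= field of an iptables LOG line into the on-wire Ethernet header fields (destination address, source address, EtherType) and returns any surplus octets separately, checking whether they are the start of the IPv4 header already logged as LEN=. The function names and the truncated ath0 sample are constructed for illustration.

```python
import re

# Constructed samples: the two log entries from this report joined onto one
# line each; the ath0 MAC= value is truncated to its first 18 octets.
ETH1 = ("kernel: iptables: scanning: IN=eth1 OUT= "
        "MAC=00:e0:81:56:8d:67:00:02:3b:01:45:57:08:00 "
        "SRC=4.255.202.210 DST=64.142.50.224 LEN=48 PROTO=TCP SPT=1896 DPT=139")
ATH0 = ("kernel: iptables: NEW: IN=ath0 OUT= "
        "MAC=00:15:6d:10:33:2c:00:e0:81:56:8d:66:08:00:45:00:00:3c "
        "SRC=192.83.197.1 DST=192.83.197.14 LEN=60 PROTO=TCP SPT=818 DPT=36464")

MAC_FIELD = re.compile(r"\bMAC=((?:[0-9a-fA-F]{2}:)*[0-9a-fA-F]{2})(?=\s|$)")
ETH_HLEN = 14  # 6 bytes destination + 6 bytes source + 2 bytes EtherType


def parse_log_mac(line):
    """Split the MAC= field of a LOG line into Ethernet header parts.

    Returns None if the field is empty, missing, or shorter than 14 octets.
    Octets past the Ethernet header are returned as bytes under "extra".
    """
    m = MAC_FIELD.search(line)
    if not m:
        return None
    octets = [int(o, 16) for o in m.group(1).split(":")]
    if len(octets) < ETH_HLEN:
        return None
    fmt = lambda part: ":".join(f"{b:02x}" for b in part)
    return {
        "dst_mac": fmt(octets[0:6]),      # address the frame was sent to
        "src_mac": fmt(octets[6:12]),     # address of the sending station
        "ethertype": (octets[12] << 8) | octets[13],  # 0x0800 = IPv4
        "extra": bytes(octets[ETH_HLEN:]),
    }


def extra_is_ipv4_header(parsed, logged_len):
    """True if the surplus octets start an IPv4 header whose total-length
    field equals the LEN= value logged on the same line."""
    extra = parsed["extra"]
    return (len(extra) >= 4 and extra[0] >> 4 == 4
            and int.from_bytes(extra[2:4], "big") == logged_len)


if __name__ == "__main__":
    for line in (ETH1, ATH0):
        print(parse_log_mac(line))
```

When matching log entries against a known-host list, compare on `src_mac` for packets logged with IN= set; a line with an empty `MAC=` field yields `None`.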