Description of problem:
The MAC address printed to syslog from the LOG directive makes no sense. It is much too big. Ethernet MAC addresses are 6 pairs of hex digits.

Feb 6 10:35:33 arbol kernel: iptables: scanning: IN=eth1 OUT= MAC=00:e0:81:56:8d:67:00:02:3b:01:45:57:08:00 SRC=4.255.202.210 DST=64.142.50.224 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=29662 DF PROTO=TCP SPT=1896 DPT=139 WINDOW=8760 RES=0x00 SYN URGP=0

Version-Release number of selected component (if applicable):
iptables-1.3.5-1.2.1

How reproducible:
always

Steps to Reproduce:
1. Before the final REJECT rule in RH-Firewall-1-INPUT add:
   -A RH-Firewall-1-INPUT -j LOG --log-prefix "iptables: scanning: "
2. Wait till some turkey scans the system.
3. Look in /var/log/messages for the log entry. Notice the MAC address.

Actual results:
Feb 6 10:35:33 arbol kernel: iptables: scanning: IN=eth1 OUT= MAC=00:e0:81:56:8d:67:00:02:3b:01:45:57:08:00 SRC=4.255.202.210 DST=64.142.50.224 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=29662 DF PROTO=TCP SPT=1896 DPT=139 WINDOW=8760 RES=0x00 SYN URGP=0

From a different machine with an ath0, an even longer MAC address gets printed. (This MAC address should win a prize for length!)

Feb 2 19:32:59 ancho kernel: iptables: NEW: IN=ath0 OUT= MAC=00:15:6d:10:33:2c:00:e0:81:56:8d:66:08:00:45:00:00:3c:e9:96:40:00:40:06:46:6e:c0:53:c5:01:c0:53:c5:0e:03:32:8e:70:4f:18:d9:ca:00:00:00:00:a0:02:16:d0:2f:01:00:00:02:04:05:b4:04:02:08:0a:00:dd:3c:17:00:00:00:00:01:03:03:05:5e:32:ac:ff:0a:76:39:9d:28:07:33:96:00:00 SRC=192.83.197.1 DST=192.83.197.14 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59798 DF PROTO=TCP SPT=818 DPT=36464 WINDOW=5840 RES=0x00 SYN URGP=0

Expected results:
The correct MAC address in the above eth1 case should have been MAC=00:02:3b:01:45:57. The ath0 one should have been MAC=00:E0:81:56:8D:66.

Additional info:
Note, this is a 64-bit kernel. More sizeof(something) confusion?
Please have a look at iptables-1.3.8-2.fc6 in testing.
Can you please verify if the update fixes your problem?
This is a netfilter kernel problem. Assigning to kernel.
It is printing the MAC header from the packet: src address, dest address, and protocol ID. And wireless uses very large addresses in its headers internally...
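Added example, not part of the original report or of any comment above: a small parser that splits the MAC= field of a LOG line into its parts when triaging such entries. It assumes the first 14 bytes are an Ethernet II header (destination address, source address, EtherType) and counts anything beyond that as extra bytes; the function name and the second sample line are constructed for illustration.

```python
import re

# MAC= field of a netfilter LOG line; the field may be empty.
MAC_FIELD = re.compile(
    r"\bMAC=((?:[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2})*)?)(?=\s|$)"
)
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}


def split_mac_field(log_line):
    """Split MAC= into destination, source and EtherType.

    Assumption: the first 14 bytes are an Ethernet II header.
    Returns None if the field is missing, empty or shorter than that.
    """
    m = MAC_FIELD.search(log_line)
    if not m or not m.group(1):
        return None
    octets = m.group(1).lower().split(":")
    if len(octets) < 14:
        return None
    ethertype = int(octets[12] + octets[13], 16)
    return {
        "dst": ":".join(octets[0:6]),    # address the frame was sent to
        "src": ":".join(octets[6:12]),   # address of the sender
        "ethertype": ethertype,
        "proto": ETHERTYPES.get(ethertype, "unknown"),
        "extra_bytes": len(octets) - 14,  # bytes dumped past the header
    }


# eth1 line from the report, trailing fields shortened.
ETH1_LINE = (
    "Feb 6 10:35:33 arbol kernel: iptables: scanning: IN=eth1 OUT= "
    "MAC=00:e0:81:56:8d:67:00:02:3b:01:45:57:08:00 "
    "SRC=4.255.202.210 DST=64.142.50.224 LEN=48 PROTO=TCP SPT=1896 DPT=139"
)
# Constructed line: 14-byte header followed by 4 extra dumped bytes.
LONG_LINE = (
    "kernel: IN=wlan0 OUT= "
    "MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00:45:00:00:3c "
    "SRC=192.0.2.1 DST=192.0.2.14 LEN=60 PROTO=TCP"
)

if __name__ == "__main__":
    for line in (ETH1_LINE, LONG_LINE):
        print(split_mac_field(line))
```

For the eth1 line the "src" value is the address the reporter expected to see on its own.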