
Bug 227535

Summary: iptables prints incorrect MAC address in LOG directive
Product: [Fedora] Fedora
Reporter: Wolfgang Rupprecht <wolfgang.rupprecht>
Component: kernel
Assignee: Kernel Maintainer List <kernel-maint>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: 6
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Last Closed: 2007-10-02 22:04:39 UTC

Description Wolfgang Rupprecht 2007-02-06 18:58:44 UTC
Description of problem:

The MAC address printed to syslog from the LOG directive makes no sense. It is
much too big. Ethernet MAC addresses are 6 pairs of hex digits.

Feb  6 10:35:33 arbol kernel: iptables: scanning: IN=eth1 OUT=
MAC=00:e0:81:56:8d:67:00:02:3b:01:45:57:08:00 SRC=4.255.202.210
DST=64.142.50.224 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=29662 DF PROTO=TCP
SPT=1896 DPT=139 WINDOW=8760 RES=0x00 SYN URGP=0 

Version-Release number of selected component (if applicable):
iptables-1.3.5-1.2.1

How reproducible:
always

Steps to Reproduce:
1. Before the final REJECT rule in RH-Firewall-1-INPUT add:
   -A RH-Firewall-1-INPUT -j LOG --log-prefix "iptables: scanning: "
2. Wait till some turkey scans the system.
3. Look in /var/log/messages for the log entry.  Notice the MAC address.
  
Actual results:

Feb  6 10:35:33 arbol kernel: iptables: scanning: IN=eth1 OUT=
MAC=00:e0:81:56:8d:67:00:02:3b:01:45:57:08:00 SRC=4.255.202.210
DST=64.142.50.224 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=29662 DF PROTO=TCP
SPT=1896 DPT=139 WINDOW=8760 RES=0x00 SYN URGP=0 

From a different machine with an ath0, an even longer MAC address gets printed.
(This MAC address should win a prize for length!)

Feb  2 19:32:59 ancho kernel: iptables: NEW: IN=ath0 OUT=
MAC=00:15:6d:10:33:2c:00:e0:81:56:8d:66:08:00:45:00:00:3c:e9:96:40:00:40:06:46:6e:c0:53:c5:01:c0:53:c5:0e:03:32:8e:70:4f:18:d9:ca:00:00:00:00:a0:02:16:d0:2f:01:00:00:02:04:05:b4:04:02:08:0a:00:dd:3c:17:00:00:00:00:01:03:03:05:5e:32:ac:ff:0a:76:39:9d:28:07:33:96:00:00
SRC=192.83.197.1 DST=192.83.197.14 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59798 DF
PROTO=TCP SPT=818 DPT=36464 WINDOW=5840 RES=0x00 SYN URGP=0 

Expected results:

The correct MAC address in the above eth1 case should have been
MAC=00:02:3b:01:45:57 .  The ath0 one should have been MAC=00:E0:81:56:8D:66 .

Additional info:
Note, this is a 64-bit kernel.  More sizeof(something) confusion?

Comment 1 Thomas Woerner 2007-09-10 08:48:46 UTC
Please have a look at iptables-1.3.8-2.fc6 in testing.

Comment 2 Thomas Woerner 2007-09-26 15:58:57 UTC
Can you please verify if the update fixes your problem?

Comment 3 Thomas Woerner 2007-10-02 11:58:28 UTC
This is a netfilter kernel problem.

Assigning to kernel.

Comment 4 Chuck Ebbert 2007-10-02 22:04:39 UTC
It is printing the MAC header from the packet: src address, dest address, and
protocol ID. And wireless uses very large addresses in its headers internally...
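
An added example (not part of the bug report or of netfilter): a small Python parser that splits the `MAC=` field of a LOG line by the Ethernet II header layout (6-byte destination address, 6-byte source address, 2-byte EtherType) and counts any bytes logged beyond those 14. The function name `parse_log_mac` and the sample line (the eth1 entry from the report, joined onto one line and shortened) are assumptions for illustration.

```python
import re

# Constructed sample: the eth1 entry from the report, joined and shortened.
SAMPLE = ("Feb  6 10:35:33 arbol kernel: iptables: scanning: IN=eth1 OUT= "
          "MAC=00:e0:81:56:8d:67:00:02:3b:01:45:57:08:00 SRC=4.255.202.210 "
          "DST=64.142.50.224 LEN=48 PROTO=TCP SPT=1896 DPT=139")

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
# MAC= followed by colon-separated hex octets; the value may be empty.
MAC_FIELD = re.compile(r"\bMAC=((?:[0-9a-fA-F]{2}:)*[0-9a-fA-F]{2})?(?=\s|$)")


def parse_log_mac(line):
    """Split the MAC= field of a netfilter LOG line into header parts.

    Returns None when the field is absent or empty, otherwise a dict with
    dst, src, ethertype and the number of bytes logged past the 14-byte
    Ethernet header.
    """
    m = MAC_FIELD.search(line)
    if not m or not m.group(1):
        return None
    octets = m.group(1).lower().split(":")
    if len(octets) < 14:
        # Shorter than an Ethernet header: do not guess at its layout.
        return {"raw": ":".join(octets), "dst": None, "src": None,
                "ethertype": None, "extra_bytes": 0}
    etype = int(octets[12] + octets[13], 16)
    return {
        "raw": ":".join(octets),
        "dst": ":".join(octets[0:6]),      # destination address (bytes 0-5)
        "src": ":".join(octets[6:12]),     # source address (bytes 6-11)
        "ethertype": ETHERTYPES.get(etype, hex(etype)),
        # Bytes after the header are counted, not interpreted
        # (the long ath0 field in the report is such a case).
        "extra_bytes": len(octets) - 14,
    }


if __name__ == "__main__":
    print(parse_log_mac(SAMPLE))
```

For the eth1 line the `src` value is the address the reporter expected to see; correlating on the raw `MAC=` string instead would also match on the receiving interface's own address.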