LinuxQuestions.org
Linux - Networking: This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.

#1  rupertwh (Munich, Germany; Debian / Ubuntu), 02-10-2008, 10:38 AM
iptables --mac-source now 112 bit?


Hi,

After not using my WLAN for quite a while I now found it not working. A look at the log showed that my firewall was rejecting all traffic because the MAC address wouldn't match anymore:
Code:
Feb 10 17:20:39 jodel kernel: Untrusted MAC on WLAN_IF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0e:35:58:64:43:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=50 PROTO=UDP SPT=68 DPT=67 LEN=308
Well no wonder, the MAC I'm allowing through is 00:0e:35:58:64:43, not ff:ff:ff:ff:ff:ff:00:0e:35:58:64:43:08:00.

What gives? What are all those extra bytes in the MAC address? Do I simply adapt all my firewalls accordingly and pretend nothing happened?

(Kernel is 2.6.18 on Debian Etch)
 
#2  blackhole54, 02-11-2008, 12:50 AM
I don't know why your firewall is rejecting WLAN traffic or why the first 6 octets of the reported "address" are all ones. But the format is just the way netfilter reports things, and TMK always has. I just checked this out on my system: the first 6 octets are the MAC address of the ethernet interface receiving the packet (i.e. the local MAC address) and the next 6 octets are the MAC address of the ethernet interface sending the packet. I don't know what the last two octets represent, but on my machine they are 08:00 just like on your machine.

I don't know why the log is reporting your local MAC address as all ones or if this has anything to do with the packets being rejected. But the logged format is the same as on my machine and I just verified that my machine is matching correctly on the 6 octets of the sender's MAC address:

Code:
iptables ... -m mac --mac-source XX:XX:XX:XX:XX:XX ...
(My test was on Ubuntu edgy with a 2.6.17 kernel.)

Last edited by blackhole54; 02-11-2008 at 01:08 AM. Reason: clarification that --mac-source uses 6 octets
 
#3  rupertwh (original poster), 02-11-2008, 06:07 AM
Thank you, you're right. I had been jumping to conclusions.

The reason traffic was rejected was actually an 'enhancement' I had made to my MAC-filter rule (and forgotten about) by testing for both MAC and src IP. Which broke DHCP of course -- but was OK as long as the client kept his IP address. Silly me. ;o)

As to the all 1's, maybe that depends on the NIC/driver? It's a 3com 3c905. I made a test on a different interface (Realtek) and got my own MAC, as you described. But I won't worry about that...
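An added example, not code from either poster, that reads the LOG line quoted in post #1 field by field and then replays the rule change rupertwh describes in post #3. The MAC= field printed by the netfilter LOG target is the raw 14-byte Ethernet header: destination MAC (6 octets), source MAC (6 octets) and EtherType (2 octets; 08:00 is IPv4), so `-m mac --mac-source` is compared against the middle six octets only. A destination of ff:ff:ff:ff:ff:ff is the Ethernet broadcast address, which is exactly what a DHCP DISCOVER sent from 0.0.0.0 to 255.255.255.255 carries, so the all-ones prefix is a property of that packet, not of the 3c905. The second log line, the trusted lease address 192.168.1.50, the firewall NIC address and the INPUT chain (consistent with the empty OUT= in the quoted line) are constructed assumptions; the script prints the iptables commands instead of running them, so it needs no root.

```shell
#!/bin/sh
# Added example (not from the thread). Dissects the MAC= field of a netfilter
# LOG line and replays the MAC-only vs. MAC-and-IP rule sets from post #3.
# Runs without root: the iptables commands are printed, not executed.
set -eu

# Constructed sample 1: the DHCP DISCOVER quoted in post #1 (verbatim).
DHCP_LINE='Feb 10 17:20:39 jodel kernel: Untrusted MAC on WLAN_IF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0e:35:58:64:43:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=50 PROTO=UDP SPT=68 DPT=67 LEN=308'
# Constructed sample 2 (assumed, not from the thread): the same client after it
# got a lease, opening SSH to the firewall. Destination MAC is now the
# firewall's own NIC rather than broadcast.
SSH_LINE='Feb 10 17:21:02 jodel kernel: Untrusted MAC on WLAN_IF: IN=eth0 OUT= MAC=00:50:da:12:34:56:00:0e:35:58:64:43:08:00 SRC=192.168.1.50 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1234 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0'

TRUSTED_MAC=00:0e:35:58:64:43   # from the thread
TRUSTED_IP=192.168.1.50         # assumed lease address
CHAIN=INPUT                     # assumed; empty OUT= means the packet was for this host

# Print the value of KEY= in a LOG line ($1 = line, $2 = key); empty if absent.
# "LEN=" appears twice in the sample; the first (IP total length) wins.
log_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Split the 14-octet MAC= field into "dst src ethertype".
mac_fields() {
    mac=$(log_field "$1" MAC)
    printf '%s %s %s\n' \
        "$(printf '%s' "$mac" | cut -d: -f1-6)" \
        "$(printf '%s' "$mac" | cut -d: -f7-12)" \
        "$(printf '%s' "$mac" | cut -d: -f13-14)"
}

# Source MAC alone: the octets -m mac --mac-source is compared against.
mac_source() { mac_fields "$1" | cut -d' ' -f2; }

# Post #3's "enhanced" rule: MAC and source IP must both match. A DHCP
# DISCOVER has SRC=0.0.0.0, so it can never pass and the lease never renews.
decide_mac_and_ip() {   # $1 line, $2 trusted MAC, $3 trusted IP
    if [ "$(mac_source "$1")" = "$2" ] && [ "$(log_field "$1" SRC)" = "$3" ]; then
        echo ACCEPT
    else
        echo DROP
    fi
}

# Fixed ordering: DHCP client->server (UDP 68->67) on trusted MAC alone first,
# then MAC and IP together for everything else.
decide_fixed() {        # $1 line, $2 trusted MAC, $3 trusted IP
    if [ "$(mac_source "$1")" != "$2" ]; then
        echo DROP
    elif [ "$(log_field "$1" PROTO)" = UDP ] && [ "$(log_field "$1" SPT)" = 68 ] \
         && [ "$(log_field "$1" DPT)" = 67 ]; then
        echo ACCEPT
    else
        decide_mac_and_ip "$1" "$2" "$3"
    fi
}

# The iptables rules behind decide_fixed, printed for review (root needed to apply).
print_rules() {         # $1 chain, $2 interface, $3 trusted MAC, $4 trusted IP
    printf 'iptables -A %s -i %s -p udp --sport 68 --dport 67 -m mac --mac-source %s -j ACCEPT\n' "$1" "$2" "$3"
    printf 'iptables -A %s -i %s -s %s -m mac --mac-source %s -j ACCEPT\n' "$1" "$2" "$4" "$3"
    printf 'iptables -A %s -i %s -j LOG --log-prefix "Untrusted MAC on WLAN_IF: "\n' "$1" "$2"
    printf 'iptables -A %s -i %s -j DROP\n' "$1" "$2"
}

# Demo
mac_fields "$DHCP_LINE"   # ff:ff:ff:ff:ff:ff 00:0e:35:58:64:43 08:00
echo "MAC+IP rule, DHCP: $(decide_mac_and_ip "$DHCP_LINE" "$TRUSTED_MAC" "$TRUSTED_IP")"   # DROP
echo "fixed rules, DHCP: $(decide_fixed "$DHCP_LINE" "$TRUSTED_MAC" "$TRUSTED_IP")"        # ACCEPT
echo "fixed rules, SSH:  $(decide_fixed "$SSH_LINE" "$TRUSTED_MAC" "$TRUSTED_IP")"         # ACCEPT
print_rules "$CHAIN" eth0 "$TRUSTED_MAC" "$TRUSTED_IP"
```

Two caveats worth keeping in mind when reading such a rule set. The DHCP exemption must come before the MAC-and-IP rule, because the client has no address yet when it asks for one, and a renewal from a client that has fallen back to 0.0.0.0 fails the same way. More importantly, `--mac-source` matches a value the sender chooses: anyone on the WLAN segment who learns the trusted MAC can set it on their own interface, so this filter keeps out misconfigured or casual devices but is not authentication. Where identity matters, rely on the wireless link's own protection (WPA2 or 802.1X) or a VPN rather than on the MAC.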
 
#4  blackhole54, 02-12-2008, 12:12 AM
Quote: Originally Posted by rupertwh
As to the all 1's, maybe that depends on the NIC/driver? It's a 3com 3c905. I made a test on a different interface (Realtek) and got my own MAC, as you described. But I won't worry about that...
Hmmm. I have a machine running a 2.4 kernel with a couple of 3c905s and those log their own MACs. The mystery continues ...


Anyway, I am glad you got your problem figured out.
