severity 355285 normal
tags 355285 moreinfo unreproducible
thanks

On Sat, Mar 04, 2006 at 07:16:18PM +0100, Hansgeorg Schwibbe wrote:
> After some uptime the MAC addresses of my iptables filter are changing.
> I am using Debian GNU/Linux 3.1, kernel 2.4.27-2-k7

This can't be a bug in the iptables package; the iptables package contains
only userspace tools for editing the iptables rules, and if you haven't
invoked /sbin/iptables then iptables is not to blame. If the rules are being
corrupted, that seems to be a kernel bug.

> // The rules after startup are the following:

Let's trim this to just the parts that have changed.

> Chain INPUT (policy DROP)
> target     prot opt source               destination
[...]
> ACCEPT     tcp  --  anywhere             anywhere            MAC 00:13:D3:FD:20:FA tcp dpts:3128:icpv2
> ACCEPT     udp  --  anywhere             anywhere            MAC 00:13:D3:FD:20:FA udp dpts:3128:icpv2
[...]
> Chain FORWARD (policy DROP)
> target     prot opt source               destination
[...]
> ACCEPT     all  --  anywhere             anywhere            MAC 00:13:D3:FD:20:FA
[...]
> // But after some uptime the MAC addresses of the iptables filter are
> changing and the computers are unable to access the proxy server: //
> Chain INPUT (policy DROP)
> target     prot opt source               destination
[...]
> ACCEPT     tcp  --  anywhere             anywhere            MAC 00:05:5D:F5:E8:FF tcp dpts:3128:icpv2
> ACCEPT     udp  --  anywhere             anywhere            MAC 00:05:5D:F5:E8:FF udp dpts:3128:icpv2
> ACCEPT     tcp  --  anywhere             anywhere            MAC 00:05:5D:F6:10:BD tcp dpts:3128:icpv2
> ACCEPT     tcp  --  anywhere             anywhere            MAC 00:05:5D:F6:10:BD tcp dpts:3128:icpv2
[...]
> Chain FORWARD (policy DROP)
> target     prot opt source               destination
> TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN tcpmss match 1400:1536 TCPMSS clamp to PMTU
[...]
> ACCEPT     all  --  anywhere             anywhere            MAC 00:05:5D:F5:E8:FF
> ACCEPT     all  --  anywhere             anywhere            MAC 00:05:5D:F6:10:BD
[...]

So what's unusual here is not just that the *number* of MAC addresses has
changed, but that you're also getting an added TCPMSS rule in your FORWARD
chain. You've either found a *very* bad kernel bug, or something else on your
system is overwriting these rules. Either way, it's not a bug in iptables
itself. And it's much more likely to be something else on your system, rather
than a kernel bug.
It's been suggested to me that the TCPMSS rule may come from a pppoe-related
package. Are you using PPPoE on this system?

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/
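The reply above argues that a rule set which gains new MAC addresses and a TCPMSS rule is being rewritten by something in userspace, not corrupted by the kernel. The POSIX shell script below is an added example, not part of bug #355285, of the reporter's setup or of the iptables package: it shows the check a practitioner would run to confirm that. It normalises two `iptables-save -c` snapshots (timestamps and packet counters stripped), diffs them as multisets so added and removed rules stand out, and scans a hook directory such as /etc/ppp/ip-up.d for scripts that invoke iptables. The two snapshots and the two hook scripts are constructed to mirror the listings in the report (the `icpv2` service name shown by `iptables -L` is port 3130 in save format); the file names, the hook directory and the `write_samples` helper are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of bug #355285 or of the iptables package.
# Confirms that a live rule set is being rewritten from userspace:
#  1. normalise two `iptables-save -c` snapshots (drop timestamps and counters),
#  2. diff them as multisets so added (+) and removed (-) rules stand out,
#  3. scan a hook directory such as /etc/ppp/ip-up.d for scripts calling iptables.
# All sample data below is constructed, not captured from the reporter's host.
export LC_ALL=C

# normalize_rules < snapshot: drop the "# Generated by"/"# Completed on"
# comment lines, strip leading "[pkts:bytes]" rule counters and trailing
# chain-policy counters, then sort so the result can be fed to comm(1).
normalize_rules() {
    sed -e '/^# Generated by/d' -e '/^# Completed on/d' \
        -e 's/^\[[0-9]*:[0-9]*\] //' \
        -e 's/ \[[0-9]*:[0-9]*\]$//' | sort
}

# rules_delta BASELINE CURRENT: print "- rule" for lines only in BASELINE and
# "+ rule" for lines only in CURRENT; prints nothing when the sets are equal.
rules_delta() {
    base_n=$(mktemp) || return 1
    cur_n=$(mktemp) || return 1
    normalize_rules < "$1" > "$base_n"
    normalize_rules < "$2" > "$cur_n"
    # comm -3 keeps only differing lines: column 2 (only in CURRENT) arrives
    # tab-indented, column 1 (only in BASELINE) does not. Duplicated rules
    # are reported once per copy because comm compares multisets.
    comm -3 "$base_n" "$cur_n" |
        awk -F'\t' 'NF == 2 { print "+ " $2; next } { print "- " $1 }'
    rm -f "$base_n" "$cur_n"
}

# find_rule_writers DIR: list scripts under DIR that mention iptables, which
# is where a PPP/PPPoE hook that re-installs the firewall would live.
find_rule_writers() {
    grep -rl 'iptables' "$1" 2>/dev/null | sort
}

# write_samples DIR: constructed data. A boot-time snapshot; a later snapshot
# in which the MAC addresses changed, one rule is duplicated and a TCPMSS rule
# appeared; and two fake ip-up.d hooks, only one of which touches iptables.
write_samples() {
    cat > "$1/baseline.rules" <<'EOF'
# Generated by iptables-save v1.2.11 on Sat Mar  4 19:00:00 2006
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
[12:840] -A INPUT -p tcp -m mac --mac-source 00:13:D3:FD:20:FA -m tcp --dport 3128:3130 -j ACCEPT
[3:210] -A INPUT -p udp -m mac --mac-source 00:13:D3:FD:20:FA -m udp --dport 3128:3130 -j ACCEPT
[99:7000] -A FORWARD -m mac --mac-source 00:13:D3:FD:20:FA -j ACCEPT
COMMIT
# Completed on Sat Mar  4 19:00:00 2006
EOF
    cat > "$1/current.rules" <<'EOF'
# Generated by iptables-save v1.2.11 on Sun Mar  5 08:30:00 2006
*filter
:INPUT DROP [7:420]
:FORWARD DROP [2:96]
:OUTPUT ACCEPT [0:0]
[0:0] -A INPUT -p tcp -m mac --mac-source 00:05:5D:F5:E8:FF -m tcp --dport 3128:3130 -j ACCEPT
[0:0] -A INPUT -p udp -m mac --mac-source 00:05:5D:F5:E8:FF -m udp --dport 3128:3130 -j ACCEPT
[0:0] -A INPUT -p tcp -m mac --mac-source 00:05:5D:F6:10:BD -m tcp --dport 3128:3130 -j ACCEPT
[0:0] -A INPUT -p tcp -m mac --mac-source 00:05:5D:F6:10:BD -m tcp --dport 3128:3130 -j ACCEPT
[41:2460] -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -m mac --mac-source 00:05:5D:F5:E8:FF -j ACCEPT
[0:0] -A FORWARD -m mac --mac-source 00:05:5D:F6:10:BD -j ACCEPT
COMMIT
# Completed on Sun Mar  5 08:30:00 2006
EOF
    mkdir -p "$1/ip-up.d"
    printf '#!/bin/sh\n/sbin/iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu\n' \
        > "$1/ip-up.d/00-fake-firewall"
    printf '#!/bin/sh\nlogger "ppp link up"\n' > "$1/ip-up.d/01-fake-logger"
}

# Stand-alone demo: a non-empty delta plus a hook script that calls iptables
# is the userspace rewrite the reply suspects, not a kernel corrupting the table.
sample_dir=$(mktemp -d)
write_samples "$sample_dir"
echo "== rule delta (baseline -> current) =="
rules_delta "$sample_dir/baseline.rules" "$sample_dir/current.rules"
echo "== scripts under ip-up.d that invoke iptables =="
find_rule_writers "$sample_dir/ip-up.d"
rm -rf "$sample_dir"
```

On a real host, replace `write_samples` with `iptables-save -c > baseline.rules` at boot and a cron job that writes `current.rules` every few minutes; the first run with a non-empty delta pins down when the rewrite happens, and `find_rule_writers /etc/ppp/ip-up.d` (or any other hook directory the connection scripts use) shows who does it. Normalising away the counters matters: without it every snapshot differs and the real change is buried.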