
Bug#741101: ebtables: Misparses locally-originated multicast frames



Package: src:linux
Version: 3.2.51-1
Severity: normal


I was beefing up the filtering on a VM host, to do source-address
checking on outbound packets when I noticed these surprising log
messages from the kernel (reformatted for easier reading).

| 2014-03-08T13:03:57+00:00 fender kernel: [8562504.500373] fw: bcp38(br)
|	IN= OUT=bond0 
|	MAC source = 00:1e:67:15:06:23 MAC dest = 01:00:5e:00:00:01
|	proto = 0x0800 IP SRC=8.0.70.192 IP DST=0.32.0.0,
|	IP tos=0x00, IP proto=21
| 2014-03-08T13:03:57+00:00 fender kernel: [8562504.500404] fw: bcp38(br)
|	IN= OUT=bond0
|	MAC source = 00:1e:67:15:06:23 MAC dest = 33:33:00:00:00:01
|	proto = 0x86dd
|	IPv6 SRC=6715:0623:86dd:6000:0000:0020:0001:fe80
|	IPv6 DST=0000:0000:0000:021e:67ff:fe15:0623:ff02,
|	IPv6 priority=0x3, Next Header=0

These were being reported every two minutes or so.

The addresses are definitely foreign, and appear to be nonsense; IP
protocol 21 is also surprising.

I captured packets and managed to correlate the capture with my logs.
I'll try to attach the Wireshark pcap file to this report, but here's
tshark's summary anyway:

|   1 2014-03-08 13:03:57.508035000      0.0.0.0 -> 224.0.0.1
|	IGMPv2 46 Membership Query, general
|
| 0000  01 00 5e 00 00 01 00 1e 67 15 06 23 08 00 46 c0   ..^.....g..#..F.
| 0010  00 20 00 00 40 00 01 02 04 17 00 00 00 00 e0 00   . ..@...........
| 0020  00 01 94 04 00 00 11 64 ee 9b 00 00 00 00         .......d......
|
|   2 2014-03-08 13:03:57.508065000 fe80::21e:67ff:fe15:623 -> ff02::1
|	ICMPv6 86 Multicast Listener Query
|
| 0000  33 33 00 00 00 01 00 1e 67 15 06 23 86 dd 60 00   33......g..#..`.
| 0010  00 00 00 20 00 01 fe 80 00 00 00 00 00 00 02 1e   ... ............
| 0020  67 ff fe 15 06 23 ff 02 00 00 00 00 00 00 00 00   g....#..........
| 0030  00 00 00 00 00 01 3a 00 05 02 00 00 00 00 82 00   ......:.........
| 0040  ea c1 27 10 00 00 00 00 00 00 00 00 00 00 00 00   ..'.............
| 0050  00 00 00 00 00 00                                 ......

Now things become a little clearer.  The reported source address
8.0.70.192 in the first packet comes from the end of the Ethernet
frame (the type field, 0x0800 for IPv4) and the start of the IP header
(version, length, and TOS); similarly, the reported destination
address 0.32.0.0 comes from the total length and identification fields.

Working back, it becomes clear that ebtables has been reading these
fields assuming that the IP header begins at the start of the packet,
entirely ignoring the Ethernet frame.  The same has happened with the
IPv6 packet, which shouldn't have been reported at all because my
rules have an exception for fe80::/10, so it's clear that this
misparsing isn't just happening at presentation time.

I've not noticed other packets being misparsed in this way, but I
can't rule out the possibility.

-- [mdw]


-- Package-specific info:
** Version:
Linux version 3.2.0-4-amd64 (debian-kernel@lists.debian.org) (gcc version 4.6.3 (Debian 4.6.3-14) ) #1 SMP Debian 3.2.51-1

** Command line:
BOOT_IMAGE=/vmlinuz-3.2.0-4-amd64 root=/dev/mapper/vg--fender-root ro console=tty0 console=ttyS0,9600n8 quiet

** Not tainted

** Network interface configuration:


auto lo
iface lo inet loopback


auto bond0
iface bond0 inet manual
	bond-slaves eth0 eth1
	bond-miimon 100
	bond-mode active-backup
	bond-primary eth0 eth1

auto br-jump
iface br-jump inet static

	bridge-ports bond0 [...]

	address 212.13.198.69
	netmask 255.255.255.240
	broadcast 212.13.198.79
	gateway 212.13.198.65

iface br-jump inet6 static
	address 2001:ba8:0:1d9::2
	netmask 64
	gateway 2001:ba8:0:1d9::1


-- System Information:
Debian Release: 7.4
  APT prefers stable
  APT policy: (990, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages linux-image-3.2.0-4-amd64 depends on:
ii  debconf [debconf-2.0]                   1.5.49
ii  initramfs-tools [linux-initramfs-tool]  0.109.1
ii  kmod                                    9-3
ii  linux-base                              3.5
ii  module-init-tools                       9-3

Versions of packages linux-image-3.2.0-4-amd64 recommends:
pn  firmware-linux-free  <none>

Versions of packages linux-image-3.2.0-4-amd64 suggests:
pn  debian-kernel-handbook  <none>
ii  grub-pc                 1.99-27+deb7u2
ii  linux-doc-3.2           3.2.54-2

Versions of packages linux-image-3.2.0-4-amd64 is related to:
pn  firmware-atheros        <none>
pn  firmware-bnx2           <none>
pn  firmware-bnx2x          <none>
pn  firmware-brcm80211      <none>
pn  firmware-intelwimax     <none>
pn  firmware-ipw2x00        <none>
pn  firmware-ivtv           <none>
pn  firmware-iwlwifi        <none>
pn  firmware-libertas       <none>
pn  firmware-linux          <none>
pn  firmware-linux-nonfree  <none>
pn  firmware-myricom        <none>
pn  firmware-netxen         <none>
pn  firmware-qlogic         <none>
pn  firmware-ralink         <none>
pn  firmware-realtek        <none>
pn  xen-hypervisor          <none>

-- debconf information:
  linux-image-3.2.0-4-amd64/postinst/depmod-error-initrd-3.2.0-4-amd64: false
  linux-image-3.2.0-4-amd64/prerm/removing-running-kernel-3.2.0-4-amd64: true
  linux-image-3.2.0-4-amd64/postinst/ignoring-ramdisk:
  linux-image-3.2.0-4-amd64/postinst/missing-firmware-3.2.0-4-amd64:

Attachment: ebtables-misparse.cap
Description: Binary data
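
The misparse described in the report can be reproduced from the hex dump alone. The following is an added example, not part of the original report or of the kernel's code: it reads the IP header fields of both captured frames once at frame offset 0 (the reporter's explanation of what ebtables did) and once after the 14-byte Ethernet header, and applies the fe80::/10 exception the report mentions. Function and constant names are illustrative.

```python
import ipaddress

ETH_HLEN = 14  # destination MAC (6) + source MAC (6) + EtherType (2)


def _hex(dump):
    """Turn whitespace-separated hex bytes into a bytes object."""
    return bytes.fromhex("".join(dump.split()))


# The two frames, copied from the tshark hex dump in the report.
IGMP_FRAME = _hex("""
    01 00 5e 00 00 01 00 1e 67 15 06 23 08 00 46 c0
    00 20 00 00 40 00 01 02 04 17 00 00 00 00 e0 00
    00 01 94 04 00 00 11 64 ee 9b 00 00 00 00
""")
MLD_FRAME = _hex("""
    33 33 00 00 00 01 00 1e 67 15 06 23 86 dd 60 00
    00 00 00 20 00 01 fe 80 00 00 00 00 00 00 02 1e
    67 ff fe 15 06 23 ff 02 00 00 00 00 00 00 00 00
    00 00 00 00 00 01 3a 00 05 02 00 00 00 00 82 00
    ea c1 27 10 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00
""")

LINK_LOCAL = ipaddress.ip_network("fe80::/10")  # exception named in the report


def parse_ipv4(frame, offset):
    """Read IPv4 fields, treating frame[offset] as the first header byte."""
    h = frame[offset:offset + 20]
    return {"src": str(ipaddress.IPv4Address(h[12:16])),
            "dst": str(ipaddress.IPv4Address(h[16:20])),
            "tos": h[1], "proto": h[9]}


def parse_ipv6(frame, offset):
    """Read IPv6 fields, treating frame[offset] as the first header byte."""
    h = frame[offset:offset + 40]
    src = ipaddress.IPv6Address(h[8:24])
    dst = ipaddress.IPv6Address(h[24:40])
    return {"src": src.exploded, "dst": dst.exploded, "next_header": h[6],
            "link_local_src": src in LINK_LOCAL}


if __name__ == "__main__":
    for label, off in (("offset 0 (as logged)", 0), ("offset 14 (correct)", ETH_HLEN)):
        print(label, parse_ipv4(IGMP_FRAME, off))
        print(label, parse_ipv6(MLD_FRAME, off))
```

At offset 0 the output matches the kernel log lines field for field, and the IPv6 source no longer falls inside fe80::/10, which is why the exception rule did not match.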

