Today I noticed that the log on our gateway lost some detail for IPIP traffic. (now that everyone is discussing trouble with tunneled packets...)
In the past, with Linux kernel 3.2 and 3.16, when a packet incoming over tunl0 hit a LOG target in the iptables firewall, it would log, as the MAC address, the entire IP header as hex bytes (colon separated), like this:
Apr 16 07:39:13 gw-44-137 kernel: [1266597.275238] Packet DROP: IN=tunl0 OUT=eth1 MAC=45:00:00:44:10:f9:00:00:f9:04:e9:f9:54:6a:7e:b8:d5:de:1d:c2:45:00:00:30:64:21:40:00:7e:06:29:1a:c0:a8:58:0a:2c:89:2a:51:e9:c0:14:66:1f:fa:64:c8:00:00:00:00:70:02:20:00:70:a9:00:00:02:04:05:b4:01:01:04:02:c8:78:03:6b:1a:74:bd:29:37:8d:da:27:61:d7:2f:22:b0:b5:2b:b8:b4:61:3a:60:08:23:48:1b:26:15:57:80:00:00:85:ec:03:32:df:df:85:46:bb:b3:40:e4:0f:df:4b:3d:93:e0:ed:f3:46:d4:e0:17:68:b6:dd:5d:f1:3f:1b:1e:6f:a0:f0:69:5c:28:4a:3c:24:17:20:ff:e5:97 SRC=192.168.88.10 DST=44.137.42.81 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=25633 DF PROTO=TCP SPT=59840 DPT=5222 WINDOW=8192 RES=0x00 SYN URGP=0
(wrapped)
OK, that was much too long; there was probably a bug somewhere, and the intention was to show only the outer IP header.
Recently I switched to kernel 4.9 but now the packets are logged with no info at all:
May 9 18:05:57 gw-44-137 kernel: [359091.001991] Packet DROP: IN=tunl0 OUT= MAC= SRC=192.168.15.2 DST=44.137.75.242 LEN=243 TOS=0x00 PREC=0x00 TTL=123 ID=39243 PROTO=UDP SPT=5198 DPT=5198 LEN=223
The MAC field is now simply empty. With the first format I had a small perl script that processed the log entries and showed the tunnel endpoint that was sending the packet:
Apr 16 07:39:13 gw-44-137 kernel: [1266597.275238] Packet DROP: IN=tunl0 OUT=eth1 TUNL=84.106.126.184 SRC=192.168.88.10 DST=44.137.42.81 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=25633 DF PROTO=TCP SPT=59840 DPT=5222 WINDOW=8192 RES=0x00 SYN URGP=0
However, now this is no longer possible. I have tried finding info about it but no success yet. Does anyone know if there is some parameter to tune this behaviour?
Rob
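Rob's perl script is not in the post, so the following is an added example (not the original script) of the same decoding in Python: it treats the MAC= dump as raw bytes, checks that it starts with a valid IPv4 header (version, IHL, header checksum), reads the outer source address and emits TUNL= in its place, and, because the outer protocol is 4 (IPIP), also decodes the inner header and cross-checks it against the SRC=/DST= fields of the same line. The two sample lines are the ones quoted in the post above (the 3.x one rejoined onto a single line). The TUNL=unknown marker for the empty kernel 4.9 MAC= field and the TUNL_MISMATCH flag are this example's own conventions, not anything the kernel or iptables produce.

```python
import re
import socket
import struct
from typing import Dict, Optional

# Both lines are copied from the thread (the 3.x one rejoined onto one line).
KERNEL_3X_LINE = (
    "Apr 16 07:39:13 gw-44-137 kernel: [1266597.275238] Packet DROP: IN=tunl0 OUT=eth1 "
    "MAC=45:00:00:44:10:f9:00:00:f9:04:e9:f9:54:6a:7e:b8:d5:de:1d:c2:"
    "45:00:00:30:64:21:40:00:7e:06:29:1a:c0:a8:58:0a:2c:89:2a:51:"
    "e9:c0:14:66:1f:fa:64:c8:00:00:00:00:70:02:20:00:70:a9:00:00:02:04:05:b4:01:01:04:02:"
    "c8:78:03:6b:1a:74:bd:29:37:8d:da:27:61:d7:2f:22:b0:b5:2b:b8:b4:61:3a:60:08:23:48:1b:"
    "26:15:57:80:00:00:85:ec:03:32:df:df:85:46:bb:b3:40:e4:0f:df:4b:3d:93:e0:ed:f3:46:d4:"
    "e0:17:68:b6:dd:5d:f1:3f:1b:1e:6f:a0:f0:69:5c:28:4a:3c:24:17:20:ff:e5:97 "
    "SRC=192.168.88.10 DST=44.137.42.81 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=25633 DF "
    "PROTO=TCP SPT=59840 DPT=5222 WINDOW=8192 RES=0x00 SYN URGP=0"
)
KERNEL_49_LINE = (
    "May 9 18:05:57 gw-44-137 kernel: [359091.001991] Packet DROP: IN=tunl0 OUT= MAC= "
    "SRC=192.168.15.2 DST=44.137.75.242 LEN=243 TOS=0x00 PREC=0x00 TTL=123 ID=39243 "
    "PROTO=UDP SPT=5198 DPT=5198 LEN=223"
)

IPPROTO_IPIP = 4  # IANA protocol number for IP-in-IP


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the header bytes; 0 means the stored checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(raw: bytes) -> Optional[Dict[str, object]]:
    """Decode the IPv4 header at the start of raw; None if the bytes do not look like one."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4
    if ihl < 20 or len(raw) < ihl:
        return None
    _, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    return {
        "ihl": ihl,
        "total_len": total_len,
        "ttl": ttl,
        "proto": proto,
        "checksum_ok": ipv4_checksum(raw[:ihl]) == 0,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
    }


def decode_mac_field(mac_hex: str) -> Optional[Dict[str, object]]:
    """Treat the colon-separated MAC= dump as raw bytes; decode the outer header and, for IPIP, the inner one."""
    if not mac_hex:
        return None  # kernel 4.9 case: nothing was logged
    raw = bytes.fromhex(mac_hex.replace(":", ""))
    outer = parse_ipv4_header(raw)
    if outer is None or not outer["checksum_ok"]:
        return None  # not an IPv4 header (or a corrupted one): do not trust it
    result = {"outer": outer, "inner": None, "dump_len": len(raw)}
    if outer["proto"] == IPPROTO_IPIP:
        result["inner"] = parse_ipv4_header(raw[outer["ihl"]:])
    return result


MAC_RE = re.compile(r"\bMAC=([0-9a-fA-F:]*)")


def rewrite_log_line(line: str) -> str:
    """Replace MAC=<hexdump> with TUNL=<outer source>; TUNL=unknown when the kernel logged nothing."""
    m = MAC_RE.search(line)
    if m is None:
        return line
    decoded = decode_mac_field(m.group(1))
    if decoded is None:
        tunl = "TUNL=unknown"  # this example's own marker, not a kernel field
    else:
        tunl = "TUNL=%s" % decoded["outer"]["src"]
        # Sanity check: the inner header must agree with what the LOG target printed as SRC=/DST=.
        fields = dict(re.findall(r"\b(SRC|DST)=(\S+)", line))
        inner = decoded["inner"]
        if inner is not None and (inner["src"], inner["dst"]) != (fields.get("SRC"), fields.get("DST")):
            tunl += " TUNL_MISMATCH=1"  # also this example's own marker
    return line[:m.start()] + tunl + line[m.end():]


if __name__ == "__main__":
    for sample in (KERNEL_3X_LINE, KERNEL_49_LINE):
        print(rewrite_log_line(sample))
```

Run on the 3.x line this reproduces the TUNL=84.106.126.184 output quoted in the post; the outer header also carries protocol 4 and a total length of 68 bytes, while the dump itself is 148 bytes long, which is the "much too long" part. On the 4.9 line the field is empty, so the script can only mark the endpoint as unknown; it cannot recover anything the kernel did not log.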
Rob,
Perhaps I might ask -
What [additional] information does this MAC field provide to you on the tunnel? Does this field change per packet? Is there some documentation on how to decode it? Is it a hashing of some sort, or just a hex copy of the data (IP header)?
This info might be found in some iptables documentation.
- Lynwood KB3VWG