Re: too long mac address for --mac-source netfilter option

From: Harald Welte (
Date: Sun Feb 18 2001 - 13:29:42 EST

On Fri, Feb 16, 2001 at 05:40:04PM -0800, Jack Bowling wrote:
> I am trying to use the --mac-source option in the netfilter code to better
> refine access to my linux box. However, I have run up against something. The
> router through which my private subnet work box passes sends a 14-group
> "invalid" mac address, presumably as an attempt to conceal the real hextile
> mac address. However, the code for the --mac-source netfilter option is
> looking for a valid hextile mac address and complains loudly as such
> (numerals converted to x's):
> iptables v1.1.1: Bad mac address `xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx'
> to the respective iptable line:
> $IPT -A INPUT -p tcp -s -d $NET -m mac --mac-source
> xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx --dport 5900:5901 -j ACCEPT
> The idea here is to allow VNC access to my home box with the access filtered
> by both IP and mac address.

This is not a bug. It is by intention. The LOG target (as well as the
ULOG target from netfilter CVS) prints the whole layer two header.

6 bytes mac-source, 6 bytes mac-destination and 2 bytes (08:00) indicating
it is IP. == 14 bytes :)

On the other hand, the --mac-source match (emphasized mac-SOURCE) allows
you to match on the source part of this mac header (i.e. the first 6 bytes)

> Jack Bowling
> mailto:

Live long and prosper
- Harald Welte /      
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M- 
V-- PS+ PE-- Y+ PGP++ t++ 5-- !X !R tv-- b+++ DI? !D G+ e* h+ r% y+(*)
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to
More majordomo info at
Please read the FAQ at

This archive was generated by hypermail 2b29 : Fri Feb 23 2001 - 21:00:18 EST