MantisBT - Endian Firewall
View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update
0004221 | Endian Firewall | Kernel | public | 2011-12-09 16:17 | 2013-02-21 04:52
Reporter | ardit-endian
Assigned To |
Priority | normal | Severity | block | Reproducibility | have not tried
Status | confirmed | Resolution | open
Platform | OS | OS Version
Product Version | 2.4.1
Target Version | Fixed in Version
Customer Importance |
Customer Occurrences |
Queue |
Summary | 0004221: kernel : xt_TCPMSS: bad length (1024 bytes) + PATCH
Description |
Hi, a customer with 500+ concurrent VoIP connections (a 16-core workstation) is saying that the firewall "crashed" due to heavy VoIP traffic. When I logged in, this is what I recall as interesting:

http://pastie.org/2991370

Leaving aside the other problems (I already know what and why) and focusing on the kernel message, I found that it is related to netfilter, and the matching rule (MSS) is located in mangle, chain:

    Chain FORWARD (policy ACCEPT 231M packets, 33G bytes)
     pkts bytes target prot opt in out source    destination
    1217K   66M TCPMSS tcp  --  *  *   0.0.0.0/0 0.0.0.0/0   tcp flags:0x06/0x02 TCPMSS clamp to PMTU

http://rhkernel.org/#RHEL6+2.6.32-71.18.2.el6/net/netfilter/xt_TCPMSS.c

    /* Since it passed flags test in tcp match, we know it is is
       not a fragment, and has data >= tcp header length.  SYN
       packets should not contain data: if they did, then we risk
       running over MTU, sending Frag Needed and breaking things
       badly. --RR */
    if (tcplen != tcph->doff*4) {
        if (net_ratelimit())
            printk(KERN_ERR "xt_TCPMSS: bad length (%u bytes)\n",
                   skb->len);
        return -1;
    }

So the error is caused by 2 reasons:
1) SYN packets which contain data (normally not allowed)
2) TCP header larger than the packet itself

It's rare to reproduce because this kind of traffic is produced only on rare occasions; however, there is already a patch for this problem (I believe it's included in the vanilla).

PATCH: http://www.gossamer-threads.com/lists/linux/kernel/1180390?do=post_view_threaded
Steps To Reproduce |
Additional Information |
Tags | purple
Relationships |
Attached Files | https://bugs.endian.com/file_download.php?file_id=895&type=bug
Issue History
Date Modified | Username | Field | Change
2011-12-09 16:17 | ardit-endian | New Issue |
2011-12-09 16:18 | ardit-endian | Description Updated |
2011-12-09 16:18 | ardit-endian | Tag Attached: purple |
2011-12-09 16:22 | ardit-endian | File Added: log.txt |
2011-12-09 16:32 | ardit-endian | Status | new => confirmed
There are no notes attached to this issue.
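
The two causes listed in the description can be told apart by comparing the TCP segment length with `doff*4` in each direction. The following user-space C program is an added example, not code from the kernel, the linked patch or the reporter; the enum names, `classify_tcp_len`, `make_syn` and the sample segments are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical result names: the quoted check only knows "equal" or "bad length". */
enum mss_check { MSS_OK, MSS_SYN_WITH_DATA, MSS_HDR_PAST_END, MSS_MALFORMED };

/* seg points at the TCP header; tcplen is the number of bytes from there
   to the end of the packet, the quantity compared with doff*4 above. */
enum mss_check classify_tcp_len(const uint8_t *seg, size_t tcplen)
{
    if (tcplen < 20)                             /* no room for a minimal header */
        return MSS_MALFORMED;
    size_t hdrlen = (size_t)(seg[12] >> 4) * 4;  /* data offset, i.e. doff*4 */
    if (hdrlen < 20)                             /* doff below 5 is never valid */
        return MSS_MALFORMED;
    if (tcplen > hdrlen)
        return MSS_SYN_WITH_DATA;                /* cause 1: bytes follow the header */
    if (tcplen < hdrlen)
        return MSS_HDR_PAST_END;                 /* cause 2: header larger than packet */
    return MSS_OK;
}

/* Constructed SYN segment: header claims doff 32-bit words, buffer holds
   `present` bytes (must be at least 14). Returns `present`. */
size_t make_syn(uint8_t *buf, unsigned doff, size_t present)
{
    memset(buf, 0, present);
    buf[12] = (uint8_t)(doff << 4);  /* data offset lives in the high nibble */
    buf[13] = 0x02;                  /* SYN set, RST clear: flags:0x06/0x02 */
    return present;
}

int main(void)
{
    static const char *name[] = { "ok", "SYN carries data", "header past end", "malformed" };
    uint8_t buf[1500];
    struct { unsigned doff; size_t present; } cases[] = {
        { 10, 40 },   /* 20 bytes of options, no payload */
        { 5, 120 },   /* 20-byte header followed by 100 payload bytes */
        { 15, 40 },   /* header claims 60 bytes, only 40 present */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        size_t n = make_syn(buf, cases[i].doff, cases[i].present);
        printf("doff=%u tcplen=%zu -> %s\n", cases[i].doff, n, name[classify_tcp_len(buf, n)]);
    }
    return 0;
}
```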