SYSTEM WARNING: 'date_default_timezone_get(): It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected the timezone 'UTC' for now, but please set date.timezone to select your timezone.' in '/usr/share/mantis/www/core.php' line 264

0004221: kernel : xt_TCPMSS: bad length (1024 bytes) + PATCH - MantisBT
MantisBT - Endian Firewall
View Issue Details
0004221Endian FirewallKernelpublic2011-12-09 16:172013-02-21 04:52
ardit-endian 
 
normalblockhave not tried
confirmedopen 
2.4.1 
 
0004221: kernel : xt_TCPMSS: bad length (1024 bytes) + PATCH
Hi,

a customer with 500+ concurrent voip connection (a 16 cores workstation) saying that the firewall "crashed" due to heavy voip traffic.

When logged in this is what I recall interesting:
http://pastie.org/2991370 [^]

Leaving the other problems (already know what and why) and focusing to the kernel message I found that is related with netfilter, an the matching rule (MSS) is located in mangle, chain:

Chain FORWARD (policy ACCEPT 231M packets, 33G bytes)
 pkts bytes target prot opt in out source destination
1217K 66M TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU


http://rhkernel.org/#RHEL6+2.6.32-71.18.2.el6/net/netfilter/xt_TCPMSS.c [^]
  63 /* Since it passed flags test in tcp match, we know it is is
  64 not a fragment, and has data >= tcp header length. SYN
  65 packets should not contain data: if they did, then we risk
  66 running over MTU, sending Frag Needed and breaking things
  67 badly. --RR */
  68 if (tcplen != tcph->doff*4) {
  69 if (net_ratelimit())
  70 printk(KERN_ERR "xt_TCPMSS: bad length (%u bytes)\n",
  71 skb->len);
  72 return -1;
  73 }


So the error is caused for 2 reasons:

1) Syn packets which contains data (normally not allowed)
2) TCP header larger than the packet itself

It's rare to reproduce because on rare occasions is produced this kind of traffic, however there is already a patch on this problem (I belive it's included in the vanilla).

PATCH:

http://www.gossamer-threads.com/lists/linux/kernel/1180390?do=post_view_threaded [^]
purple
txt log.txt (2,467) 2011-12-09 16:22
https://bugs.endian.com/file_download.php?file_id=895&type=bug
Issue History
2011-12-09 16:17ardit-endianNew Issue
2011-12-09 16:18ardit-endianDescription Updated
2011-12-09 16:18ardit-endianTag Attached: purple
2011-12-09 16:22ardit-endianFile Added: log.txt
2011-12-09 16:32ardit-endianStatusnew => confirmed

There are no notes attached to this issue.