0004221: kernel : xt_TCPMSS: bad length (1024 bytes) + PATCH

SYSTEM WARNING: 'date_default_timezone_get(): It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected the timezone 'UTC' for now, but please set date.timezone to select your timezone.' in '/usr/share/mantis/www/core.php' line 264

0004221: kernel : xt_TCPMSS: bad length (1024 bytes) + PATCH - MantisBT

MantisBT - Endian Firewall
View Issue Details

ID	Project	Category	View Status	Date Submitted	Last Update
0004221	Endian Firewall	Kernel	public	2011-12-09 16:17	2013-02-21 04:52

Reporter	ardit-endian
Assigned To
Priority	normal	Severity	block	Reproducibility	have not tried
Status	confirmed	Resolution	open
Platform		OS		OS Version
Product Version	2.4.1
Target Version		Fixed in Version
Customer Importance
Customer Occurrences
Queue

Summary	0004221: kernel : xt_TCPMSS: bad length (1024 bytes) + PATCH
Description	Hi, a customer with 500+ concurrent voip connection (a 16 cores workstation) saying that the firewall "crashed" due to heavy voip traffic. When logged in this is what I recall interesting: http://pastie.org/2991370 [^] Leaving the other problems (already know what and why) and focusing to the kernel message I found that is related with netfilter, an the matching rule (MSS) is located in mangle, chain: Chain FORWARD (policy ACCEPT 231M packets, 33G bytes) pkts bytes target prot opt in out source destination 1217K 66M TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU http://rhkernel.org/#RHEL6+2.6.32-71.18.2.el6/net/netfilter/xt_TCPMSS.c [^] 63 /* Since it passed flags test in tcp match, we know it is is 64 not a fragment, and has data >= tcp header length. SYN 65 packets should not contain data: if they did, then we risk 66 running over MTU, sending Frag Needed and breaking things 67 badly. --RR / 68 if (tcplen != tcph->doff4) { 69 if (net_ratelimit()) 70 printk(KERN_ERR "xt_TCPMSS: bad length (%u bytes)\n", 71 skb->len); 72 return -1; 73 } So the error is caused for 2 reasons: 1) Syn packets which contains data (normally not allowed) 2) TCP header larger than the packet itself It's rare to reproduce because on rare occasions is produced this kind of traffic, however there is already a patch on this problem (I belive it's included in the vanilla). PATCH: http://www.gossamer-threads.com/lists/linux/kernel/1180390?do=post_view_threaded [^]
Steps To Reproduce
Additional Information
Tags	purple
Relationships
Attached Files	log.txt (2,467) 2011-12-09 16:22 https://bugs.endian.com/file_download.php?file_id=895&type=bug

Issue History
Date Modified	Username	Field	Change
2011-12-09 16:17	ardit-endian	New Issue
2011-12-09 16:18	ardit-endian	Description Updated
2011-12-09 16:18	ardit-endian	Tag Attached: purple
2011-12-09 16:22	ardit-endian	File Added: log.txt
2011-12-09 16:32	ardit-endian	Status	new => confirmed

There are no notes attached to this issue.