SYSTEM WARNING: 'date_default_timezone_get(): It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected the timezone 'UTC' for now, but please set date.timezone to select your timezone.' in '/usr/share/mantis/www/core.php' line 264

0004221: kernel : xt_TCPMSS: bad length (1024 bytes) + PATCH - MantisBT Endian Bugtracker
Endian Issue Tracker





Please see now our new Bugtracker system: JIRA








View Issue Details Jump to Notes ] Issue History ] Print ]
IDProjectCategoryView StatusDate SubmittedLast Update
0004221Endian FirewallKernelpublic2011-12-09 16:172013-02-21 04:52
Reporterardit-endian 
Assigned To 
PrioritynormalSeverityblockReproducibilityhave not tried
StatusconfirmedResolutionopen 
PlatformOSOS Version
Product Version2.4.1 
Target VersionFixed in Version 
Summary0004221: kernel : xt_TCPMSS: bad length (1024 bytes) + PATCH
DescriptionHi,

a customer with 500+ concurrent voip connection (a 16 cores workstation) saying that the firewall "crashed" due to heavy voip traffic.

When logged in this is what I recall interesting:
http://pastie.org/2991370 [^]

Leaving the other problems (already know what and why) and focusing to the kernel message I found that is related with netfilter, an the matching rule (MSS) is located in mangle, chain:

Chain FORWARD (policy ACCEPT 231M packets, 33G bytes)
 pkts bytes target prot opt in out source destination
1217K 66M TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU


http://rhkernel.org/#RHEL6+2.6.32-71.18.2.el6/net/netfilter/xt_TCPMSS.c [^]
  63 /* Since it passed flags test in tcp match, we know it is is
  64 not a fragment, and has data >= tcp header length. SYN
  65 packets should not contain data: if they did, then we risk
  66 running over MTU, sending Frag Needed and breaking things
  67 badly. --RR */
  68 if (tcplen != tcph->doff*4) {
  69 if (net_ratelimit())
  70 printk(KERN_ERR "xt_TCPMSS: bad length (%u bytes)\n",
  71 skb->len);
  72 return -1;
  73 }


So the error is caused for 2 reasons:

1) Syn packets which contains data (normally not allowed)
2) TCP header larger than the packet itself

It's rare to reproduce because on rare occasions is produced this kind of traffic, however there is already a patch on this problem (I belive it's included in the vanilla).

PATCH:

http://www.gossamer-threads.com/lists/linux/kernel/1180390?do=post_view_threaded [^]
Tagspurple
Attached Filestxt file icon log.txt [^] (2,467 bytes) 2011-12-09 16:22 [Show Content]

- Relationships

-  Notes
There are no notes attached to this issue.

- Issue History
Date Modified Username Field Change
2011-12-09 16:17 ardit-endian New Issue
2011-12-09 16:18 ardit-endian Description Updated
2011-12-09 16:18 ardit-endian Tag Attached: purple
2011-12-09 16:22 ardit-endian File Added: log.txt
2011-12-09 16:32 ardit-endian Status new => confirmed

Copyright © 2005-2008 Endian, SRL. All rights reserved.


Copyright © 2000 - 2012 MantisBT Group
Powered by Mantis Bugtracker