My logs are beeind flooded with messages like this: Jul 31 23:58:00 premetenec kernel: TCP: [213.253.92.100]:11711 to [xxxxxxxx]:80 tcpflags 0x11<FIN,ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed) Aug 1 00:00:37 premetenec kernel: TCP: [213.253.92.100]:30837 to [xxxxxxxx]:80 tcpflags 0x11<FIN,ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed) Aug 1 00:00:41 premetenec kernel: TCP: [83.218.196.142]:1579 to [xxxxxxxx]:25 tcpflags 0x4<RST>; syncache_chkrst: Spurious RST without matching syncache entry (possibly syncookie only), segment ignored Aug 1 00:00:52 premetenec kernel: TCP: [193.198.80.29]:2524 to [xxxxxxxx]:80 tcpflags 0x2<SYN>; _syncache_add: Received duplicate SYN, resetting timer and retransmitting SYN|ACK Aug 1 00:01:01 premetenec kernel: TCP: [190.109.157.30]:15396 to [91.185.206.35]:25 tcpflags 0x10<ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed) Aug 1 00:01:01 premetenec kernel: TCP: [xxxxxxxx]:3353 to [xxxxxxxx]:995 tcpflags 0x4<RST>; syncache_chkrst: Spurious RST without matching syncache entry (possibly syncookie only), segment ignored Aug 1 00:01:05 premetenec kernel: TCP: [213.253.92.100]:12391 to [xxxxxxxx]:80 tcpflags 0x11<FIN,ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed) Aug 1 00:02:55 premetenec kernel: TCP: [213.253.92.100]:9833 to [xxxxxxxx]:80 tcpflags 0x11<FIN,ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed) Aug 1 00:03:54 premetenec kernel: TCP: [213.253.92.100]:6298 to [xxxxxxxx]:80 tcpflags 0x11<FIN,ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed) Among ip's that are creating this are: my ip, servers own ip, and google! Nearly all messages are apache or pop3-ssl related. sysctl net.inet.tcp.log_debug=0 does nothing.
Responsible Changed From-To: freebsd-bugs->freebsd-net Over to maintainer(s).
perhaps some more information would help: I'm experiencing this on two different boxes with totally different hardware, one located at datacenter and connected via LAN and second one that is sitting on ADSL line. I have tried all sysctl variables that I could find remotely related to this with no luck, tried compiling kernel with and without DUMMYNET This are kernel customizations I use: options IPFIREWALL options IPFIREWALL_VERBOSE options IPFIREWALL_VERBOSE_LIMIT=100 options DUMMYNET options HZ=1000 # strongly recommended options IPDIVERT options IPSTEALTH #support for stealth forwarding options ACCEPT_FILTER_HTTP # Must be here or AcceptFilter won't work w/Apache2 options DEVICE_POLLING # Imporoves network driver performance options ZERO_COPY_SOCKETS device coretemp # On-die temperature sensor on Intel Core and newer CPUs Is it at least possible to turn of this checks for local IP's - it is most disturbing that I'm getting droped packets at apache jail to mysql jail communication?
Responsible Changed From-To: freebsd-net->andre Take over.
Kause, the likely cause for your TCP log messages is another sysctl with the name of "net.inet.tcp.log_in_vain" which you have enabled. It has the side effect of also silently causing the other debug output to be generated as with "net.inet.tcp.log_debug". Please check the setting of "net.inet.tcp.log_in_vain" and disable it to stop the log messages. Please report back whether this fixed your problem or not. -- Andre
State Changed From-To: open->feedback
Tried net.inet.tcp.log_in_vain=0 and it indeed helps, but - it also kills listening to incoming connections to closed ports, which I need to have logged. It worked ok (or at least seemed to) in 6.x - any way to get this in 7/8 ? Regards Kause ________________________________ From: Andre Oppermann <andre@freebsd.org> To: kauselot@yahoo.com Cc: bug-followup@freebsd.org Sent: Mon, August 16, 2010 11:36:20 PM Subject: Re: kern/137317: [tcp] logs full of syncache problems Kause, the likely cause for your TCP log messages is another sysctl with the name of "net.inet.tcp.log_in_vain" which you have enabled. It has the side effect of also silently causing the other debug output to be generated as with "net.inet.tcp.log_debug". Please check the setting of "net.inet.tcp.log_in_vain" and disable it to stop the log messages. Please report back whether this fixed your problem or not. -- Andre
On 17.08.2010 03:45, kause lotski wrote: > Tried net.inet.tcp.log_in_vain=0 and it indeed helps, but - > it also kills listening to incoming connections to closed ports, which I need to > have logged. It worked ok (or at least seemed to) in 6.x - any way to get this > in 7/8 ? It's the same in FreeBSD 7 and 8. I've changed the code to properly differentiate between log_in_vain and log_debug. Would be great if you could test it. It's against current but should also apply to 8 and 7, possibly 6. -- Andre
State Changed From-To: feedback->analyzed
Author: andre Date: Wed Aug 18 17:39:47 2010 New Revision: 211462 URL: http://svn.freebsd.org/changeset/base/211462 Log: Untangle the net.inet.tcp.log_in_vain and net.inet.tcp.log_debug sysctl's and remove any side effects. Both sysctl's share the same backend infrastructure and due to the way it was implemented enabling net.inet.tcp.log_in_vain would also cause log_debug output to be generated. This was surprising and eventually annoying to the user. The log output backend is kept the same but a little shim is inserted to properly separate log_in_vain and log_debug and to remove any side effects. PR: kern/137317 MFC after: 1 week Modified: head/sys/netinet/tcp_input.c head/sys/netinet/tcp_subr.c head/sys/netinet/tcp_var.h Modified: head/sys/netinet/tcp_input.c ============================================================================== --- head/sys/netinet/tcp_input.c Wed Aug 18 15:58:26 2010 (r211461) +++ head/sys/netinet/tcp_input.c Wed Aug 18 17:39:47 2010 (r211462) @@ -571,7 +571,7 @@ findpcb: */ if ((tcp_log_in_vain == 1 && (thflags & TH_SYN)) || tcp_log_in_vain == 2) { - if ((s = tcp_log_addrs(NULL, th, (void *)ip, ip6))) + if ((s = tcp_log_vain(NULL, th, (void *)ip, ip6))) log(LOG_INFO, "%s; %s: Connection attempt " "to closed port\n", s, __func__); } Modified: head/sys/netinet/tcp_subr.c ============================================================================== --- head/sys/netinet/tcp_subr.c Wed Aug 18 15:58:26 2010 (r211461) +++ head/sys/netinet/tcp_subr.c Wed Aug 18 17:39:47 2010 (r211462) @@ -268,6 +268,8 @@ VNET_DEFINE(uma_zone_t, sack_hole_zone); static struct inpcb *tcp_notify(struct inpcb *, int); static void tcp_isn_tick(void *); +static char * tcp_log_addr(struct in_conninfo *inc, struct tcphdr *th, + void *ip4hdr, const void *ip6hdr); /* * Target size of TCP PCB hash tables. Must be a power of two. @@ -2234,9 +2236,33 @@ SYSCTL_PROC(_net_inet_tcp, TCPCTL_DROP, * and ip6_hdr pointers have to be passed as void pointers. */ char * +tcp_log_vain(struct in_conninfo *inc, struct tcphdr *th, void *ip4hdr, + const void *ip6hdr) +{ + + /* Is logging enabled? */ + if (tcp_log_in_vain == 0) + return (NULL); + + return (tcp_log_addr(inc, th, ip4hdr, ip6hdr)); +} + +char * tcp_log_addrs(struct in_conninfo *inc, struct tcphdr *th, void *ip4hdr, const void *ip6hdr) { + + /* Is logging enabled? */ + if (tcp_log_debug == 0) + return (NULL); + + return (tcp_log_addr(inc, th, ip4hdr, ip6hdr)); +} + +static char * +tcp_log_addr(struct in_conninfo *inc, struct tcphdr *th, void *ip4hdr, + const void *ip6hdr) +{ char *s, *sp; size_t size; struct ip *ip; @@ -2259,10 +2285,6 @@ tcp_log_addrs(struct in_conninfo *inc, s 2 * INET_ADDRSTRLEN; #endif /* INET6 */ - /* Is logging enabled? */ - if (tcp_log_debug == 0 && tcp_log_in_vain == 0) - return (NULL); - s = malloc(size, M_TCPLOG, M_ZERO|M_NOWAIT); if (s == NULL) return (NULL); Modified: head/sys/netinet/tcp_var.h ============================================================================== --- head/sys/netinet/tcp_var.h Wed Aug 18 15:58:26 2010 (r211461) +++ head/sys/netinet/tcp_var.h Wed Aug 18 17:39:47 2010 (r211462) @@ -611,6 +611,8 @@ void tcp_destroy(void); void tcp_fini(void *); char *tcp_log_addrs(struct in_conninfo *, struct tcphdr *, void *, const void *); +char *tcp_log_vain(struct in_conninfo *, struct tcphdr *, void *, + const void *); int tcp_reass(struct tcpcb *, struct tcphdr *, int *, struct mbuf *); void tcp_reass_init(void); #ifdef VIMAGE _______________________________________________ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
State Changed From-To: analyzed->patched
Thanks for the feedback. The patches are the same. The first one is the one I sent you directly and the second one is what I already committed to SVN in head. They are identical, hence the warning you got. In a few days I will also apply the patch to 8 and 7. You should revert the manually applied patch then. -- Andre On 19.08.2010 20:25, kause lotski wrote: > Applied v-1 patch to RELENG-8 and it seems to work as intended for now. > > Is v2 any different ot is it just made for another brancg/version? Had some > problems triing to apply it (reverse or already applied patch detected for the > first file) > > Kause > > > > > ________________________________ > From: "andre@FreeBSD.org"<andre@FreeBSD.org> > To: kauselot@yahoo.com; andre@FreeBSD.org; andre@FreeBSD.org > Sent: Wed, August 18, 2010 9:26:19 PM > Subject: Re: kern/137317: [tcp] logs full of syncache problems > > Synopsis: [tcp] logs full of syncache problems > > State-Changed-From-To: analyzed->patched > State-Changed-By: andre > State-Changed-When: Wed Aug 18 19:25:55 UTC 2010 > State-Changed-Why: > > http://www.freebsd.org/cgi/query-pr.cgi?pr=137317
State Changed From-To: patched->closed All MFC's done.