Bug#520667: linux-image-2.6.26-1-686: No warning when half-open TCP queue is full
Package: linux-image-2.6.26-1-686
Version: 2.6.26-13lenny2
Severity: normal
Hi,
When the half-open TCP connection queue is full and syn cookies are enabled, you get a message like "kernel: possible SYN flooding on port 2710. Sending cookies."
However when syn cookies are disabled, you don't get any message (in kern.log), although connections to your server are timing out.
Could such a message be added?
Maybe with a suggestion to increase the size of that queue or to enable syn cookies.
Greetings,
Olaf
-- Package-specific info:
** Version:
Linux version 2.6.26-1-686 (Debian 2.6.26-13lenny2) (dannf@debian.org) (gcc version 4.1.3 20080704 (prerelease) (Debian 4.1.2-25)) #1 SMP Fri Mar 13 18:08:45 UTC 2009
** Command line:
root=/dev/hda1 ro quiet
** Not tainted
** Kernel log:
Kernel: Linux 2.6.26-1-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages linux-image-2.6.26-1-686 depends on:
ii debconf [debconf-2.0] 1.5.24 Debian configuration management sy
ii initramfs-tools [linux-initra 0.92o tools for generating an initramfs
ii module-init-tools 3.4-1 tools for managing Linux kernel mo
Versions of packages linux-image-2.6.26-1-686 recommends:
ii libc6-i686 2.7-18 GNU C Library: Shared libraries [i
Versions of packages linux-image-2.6.26-1-686 suggests:
ii grub 0.97-47lenny2 GRand Unified Bootloader (Legacy v
pn linux-doc-2.6.26 <none> (no description available)
--
To UNSUBSCRIBE, email to debian-kernel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
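A monitoring check for the silent case described in the report above, as an added example that is not part of the original message or of any Debian or kernel code: it counts half-open (SYN_RECV) entries per local port in /proc/net/tcp-format text and flags ports that are near the queue limit while syn cookies are off. The function names, the `queue_limit` and `fill_ratio` parameters and the sample rows are assumptions made for illustration.

```python
from collections import Counter

SYN_RECV = "03"  # state code /proc/net/tcp uses for half-open connections


def half_open_by_port(proc_net_tcp: str) -> Counter:
    """Count SYN_RECV entries per local port in /proc/net/tcp-format text."""
    counts = Counter()
    for line in proc_net_tcp.splitlines()[1:]:       # first line is the header
        fields = line.split()
        if len(fields) < 4 or fields[3] != SYN_RECV:
            continue
        port = int(fields[1].rsplit(":", 1)[1], 16)  # local_address is HEXIP:HEXPORT
        counts[port] += 1
    return counts


def silent_drop_ports(proc_net_tcp: str, syncookies: int, queue_limit: int,
                      fill_ratio: float = 0.9) -> list:
    """Ports whose half-open count is near queue_limit while syn cookies are off.

    With syn cookies enabled the kernel logs "possible SYN flooding" itself,
    so only the syncookies == 0 case needs this external check.
    queue_limit is supplied by the caller (assumption: taken from
    /proc/sys/net/ipv4/tcp_max_syn_backlog or the listener's own backlog).
    """
    if syncookies != 0:
        return []
    threshold = queue_limit * fill_ratio
    counts = half_open_by_port(proc_net_tcp)
    return sorted(port for port, n in counts.items() if n >= threshold)


def build_sample(port: int, half_open: int) -> str:
    """Constructed /proc/net/tcp text: one listener plus `half_open` SYN_RECV rows."""
    rows = ["  sl  local_address rem_address   st tx_queue rx_queue",
            f"   0: 00000000:{port:04X} 00000000:0000 0A 00000000:00000000"]
    for i in range(half_open):
        # Remote peers use 192.0.2.0/24 (documentation range), little-endian hex.
        remote = f"{i % 250 + 1:02X}0200C0:{40000 + i:04X}"
        rows.append(f"{i + 1:4d}: 0100007F:{port:04X} {remote} 03 00000000:00000000")
    return "\n".join(rows)


if __name__ == "__main__":
    sample = build_sample(2710, 120)  # constructed data, not a real capture
    print(dict(half_open_by_port(sample)))
    print(silent_drop_ports(sample, syncookies=0, queue_limit=128))
```

On a live host the three inputs would come from /proc/net/tcp, /proc/sys/net/ipv4/tcp_syncookies and /proc/sys/net/ipv4/tcp_max_syn_backlog.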
02-25-2010, 05:09 PM
Moritz Muehlenhoff
Bug#520667: linux-image-2.6.26-1-686: No warning when half-open TCP queue is full
On Sat, Mar 21, 2009 at 07:47:36PM +0100, Olaf van der Spek wrote:
> Package: linux-image-2.6.26-1-686
> Version: 2.6.26-13lenny2
> Severity: normal
>
> Hi,
>
> When the half-open TCP connection queue is full and syn cookies are enabled, you get a message like "kernel: possible SYN flooding on port 2710. Sending cookies."
> However when syn cookies are disabled, you don't get any message (in kern.log), although connections to your server are timing out.
> Could such a message be added?
> Maybe with a suggestion to increase the size of that queue or to enable syn cookies.
That should be discussed with the upstream developers, the Debian BTS is not
the best way to change this. You can reach them at linux-net@vger.kernel.org
Cheers,
Moritz
Archive: http://lists.debian.org/20100225180939.GA3724@galadriel.inutil.org
02-25-2010, 05:43 PM
Olaf van der Spek
Bug#520667: linux-image-2.6.26-1-686: No warning when half-open TCP queue is full
On Thu, Feb 25, 2010 at 7:09 PM, Moritz Muehlenhoff <jmm@inutil.org> wrote:
> On Sat, Mar 21, 2009 at 07:47:36PM +0100, Olaf van der Spek wrote:
>> Package: linux-image-2.6.26-1-686
>> Version: 2.6.26-13lenny2
>> Severity: normal
>>
>> Hi,
>>
>> When the half-open TCP connection queue is full and syn cookies are enabled, you get a message like "kernel: possible SYN flooding on port 2710. Sending cookies."
>> However when syn cookies are disabled, you don't get any message (in kern.log), although connections to your server are timing out.
>> Could such a message be added?
>> Maybe with a suggestion to increase the size of that queue or to enable syn cookies.
>
> That should be discussed with the upstream developers, the Debian BTS is not
> the best way to change this. You can reach them at linux-net@vger.kernel.org
Hi Linux net devs,
See this issue reported in the Debian BTS.
Olaf
Archive: http://lists.debian.org/b2cc26e41002251043r6cdf1134ic39f6abaeffff650@mail.gmail.com
02-25-2010, 05:52 PM
Charlie Brady
Bug#520667: linux-image-2.6.26-1-686: No warning when half-open TCP queue is full
On Thu, 25 Feb 2010, Olaf van der Spek wrote:
> On Thu, Feb 25, 2010 at 7:09 PM, Moritz Muehlenhoff <jmm@inutil.org> wrote:
>> On Sat, Mar 21, 2009 at 07:47:36PM +0100, Olaf van der Spek wrote:
>>> Package: linux-image-2.6.26-1-686
>>> Version: 2.6.26-13lenny2
>>> Severity: normal
>>>
>>> Hi,
>>>
>>> When the half-open TCP connection queue is full and syn cookies are enabled, you get a message like "kernel: possible SYN flooding on port 2710. Sending cookies."
>>> However when syn cookies are disabled, you don't get any message (in kern.log), although connections to your server are timing out.
>>> Could such a message be added?
>>> Maybe with a suggestion to increase the size of that queue or to enable syn cookies.
>>
>> That should be discussed with the upstream developers, the Debian BTS is not
>> the best way to change this. You can reach them at linux-net@vger.kernel.org
>
> Hi Linux net devs,
>
> See this issue reported in the Debian BTS.
Wrong list. You want linux-netdev.
Archive: http://lists.debian.org/Pine.LNX.4.64.1002251352260.8615@e-smith.charlieb.ott.istop.com
02-25-2010, 05:55 PM
Olaf van der Spek
Bug#520667: linux-image-2.6.26-1-686: No warning when half-open TCP queue is full
On Thu, Feb 25, 2010 at 7:52 PM, Charlie Brady
<charlieb@budge.apana.org.au> wrote:
>
> On Thu, 25 Feb 2010, Olaf van der Spek wrote:
>
>> On Thu, Feb 25, 2010 at 7:09 PM, Moritz Muehlenhoff <jmm@inutil.org>
>> wrote:
>>>
>>> On Sat, Mar 21, 2009 at 07:47:36PM +0100, Olaf van der Spek wrote:
>>>>
>>>> Package: linux-image-2.6.26-1-686
>>>> Version: 2.6.26-13lenny2
>>>> Severity: normal
>>>>
>>>> Hi,
>>>>
>>>> When the half-open TCP connection queue is full and syn cookies are
>>>> enabled, you get a message like "kernel: possible SYN flooding on port 2710.
>>>> Sending cookies."
>>>> However when syn cookies are disabled, you don't get any message (in
>>>> kern.log), although connections to your server are timing out.
>>>> Could such a message be added?
>>>> Maybe with a suggestion to increase the size of that queue or to enable
>>>> syn cookies.
>>>
>>> That should be discussed with the upstream developers, the Debian BTS is
>>> not
>>> the best way to change this. You can reach them at
>>> linux-net@vger.kernel.org
>>
>> Hi Linux net devs,
>>
>> See this issue reported in the Debian BTS.
>
> Wrong list. You want linux-netdev.
Oops, trying again.
Olaf
Archive: http://lists.debian.org/b2cc26e41002251055q5510a733j261e4a8af8eda7d8@mail.gmail.com