Linux Netfilter discussions
* Re: Neighbour table overflow
  2002-11-26 18:39 ` Neighbour table overflow g_netfilter
@ 2002-11-26 18:38   ` Ard van Breemen
  2002-11-28 16:40     ` Roberto Nibali
  2002-11-27  4:08   ` Arnt Karlsen
  1 sibling, 1 reply; 8+ messages in thread
From: Ard van Breemen @ 2002-11-26 18:38 UTC (permalink / raw)
  To: netfilter

On Tue, Nov 26, 2002 at 12:39:41PM -0600, g_netfilter@netfids.com wrote:
> Friends, I have some logs like this:
> 
> Nov 26 11:29:46 firewall kernel: NET: 96 messages suppressed.
> Nov 26 11:29:46 firewall kernel: Neighbour table overflow.
> Nov 26 11:29:52 firewall kernel: NET: 52 messages suppressed.
> Nov 26 11:29:52 firewall kernel: Neighbour table overflow.
> Nov 26 11:29:56 firewall kernel: NET: 83 messages suppressed.
> Nov 26 11:29:56 firewall kernel: Neighbour table overflow.
> Nov 26 11:30:08 firewall kernel: NET: 19 messages suppressed.
> Nov 26 11:30:08 firewall kernel: Neighbour table overflow.
> 
> I'm running Red Hat 7.3 kernel 2.4.18-3 and iptables 1.2.5-3, please could
> you tell me if those logs are showing some attempts of attacks?
First of all: this has nothing to do with netfilter, just with
the routing and caching of the routes.

I guess that you have an internet connection, serving a lot of
different IP's, *and* that this system sees more than 128
different mac addresses, right?

I used to fix it by raising the gc_thresh1 over the amount of mac
addresses I normally would see:
echo 512 > /proc/sys/net/ipv4/neigh/default/gc_thresh1
echo 2048 > /proc/sys/net/ipv4/neigh/default/gc_thresh2
echo 4096 > /proc/sys/net/ipv4/neigh/default/gc_thresh3

This is what I think happens:
All the routing information is cached on an IP-IP pair basis.
Part of the information is the *destination* mac address.
A new entry in the routing-cache will lock the neighbour entry in
the neighbour table (mac address table) cache by upping its
usage counters.
So for every new source ip to a common local ip, the mac address
of that local-ip will be locked for every new ip.

If you have more than /proc/sys/net/ipv4/neigh/default/gc_thresh1
in the neighbour table, the garbage collector will try to free
entries in the neighbour table.

(From this point on I am just guessing and trying to understand
the source code:)
If I am correct, it will mark entries to be freed, so that they
won't be used anymore. So to be able to use a specific destination
again, it needs to make a new entry in the neighbour table. So
instead of cleaning up the tables, your neighbour (arp) table
will be filled fast if you see more new source IPs than old
neighbour entries are discarded by having their usage counts down
to 0.

If somebody else knows the true truth about how it exactly works,
please tell me. I will make notes of it for the lartc so it can
be a FAQ.

-- 
procedure signature;
begin  { telegraaf.com
} writeln('<ard@telegraafnet.nl> SMA-IS | Geeks don't get viruses');
end
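As an added example (not part of Ard van Breemen's post and not kernel code), the following script turns the "raise gc_thresh above the number of MAC addresses you see" advice into a repeatable sizing step. It keeps the 1:4:8 spacing between gc_thresh1, gc_thresh2 and gc_thresh3 that both the kernel defaults (128/512/1024) and the values in the post (512/2048/4096) follow; the headroom factor of 2 over the observed count and the rounding up to a power of two are this script's assumptions, not a kernel rule.

```shell
#!/bin/sh
# Added example; not from the mailing-list post and not kernel code.
# Derives gc_thresh1/2/3 settings from the number of neighbour (ARP) entries a
# host actually sees, keeping the 1:4:8 spacing of the kernel defaults.
# Assumptions: headroom factor 2 and power-of-two rounding are this script's
# choices, not a kernel rule.

# next_pow2 N : smallest power of two >= N (N >= 0)
next_pow2() {
    n=$1
    p=1
    while [ "$p" -lt "$n" ]; do
        p=$((p * 2))
    done
    echo "$p"
}

# suggest_thresholds COUNT : print "thresh1 thresh2 thresh3".
# gc_thresh1 is the level below which the garbage collector leaves the table
# alone, so it is placed above twice the observed count; gc_thresh3 is the
# hard limit at which neighbour allocations start to fail.
suggest_thresholds() {
    t1=$(next_pow2 $(($1 * 2)))
    if [ "$t1" -lt 128 ]; then
        t1=128          # never go below the kernel default
    fi
    echo "$t1 $((t1 * 4)) $((t1 * 8))"
}

# sysctl_lines COUNT : the same three values in /etc/sysctl.conf syntax
sysctl_lines() {
    set -- $(suggest_thresholds "$1")
    printf 'net.ipv4.neigh.default.gc_thresh1 = %s\n' "$1"
    printf 'net.ipv4.neigh.default.gc_thresh2 = %s\n' "$2"
    printf 'net.ipv4.neigh.default.gc_thresh3 = %s\n' "$3"
}

# Stand-alone use: size for the neighbours currently known to this host, or
# for 200 (a constructed figure) when iproute2 is not installed.
if command -v ip >/dev/null 2>&1; then
    seen=$(ip -4 neigh show 2>/dev/null | wc -l | tr -d ' ')
else
    seen=200
fi
sysctl_lines "$seen"
```

Run it on the firewall at a busy hour, since the count it sees is only as good as the moment you sample it; append the printed lines to /etc/sysctl.conf (or echo them into /proc as in the post) and re-check the log afterwards.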

* Neighbour table overflow
  2002-11-26 14:40 more than 1 source ip Ben Russo
@ 2002-11-26 18:39 ` g_netfilter
  2002-11-26 18:38   ` Ard van Breemen
  2002-11-27  4:08   ` Arnt Karlsen
  0 siblings, 2 replies; 8+ messages in thread
From: g_netfilter @ 2002-11-26 18:39 UTC (permalink / raw)
  To: netfilter

Friends, I have some logs like this:

Nov 26 11:29:46 firewall kernel: NET: 96 messages suppressed.
Nov 26 11:29:46 firewall kernel: Neighbour table overflow.
Nov 26 11:29:52 firewall kernel: NET: 52 messages suppressed.
Nov 26 11:29:52 firewall kernel: Neighbour table overflow.
Nov 26 11:29:56 firewall kernel: NET: 83 messages suppressed.
Nov 26 11:29:56 firewall kernel: Neighbour table overflow.
Nov 26 11:30:08 firewall kernel: NET: 19 messages suppressed.
Nov 26 11:30:08 firewall kernel: Neighbour table overflow.

I'm running Red Hat 7.3 kernel 2.4.18-3 and iptables 1.2.5-3, please could
you tell me if those logs are showing some attempts of attacks?

Regards,
Geffrey

* Re: Neighbour table overflow
  2002-11-26 18:39 ` Neighbour table overflow g_netfilter
  2002-11-26 18:38   ` Ard van Breemen
@ 2002-11-27  4:08   ` Arnt Karlsen
  1 sibling, 0 replies; 8+ messages in thread
From: Arnt Karlsen @ 2002-11-27  4:08 UTC (permalink / raw)
  To: netfilter

On Tue, 26 Nov 2002 12:39:41 -0600 (CST), 
<g_netfilter@netfids.com> wrote in message 
<35211.200.60.189.231.1038335981.squirrel@www.netfids.com>:

> Im running Red Hat 7.3 kernel 2.4.18-3 and iptables 1.2.5-3, please
> could you tell me if those logs are showing some attempts of attacks?

..easy, prey.  http://rhn.redhat.com/errata/rh73-errata.html

-- 
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
  Scenarios always come in sets of three: 
  best case, worst case, and just in case.

* Re: Neighbour table overflow
  2002-11-26 18:38   ` Ard van Breemen
@ 2002-11-28 16:40     ` Roberto Nibali
  0 siblings, 0 replies; 8+ messages in thread
From: Roberto Nibali @ 2002-11-28 16:40 UTC (permalink / raw)
  To: Ard van Breemen; +Cc: netfilter

> (From this point on I am just guessing and trying to understand
> the source code:)
> If I am correct, it will mark entries to be freed, so that they
> wont be used anymore. So to be able to use a specific destination
> again, it needs to make a new entry in the neighbour table. So
> instead of cleaning up the tables, your neighbour (arp) table
> will be filled fast if you see more new source ip's than that old
> neighbour entries are discarded by having their usage counts down
> to 0.

If you haven't already, please take a look at net/core/neighbour.c:neigh_alloc()

          unsigned long now = jiffies;
          if (tbl->entries > tbl->gc_thresh3 ||
              (tbl->entries > tbl->gc_thresh2 &&
               now - tbl->last_flush > 5*HZ)) {
                  if (neigh_forced_gc(tbl) == 0 &&
                      tbl->entries > tbl->gc_thresh3)
                          return NULL;
          }

It's pretty straightforward and should give you everything you need.

> If somebody else knows the true truth about how it exactly works,
> please tell me. I will make notes of it for the lartc so it can
> be a FAQ.

I might write some documents about this because I recently had
someone on the LVS project with the same problems. However, if someone
from the LARTC guys writes it before I do, I won't be disappointed either.

Cheers,
Roberto Nibali, ratz
-- 
echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq' | dc

* Neighbour table overflow
@ 2005-01-05  0:42 ro0ot
  2005-01-05  2:25 ` Jason Opperisano
  0 siblings, 1 reply; 8+ messages in thread
From: ro0ot @ 2005-01-05  0:42 UTC (permalink / raw)
  To: netfilter

Hi,

I had setup my bridge (br0) as below: -

ifconfig eth0 0.0.0.0
ifconfig eth5 0.0.0.0

brctl addbr br0

brctl addif br0 eth0
brctl addif br0 eth5

brctl stp br0 on

ifconfig br0 192.168.1.1 netmask 255.255.255.0 broadcast 192.168.1.255

I had my firewall scripts setup correctly.

Once I connect both interfaces (eth0 and eth5) to my network, I 
can't ping my router (connected to eth0) or ping my other IP 
addresses (connected to eth5).  I checked around and found that some messages 
pop up in the /var/log/syslog file, as below: -

Jan  2 10:44:22 fw01 kernel: ipt_tcpmss_target: bad length (64 bytes)
Jan  2 10:44:32 fw01 last message repeated 11 times
Jan  2 12:27:08 fw01 kernel: Neighbour table overflow.
Jan  2 12:27:11 fw01 last message repeated 9 times
Jan  2 12:27:13 fw01 kernel: NET: 10 messages suppressed.
Jan  2 12:27:13 fw01 kernel: Neighbour table overflow.
Jan  2 12:27:18 fw01 kernel: NET: 27 messages suppressed.
Jan  2 12:27:18 fw01 kernel: Neighbour table overflow.

Once I disconnect the cable from the eth5 interface, I can ping my 
router.  I tried reconnecting the cable to the eth5 interface and running 
a ping to my router.  As a result, I can't ping the router and 
similar messages pop up in the /var/log/syslog file.

How can I resolve this issue?

Regards,
ro0ot

* Re: Neighbour table overflow
  2005-01-05  0:42 ro0ot
@ 2005-01-05  2:25 ` Jason Opperisano
  0 siblings, 0 replies; 8+ messages in thread
From: Jason Opperisano @ 2005-01-05  2:25 UTC (permalink / raw)
  To: netfilter

On Tue, 2005-01-04 at 19:42, ro0ot wrote:
> Hi,
> 
> I had setup my bridge (br0) as below: -
> 
> ifconfig eth0 0.0.0.0
> ifconfig eth5 0.0.0.0
> 
> brctl addbr br0
> 
> brctl addif br0 eth0
> brctl addif br0 eth5
> 
> brctl stp br0 on
> 
> ifconfig br0 192.168.1.1 netmask 255.255.255.0 broadcast 192.168.1.255
> 
> I had my firewall scripts setup correctly.
> 
> Once I connect both interfaces (eth0 and eth5) to my network, I 
> can't ping my router (connected to eth0) or ping my other IP 
> addresses (connected to eth5).  I checked around and found that some messages 
> pop up in the /var/log/syslog file, as below: -
> 
> Jan  2 10:44:22 fw01 kernel: ipt_tcpmss_target: bad length (64 bytes)
> Jan  2 10:44:32 fw01 last message repeated 11 times
> Jan  2 12:27:08 fw01 kernel: Neighbour table overflow.
> Jan  2 12:27:11 fw01 last message repeated 9 times
> Jan  2 12:27:13 fw01 kernel: NET: 10 messages suppressed.
> Jan  2 12:27:13 fw01 kernel: Neighbour table overflow.
> Jan  2 12:27:18 fw01 kernel: NET: 27 messages suppressed.
> Jan  2 12:27:18 fw01 kernel: Neighbour table overflow.
> 
> Once I disconnect the cable from the eth5 interface, I can ping my 
> router.  I tried reconnecting the cable to the eth5 interface and running 
> a ping to my router.  As a result, I can't ping the router and 
> similar messages pop up in the /var/log/syslog file.

1)  do you have a loopback interface up with the IP 127.0.0.1 on this
machine?

2) do you have > 1024 hosts plugged into this layer 2 broadcast domain?

3) are you plugging both ports of an ethernet bridge into the same layer
2 broadcast domain, creating a broadcast storm?

-j
 
--
"It is better to remain silent and thought a fool, than open your
 mouth and remove all doubt."
	--The Simpsons

* Neighbour table overflow
@ 2005-03-23 14:08 Sebastiao Antonio Campos (GWA)
  2005-03-23 14:23 ` Jason Opperisano
  0 siblings, 1 reply; 8+ messages in thread
From: Sebastiao Antonio Campos (GWA) @ 2005-03-23 14:08 UTC (permalink / raw)
  To: Netfilter list, Sertys

After I had applied the solution below I got the following error message:

Neighbour table overflow.

Tks


----- Original Message ----- 
From: "Sebastiao Antonio Campos (GWA)" <sa.campos@datasulsp.com.br>
To: "Netfilter list" <netfilter@lists.netfilter.org>; "Sertys"
<sertys@supportivo.org>
Sent: Tuesday, March 22, 2005 9:51 PM
Subject: Re: Two network cards to access the internet.


> Thanks.
>
> It is working good.
>
>
>
> ----- Original Message ----- 
> From: "Sertys" <sertys@supportivo.org>
> To: "Netfilter list" <netfilter@lists.netfilter.org>
> Sent: Tuesday, March 22, 2005 7:24 PM
> Subject: Re: Two network cards to access the internet.
>
>
> On Tue, 22 Mar 2005 18:54:26 -0300, Sebastião Antônio Campos
> <sa.campos@datasulsp.com.br> wrote:
>
> Well, that's easy. When you know the ports you want to map through the
> interfaces, just do
>
> iptables -t nat -A POSTROUTING -m multiport -p tcp -s 172.17.1.8 --dports
> 25,110,1723,1701,47 -o eth0 -j MASQUERADE
> iptables -t nat -A POSTROUTING -s 172.17.0.0/16 -o eth2 -j MASQUERADE
> or even better
> iptables -t nat -A POSTROUTING -s 172.17.0.0/16 -o eth2 -j SNAT
> --to-source $ETH2_IP
>
> Those are simple states, you might add --syn or -m state, it's a choice of
> yours anyway.
>
>
> > Hi!
> >
> > I have the following:
> >
> > A RedHat 9.0 with 3 network cards: one we use in the local network (eth1)
> > and the others (eth0 and eth2) to access the internet.
> >
> > I'd like to separate the traffic. In the eth0 use only with the e-mail
> > server (pop, smtp, 1723, 1701 and protocol 47) and the eht0 with other
> > traffic (http, https, msn....).
> >
> > I tried
> >
> > iptables -t nat -A POSTROUTING -o eth2 -s 172.17.1.8 -j MASQUERADE
> > (--this ip addrs is pop and smtp server)
> > iptables -t nat -A POSTROUTING -o eth0 -s 172.17.0.0/16 -j MASQUERADE
> >
> > But when I did this I could not access ports 1723, 1701 and protocol
> > 47 using eth2.
> >
> > I tried too use only iptables -t nat -A POSTROUTING -o eth2 -s
> > 172.17.0.0/16 -j MASQUERADE
> >
> > And I got the same prob.
> >
> > If I use iptables -t nat -A POSTROUTING  -s 172.17.0.0/16 -j MASQUERADE
> >
> > I will get successful access. Only when I use iptables -t nat -A
> > POSTROUTING  -s 172.17.0.0/16 -j MASQUERADE (without -o eth2 or -o eth0).
> >
> >
> > Who could help me?
> >
> > Thanks
> >
> >
> > Sebastião Antônio Campos
> > Infojoi Computadores Ltda
> > Joinville -SC - R. Iririú, 3587
> > Cml. (47) 437-0796 - Cel. (47) 9927-5349
> > tiao@infojoi.com.br
> > http://www.lupusnet.com.br
>
>
>
> -- 
> www.supportivo.org
>
> I can't stop myself checking for pigs in the outlets. Everybody thinks i'm
> a punk, cause of the hairstyle(220V).
> end
> 

* Re: Neighbour table overflow
  2005-03-23 14:08 Neighbour table overflow Sebastiao Antonio Campos (GWA)
@ 2005-03-23 14:23 ` Jason Opperisano
  0 siblings, 0 replies; 8+ messages in thread
From: Jason Opperisano @ 2005-03-23 14:23 UTC (permalink / raw)
  To: netfilter

On Wed, 2005-03-23 at 09:08, Sebastiao Antonio Campos (GWA) wrote:
> After I had applied the solution bellow I got the follwing msg error:
> 
> Neighbour table overflow.

IIRC--that error means you've filled up your arp table.  the values
(defaults shown) are controlled by the kernel parameters:

        net.ipv4.neigh.default.gc_thresh3 = 1024
        net.ipv4.neigh.default.gc_thresh2 = 512
        net.ipv4.neigh.default.gc_thresh1 = 128

how many hosts are on the physical subnets with your firewall machine?

i was surprised to see you say that everything was working, as your
question appeared to be about policy routing, yet setting up a SNAT
seemed to magically make it work--which made no sense to me.

-j

--
"Well, I'm not calling you a liar, but... I can't think of a way to
 finish that sentence."
	--The Simpsons
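The answer above says what the message means (the ARP table is full) and which sysctls bound it; the original 2002 poster asked whether the log lines were an attack. As an added example (not from any message in this thread), the script below gives a firewall admin the two checks that answer both questions: it totals the rate-limited kernel messages in a log excerpt, and it reads the live neighbour count and the gc_thresh tunables so the numbers can be compared. The sample log is a constructed copy of the lines from the 2002 post; the helper names are this script's own.

```shell
#!/bin/sh
# Added example; not from the thread. Two checks for "Neighbour table overflow.":
#  (1) total the kernel messages in a log excerpt, including the ones printk
#      rate limiting dropped ("NET: N messages suppressed.");
#  (2) compare the live IPv4 neighbour table with gc_thresh1/2/3.
# Sample log lines are a constructed copy of the 2002 post.

# count_overflow_events < LOG : prints "explicit suppressed total".
# Each "Neighbour table overflow." line is one event; "NET: N messages
# suppressed." means the rate limiter dropped N further net messages.
# Caveat: the suppressed counter covers every net_ratelimit()'d message, not
# only overflows, so the total is an upper bound, not an exact event count.
count_overflow_events() {
    awk '
        /Neighbour table overflow\./ { explicit++ }
        /NET: [0-9]+ messages suppressed\./ {
            for (i = 1; i <= NF; i++) if ($i == "NET:") { suppressed += $(i+1); break }
        }
        END { printf "%d %d %d\n", explicit, suppressed, explicit + suppressed }
    '
}

# neigh_table_usage [PROCDIR] : prints "entries thresh1 thresh2 thresh3".
# PROCDIR defaults to the real sysctl directory; pass another path to test
# offline. Returns 2 when the sysctls are not readable.
neigh_table_usage() {
    dir=${1:-/proc/sys/net/ipv4/neigh/default}
    [ -r "$dir/gc_thresh3" ] || { echo "no neighbour sysctls under $dir" >&2; return 2; }
    entries=$(ip -4 neigh show 2>/dev/null | wc -l | tr -d ' ')
    echo "$entries $(cat "$dir/gc_thresh1") $(cat "$dir/gc_thresh2") $(cat "$dir/gc_thresh3")"
}

# verdict ENTRIES T1 T2 T3 : one-word summary of where the table sits.
# Above thresh3 allocations can fail; above thresh2 the collector is forced;
# above thresh1 the periodic collector starts reclaiming stale entries.
verdict() {
    if [ "$1" -gt "$4" ]; then echo over-thresh3
    elif [ "$1" -gt "$3" ]; then echo over-thresh2
    elif [ "$1" -gt "$2" ]; then echo over-thresh1
    else echo ok; fi
}

# Constructed sample: the excerpt from the 2002 post.
SAMPLE_LOG='Nov 26 11:29:46 firewall kernel: NET: 96 messages suppressed.
Nov 26 11:29:46 firewall kernel: Neighbour table overflow.
Nov 26 11:29:52 firewall kernel: NET: 52 messages suppressed.
Nov 26 11:29:52 firewall kernel: Neighbour table overflow.
Nov 26 11:29:56 firewall kernel: NET: 83 messages suppressed.
Nov 26 11:29:56 firewall kernel: Neighbour table overflow.
Nov 26 11:30:08 firewall kernel: NET: 19 messages suppressed.
Nov 26 11:30:08 firewall kernel: Neighbour table overflow.'

# sample_counts : run the parser over the constructed excerpt above
sample_counts() {
    printf '%s\n' "$SAMPLE_LOG" | count_overflow_events
}

echo "log excerpt: $(sample_counts)   (explicit suppressed total)"
if usage=$(neigh_table_usage); then
    # $usage is deliberately unquoted: verdict takes the four fields as arguments
    echo "live table: $usage -> $(verdict $usage)"
fi
```

On the 2002 excerpt this reports 4 explicit overflows and 250 suppressed messages in about 22 seconds, which is the signature of a router seeing more distinct neighbours than gc_thresh3 allows, not of anything netfilter can block; whether that many neighbours are legitimate is what the live-table comparison (and a look at who those neighbours are) has to answer.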
