[20200313]net_ratelimit 38 callbacks suppressed.txt

Posted by lfree on 2020-03-13

--// While checking a Linux server I found the message above.
#  dmesg |grep -C4 "net_ratelimit"

TCP: too many of orphaned sockets
net_ratelimit: 56 callbacks suppressed
TCP: too many of orphaned sockets
TCP: too many of orphaned sockets
TCP: too many of orphaned sockets

martian source 192.168.XXX.YY from 192.166.1.126, on dev eth3
ll header: 00:10:e0:57:7d:85:00:23:89:a3:c9:1f:08:00
martian source 192.168.XXX.YY from 192.166.1.126, on dev eth3
ll header: 00:10:e0:57:7d:85:00:23:89:a3:c9:1f:08:00
net_ratelimit: 23 callbacks suppressed
martian source 192.168.XXX.YY from 192.166.1.126, on dev eth3
ll header: 00:10:e0:57:7d:85:00:23:89:a3:c9:1f:08:00
martian source 192.168.XXX.YY from 192.166.1.126, on dev eth3
ll header: 00:10:e0:57:7d:85:00:23:89:a3:c9:1f:08:00

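"net_ratelimit: N callbacks suppressed" means the kernel suppressed N syslog messages. The system was producing too many
repeated log messages too quickly, so net_ratelimit() in the kernel limited the syslog output.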



Linux has a mechanism to avoid a DoS attack – with regard to logging – called rate limit. Every message logged by the
kernel (including its modules), with printk(), is checked if it's allowed to be actually printed through this
mechanism.

The limits can be configured by tuning the files /proc/sys/kernel/printk_ratelimit and
/proc/sys/kernel/printk_ratelimit_burst. On my machine, the values for these files are 5 and 10, respectively, meaning
that 10 messages are allowed every 5 seconds. Exceeding this will make the kernel discard the message and print
something like "ratelimit N: callbacks suppressed".

--//#  sysctl kernel/printk_ratelimit_burst
--//kernel.printk_ratelimit_burst = 10

However, the networking code in the kernel has its own limit configuration. It obeys the same logic as above but uses a
different path, just to allow independence from the generic logging functions. The files are:
/proc/sys/net/core/message_cost and /proc/sys/net/core/message_burst. They are similar to their generic "parents"
mentioned above.

The message_cost file contains the interval and message_burst contains the maximum number of messages allowed in that
interval.

To disable this mechanism and allow every message to be logged, simply set the interval to 0:

# sysctl -w net.core.message_cost=0
--// Settings on our server:
--//#  sysctl net/core/message_cost net/core/message_burst
--//net.core.message_cost = 5
--//net.core.message_burst = 10

Write "net.core.message_cost=0" to /etc/sysctl.d/some-file to make this change persistent across reboots.

This will make the message "net_ratelimit: N callbacks suppressed" go away. It's up to you to disable this mechanism.
Sometimes it's just necessary, right?
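
Added example, not part of the original post: with the limit left enabled, the counters already in dmesg can be summed to see how many messages were dropped and which messages got through. The function names are chosen for this example, and the sample is the dmesg excerpt shown earlier with one constructed timestamp.

```shell
#!/bin/sh
# Added example (not from the original post): summarise rate-limited kernel
# network messages from dmesg text supplied on stdin.

# Remove the optional "[seconds.usec] " prefix present when printk time=Y.
strip_ts() {
    sed 's/^\[ *[0-9][0-9]*\.[0-9][0-9]*] *//'
}

# Sum N over every "net_ratelimit: N callbacks suppressed" line:
# the number of messages the kernel dropped instead of logging.
suppressed_total() {
    strip_ts | awk '/^net_ratelimit: [0-9]+ callbacks suppressed/ { n += $2 }
                    END { print n + 0 }'
}

# Count each distinct message that did get through, most frequent first.
# "ll header:" lines are skipped because they accompany a martian report
# rather than being separate events; "--" is the grep -C group separator.
visible_counts() {
    strip_ts |
        grep -v -e '^net_ratelimit:' -e '^ll header:' -e '^--$' -e '^$' |
        sort | uniq -c | sort -rn |
        awk '{ c = $1; sub(/^ *[0-9]+ /, ""); print c "\t" $0 }'
}

# Sample input: lines from the dmesg excerpt in this post; the timestamp on
# the first line is constructed to exercise strip_ts.
sample_dmesg() {
    cat <<'EOF'
[12345.678901] TCP: too many of orphaned sockets
net_ratelimit: 56 callbacks suppressed
TCP: too many of orphaned sockets
TCP: too many of orphaned sockets
TCP: too many of orphaned sockets

martian source 192.168.XXX.YY from 192.166.1.126, on dev eth3
ll header: 00:10:e0:57:7d:85:00:23:89:a3:c9:1f:08:00
net_ratelimit: 23 callbacks suppressed
martian source 192.168.XXX.YY from 192.166.1.126, on dev eth3
ll header: 00:10:e0:57:7d:85:00:23:89:a3:c9:1f:08:00
EOF
}

# On a live host: dmesg | suppressed_total ; dmesg | visible_counts
echo "suppressed: $(sample_dmesg | suppressed_total)"
sample_dmesg | visible_counts
```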

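--// Also, on versions before rh6.X, dmesg output has no timestamps. Enabling them is recommended; otherwise you see a message and cannot tell when it happened.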
# cat /sys/module/printk/parameters/time
N

# echo Y > /sys/module/printk/parameters/time

--// A simple way to verify that it works:
# tcpdump -i eth0 host 111.111.111.111;cat /proc/uptime
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel

165827663.47 3766099753.68 ----// output of cat /proc/uptime.

# dmesg | tail -2
[165750081.554266] device eth0 entered promiscuous mode
[165750082.398471] device eth0 left promiscuous mode

--//165827663.47-165750082 = 77581.47
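--// The drawback is that I don't know how to convert the timestamp.
--// The seconds shown by cat /proc/uptime differ greatly from the timestamps written to the kernel ring buffer. Does anyone know why?
--// In fact, many of the conversion programs linked online can be said to be wrong. I'll look into it when I have time.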

From the "ITPUB blog", link: http://blog.itpub.net/267265/viewspace-2680122/. If you repost this, please credit the source; otherwise legal liability will be pursued.
