Date: Tue, 10 Jul 2007 20:29:14 -0500 (CDT)
From: Mike Silbersack
To: Eygene Ryabinkin
Cc: Andre Oppermann, Robert Watson, current@freebsd.org, net@freebsd.org
Subject: Re: FreeBSD 7 TCP syncache fix: request for testers
In-Reply-To: <20070710132253.GJ1038@void.codelabs.ru>
Message-ID: <20070710202028.I34890@odysseus.silby.com>
List-Id: Discussions about the use of FreeBSD-current

On Tue, 10 Jul 2007, Eygene Ryabinkin wrote:

> Can't say that I am pushing much traffic through my box, but after
> applying your patch and rebuilding the kernel I am still seeing the
> messages like
> -----
> TCP: [209.132.176.NNN]:NNN to [144.206.NNN.NNN]:NNN tcpflags 0x19; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed)
> TCP: [201.90.65.NNN]:NNN to [144.206.NNN.NNN]:NNN; syncache_timer: Response timeout
> -----
> But what had changed is that the lines with the 'syncache_timer'
> started to appear.  There were no such lines prior to the patch,
> only the 'failed SYNCOOKIE' ones.

The "syncache_timer: Response timeout" message means that the syncache
sent a SYN-ACK response four times, but still didn't receive a response.
This probably means that someone tried using a port scanner or was going
through a faulty firewall.  We'll definitely have to take that log message
out before 7.0 is released.

The fact that you're still getting the syncache_expand message tells me
that there's another bug which I have not yet fixed still present.

My suspicion is that the "Segment failed SYNCOOKIE authentication" message
is the aftereffect of FreeBSD 7 randomly dropping TCP connections, and not
the problem itself.  My theory is that the connection is silently dropped,
without the other endpoint knowing.  That other endpoint then sends an ACK
packet, which is then believed to be a syncookie.  Since it is not, it
obviously fails the verification.

Finding that bug is my next goal.

> But the patch received only half a day of testing, so I will continue
> the tests and will inform you if some other information will be
> available.  Up to date I don't see problems that had appeared without
> the patch, but they tend to show up after a midnight ;))
>
> Thank you!

Thanks for testing, I look forward to hearing how things work for you.

Mike "Silby" Silbersack
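
A triage helper for the two kernel log messages discussed in this message, added here as an example; it is not part of the original mail or of FreeBSD. The sample lines are constructed (documentation addresses) in the format quoted above, and the event labels and the FIN/PSH heuristic are assumptions of the example.

```python
import re
from collections import Counter

# TCP header flag bits (RFC 793), lowest bit first.
TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]

# Matches the log format quoted in the mail; "tcpflags" is optional.
LINE_RE = re.compile(
    r"TCP: \[(?P<src>[^\]]+)\]:(?P<sport>\w+) to \[(?P<dst>[^\]]+)\]:(?P<dport>\w+)"
    r"(?: tcpflags 0x(?P<flags>[0-9a-fA-F]+))?; "
    r"(?P<func>syncache_\w+): (?P<msg>.*)")

# Constructed sample input (not real traffic).
SAMPLE = [
    "TCP: [192.0.2.10]:51234 to [198.51.100.5]:80 tcpflags 0x19; syncache_expand: "
    "Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed)",
    "TCP: [192.0.2.77]:40000 to [198.51.100.5]:80 tcpflags 0x10; syncache_expand: "
    "Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed)",
    "TCP: [203.0.113.9]:1025 to [198.51.100.5]:22; syncache_timer: Response timeout",
]

def decode_flags(value):
    """Return the names of the flag bits set in a tcpflags value."""
    return [name for bit, name in TCP_FLAGS if value & bit]

def classify(line):
    """Return (source, event, flag names) for a syncache log line, else None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    flags = decode_flags(int(m["flags"], 16)) if m["flags"] else []
    if m["func"] == "syncache_timer" and "Response timeout" in m["msg"]:
        event = "synack-unanswered"        # SYN-ACK retransmits got no reply
    elif m["func"] == "syncache_expand" and "SYNCOOKIE" in m["msg"]:
        # Heuristic (assumption): FIN or PSH marks a data/teardown segment,
        # i.e. a peer that believes the connection is already established.
        midstream = {"FIN", "PSH"} & set(flags)
        event = "cookie-fail-midstream" if midstream else "cookie-fail-bare-ack"
    else:
        event = "other"
    return m["src"], event, flags

def summarize(lines):
    """Count events over all lines that match the syncache log format."""
    return Counter(r[1] for r in map(classify, lines) if r is not None)

if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line))
    print(dict(summarize(SAMPLE)))
```

The quoted `tcpflags 0x19` decodes to FIN, PSH and ACK, so that rejected segment was not a bare handshake ACK.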