Philipp Rusch wrote:
Hi all,
yesterday I updated my SuSE 8.1 system with the recommended (auto) updates through YOU. I noticed that there was a kernel update in the list, but I didn't mind.
Today, when under stress, my firewall gives hundreds of messages like:
Sep 10 11:53:27 proxy1 kernel: NET: 39 messages suppressed.
I did NOT change a thing besides those updates and rebooted. The firewall is done through iptables and configured with the "shorewall" script which has been in use for over a year now without any problems. Now the firewall simply stops after a certain while.
Unfortunately I cannot log in because the SSH process is crashing as well and I am not on site, but I managed to get the logs via email.
Any hint / help is appreciated very much.
This is not a kernel bug. I would say you've some kind of worm inside your network. Dunno which one exactly but I've seen it on many routers in the last 3 weeks (would say blaster or sobig).

The "solution" beside removing the worm is simple: make your arp cache table bigger to hold more arp entries. This can be done by:

    echo 1024 > /proc/sys/net/ipv4/neigh/default/gc_thresh1
    echo 2048 > /proc/sys/net/ipv4/neigh/default/gc_thresh2
    echo 4096 > /proc/sys/net/ipv4/neigh/default/gc_thresh3

This should be ok for now. Hopefully your RAM isn't full at all ;) Your box will work ok again and the errors should be gone. After that please check for the worm.

The worm pings your local network (any IP) and so you'll get many incomplete arp entries. You can check that (if you have access again to the box) with the arp command. If you want, you can track how many entries are in your cache by

    arp -an | wc -l

(and you'll see that it increases up to more than 1024, the old default maximum).

HTH,
Sven
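
The check described in the reply above, as an added shell example that is not part of the original thread: it counts total and incomplete entries in `arp -an` output and compares them with gc_thresh3. The sample ARP output is constructed, and the 80% and "more than half incomplete" cut-offs are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: ARP cache pressure check for a Linux router/firewall.
NEIGH_DIR=${NEIGH_DIR:-/proc/sys/net/ipv4/neigh/default}

# Constructed sample of `arp -an` output (addresses and MACs are made up).
sample_arp() {
cat <<'EOF'
? (192.168.1.1) at 00:11:22:33:44:55 [ether] on eth0
? (192.168.1.17) at <incomplete> on eth0
? (192.168.1.18) at <incomplete> on eth0
? (192.168.1.19) at <incomplete> on eth0
? (192.168.1.20) at 00:11:22:33:44:66 [ether] on eth0
? (192.168.1.21) at <incomplete> on eth0
EOF
}

# Both counters read `arp -an` output on stdin; awk prints 0 for no match.
count_entries()    { awk '/ at / {n++} END {print n+0}'; }
count_incomplete() { awk '/<incomplete>/ {n++} END {print n+0}'; }

# classify TOTAL INCOMPLETE GC_THRESH3
#   near-limit   : table is at or above 80% of the hard limit (assumed cut-off)
#   scan-suspect : more than half of the entries never resolved (assumed cut-off),
#                  the pattern a host sweeping the local subnet leaves behind
#   ok           : neither condition holds
classify() {
    if [ $(( $1 * 100 )) -ge $(( $3 * 80 )) ]; then
        echo near-limit
    elif [ "$1" -gt 0 ] && [ $(( $2 * 2 )) -gt "$1" ]; then
        echo scan-suspect
    else
        echo ok
    fi
}

# Run as `sh script.sh live` on the affected box to check the real table.
if [ "${1:-}" = "live" ]; then
    out=$(arp -an)
    t=$(printf '%s\n' "$out" | count_entries)
    i=$(printf '%s\n' "$out" | count_incomplete)
    hard=$(cat "$NEIGH_DIR/gc_thresh3")
    echo "entries=$t incomplete=$i gc_thresh3=$hard status=$(classify "$t" "$i" "$hard")"
fi
```

Values written with echo into /proc are lost at reboot; the same settings can be kept in /etc/sysctl.conf as net.ipv4.neigh.default.gc_thresh1, gc_thresh2 and gc_thresh3.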