>Number:         5992
>Category:       kern
>Synopsis:       sysloging of "arp info overwritten" needs a throttle
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    kern-bug-people (Kernel Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Aug 19 17:20:01 1998
>Last-Modified:
>Originator:     Wolfgang Rupprecht
>Organization:
W S Rupprecht Computer Consulting, Fremont CA
>Release:        current Aug 15, 1998
>Environment:
	
System: NetBSD capsicum.wsrcc.com 1.3G NetBSD 1.3G (WSRCC) #0: Sat Aug 15 17:29:13 PDT 1998 root@capsicum.wsrcc.com:/v/src/netbsd/NetBSD-current/usr/src/sys/arch/i386/compile/WSRCC i386


>Description:
	   
	the kernels syslogging of "arp info overwritten" happens once
	for each flip flop.  Since the exact printout of each line is
	different, they syslog daemon won't collapse them into a "last
	message repeated N times".

Aug 18 22:15:29 capsicum /netbsd: arp info overwritten for 24.1.64.1 by 00:a0:2a:ff:01:52
Aug 18 22:15:29 capsicum /netbsd: arp info overwritten for 24.1.64.1 by 00:60:47:27:cd:00

	Yesturday some user on the local cable modem segment
	configured their machine to "proxy" arp for the main gateway.
        The gateway defended its turf by arping back the correct MAC.
	Syslog was logging 30 lines of arp flip-flops per second.  The
	disk sounded like a jack-hammer.  The only way to stop it was
	to take down the ethernet interface.

>How-To-Repeat:

	Configure two machines for the same IP address.  Telnet to
	that address from a third Netbsd box.

>Fix:

	1) Only allow the kernel to log a certain number of the "arp
	   info overwritten" msgs per unit of time.

	2) allow the syslogd to match the arp info lines by perhaps 
	   allowing for storage of the last two seen lines (or perhaps
	   only matching on the non-numeric parts of the line).


>Audit-Trail:
>Unformatted: