Subject: kern/5992: syslogging of "arp info overwritten" needs a throttle
To: None <gnats-bugs@gnats.netbsd.org>
From: Wolfgang Rupprecht <wolfgang@wsrcc.com>
List: netbsd-bugs
Date: 08/19/1998 17:11:53
>Number: 5992
>Category: kern
>Synopsis: syslogging of "arp info overwritten" needs a throttle
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: kern-bug-people (Kernel Bug People)
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Aug 19 17:20:01 1998
>Last-Modified:
>Originator: Wolfgang Rupprecht
>Organization:
W S Rupprecht Computer Consulting, Fremont CA
>Release: current Aug 15, 1998
>Environment:
System: NetBSD capsicum.wsrcc.com 1.3G NetBSD 1.3G (WSRCC) #0: Sat Aug 15 17:29:13 PDT 1998 root@capsicum.wsrcc.com:/v/src/netbsd/NetBSD-current/usr/src/sys/arch/i386/compile/WSRCC i386
>Description:
The kernel's syslogging of "arp info overwritten" happens once
for each flip-flop. Since the exact printout of each line is
different, the syslog daemon won't collapse them into a "last
message repeated N times".
Aug 18 22:15:29 capsicum /netbsd: arp info overwritten for 24.1.64.1 by 00:a0:2a:ff:01:52
Aug 18 22:15:29 capsicum /netbsd: arp info overwritten for 24.1.64.1 by 00:60:47:27:cd:00
Yesterday some user on the local cable modem segment
configured their machine to "proxy" arp for the main gateway.
The gateway defended its turf by arping back the correct MAC.
Syslog was logging 30 lines of arp flip-flops per second. The
disk sounded like a jack-hammer. The only way to stop it was
to take down the ethernet interface.
>How-To-Repeat:
Configure two machines for the same IP address. Telnet to
that address from a third NetBSD box.
>Fix:
1) Only allow the kernel to log a certain number of the "arp
info overwritten" msgs per unit of time.
2) Allow the syslogd to match the arp info lines by perhaps
allowing for storage of the last two seen lines (or perhaps
only matching on the non-numeric parts of the line).
>Audit-Trail:
>Unformatted:
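
Added example, not part of the original report and not NetBSD kernel code: a user-space C sketch of suggestion 1 under >Fix:, allowing a fixed number of "arp info overwritten" messages per time window and reporting how many were dropped. The struct, the function names, and the burst and window values are assumptions made for illustration; the workload is constructed from the 30 lines per second described in the report.

```c
#include <stdio.h>

/* Hypothetical fixed-window limiter: at most `burst` messages per `window` s. */
struct log_limit {
    long window_start;  /* start of the current window, in seconds */
    int  window;        /* window length in seconds */
    int  burst;         /* messages allowed per window */
    int  emitted;       /* messages logged in the current window */
    int  suppressed;    /* messages dropped in the current window */
};

/* Returns 1 if the caller may log now, 0 if the message must be dropped.
 * When a new window opens, *dropped gets the previous window's drop count
 * so the caller can log a single summary line in place of the flood. */
static int log_limit_allow(struct log_limit *l, long now, int *dropped)
{
    *dropped = 0;
    if (now - l->window_start >= l->window) {
        *dropped = l->suppressed;
        l->window_start = now;
        l->emitted = 0;
        l->suppressed = 0;
    }
    if (l->emitted < l->burst) {
        l->emitted++;
        return 1;
    }
    l->suppressed++;
    return 0;
}

/* Constructed workload: `rate` ARP flip-flops per second for `secs` seconds.
 * Returns the number of lines that would reach syslog, summaries included. */
static int simulate(int rate, int secs, int burst, int window, int verbose)
{
    static const char *mac[] = { "00:a0:2a:ff:01:52", "00:60:47:27:cd:00" };
    struct log_limit l = { 0, window, burst, 0, 0 };
    int lines = 0, dropped;

    for (long t = 0; t < secs; t++)
        for (int i = 0; i < rate; i++) {
            if (!log_limit_allow(&l, t, &dropped))
                continue;
            if (dropped && ++lines && verbose)
                printf("t=%ld: %d arp overwrite messages suppressed\n", t, dropped);
            if (++lines && verbose)
                printf("t=%ld: arp info overwritten for 24.1.64.1 by %s\n", t, mac[i & 1]);
        }
    return lines;
}

int main(void)
{
    printf("%d lines logged instead of %d\n", simulate(30, 60, 2, 10, 1), 30 * 60);
    return 0;
}
```

The drop count is only reported when a later message opens a new window, so a flood that stops abruptly leaves its last window unreported; a periodic timer would be needed to close that gap.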