Home / server / Questions / 277009
Accepted
Antonius Bloch
Asked: 2011-06-05 07:42:07 +0800 CST

What does "net_ratelimit: 44 callbacks suppressed" mean on a linux?

  • 772

I'm trying to tune Snort performance on a Debian based router. I was seeing stuff like:

snort packet recv contents failure: No buffer space available

So I upped the buffers to 8M and when that didn't work I tried 16M, per the tuning guide at http://fasterdata.es.net/fasterdata/host-tuning/linux/:

#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
# Increase TCP Buffers to 16 MB
sysctl -w net.core.rmem_default='16777216'
sysctl -w net.core.wmem_default='16777216'
sysctl -w net.core.rmem_max='16777216'
sysctl -w net.core.wmem_max='16777216'
sysctl -w net.ipv4.tcp_wmem='1048576 4194304 16777216'
sysctl -w net.ipv4.tcp_rmem='1048576 4194304 16777216'
sysctl -w net.core.netdev_max_backlog='30000'
exit 0

Now I don't see the "no buffer space" log entry, but I've got a new one:

net_ratelimit: 44 callbacks suppressed

The only other messages from the same time frame are these martians, maybe that's what's being suppressed?

Jun  4 07:09:36 ilium ntpd_intres[3575]: host name not found: 0.us.pool.ntp.org
Jun  4 14:17:36 ilium kernel: [25743.259951] net_ratelimit: 44 callbacks suppressed
Jun  4 14:17:36 ilium kernel: [25743.259955] martian source 216.59.11.21 from 127.0.0.1, on dev eth0
Jun  4 14:17:36 ilium kernel: [25743.259956] ll header: 00:30:48:7c:f8:10:00:24:c4:49:8d:00:08:00
Jun  4 14:17:58 ilium kernel: [25765.055449] martian source 216.59.11.21 from 127.0.0.1, on dev eth0
Jun  4 14:17:58 ilium kernel: [25765.055451] ll header: 00:30:48:7c:f8:10:00:24:c4:49:8d:00:08:00
Jun  4 14:18:43 ilium kernel: [25809.998978] martian source 216.59.11.21 from 127.0.0.1, on dev eth0
Jun  4 14:18:43 ilium kernel: [25809.998980] ll header: 00:30:48:7c:f8:10:00:24:c4:49:8d:00:08:00
Jun  4 14:24:11 ilium kernel: [26138.700143] martian source 216.59.11.71 from 127.0.0.1, on dev eth0
Jun  4 14:24:11 ilium kernel: [26138.700145] ll header: 00:30:48:7c:f8:10:00:24:c4:49:8d:00:08:00
Jun  4 14:28:42 ilium kernel: [26409.130701] martian source 216.59.11.71 from 127.0.0.1, on dev eth0
Jun  4 14:28:42 ilium kernel: [26409.130703] ll header: 00:30:48:7c:f8:10:00:24:c4:49:8d:00:08:00
linux tcp linux-networking

1 Answers

  1. Best Answer

    'net_ratelimit()' is used to limit syslog messages from kernel.
    This "callbacks suppressed" message implies it suppressed a bulk of 44 syslog messages.
    This is an attempt to avoid loading your syslog logging path.

    Here is the source reference if you are interested,
    FreeBSD/Linux Kernel Cross Reference; sys/net/core/utils.c,
    It calls sys/lib/ratelimit.c -- ___ratelimit()

    You might want to investigate your "martian source",
    but if you ignore it I guess, the ratelimit will handle the logs
    (it is usually a good idea to fix unknown log sources tho).

    In your case it appears like your Martian Packets are,

    An incoming or outgoing packet whose source or destination address is in the range 127.0.0.0/8, which is reserved for loopback within the host.

    • 22