What does "net_ratelimit: 44 callbacks suppressed" mean on a linux?

linux tcp linux-networking

120,758

'net_ratelimit()' is used to limit syslog messages from kernel.
This "callbacks suppressed" message implies it suppressed a bulk of 44 syslog messages.
This is an attempt to avoid loading your syslog logging path.

Here is the source reference if you are interested,
FreeBSD/Linux Kernel Cross Reference; sys/net/core/utils.c,
It calls sys/lib/ratelimit.c -- ___ratelimit()

You might want to investigate your "martian source",
but if you ignore it I guess, the ratelimit will handle the logs
(it is usually a good idea to fix unknown log sources tho).

In your case it appears like your Martian Packets are,

An incoming or outgoing packet whose source or destination address is in the range 127.0.0.0/8, which is reserved for loopback within the host.

120,758

Antonius Bloch

Hi there. I'd love to share, but "Deny by default". If you can't tie the information I'm spilling on Stack Exchange then you can't use it to triangulate an attack on the systems I'm responsible for. I'm careful with what I post, but you can never be too careful, can you?

Updated on September 18, 2022

Comments

Antonius Bloch almost 2 years

I'm trying to tune Snort performance on a Debian based router. I was seeing stuff like:

snort packet recv contents failure: No buffer space available

So I upped the buffers to 8M and when that didn't work I tried 16M, per the tuning guide at http://fasterdata.es.net/fasterdata/host-tuning/linux/:

#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
# Increase TCP Buffers to 16 MB
sysctl -w net.core.rmem_default='16777216'
sysctl -w net.core.wmem_default='16777216'
sysctl -w net.core.rmem_max='16777216'
sysctl -w net.core.wmem_max='16777216'
sysctl -w net.ipv4.tcp_wmem='1048576 4194304 16777216'
sysctl -w net.ipv4.tcp_rmem='1048576 4194304 16777216'
sysctl -w net.core.netdev_max_backlog='30000'
exit 0

Now I don't see the "no buffer space" log entry, but I've got a new one:

net_ratelimit: 44 callbacks suppressed

The only other messages from the same time frame are these martians, maybe that's what's being suppressed?

Jun  4 07:09:36 ilium ntpd_intres[3575]: host name not found: 0.us.pool.ntp.org
Jun  4 14:17:36 ilium kernel: [25743.259951] net_ratelimit: 44 callbacks suppressed
Jun  4 14:17:36 ilium kernel: [25743.259955] martian source 216.59.11.21 from 127.0.0.1, on dev eth0
Jun  4 14:17:36 ilium kernel: [25743.259956] ll header: 00:30:48:7c:f8:10:00:24:c4:49:8d:00:08:00
Jun  4 14:17:58 ilium kernel: [25765.055449] martian source 216.59.11.21 from 127.0.0.1, on dev eth0
Jun  4 14:17:58 ilium kernel: [25765.055451] ll header: 00:30:48:7c:f8:10:00:24:c4:49:8d:00:08:00
Jun  4 14:18:43 ilium kernel: [25809.998978] martian source 216.59.11.21 from 127.0.0.1, on dev eth0
Jun  4 14:18:43 ilium kernel: [25809.998980] ll header: 00:30:48:7c:f8:10:00:24:c4:49:8d:00:08:00
Jun  4 14:24:11 ilium kernel: [26138.700143] martian source 216.59.11.71 from 127.0.0.1, on dev eth0
Jun  4 14:24:11 ilium kernel: [26138.700145] ll header: 00:30:48:7c:f8:10:00:24:c4:49:8d:00:08:00
Jun  4 14:28:42 ilium kernel: [26409.130701] martian source 216.59.11.71 from 127.0.0.1, on dev eth0
Jun  4 14:28:42 ilium kernel: [26409.130703] ll header: 00:30:48:7c:f8:10:00:24:c4:49:8d:00:08:00