On 2016-11-29 Theodore Baschak wrote:
> I'm running 4.8.{8,9,10} kernels on a couple of systems; however, it's on Debian, and it's not stock -- I've compiled packages for my infrastructure based on the coldkernel patchset we maintain. https://github.com/coldhakca/coldkernel
> I'd be willing to test out something if need be.
Thanks a ton! I'm attaching as simplified a test prog as I could make that shows the bug. Sorry it's such a mess; I just C&P'd as little code as I could to trigger the bug. (My code is heavily based on a sample from Perl Monks, so credit where it's due.) The code simply creates 253 ICMP echo packets and sends them out to the LAN as fast as it can. The sample ignores the responses, as they aren't required to repro the bug.
Change the $subnet at the top to be any of your local LAN /24 subnets. I guess you could test a /16; it might work as-is. I have no idea about IPv6.
On 4.8.8 or newer, as it is, it should die with an error on most runs (but not all!). (I've confirmed on 4.8.8 and 4.8.10 now.)
CURIOUS!!!: If you uncomment the $single= at the top and put in any single IP on your subnet, the bug disappears!! So the bug only hits when you are scanning a large number of IPs and not a single IP, even though in both cases it's sending the same number of ICMP packets out! BIZARRE! This might rule out iptables, because AFAIK there's no rule to match "variability of hosts".
I confirmed this bug does not exist in 4.7.10 (on the same box, all else equal).
I found a bunch of ICMP and net tweaks in sysfs that possibly could relate, and tweaked all of them to (near-)unlimited, but it didn't help at all. I checked, and their defaults were the same as they are on 4.7.10.
Strange, my test is pretty much like: nmap -sP 192.168.101.0/24. Yet nmap runs perfectly fine. Unless it catches these errors and retries/rate-limits?
It's like something new in the kernel is trying to ping flood host scans? I'm still digging around in changelogs trying to figure it out.
If you (or anyone with 4.8.8+) can confirm the bug hits with $single off, and doesn't hit with $single on, that would be great! Also, letting me know your iptables setup would help, as I still haven't ruled that out.
Thanks a ton!