Bug in recent kernel's ipmon?

From: Fred Souza <fred_at_storming.org>
Date: Fri, 12 Dec 2003 16:54:10 -0200

Hello,

  I just upgraded my system this night, with fresh sources. And I just
  noticed a strange change in the way ipmon logs stuff. I installed and
  booted the new kernel at about 3:50am, and then proceeded to
  recompile world. Note how this weird change happens exactly when I
  boot the new kernel. At about noon today, I rebooted the system once
  again, and the strange logging behaviour is still there. Here's the
  output:

Dec 12 00:50:48 torment ipmon[253]: 00:50:48.129245 tun0 @1:19 b 68.122.5.64,1642 -> a.b.c.d,12140 PR tcp len 20 48 -S IN
Dec 12 00:50:51 torment ipmon[253]: 00:50:51.036378 tun0 @1:19 b 68.122.5.64,1642 -> a.b.c.d,12140 PR tcp len 20 48 -S IN
Dec 12 00:50:57 torment ipmon[253]: 00:50:56.759340 tun0 @1:19 b 68.122.5.64,1642 -> a.b.c.d,12140 PR tcp len 20 48 -S IN

  [snip]

Dec 12 00:57:18 torment ipmon[253]: 00:57:17.953080 tun0 @1:19 b 68.122.5.64,1753 -> a.b.c.d,12140 PR tcp len 20 48 -S IN
Dec 12 00:57:21 torment ipmon[253]: 00:57:20.892857 tun0 @1:19 b 68.122.5.64,1753 -> a.b.c.d,12140 PR tcp len 20 48 -S IN
Dec 12 00:57:25 torment ipmon[253]: 00:57:24.179407 tun0 @1:19 b 68.122.5.64,1670 -> a.b.c.d,12140 PR tcp len 20 40 -AR IN
Dec 12 00:57:27 torment ipmon[253]: 00:57:26.774064 tun0 @1:19 b 68.122.5.64,1753 -> a.b.c.d,12140 PR tcp len 20 48 -S IN
Dec 12 00:57:39 torment ipmon[253]: 00:57:38.962248 tun0 @1:19 b 68.122.5.64,1753 -> a.b.c.d,12140 PR tcp len 20 48 -S IN

  [snip - the new kernel is booted up here. Take a look at the
  interface's (tun0) name]

Dec 12 04:00:04 torment ipmon[268]: 04:00:04.084573 tun056069 @1:19 b 200.165.143.85,1025 -> a.b.c.d,1499 PR tcp len 20 40 -AR IN
Dec 12 04:03:05 torment ipmon[268]: 04:03:05.138846 tun03228173440 @2:8 b 220.97.211.160,3872 -> a.b.c.d,1434 PR udp len 20 404 IN
Dec 12 04:11:25 torment ipmon[268]: 04:11:25.125725 tun03228173440 @1:19 b 200.165.143.85,1025 -> a.b.c.d,1987 PR tcp len 20 40 -AR IN
Dec 12 04:20:42 torment ipmon[268]: 04:20:42.321850 tun03228173440 @1:19 b 200.165.143.85,1025 -> a.b.c.d,1159 PR tcp len 20 40 -AR IN
Dec 12 11:52:27 torment ipmon[268]: 11:52:26.272993 tun078315520 @1:19 b 200.165.143.85,1025 -> a.b.c.d,1292 PR tcp len 20 40 -AR IN
Dec 12 11:55:15 torment ipmon[268]: 11:55:15.177658 tun034055 @1:19 b 200.165.219.199,1025 -> a.b.c.d,1925 PR tcp len 20 40 -AR IN
Dec 12 12:08:03 torment ipmon[268]: 12:08:03.582678 tun018553 @1:19 b 200.208.28.213,80 -> a.b.c.d,31048 PR tcp len 20 40 -AR IN
Dec 12 12:08:16 torment ipmon[268]: 12:08:16.514720 tun05895 @1:19 b 200.165.143.85,1025 -> a.b.c.d,1815 PR tcp len 20 40 -AR IN
Dec 12 12:14:05 torment ipmon[268]: 12:14:04.350558 tun03228173440 @1:19 b 64.48.134.14,0 -> a.b.c.d,8000 PR tcp len 20 40 -S IN
Dec 12 12:14:48 torment ipmon[268]: 12:14:48.121531 tun03228173440 @1:19 b 200.165.219.199,1025 -> a.b.c.d,1438 PR tcp len 20 40 -AR IN
Dec 12 12:19:02 torment ipmon[268]: 12:19:02.406130 tun03228173440 @1:19 b 64.48.134.14,0 -> a.b.c.d,8080 PR tcp len 20 40 -S IN
Dec 12 12:24:46 torment ipmon[268]: 12:24:45.470273 tun03228173440 @1:19 b 200.165.219.199,1025 -> a.b.c.d,1910 PR tcp len 20 40 -AR IN
Dec 12 12:27:55 torment ipmon[268]: 12:27:54.571752 tun03228173440 @1:19 b 200.165.219.199,1025 -> a.b.c.d,1140 PR tcp len 20 40 -AR IN
Dec 12 15:26:41 torment ipmon[255]: 15:26:40.945140 tun011137 @1:19 b 218.89.171.57,8868 -> a.b.c.d,33067 PR tcp len 20 44 -AS IN
Dec 12 15:26:44 torment ipmon[255]: 15:26:44.212810 tun011137 @1:19 b 218.89.171.57,8868 -> a.b.c.d,33067 PR tcp len 20 44 -AS IN
Dec 12 15:28:32 torment ipmon[255]: 15:28:31.753987 tun016646 @1:19 b 200.165.143.85,1025 -> a.b.c.d,1601 PR tcp len 20 40 -AR IN


  Also notice how sometimes the (apparently random) number after tun0
  duplicates. And that it even "returned" once. I tried finding the
  error under src/contrib/ipfilter, but couldn't seem to find it. Maybe
  it's something in the kernel-side ipfilter code?


  Thanks in advance,
  Fred

  
-- 
"idiot box, n:
        The part of the envelope that tells a person where to place
        the stamp when they can't quite figure it out for themselves."
		-- "Sniglets", Rich Hall & Friends

Received on Fri Dec 12 2003 - 09:54:24 UTC