On Tue, Jul 3, 2012 at 2:05 PM, Marcin Cieslak saper@saper.info wrote:
Leslie Carr lcarr@wikimedia.org wrote:
When in a firewall filter, packets are rejected (which sends an ICMP rejected notice), the routing engine can receive too many of these requests, causing the routing engine to "choke" on its backlog of requests.
Leslie, thanks for excellent update! Was is something similar to ICMP storm caused by unreachables (similar to the problems caused by subnet-directed packets in the old days) that even ICMP rate limiting didn't help?
Sadly ICMP rate limiting only counts for ICMP packets incoming to RE, outgoing packets are processed and created before any filters kick in.
//Saper
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l