[20200313]net_ratelimit 38 callbacks suppressed.txt

--//检查linux服务器发现如上信息。
#  dmesg |grep -C4 "net_ratelimit"

TCP: too many of orphaned sockets
net_ratelimit: 56 callbacks suppressed
TCP: too many of orphaned sockets
TCP: too many of orphaned sockets
TCP: too many of orphaned sockets

martian source 192.168.XXX.YY from 192.166.1.126, on dev eth3
ll header: 00:10:e0:57:7d:85:00:23:89:a3:c9:1f:08:00
martian source 192.168.XXX.YY from 192.166.1.126, on dev eth3
ll header: 00:10:e0:57:7d:85:00:23:89:a3:c9:1f:08:00
net_ratelimit: 23 callbacks suppressed
martian source 192.168.XXX.YY from 192.166.1.126, on dev eth3
ll header: 00:10:e0:57:7d:85:00:23:89:a3:c9:1f:08:00
martian source 192.168.XXX.YY from 192.166.1.126, on dev eth3
ll header: 00:10:e0:57:7d:85:00:23:89:a3:c9:1f:08:00

net_ratelimit: N callbacks suppressed表示内核阻止了N条syslog消息，这是因为系统重复的日志过多(频率过高)，太快输出，被内核
中的net_ratelimit()限制了syslog消息。

https://bani.com.br/2015/06/linux-getting-rid-of-net_ratelimit-n-callbacks-suppressed-messages/

Linux has a mechanism to avoid a DoS attack – with regard to logging – called rate limit. Every message logged by the
kernel (including its modules), with printk(), is checked if it's allowed to be actually printed through this
mechanism.

The limits can be configured by tuning the files /proc/sys/kernel/printk_ratelimit and
/proc/sys/kernel/printk_ratelimit_burst. In my machine, the values for these files are 5 and 10, respectively, meaning:
It's allowed 10 messages every 5 seconds. Exceeding this will make the kernel discard the message and print something
like "ratelimit N: callbacks suppressed".

--//#  sysctl kernel/printk_ratelimit_burst
--//kernel.printk_ratelimit_burst = 10

However, the networking code in the kernel has its own limit configuration. They obey the same logic above, they use a
different path just to allow independence from the generic logging functions. The files are:
/proc/sys/net/core/message_cost and /proc/sys/net/core/message_burst. They are similar to their generic "parents"
mentioned above.

The message_cost file contains the interval and message_burst contains the maximum number of messages allowed in that
interval.

To disable this mechanism and allow every message to be logged, simply set the interval to 0:

# sysctl -w net.core.message_cost=0
--//我们服务器设置：
--//#  sysctl net/core/message_cost net/core/message_burst
--//net.core.message_cost = 5
--//net.core.message_burst = 10

Write "net.core.message_cost=0" to /etc/sysctl.d/some-file to make this change persistent to reboots.

This will make the message "net_ratelimit: N callbacks suppressed" go away. It's up to you do disable this mechanism.
Sometimes it's just necessary, right?

--//另外rh6.X之前的版本，dmesg的输出都没有时间戳，建议加上，不然看到也不知道什么时候发生的。
# cat /sys/module/printk/parameters/time
N

# echo Y > /sys/module/printk/parameters/time

--//简单验证是否有效就是：
# tcpdump -i eth0 host 111.111.111.111;cat /proc/uptime
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel

165827663.47 3766099753.68 ----//cat /proc/uptime 输出的信息。

# dmesg | tail -2
[165750081.554266] device eth0 entered promiscuous mode
[165750082.398471] device eth0 left promiscuous mode

--//165827663.47-165750082 = 77581.47
--//缺点就是时间戳我不知道如何转换.
--// cat /proc/uptime看到的秒数，与写入kernel ring buffer的时间戳存在很大的偏差。那位知道为什么?
--//实际上网上链接许多转换程序可以讲都是错误的,有时间探究看看。