From: Sergey Alexanov <freak@volia.net>
To: netfilter@lists.netfilter.org
Subject: ip_conntrack hashsize problem
Date: Tue, 06 Feb 2007 17:33:41 +0200
Message-ID: <45C89FD5.4020508@volia.net>
Hello all,
can anybody advise me on the following issue:
# grep ip_conntrack /etc/modprobe.conf
options ip_conntrack hashsize=2097152
# modprobe ip_conntrack
# lsmod | grep ip_conntrack
ip_conntrack 53924 0
# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
16777216
# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_buckets
2097152
looking fine..
but if I try to insert more than 16000 rules with connection tracking, I
get an error:
# iptables-restore < ./firewall.sav
iptables-restore: line 16386 failed
# wc -l ./firewall.sav
16387 ./firewall.sav
but with a smaller set of rules:
# wc -l ./firewall.sav
4099 ./firewall.sav
applying ruleset:
# iptables-restore < ./firewall.sav
and checking with
# iptables -t mangle -L -n
everything is fine
firewall.sav is filled with something like this:
# cat ./firewall.sav | less
*mangle
-A POSTROUTING -d xx.yy.240.0 -m layer7 --l7proto openft -j MARK --set-mark 0x4d7bf000b
-A POSTROUTING -s xx.yy.240.0 -m layer7 --l7proto openft -j MARK --set-mark 0x4d7bf000b
-A POSTROUTING -d xx.yy.240.0 -m layer7 --l7proto gnutella -j MARK --set-mark 0x4d7bf0008
[.skipped.]
-A POSTROUTING -d xx.yy.241.255 -m layer7 --l7proto edonkey -j MARK --set-mark 0x4d7bf1ff2
-A POSTROUTING -s xx.yy.241.255 -m layer7 --l7proto edonkey -j MARK --set-mark 0x4d7bf1ff2
-A POSTROUTING -d xx.yy.241.255 -j MARK --set-mark 0x4d7bf1ff9
-A POSTROUTING -s xx.yy.241.255 -j MARK --set-mark 0x4d7bf1ff9
COMMIT
just 32 rules for each IP address in the xx.yy.240/23 CIDR block.
additional info:
# cat /proc/meminfo
MemTotal: 1035276 kB
MemFree: 32848 kB
Buffers: 32428 kB
Cached: 899432 kB
SwapCached: 0 kB
Active: 614192 kB
Inactive: 326368 kB
HighTotal: 130752 kB
HighFree: 1404 kB
LowTotal: 904524 kB
LowFree: 31444 kB
SwapTotal: 2072344 kB
SwapFree: 2072344 kB
Dirty: 0 kB
Writeback: 0 kB
AnonPages: 8716 kB
Mapped: 4668 kB
Slab: 36892 kB
SReclaimable: 27720 kB
SUnreclaim: 9172 kB
PageTables: 840 kB
NFS_Unstable: 0 kB
Bounce: 0 kB
CommitLimit: 2589980 kB
Committed_AS: 31660 kB
VmallocTotal: 118776 kB
VmallocUsed: 18516 kB
VmallocChunk: 100096 kB
HugePages_Total: 0
HugePages_Free: 0
HugePages_Rsvd: 0
Hugepagesize: 2048 kB
# uname -srp
Linux 2.6.19.2 i686
# lsmod
Module Size Used by
ipt_layer7 13060 3840
ip_conntrack 53924 1 ipt_layer7
iptable_mangle 3328 1
ip_tables 13528 1 iptable_mangle
autofs4 22148 2
dm_mod 59668 0
video 16260 0
button 7056 0
battery 10500 0
asus_acpi 16152 0
ac 5508 0
shpchp 39852 0
i2c_i801 8588 0
8139too 27904 0
e100 36744 0
mii 6272 2 8139too,e100
sk98lin 160736 0
floppy 60892 0
ext3 138248 1
jbd 60072 1 ext3
ata_piix 15880 2
sd_mod 21888 3
I would very much appreciate it if anybody could help or advise me on this problem.
thanks.
--
Sergey Alexanov
SA1215-RIPE
freak@volia.net