rule limitations?

rule limitations?

[Nesser, Phil]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

For relatively obscure reasons, I am trying to build a set of rules that run into the hundreds of thousands.  I was experimenting on a Redhat Release 5 machine with 2.6.18 kernel and 1.3.5  iptables.  I was able to load around 340k rules before getting an error of iptables-restore: line XXXXXX failed.

So I try it out on a server (much beefier, 8G ram, dual quad core 2GHz proc) running the same kernel/iptables versions.  This time it died in the same way at about 40k rules.  After some research I found a log message on Vmalloc failures, so I figured what the hell and rebuilt the server using the 64 bit version of RH 5.  Now no more vmalloc failures, but still dies at around 40k entries.

I am more than happy to build a custom kernel if that what I need to do.  I have poked around the sources and it is not obvious what needs to change.

Any help would be appreciated.

Thanks!

- - --->  Phil
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (MingW32)

iD8DBQFGwO22a2RfHGe2XK4RAieYAJ4zyhQ9TZVfCmVIn6PQYzXP5SsSPgCfRmxW
AoW2WX8lau75nY7WzGnPpjA=
=BM8m
-----END PGP SIGNATURE-----

Re: rule limitations?

[Patrick McHardy]

Nesser, Phil wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> For relatively obscure reasons, I am trying to build a set of rules that run into the hundreds of thousands.  I was experimenting on a Redhat Release 5 machine with 2.6.18 kernel and 1.3.5  iptables.  I was able to load around 340k rules before getting an error of iptables-restore: line XXXXXX failed.
> 
> So I try it out on a server (much beefier, 8G ram, dual quad core 2GHz proc) running the same kernel/iptables versions.  This time it died in the same way at about 40k rules.  After some research I found a log message on Vmalloc failures, so I figured what the hell and rebuilt the server using the 64 bit version of RH 5.  Now no more vmalloc failures, but still dies at around 40k entries.
> 
> I am more than happy to build a custom kernel if that what I need to do.  I have poked around the sources and it is not obvious what needs to change.
> 
> Any help would be appreciated.


What error message do you get (or if its too unspecific, what does
strace show)?

Re: rule limitations?

[Jesper Dangaard Brouer]

> Nesser, Phil wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>> 
>> For relatively obscure reasons, I am trying to build a set of rules that 
>> run into the hundreds of thousands.  I was experimenting on a Redhat 
>> Release 5 machine with 2.6.18 kernel and 1.3.5  iptables.  I was able to 
>> load around 340k rules before getting an error of iptables-restore: line 
>> XXXXXX failed.
>> 
>> So I try it out on a server (much beefier, 8G ram, dual quad core 2GHz 
>> proc) running the same kernel/iptables versions.  This time it died in 
>> the same way at about 40k rules.  After some research I found a log 
>> message on Vmalloc failures, so I figured what the hell and rebuilt the 
>> server using the 64 bit version of RH 5.  Now no more vmalloc failures, 
>> but still dies at around 40k entries.
>> 
>> I am more than happy to build a custom kernel if that what I need to do. 
>> I have poked around the sources and it is not obvious what needs to 
>> change.
>> 
>> Any help would be appreciated.

You are limited by vmalloc space.

See, my previous explaination:
http://lists.netfilter.org/pipermail/netfilter-devel/2006-October/025879.html

Hilsen
   Jesper Brouer

--
-------------------------------------------------------------------
MSc. Master of Computer Science
Dept. of Computer Science, University of Copenhagen
Author of http://www.adsl-optimizer.dk
-------------------------------------------------------------------