From: Olaf Kirch <okir@suse.de>
To: Olaf Hering <olh@suse.de>
Cc: "Bill Rugolsky Jr." <brugolsky@telemetry-investments.com>,
netdev@oss.sgi.com
Subject: Re: limited number if iptable rules on 64bit hosts
Date: Thu, 3 Feb 2005 12:19:39 +0100
Message-ID: <20050203111939.GI31570@suse.de>
In-Reply-To: <20050202225258.GA15563@suse.de>
On Wed, Feb 02, 2005 at 11:52:58PM +0100, Olaf Hering wrote:
> > I don't have time to look now [I'm running for the door],
> > but that's possibly the vmalloc() limit of 64M (67108864) ?
>
> maybe.
> ->size is a user-provided value, haven't looked closely at iptables
> source. It seems we have to live with this limitation.
The problem is two-fold. netfilter tries to allocate some data
per-CPU and does

    vmalloc(sizeof(struct ipt_table_info)
            + SMP_ALIGN(tmp.size) * NR_CPUS);

At 3445 rules, tmp.size is 524272 (why does it want that much memory? I
would expect the only data that's per-CPU is the packet and byte
counters).
In some of our kernel configurations, NR_CPUS is 128 or even more,
and we run into a vmalloc limit here.
vmalloc wants to allocate an array of struct page pointers, and on
a 64-bit platform this means you're limited to 131072 / 8 = 16384
pages, or 67108864 bytes. In the example Olaf H posted, we fail at
128 + 524272 * 128 = 67108992 bytes, i.e. 16385 pages.
So I guess it all boils down to why netfilter needs 150-odd bytes
per rule and CPU.
Olaf
--
Olaf Kirch | --- o --- Nous sommes du soleil we love when we play
okir@suse.de | / | \ sol.dhoop.naytheet.ah kin.ir.samse.qurax
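The arithmetic in the message above, worked through as an added example (this is not code from the mail or from the netfilter tree). It reproduces the vmalloc sizing with the figures Olaf gives: a 128-byte struct ipt_table_info header, a 524272-byte rule table, SMP_ALIGN rounding to 128-byte cache lines (the value that makes his 67108992 total come out), 4096-byte pages and a 131072-byte page-pointer array with 8-byte pointers. All of those constants are assumptions taken from the numbers in the thread, not read from any kernel; the helper also answers the follow-on question a sysadmin would ask, namely how many CPUs a given table size can still tolerate under that limit.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed constants, taken from the figures in the mail (not from a kernel). */
#define PAGE_SIZE_BYTES    4096ULL
#define VMALLOC_PTR_ARRAY  131072ULL  /* bytes available for the struct page pointer array */
#define PTR_BYTES_64BIT    8ULL       /* sizeof(struct page *) on a 64-bit host */

/* SMP_ALIGN as in the kernel macro: round x up to a multiple of the cache line. */
static uint64_t smp_align(uint64_t x, uint64_t cache_bytes)
{
    return (x + cache_bytes - 1) & ~(cache_bytes - 1);
}

/* Bytes netfilter asks vmalloc for: the header plus one aligned table copy per CPU. */
uint64_t ipt_table_alloc_bytes(uint64_t hdr_bytes, uint64_t table_bytes,
                               uint64_t nr_cpus, uint64_t cache_bytes)
{
    return hdr_bytes + smp_align(table_bytes, cache_bytes) * nr_cpus;
}

/* Pages needed to back an allocation of this many bytes (round up). */
uint64_t pages_for(uint64_t bytes)
{
    return (bytes + PAGE_SIZE_BYTES - 1) / PAGE_SIZE_BYTES;
}

/* Largest number of pages one vmalloc can track: 131072 / 8 = 16384 pages = 64 MiB. */
uint64_t vmalloc_page_budget(void)
{
    return VMALLOC_PTR_ARRAY / PTR_BYTES_64BIT;
}

/* 1 if the per-CPU table allocation fits inside the vmalloc page budget, else 0. */
int ipt_table_fits(uint64_t hdr_bytes, uint64_t table_bytes,
                   uint64_t nr_cpus, uint64_t cache_bytes)
{
    uint64_t bytes = ipt_table_alloc_bytes(hdr_bytes, table_bytes, nr_cpus, cache_bytes);
    return pages_for(bytes) <= vmalloc_page_budget();
}

/* Largest NR_CPUS for which a table of this size still fits (0 if none does). */
uint64_t max_cpus_fitting(uint64_t hdr_bytes, uint64_t table_bytes, uint64_t cache_bytes)
{
    uint64_t budget_bytes = vmalloc_page_budget() * PAGE_SIZE_BYTES;
    uint64_t per_cpu = smp_align(table_bytes, cache_bytes);
    if (budget_bytes < hdr_bytes || per_cpu == 0)
        return 0;
    return (budget_bytes - hdr_bytes) / per_cpu;
}

int main(void)
{
    /* Constructed inputs mirroring the thread: 128-byte header, 524272-byte table
     * (3445 rules), NR_CPUS = 128, 128-byte cache lines. */
    const uint64_t hdr = 128, table = 524272, cpus = 128, cache = 128;
    uint64_t bytes = ipt_table_alloc_bytes(hdr, table, cpus, cache);

    printf("allocation: %llu bytes = %llu pages (budget %llu pages)\n",
           (unsigned long long)bytes, (unsigned long long)pages_for(bytes),
           (unsigned long long)vmalloc_page_budget());
    printf("fits with NR_CPUS=%llu: %s\n", (unsigned long long)cpus,
           ipt_table_fits(hdr, table, cpus, cache) ? "yes" : "no");
    printf("largest NR_CPUS this table size tolerates: %llu\n",
           (unsigned long long)max_cpus_fitting(hdr, table, cache));
    return 0;
}
```

With these inputs the allocation comes to 67108992 bytes, one page over the 16384-page budget, which is exactly the failure Olaf H saw; the same table would still fit on a kernel built with NR_CPUS = 127.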