* iptables: Resource temporarily unavailable.
From: Jan Kasprzak @ 2010-11-11 15:00 UTC
To: netfilter-devel
Hello,
I have an iptables-based firewall with ~1200 IPv4 and ~950 IPv6 rules.
When I want to reload its configuration, I often get a "Resource temporarily
unavailable" error from iptables.
I have an HA setup with two servers, and the error more often happens on
a server with four cores and 2 GB of RAM than on a server with two cores
and 4 GB of RAM.
I have added a band-aid fix to my startup script - sleeping for one second
and trying again when the error code from iptables is 4, and it apparently
helps. But the error messages from the startup script are still a bit ugly.
What else can I do in order to fix the problem?
Thanks,
-Yenya
--
| Jan "Yenya" Kasprzak <kas at {fi.muni.cz - work | yenya.net - private}> |
| GPG: ID 1024/D3498839 Fingerprint 0D99A7FB206605D7 8B35FCDE05B18A5E |
| http://www.fi.muni.cz/~kas/ Journal: http://www.fi.muni.cz/~kas/blog/ |
Please don't top post and in particular don't attach entire digests to your
mail or we'll all soon be using bittorrent to read the list. --Alan Cox
* Re: iptables: Resource temporarily unavailable.
From: Eric Dumazet @ 2010-11-11 15:35 UTC
To: Jan Kasprzak; +Cc: netfilter-devel
On Thursday 11 November 2010 at 16:00 +0100, Jan Kasprzak wrote:
> Hello,
>
> I have an iptables-based firewall with ~1200 IPv4 and ~950 IPv6 rules.
> When I want to reload its configuration, I often get a "Resource temporarily
> unavailable" error from iptables.
>
> I have an HA setup with two servers, and the error more often happens on
> a server with four cores and 2 GB of RAM than on a server with two cores
> and 4 GB of RAM.
>
> I have added a band-aid fix to my startup script - sleeping for one second
> and trying again when the error code from iptables is 4, and it apparently
> helps. But the error messages from the startup script are still a bit ugly.
> What else can I do in order to fix the problem?
Hi
Please provide
cat /proc/meminfo
Also please apply this patch:
http://git2.kernel.org/?p=linux/kernel/git/davem/net-2.6.git;a=commitdiff;h=6b1686a71e3158d3c5f125260effce171cc7852b
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
* Re: iptables: Resource temporarily unavailable.
From: Patrick McHardy @ 2010-11-11 15:57 UTC
To: Eric Dumazet; +Cc: Jan Kasprzak, netfilter-devel
On 11.11.2010 16:35, Eric Dumazet wrote:
> On Thursday 11 November 2010 at 16:00 +0100, Jan Kasprzak wrote:
>> Hello,
>>
>> I have an iptables-based firewall with ~1200 IPv4 and ~950 IPv6 rules.
>> When I want to reload its configuration, I often get a "Resource temporarily
>> unavailable" error from iptables.
>>
>> I have an HA setup with two servers, and the error more often happens on
>> a server with four cores and 2 GB of RAM than on a server with two cores
>> and 4 GB of RAM.
>>
>> I have added a band-aid fix to my startup script - sleeping for one second
>> and trying again when the error code from iptables is 4, and it apparently
>> helps. But the error messages from the startup script are still a bit ugly.
>> What else can I do in order to fix the problem?
>
> Hi
>
> Please provide
>
> cat /proc/meminfo
>
> Also please apply this patch:
>
> http://git2.kernel.org/?p=linux/kernel/git/davem/net-2.6.git;a=commitdiff;h=6b1686a71e3158d3c5f125260effce171cc7852b
This problem is usually caused by manipulating the ruleset from multiple
iptables instances concurrently.
* Re: iptables: Resource temporarily unavailable.
From: Jan Kasprzak @ 2010-11-11 17:25 UTC
To: Patrick McHardy; +Cc: Eric Dumazet, netfilter-devel
Patrick McHardy wrote:
: On 11.11.2010 16:35, Eric Dumazet wrote:
: > Please provide
: >
: > cat /proc/meminfo
# cat /proc/meminfo
MemTotal: 2060716 kB
MemFree: 123516 kB
Buffers: 409288 kB
Cached: 943404 kB
SwapCached: 240 kB
Active: 1020036 kB
Inactive: 541816 kB
Active(anon): 121664 kB
Inactive(anon): 92764 kB
Active(file): 898372 kB
Inactive(file): 449052 kB
Unevictable: 18432 kB
Mlocked: 18432 kB
SwapTotal: 1959804 kB
SwapFree: 1957884 kB
Dirty: 96 kB
Writeback: 0 kB
AnonPages: 227276 kB
Mapped: 76724 kB
Shmem: 92 kB
Slab: 268912 kB
SReclaimable: 116940 kB
SUnreclaim: 151972 kB
KernelStack: 1984 kB
PageTables: 10312 kB
NFS_Unstable: 0 kB
Bounce: 0 kB
WritebackTmp: 0 kB
CommitLimit: 2990160 kB
Committed_AS: 398204 kB
VmallocTotal: 34359738367 kB
VmallocUsed: 33696 kB
VmallocChunk: 34358635704 kB
DirectMap4k: 4032 kB
DirectMap2M: 2093056 kB
: > Also please apply this patch:
: >
: > http://git2.kernel.org/?p=linux/kernel/git/davem/net-2.6.git;a=commitdiff;h=6b1686a71e3158d3c5f125260effce171cc7852b
I will try it tomorrow.
: This problem is usually caused by manipulating the ruleset from multiple
: iptables instances concurrently.
There probably can be some other iptables commands running
occasionally (automatic blacklisting of some IP addresses, enabling
traffic to authenticated laptops, etc.), but not in the chains I am
trying to modify with my firewall initscript. Can this also be a problem?
Thanks,
-Yenya
* Re: iptables: Resource temporarily unavailable.
From: Eric Dumazet @ 2010-11-11 17:58 UTC
To: Jan Kasprzak; +Cc: Patrick McHardy, netfilter-devel
On Thursday 11 November 2010 at 18:25 +0100, Jan Kasprzak wrote:
> Patrick McHardy wrote:
> : On 11.11.2010 16:35, Eric Dumazet wrote:
> : > Please provide
> : >
> : > cat /proc/meminfo
>
> # cat /proc/meminfo
> MemTotal: 2060716 kB
> MemFree: 123516 kB
> Buffers: 409288 kB
> Cached: 943404 kB
> SwapCached: 240 kB
> Active: 1020036 kB
> Inactive: 541816 kB
> Active(anon): 121664 kB
> Inactive(anon): 92764 kB
> Active(file): 898372 kB
> Inactive(file): 449052 kB
> Unevictable: 18432 kB
> Mlocked: 18432 kB
> SwapTotal: 1959804 kB
> SwapFree: 1957884 kB
> Dirty: 96 kB
> Writeback: 0 kB
> AnonPages: 227276 kB
> Mapped: 76724 kB
> Shmem: 92 kB
> Slab: 268912 kB
> SReclaimable: 116940 kB
> SUnreclaim: 151972 kB
> KernelStack: 1984 kB
> PageTables: 10312 kB
> NFS_Unstable: 0 kB
> Bounce: 0 kB
> WritebackTmp: 0 kB
> CommitLimit: 2990160 kB
> Committed_AS: 398204 kB
> VmallocTotal: 34359738367 kB
> VmallocUsed: 33696 kB
> VmallocChunk: 34358635704 kB
> DirectMap4k: 4032 kB
> DirectMap2M: 2093056 kB
>
> : > Also please apply this patch:
> : >
> : > http://git2.kernel.org/?p=linux/kernel/git/davem/net-2.6.git;a=commitdiff;h=6b1686a71e3158d3c5f125260effce171cc7852b
>
> I will try it tomorrow.
>
Sorry, you don't need it, since you run a 64-bit kernel.
> : This problem is usually caused by manipulating the ruleset from multiple
> : iptables instances concurrently.
>
> There probably can be some other iptables commands running
> occasionally (automatic blacklisting of some IP addresses, enabling
> traffic to authenticated laptops, etc.), but not in the chains I am
> trying to modify with my firewall initscript. Can this also be a problem?
>
Yes, it is a problem. iptables manipulates the whole table, not a
subtree.
* Re: iptables: Resource temporarily unavailable.
From: Jan Kasprzak @ 2010-11-11 18:03 UTC
To: Eric Dumazet; +Cc: Patrick McHardy, netfilter-devel
Eric Dumazet wrote:
: > There probably can be some other iptables commands running
: > occasionally (automatic blacklisting of some IP addresses, enabling
: > traffic to authenticated laptops, etc.), but not in the chains I am
: > trying to modify with my firewall initscript. Can this also be a problem?
:
: Yes it is a problem. iptables manipulates the whole table, not a
: subtree.
So do you suggest I should implement some kind of user-space
locking, or is the current approach of "retry after 1 sec when it fails"
OK from the kernel point of view?
Thanks,
-Yenya
* Re: iptables: Resource temporarily unavailable.
From: Michał Mirosław @ 2010-11-11 18:10 UTC
To: Jan Kasprzak; +Cc: Eric Dumazet, Patrick McHardy, netfilter-devel
On Thu, Nov 11, 2010 at 07:03:05PM +0100, Jan Kasprzak wrote:
> Eric Dumazet wrote:
> : > There probably can be some other iptables commands running
> : > occasionally (automatic blacklisting of some IP addresses, enabling
> : > traffic to authenticated laptops, etc.), but not in the chains I am
> : > trying to modify with my firewall initscript. Can this also be a problem?
> : Yes it is a problem. iptables manipulates the whole table, not a
> : subtree.
> So do you suggest I should implement some kind of user-space
> locking, or is the current approach of "retry after 1 sec when it fails"
> OK from the kernel point of view?
You might be better off using ipset for dynamic rules.
Best Regards,
Michał Mirosław
* Re: iptables: Resource temporarily unavailable.
From: Eric Dumazet @ 2010-11-11 18:20 UTC
To: Jan Kasprzak; +Cc: Patrick McHardy, netfilter-devel
On Thursday 11 November 2010 at 19:03 +0100, Jan Kasprzak wrote:
> Eric Dumazet wrote:
> : > There probably can be some other iptables commands running
> : > occasionally (automatic blacklisting of some IP addresses, enabling
> : > traffic to authenticated laptops, etc.), but not in the chains I am
> : > trying to modify with my firewall initscript. Can this also be a problem?
> :
> : Yes it is a problem. iptables manipulates the whole table, not a
> : subtree.
>
> So do you suggest I should implement some kind of user-space
> locking, or is the current approach of "retry after 1 sec when it fails"
> OK from the kernel point of view?
You could implement user-space locking, if the additional delay of the
"retry after 1 sec" is bothering you ;)
* Re: iptables: Resource temporarily unavailable.
From: Patrick McHardy @ 2010-11-12 7:38 UTC
To: Eric Dumazet; +Cc: Jan Kasprzak, netfilter-devel
On 11.11.2010 19:20, Eric Dumazet wrote:
> On Thursday 11 November 2010 at 19:03 +0100, Jan Kasprzak wrote:
>> Eric Dumazet wrote:
>> : > There probably can be some other iptables commands running
>> : > occasionally (automatic blacklisting of some IP addresses, enabling
>> : > traffic to authenticated laptops, etc.), but not in the chains I am
>> : > trying to modify with my firewall initscript. Can this also be a problem?
>> :
>> : Yes it is a problem. iptables manipulates the whole table, not a
>> : subtree.
>>
>> So do you suggest I should implement some kind of user-space
>> locking, or is the current approach of "retry after 1 sec when it fails"
>> OK from the kernel point of view?
>
> You could implement a user-space locking, if the additional delay of the
> "retry after 1 sec" is bothering you ;)
Indeed, that's the best solution. The kernel can't really do anything
about this since incremental ruleset updates are a two-step process.
For dumps we've added retries a while ago, for updates this seems a bit
dangerous.
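The user-space locking Eric and Patrick recommend above, combined with Michał's ipset alternative for the dynamic blacklist, as an added example that is not code from the thread; the lock path, the retry delay and the set name are assumptions:

```shell
#!/bin/sh
# Added example (not from the thread): serialize every iptables invocation
# through one lock file, so the firewall reload and the occasional
# blacklist / laptop-auth scripts never race on the same table, and retry
# the calls that still fail with exit status 4 (iptables' "resource
# problem" status, under which the kernel's EAGAIN surfaces).
# Lock path, retry delay and ipset name are assumptions for illustration.
LOCK="${IPT_LOCK:-/var/lock/iptables-ruleset.lock}"
RETRY_DELAY="${IPT_RETRY_DELAY:-1}"

# ipt_locked CMD [ARGS...]: run CMD holding an exclusive flock(1) on $LOCK,
# waiting up to 10 s for a concurrent holder to finish.
ipt_locked() {
    flock -w 10 "$LOCK" "$@"
}

# ipt_retry MAX CMD [ARGS...]: rerun CMD up to MAX times while it exits 4,
# sleeping $RETRY_DELAY between attempts; any other status returns at once.
ipt_retry() {
    max=$1; shift
    n=0
    while :; do
        "$@" && return 0
        rc=$?
        [ "$rc" -eq 4 ] || return "$rc"
        n=$((n + 1))
        [ "$n" -lt "$max" ] || return "$rc"
        sleep "$RETRY_DELAY"
    done
}

# reload_ruleset FILE: replace the whole IPv4 ruleset from an iptables-save
# dump. The replace is a table-wide get/set pair, so the lock has to be held
# for the entire run, not per rule.
reload_ruleset() {
    ipt_retry 3 ipt_locked iptables-restore "$1"
}

# Michał's alternative: keep dynamic entries in an ipset referenced by one
# static rule. Adding an address then never touches the iptables table at
# all, so it cannot collide with a reload.
setup_blacklist_set() {
    ipset create blacklist hash:ip -exist
    ipt_locked iptables -I INPUT -m set --match-set blacklist src -j DROP
}
block_ip() {
    ipset add blacklist "$1" -exist
}
```

iptables 1.4.20 and later carry a built-in lock behind `-w` / `--wait`, which makes the external flock unnecessary once every writer on the host uses it.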