* Rule Count limit
@ 2020-09-24 10:47 Jevin Gala
2020-09-24 17:40 ` Neal P. Murphy
0 siblings, 1 reply; 2+ messages in thread
From: Jevin Gala @ 2020-09-24 10:47 UTC (permalink / raw)
To: netfilter
Hi,
I couldn’t find much information about the limitation on adding number of rules.
I tried adding around 26000 rules and starting seeing this message :
Unable to update the kernel. Two possible causes:
1. Multiple ebtables programs were executing simultaneously. The ebtables
userspace tool doesn't by default support multiple ebtables programs running
concurrently. The ebtables option --concurrent or a tool like flock can be
used to support concurrent scripts that update the ebtables kernel tables.
2. The kernel doesn't support a certain ebtables extension, consider
recompiling your kernel or insmod the extension.
There is Free RAM while swap is fully used.
Kernel : 3.10.0-957.5.1.el7.x86_64
ebtables.x86_64 2.0.10-16.el7
--
Regards,
Jevin Gala
Virtualizor support - Softaculous Ltd.
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: Rule Count limit
2020-09-24 10:47 Rule Count limit Jevin Gala
@ 2020-09-24 17:40 ` Neal P. Murphy
0 siblings, 0 replies; 2+ messages in thread
From: Neal P. Murphy @ 2020-09-24 17:40 UTC (permalink / raw)
Cc: netfilter
On Thu, 24 Sep 2020 16:17:00 +0530
Jevin Gala <jevin@softaculous.com> wrote:
> Hi,
>
>
> I couldn’t find much information about the limitation on adding number of rules.
>
> I tried adding around 26000 rules and starting seeing this message :
6-8 years ago, I discovered that iptables could not reliably add more than 20k-25k rules at a time; a periodic COMMIT (IIRC) every 10k-15k rules would allow me to add hundreds of thousands of rules. So there is or was a limit to iptables' atomicity. Back then, I was comparing the efficiency of Smoothwall Express' ipbatch program and iptables-restore and needed a million rules to obtain meaningful data; ipbatch was marginally (~5%) more efficient.
N
>
>
> Unable to update the kernel. Two possible causes:
>
> 1. Multiple ebtables programs were executing simultaneously. The ebtables
>
> userspace tool doesn't by default support multiple ebtables programs running
>
> concurrently. The ebtables option --concurrent or a tool like flock can be
>
> used to support concurrent scripts that update the ebtables kernel tables.
>
> 2. The kernel doesn't support a certain ebtables extension, consider
>
> recompiling your kernel or insmod the extension.
>
>
> There is Free RAM while swap is fully used.
>
> Kernel : 3.10.0-957.5.1.el7.x86_64
>
> ebtables.x86_64 2.0.10-16.el7
>
>
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2020-09-24 17:40 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-09-24 10:47 Rule Count limit Jevin Gala
2020-09-24 17:40 ` Neal P. Murphy
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox