Linux Netfilter discussions
From: Sergey Alexanov <freak@volia.net>
To: netfilter@lists.netfilter.org
Subject: ip_conntrack hashsize problem
Date: Tue, 06 Feb 2007 17:33:41 +0200
Message-ID: <45C89FD5.4020508@volia.net>

Hello all,

Can anybody advise me on the following issue:

# grep ip_conntrack /etc/modprobe.conf
options ip_conntrack hashsize=2097152

# modprobe ip_conntrack
# lsmod | grep ip_conntrack
ip_conntrack           53924  0

# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
16777216
# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_buckets
2097152

Looking fine.

But if I try to insert more than 16000 rules with connection tracking, I
get an error:

# iptables-restore < ./firewall.sav
iptables-restore: line 16386 failed

# wc -l ./firewall.sav
16387 ./firewall.sav

But with a smaller set of rules:
# wc -l ./firewall.sav
4099 ./firewall.sav

applying ruleset:
# iptables-restore < ./firewall.sav
and checking by
# iptables -t mangle -L -n
everything is fine.

firewall.sav is filled with something like this:
# cat ./firewall.sav | less
*mangle
-A POSTROUTING -d xx.yy.240.0 -m layer7 --l7proto openft -j MARK --set-mark 0x4d7bf000b
-A POSTROUTING -s xx.yy.240.0 -m layer7 --l7proto openft -j MARK --set-mark 0x4d7bf000b
-A POSTROUTING -d xx.yy.240.0 -m layer7 --l7proto gnutella -j MARK --set-mark 0x4d7bf0008

[.skipped.]

-A POSTROUTING -d xx.yy.241.255 -m layer7 --l7proto edonkey -j MARK --set-mark 0x4d7bf1ff2
-A POSTROUTING -s xx.yy.241.255 -m layer7 --l7proto edonkey -j MARK --set-mark 0x4d7bf1ff2
-A POSTROUTING -d xx.yy.241.255 -j MARK --set-mark 0x4d7bf1ff9
-A POSTROUTING -s xx.yy.241.255 -j MARK --set-mark 0x4d7bf1ff9
COMMIT

Just 32 rules for each IP address in the xx.yy.240/23 CIDR block.

additional info:

# cat /proc/meminfo
MemTotal:      1035276 kB
MemFree:         32848 kB
Buffers:         32428 kB
Cached:         899432 kB
SwapCached:          0 kB
Active:         614192 kB
Inactive:       326368 kB
HighTotal:      130752 kB
HighFree:         1404 kB
LowTotal:       904524 kB
LowFree:         31444 kB
SwapTotal:     2072344 kB
SwapFree:      2072344 kB
Dirty:               0 kB
Writeback:           0 kB
AnonPages:        8716 kB
Mapped:           4668 kB
Slab:            36892 kB
SReclaimable:    27720 kB
SUnreclaim:       9172 kB
PageTables:        840 kB
NFS_Unstable:        0 kB
Bounce:              0 kB
CommitLimit:   2589980 kB
Committed_AS:    31660 kB
VmallocTotal:   118776 kB
VmallocUsed:     18516 kB
VmallocChunk:   100096 kB
HugePages_Total:     0
HugePages_Free:      0
HugePages_Rsvd:      0
Hugepagesize:     2048 kB

# uname -srp
Linux 2.6.19.2 i686

# lsmod
Module                  Size  Used by
ipt_layer7             13060  3840
ip_conntrack           53924  1 ipt_layer7
iptable_mangle          3328  1
ip_tables              13528  1 iptable_mangle
autofs4                22148  2
dm_mod                 59668  0
video                  16260  0
button                  7056  0
battery                10500  0
asus_acpi              16152  0
ac                      5508  0
shpchp                 39852  0
i2c_i801                8588  0
8139too                27904  0
e100                   36744  0
mii                     6272  2 8139too,e100
sk98lin               160736  0
floppy                 60892  0
ext3                  138248  1
jbd                    60072  1 ext3
ata_piix               15880  2
sd_mod                 21888  3

I would very much appreciate it if anybody could help or advise me with this problem.
Thanks.

-- 
Sergey Alexanov
SA1215-RIPE
freak@volia.net
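As an added example (not part of this thread, and not a netfilter tool), the following Python script reads a file in the iptables-save format quoted above and does three things a practitioner would want when chasing an "iptables-restore: line N failed" message: it maps the reported line number back to the entry on that line (a rule, or the COMMIT line, which is the line iptables-restore reports when the kernel rejects the table as a whole), counts rules per table and chain, and flags --set-mark values that do not fit the 32-bit nfmark field. The sample ruleset is constructed: it copies the 9-hex-digit mark values quoted in the post, which are wider than 32 bits, and uses placeholder addresses from 192.0.2.0/24. Function and class names are the example's own.

```python
"""Inspect an iptables-save / iptables-restore file offline.

Added example, not from the thread. It locates the entry behind an
'iptables-restore: line N failed' message and checks --set-mark widths.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in iptables-save format, shaped like the excerpt in the
# post: two layer7 rules carrying the 9-hex-digit marks quoted there, and two
# plain MARK rules with a 32-bit value. Addresses are documentation placeholders.
SAMPLE = """*mangle
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -d 192.0.2.0 -m layer7 --l7proto openft -j MARK --set-mark 0x4d7bf000b
-A POSTROUTING -s 192.0.2.0 -m layer7 --l7proto openft -j MARK --set-mark 0x4d7bf000b
-A POSTROUTING -d 192.0.2.1 -j MARK --set-mark 0x1ff9
-A POSTROUTING -s 192.0.2.1 -j MARK --set-mark 0x1ff9
COMMIT
"""

NFMARK_MAX = 0xFFFFFFFF  # skb->mark is a u32; wider --set-mark values cannot be stored
_SET_MARK = re.compile(r"--set-mark\s+(\S+)")


@dataclass
class Entry:
    line: int            # 1-based line number, as iptables-restore reports it
    kind: str            # "table", "policy", "rule" or "commit"
    table: str
    chain: str           # empty for table and COMMIT lines
    text: str
    mark: Optional[int]  # value given to --set-mark on rule lines, else None


def _parse_mark(rule_text: str) -> Optional[int]:
    """Extract the --set-mark value (0x-prefixed hex or decimal); ignore a /mask."""
    m = _SET_MARK.search(rule_text)
    if not m:
        return None
    return int(m.group(1).split("/")[0], 0)


def parse_save(text: str) -> List[Entry]:
    """Parse every non-blank, non-comment line, keeping its original line number."""
    entries: List[Entry] = []
    table = ""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                       # '*mangle' opens a table block
            table = line[1:]
            entries.append(Entry(lineno, "table", table, "", line, None))
        elif line.startswith(":"):                     # ':CHAIN POLICY [pkts:bytes]'
            chain = line[1:].split()[0]
            entries.append(Entry(lineno, "policy", table, chain, line, None))
        elif line == "COMMIT":                         # kernel applies the table here
            entries.append(Entry(lineno, "commit", table, "", line, None))
        elif line.startswith("-A "):
            chain = line.split()[1]
            entries.append(Entry(lineno, "rule", table, chain, line, _parse_mark(line)))
        else:
            raise ValueError(f"line {lineno}: unrecognised iptables-save line: {line}")
    return entries


def entry_at_line(text: str, failed_line: int) -> Optional[Entry]:
    """Entry on the line named by 'iptables-restore: line N failed', or None."""
    for e in parse_save(text):
        if e.line == failed_line:
            return e
    return None


def rules_per_chain(entries: List[Entry]) -> Dict[Tuple[str, str], int]:
    """Number of -A rules per (table, chain)."""
    counts: Dict[Tuple[str, str], int] = {}
    for e in entries:
        if e.kind == "rule":
            counts[(e.table, e.chain)] = counts.get((e.table, e.chain), 0) + 1
    return counts


def oversized_marks(entries: List[Entry]) -> List[Entry]:
    """Rules whose --set-mark value does not fit in the 32-bit nfmark field."""
    return [e for e in entries if e.mark is not None and e.mark > NFMARK_MAX]


if __name__ == "__main__":
    entries = parse_save(SAMPLE)
    print(rules_per_chain(entries))
    for e in oversized_marks(entries):
        print(f"line {e.line}: mark {e.mark:#x} exceeds 32 bits")
    hit = entry_at_line(SAMPLE, 3)
    print("line 3 ->", hit.kind, hit.text if hit else "no entry")
```

On a real file, replace SAMPLE with the contents of firewall.sav and call entry_at_line with the number from the error message; a "commit" result means the kernel rejected the table replace rather than a single rule, which points at resource limits or a module rather than at rule syntax.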



Thread overview: 3+ messages
2007-02-06 15:33 Sergey Alexanov [this message]
2007-02-06 17:11 ` ip_conntrack hashsize problem Jan Engelhardt
2007-02-06 17:37   ` Sergey Alexanov