[SOLVED] Rather huge IPtables chain, iptables: Memory allocation problem.
Linux - NetworkingThis forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Introduction to Linux - A Hands on Guide
This guide was created as an overview of the Linux Operating System, geared toward new users as an exploration tour and getting started guide, with exercises at the end of each chapter.
For more advanced trainees it can be a desktop reference, and a collection of the base knowledge needed to proceed with system and network administration. This book contains many real life examples derived from the author's experience as a Linux system and network administrator, trainer and consultant. They hope these examples will help you to get a better understanding of the Linux system and that you feel encouraged to try out things on your own.
Click Here to receive this Complete Guide absolutely free.
hmmm, odd. I wrote a loop that created a single rule for IPs x.y.1-254.1-254 on a test box that made it from x.y.1-129.z without issue when I last checked. It is a RHEL5.x install, single cpu, maybe 512MB RAM... 128*254 would put last count above 32512 rules. I will check in later and update.
Have you tried creating 2 or 3 scripts out of your rules and running them individually?
Looks like I hit a snag. Not able to create a rule beyond rule 55399 on the filter table. I can still write to the nat table though... I just wrote a single rule for each IP x.y.1-32.1-254 as a test without any problems on nat PREROUTING chain while filter chains will not accept any more. I guess it is possible that you are hitting a similar ceiling, but sooner...
I'm looking into that now.
The original list, has every singe entry listed as a range. Even if it's one IP. I think that at the very least, i should be able to hack out the non-range ranges, and replace them with single entry rules. I may also be able to take the ranges, and convert them from a range format, to an ip/subnet format. Say, change 220.127.116.11-18.104.22.168 to 22.214.171.124/24
If i change that around, i should be able to add the rules without the -m iprange option. Which may (or... may not) help with resources.
working on my importer a bit, and i realized something.
I was off by a bit on my list length. A quick look at the number of lines, made me think that i was looking at 22K lines. I looked more closely today, and it's actually... 226K lines.
I have, however, made some improvements, and i'm no longer using the iprange module. I'm testing the import now, we'll see what happens.