LinuxQuestions.org
LinuxAnswers - the LQ Linux tutorial section.
Old 11-07-2011, 04:46 AM   #1
mr51m0n
LQ Newbie
 
Registered: Nov 2008
Posts: 17

What is the maximum number of iptables rules on 32Bit 2.6 kernel?


Hi

I have a strange problem when trying to insert more than 25561 rules with iptables (according to iptables -nvL | wc)

My setup is, that I insert the first 25500 rules with iptables-restore command, the others with the normal iptables command.

Even something simple like

Code:
# iptables -I INPUT -j ACCEPT
iptables: Memory allocation problem.
fails.

The machine is a quite up to date server with 28 NICs and 6GB of RAM, running Kernel 2.6.34.10 (32Bit).

I boot with vmalloc="512M" kernel parameter, this results in:

Code:
# cat /proc/meminfo | grep malloc
VmallocTotal:     524288 kB
VmallocUsed:      244720 kB
VmallocChunk:     120644 kB

Does anybody have an idea? I should be able to insert a lot more rules!

Thanks, mr51m0n
 
Old 11-08-2011, 02:52 AM   #2
fukawi2
Member
 
Registered: Oct 2006
Location: Melbourne, Australia
Distribution: ArchLinux, ArchServer, Fedora, CentOS
Posts: 448

Perhaps a bash issue rather than an iptables issue judging by this thread:
http://www.linuxquestions.org/questi...roblem-754229/
 
Old 11-08-2011, 03:08 AM   #3
mr51m0n
LQ Newbie
 
Registered: Nov 2008
Posts: 17

Original Poster
Hi fukawi2

Yes, that may be the issue with this iptables -I ... command. But even if I add some more lines to my "iptables-save" file, it fails between 27500 and 28000 rules:

Code:
# iptables-restore /root/iptables-save.out
iptables-restore: line 28005 failed
Line 28005 is the COMMIT. I started with 25000 rules, and this went fine; then I added 500 rules and tried again, added 500 rules and tried again... until 28000 rules, where it fails.

Do you think it is not a memory problem? But what then?

Thanks!
 
Old 11-08-2011, 03:10 AM   #4
fukawi2
Member
 
Registered: Oct 2006
Location: Melbourne, Australia
Distribution: ArchLinux, ArchServer, Fedora, CentOS
Posts: 448

What is the state of memory on the box? (Not just vmalloc)
 
Old 11-08-2011, 03:30 AM   #5
mr51m0n
LQ Newbie
 
Registered: Nov 2008
Posts: 17

Original Poster
Code:
# free -m
             total       used       free     shared    buffers     cached
Mem:          6014        723       5291          0          8         84
-/+ buffers/cache:        629       5385
Swap:         2047          0       2047
What I don't know exactly is what the impact of PAE is in this situation.
 
Old 11-08-2011, 08:40 PM   #6
jefro
Guru
 
Registered: Mar 2008
Posts: 11,105

http://download.swsoft.com/virtuozzo...Mgmt/18786.htm

If that helps in your situation. Seems others have failed at about 3000.

 
Old 11-08-2011, 08:54 PM   #7
fukawi2
Member
 
Registered: Oct 2006
Location: Melbourne, Australia
Distribution: ArchLinux, ArchServer, Fedora, CentOS
Posts: 448

May I ask your thinking behind setting your vmalloc to 512M? On both my home and work desktops, it is much larger:

Work (Debian, 16 GB RAM)
Code:
VmallocTotal:   34359738367 kB
VmallocUsed:      151320 kB
VmallocChunk:   34359579644 kB
Home (ArchLinux, 8 GB RAM)
Code:
VmallocTotal:   34359738367 kB
VmallocUsed:      155640 kB
VmallocChunk:   34359536416 kB
 
Old 11-12-2011, 05:04 AM   #8
TimothyEBaldwin
Member
 
Registered: Mar 2009
Posts: 249

Quote:
Originally Posted by fukawi2
May I ask your thinking behind setting your vmalloc to 512M? On both my home and work desktops, it is much larger:
Because it's a 32 bit machine.
 
Old 11-12-2011, 05:56 AM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,990
Blog Entries: 54

Having 25561 rules seems excessive to me in the first place. What must be expressed using that many rules? If there is no way you can make your rule set more efficient, then know there's another way to express complex IP address and port based rulesets with one single iptables rule, called ipset.
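As an added illustration of the ipset approach suggested above (example code, not from the original thread or from the ipset project), the script below generates two rulesets as plain text: the per-host style the thread describes, where every host costs a LOG rule plus a DROP rule, and the ipset style, where the same hosts go into one hash:net set and the filter needs exactly two rules regardless of how many hosts there are. The host list, the set name blocklist and the log prefix are constructed for the example; the match syntax assumes ipset 6 (`-m set --match-set`), and nothing here is loaded into the kernel, so it runs on any machine.

```shell
#!/bin/sh
# Added example: contrast N-rules-per-host iptables rulesets with an
# ipset-backed ruleset. Output is text for iptables-restore / ipset restore;
# this script only generates it and never touches the running firewall.

# Constructed sample of hosts/networks to block (assumption for the example).
sample_hosts() {
  printf '%s\n' 192.0.2.10 192.0.2.11 198.51.100.0/24 203.0.113.7
}

# Per-host style (what the thread describes): each host costs two rules,
# a LOG rule and a DROP rule, so the chain grows linearly with the list.
# Reads hosts from stdin, writes iptables-restore format to stdout.
gen_per_host_rules() {
  echo '*filter'
  echo ':INPUT ACCEPT [0:0]'
  while read -r h; do
    echo "-A INPUT -s $h -j LOG --log-prefix \"blocked: \""
    echo "-A INPUT -s $h -j DROP"
  done
  echo 'COMMIT'
}

# ipset style, part 1: the hosts become members of one hash:net set.
# Reads hosts from stdin, writes 'ipset restore' format to stdout.
# (Set name 'blocklist' and maxelem are assumptions for the example.)
gen_ipset_restore() {
  echo 'create blocklist hash:net family inet hashsize 1024 maxelem 65536'
  while read -r h; do
    echo "add blocklist $h"
  done
}

# ipset style, part 2: the filter chain needs only two rules in total,
# however many members the set has. The set must exist before
# iptables-restore loads this (ipset restore first, then iptables-restore).
gen_ipset_filter_rules() {
  echo '*filter'
  echo ':INPUT ACCEPT [0:0]'
  echo '-A INPUT -m set --match-set blocklist src -j LOG --log-prefix "blocked: "'
  echo '-A INPUT -m set --match-set blocklist src -j DROP'
  echo 'COMMIT'
}

# Count chain rules (the '-A' lines) in an iptables-restore file on stdin.
count_rules() {
  grep -c '^-A '
}

# Stand-alone demo: write both variants and report the rule counts.
if [ "${1:-}" = "demo" ]; then
  sample_hosts | gen_per_host_rules > per-host.rules
  sample_hosts | gen_ipset_restore  > blocklist.ipset
  gen_ipset_filter_rules            > ipset.rules
  echo "per-host rules : $(count_rules < per-host.rules)"
  echo "ipset rules    : $(count_rules < ipset.rules)"
  echo "set members    : $(grep -c '^add ' blocklist.ipset)"
fi
```

Run it with `sh script.sh demo`; loading would then be `ipset restore < blocklist.ipset` followed by `iptables-restore < ipset.rules`. Two caveats a practitioner should keep in mind: ipset was merged into the mainline kernel in 2.6.39, so a kernel as old as the 2.6.34 in this thread needs the out-of-tree ipset module; and set members live in their own kernel hash rather than in the xtables blob, which is precisely why the ruleset no longer grows with the host list.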
 
Old 11-13-2011, 09:16 PM   #10
fukawi2
Member
 
Registered: Oct 2006
Location: Melbourne, Australia
Distribution: ArchLinux, ArchServer, Fedora, CentOS
Posts: 448

Quote:
Originally Posted by TimothyEBaldwin
Because it's a 32 bit machine.
I don't understand... You have 6 GB of RAM, but you said you're running a PAE kernel also.
(I haven't used a PAE kernel for a long time, and I'm unfamiliar with vmalloc)
 
Old 11-14-2011, 01:33 AM   #11
mr51m0n
LQ Newbie
 
Registered: Nov 2008
Posts: 17

Original Poster
The machine has some 28 interfaces and has a lot of useful and a lot of useless rules on it (that's how it is). And most of the rules have a log rule as well.

However, I guess IP sets do sound interesting!

With 6G of RAM you need a PAE kernel to use all of it, as 32Bit can't address more than around 4G.

Thanks!
 
Old 11-14-2011, 03:15 AM   #12
fukawi2
Member
 
Registered: Oct 2006
Location: Melbourne, Australia
Distribution: ArchLinux, ArchServer, Fedora, CentOS
Posts: 448

Quote:
Originally Posted by mr51m0n
With 6G of RAM you need a PAE kernel to use all of it, as 32Bit can't address more than around 4G.
I understand that, but you seem to have severely reduced your vmalloc value, when you have lots of RAM to start with.
 
Old 11-14-2011, 11:15 PM   #13
mr51m0n
LQ Newbie
 
Registered: Nov 2008
Posts: 17

Original Poster
Actually, I raised vmalloc to 512M from its default 128M. The problem is also that a standard 32-bit Linux kernel can only use 1G of the machine's RAM, even if you'd have 16G or so... There are some hacks with which you can use 2G or even 3G for the kernel. But it seems that you can only use them when disabling PAE.

However, when raising vmalloc even more, say to 640M, the kernel has too little memory and the system gets very unstable or doesn't even boot.
 
Old 11-14-2011, 11:18 PM   #14
fukawi2
Member
 
Registered: Oct 2006
Location: Melbourne, Australia
Distribution: ArchLinux, ArchServer, Fedora, CentOS
Posts: 448

Well iptables (netfilter) runs in-kernel so you need to be able to fit everything into RAM. If you're hitting the limits of what you can fit into the RAM that's addressable with 32-bits, my best guess is that you need to move to a 64-bit installation to be able to make full and proper use of the RAM you have available.
 
Old 11-15-2011, 12:31 AM   #15
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

I don't remember what the limit is, but kernel processes have different restrictions, which IIRC are smaller than user processes.

You might want to google for "Dans Guardian mysql" for another technique for handling such a large number of filter rules.

Also look at iplist if you have a list of thousands of IP addresses to block: http://sourceforge.net/projects/iplist/

 