Linux - Networking
09-10-2009, 03:20 PM, #1
Member
Registered: Feb 2004
Distribution: Fedora 19
Posts: 73
Rather huge IPtables chain, iptables: Memory allocation problem.
I'm trying to import a rather gigantic list of IP ranges into iptables.
It's 22 thousand lines.
I get to about 17K, and iptables starts spitting out:
iptables: Memory allocation problem.
I assume this is because I've exhausted some memory limit in iptables.
Is there a method of getting around this?
Thanks!
09-10-2009, 06:34 PM, #2
Member
Registered: Feb 2008
Location: Texas
Distribution: Fedora, RHEL, CentOS
Posts: 488
I'm not sure exactly how you are attempting to import the rules, but suspect that a change in approach or breaking the import into smaller "chunks" may produce better results.
Are you able to create multiple distinct imports?
09-10-2009, 09:55 PM, #3
Member
Registered: Feb 2004
Distribution: Fedora 19
Posts: 73
Original Poster
Basically, I've taken a pre-existing list and converted it to a series of "iptables -A ...." commands.
Each of these 22000 lines is another command similar to "iptables -A chainname -m iprange --src-range 1.2.3.4-5.6.7.8 -j DROP".
09-11-2009, 07:10 AM, #4
Member
Registered: Feb 2004
Distribution: Fedora 19
Posts: 73
Original Poster
This actually brings me to another question....
Is there a better way to add rules via a script?
Also, some more information.
That error was produced when I was testing the import on my workstation, which is rather beefy: quad core, 8GB of memory, running FC11.
The target of this whole project is a much lower-end machine, running Smoothwall Express 3. I have not tried the import there yet.
09-11-2009, 07:30 AM, #5
Member
Registered: Feb 2008
Location: Texas
Distribution: Fedora, RHEL, CentOS
Posts: 488
hmmm, odd. I wrote a loop that created a single rule for IPs x.y.1-254.1-254 on a test box that made it from x.y.1-129.z without issue when I last checked. It is a RHEL5.x install, single cpu, maybe 512MB RAM... 128*254 would put last count above 32512 rules. I will check in later and update.
Have you tried creating 2 or 3 scripts out of your rules and running them individually?
09-11-2009, 08:41 AM, #6
Member
Registered: Feb 2008
Location: Texas
Distribution: Fedora, RHEL, CentOS
Posts: 488
Looks like I hit a snag. Not able to create a rule beyond rule 55399 on the filter table. I can still write to the nat table though... I just wrote a single rule for each IP x.y.1-32.1-254 as a test without any problems on nat PREROUTING chain while filter chains will not accept any more. I guess it is possible that you are hitting a similar ceiling, but sooner...
Hope this helps.
Any way to consolidate some of the rules?
09-11-2009, 09:13 AM, #7
Member
Registered: Feb 2004
Distribution: Fedora 19
Posts: 73
Original Poster
Quote:
Originally Posted by rayfordj
Any way to consolidate some of the rules?
I'm looking into that now.
The original list has every single entry listed as a range, even if it's one IP. I think that at the very least, I should be able to hack out the non-range ranges and replace them with single-entry rules. I may also be able to take the ranges and convert them from a range format to an ip/subnet format. Say, change 1.2.3.0-1.2.3.255 to 1.2.3.0/24.
If I change that around, I should be able to add the rules without the -m iprange option, which may (or... may not) help with resources.
09-11-2009, 10:06 AM, #8
Member
Registered: Feb 2004
Distribution: Fedora 19
Posts: 73
Original Poster
Working on my importer a bit, I realized something.
I was off by a bit on my list length. A quick look at the number of lines made me think that I was looking at 22K lines. I looked more closely today, and it's actually... 226K lines.
I have, however, made some improvements, and I'm no longer using the iprange module. I'm testing the import now; we'll see what happens.
09-11-2009, 12:34 PM, #9
Member
Registered: Feb 2004
Distribution: Fedora 19
Posts: 73
Original Poster
Tried breaking the adds up into multiple lists; it was no help. Is it possible to increase the available memory to iptables?
09-11-2009, 03:55 PM, #10
Member
Registered: Feb 2004
Distribution: Fedora 19
Posts: 73
Original Poster
It was all in my method.
I seem to have gotten around the issue.
It wasn't iptables causing the problem, rather bash.
I was adding all of these rules via a bash script.
I changed my importer to output an iptables-restore formatted file, and now it imports no sweat.
Thanks for the input!
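The two ideas that resolved this thread, converting "start-end" ranges to CIDR blocks so that `-m iprange` is not needed (post #7) and emitting an iptables-restore file instead of running one `iptables -A` per rule (post #10), fit in one short converter. Every separate `iptables` invocation fetches the whole table from the kernel, appends one rule and pushes the whole table back, so a 226K-line shell script does that 226K times; `iptables-restore` builds the table once and commits it in a single replacement. The following is an added example, not code posted by anyone in the thread: the chain name `blocklist`, the one-range-per-line input format and the sample ranges are assumptions, and `ipaddress.summarize_address_range()` from the standard library does the range-to-CIDR split (a one-address range becomes a /32, 1.2.3.0-1.2.3.255 becomes 1.2.3.0/24).

```python
"""Convert a list of IPv4 ranges (one "start-end" per line) into an
iptables-restore file of DROP rules on a dedicated user chain.

Added example for this thread, not code from any poster. The chain name,
the input format and the sample ranges below are assumptions.
"""
import ipaddress
import sys
from typing import Iterable, List

# Constructed sample input in the shape the original poster described:
# every entry is written as a range, even a single address.
SAMPLE_RANGES = """\
1.2.3.0-1.2.3.255
10.0.0.5-10.0.0.5
192.168.1.0-192.168.1.127
203.0.113.100-203.0.113.200   # not aligned: splits into several blocks
"""


def parse_ranges(text: str) -> List[ipaddress.IPv4Network]:
    """Turn 'start-end' lines into the minimal list of CIDR blocks.

    summarize_address_range() yields the fewest networks covering the
    range, so aligned ranges become one block and one-address ranges
    become a /32; no -m iprange match is needed afterwards. Blank lines
    and '#' comments are skipped; a malformed line raises ValueError
    with its line number so a bad entry in a huge list is easy to find.
    """
    nets: List[ipaddress.IPv4Network] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            start, end = (ipaddress.IPv4Address(p.strip()) for p in line.split("-", 1))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {raw!r}: {exc}") from exc
        if end < start:
            raise ValueError(f"line {lineno}: end precedes start in {raw!r}")
        nets.extend(ipaddress.summarize_address_range(start, end))
    # Merge adjacent or overlapping blocks so the rule count stays minimal.
    return list(ipaddress.collapse_addresses(nets))


def to_iptables_restore(nets: Iterable[ipaddress.IPv4Network], chain: str = "blocklist") -> str:
    """Render one iptables-restore 'filter' table block for the user chain.

    The ':chain - [0:0]' line declares (or, on reload, flushes) the user
    chain; '-' is the policy marker iptables-restore expects for chains
    that are not built in. One '-A' line follows per block, then COMMIT.
    Hooking the chain from INPUT/FORWARD is left to the caller.
    """
    lines = ["*filter", f":{chain} - [0:0]"]
    for net in nets:
        # Plain address for a /32, CIDR notation otherwise.
        src = str(net.network_address) if net.prefixlen == 32 else str(net)
        lines.append(f"-A {chain} -s {src} -j DROP")
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Pipe the real list in on stdin; with no pipe the sample is converted.
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RANGES
    sys.stdout.write(to_iptables_restore(parse_ranges(source)))
```

Load the output with `iptables-restore --noflush < blocklist.rules` so the rest of the filter table is left alone (without `--noflush` the whole table is replaced), then reference the chain once from the built-in chain that should consult it, for example `iptables -I INPUT -j blocklist`. Re-running the restore flushes and refills only the `blocklist` chain, which makes periodic updates of the list a single atomic operation rather than thousands of individual commands.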
09-11-2009, 04:30 PM, #11
Member
Registered: Feb 2008
Location: Texas
Distribution: Fedora, RHEL, CentOS
Posts: 488
Thanks for the followup!
All times are GMT -5.