
Thread: rule limitations?




rule limitations?
Nesser, Phil
2007-08-13 18:48:06
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

For relatively obscure reasons, I am trying to build a set
of rules that run into the hundreds of thousands.  I was
experimenting on a Redhat Release 5 machine with 2.6.18
kernel and 1.3.5 iptables.  I was able to load around 340k
rules before getting an error of iptables-restore: line
XXXXXX failed.

So I try it out on a server (much beefier, 8G ram, dual quad
core 2GHz proc) running the same kernel/iptables versions. 
This time it died in the same way at about 40k rules.  After
some research I found a log message on Vmalloc failures, so
I figured what the hell and rebuilt the server using the 64
bit version of RH 5.  Now no more vmalloc failures, but
still dies at around 40k entries.

I am more than happy to build a custom kernel if that is what
I need to do.  I have poked around the sources and it is not
obvious what needs to change.

Any help would be appreciated.

Thanks!

- - --->  Phil


Re: rule limitations?
Germany
2007-08-29 13:53:15
Nesser, Phil wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> For relatively obscure reasons, I am trying to build a set of rules that
> run into the hundreds of thousands.  I was experimenting on a Redhat
> Release 5 machine with 2.6.18 kernel and 1.3.5 iptables.  I was able to
> load around 340k rules before getting an error of iptables-restore: line
> XXXXXX failed.
> 
> So I try it out on a server (much beefier, 8G ram, dual quad core 2GHz
> proc) running the same kernel/iptables versions.  This time it died in
> the same way at about 40k rules.  After some research I found a log
> message on vmalloc failures, so I figured what the hell and rebuilt the
> server using the 64 bit version of RH 5.  Now no more vmalloc failures,
> but still dies at around 40k entries.
> 
> I am more than happy to build a custom kernel if that is what I need to
> do.  I have poked around the sources and it is not obvious what needs to
> change.
> 
> Any help would be appreciated.


What error message do you get (or, if it's too unspecific, what does
strace show)?


Re: rule limitations?
Denmark
2007-09-02 02:43:25
> Nesser, Phil wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>> 
>> For relatively obscure reasons, I am trying to build a set of rules that
>> run into the hundreds of thousands.  I was experimenting on a Redhat
>> Release 5 machine with 2.6.18 kernel and 1.3.5 iptables.  I was able to
>> load around 340k rules before getting an error of iptables-restore: line
>> XXXXXX failed.
>> 
>> So I try it out on a server (much beefier, 8G ram, dual quad core 2GHz
>> proc) running the same kernel/iptables versions.  This time it died in
>> the same way at about 40k rules.  After some research I found a log
>> message on vmalloc failures, so I figured what the hell and rebuilt the
>> server using the 64 bit version of RH 5.  Now no more vmalloc failures,
>> but still dies at around 40k entries.
>> 
>> I am more than happy to build a custom kernel if that is what I need to
>> do.  I have poked around the sources and it is not obvious what needs to
>> change.
>> 
>> Any help would be appreciated.

You are limited by vmalloc space.

See my previous explanation:
http://lists.netfilter.org/pipermail/netfilter-devel/2006-October/025879.html

Regards
   Jesper Brouer

--
-------------------------------------------------------------------
MSc. Master of Computer Science
Dept. of Computer Science, University of Copenhagen
Author of http://www.adsl-optimizer.dk
-------------------------------------------------------------------
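As an added illustration of the vmalloc point above (an example script written for this page, not code from the thread or from the netfilter project): a pre-flight check that counts the rules in an iptables-restore file and compares an estimated table footprint with the free vmalloc space reported by /proc/meminfo. The 200 bytes-per-rule figure and the table-copy count are assumptions for the example; treating older 2.6 kernels as keeping one table copy per CPU is likewise an assumption made here, not a figure taken from the thread.

```shell
#!/bin/sh
# Pre-flight check before a large iptables-restore: count the rules in the
# restore file and compare an estimated table size against the free vmalloc
# space reported by /proc/meminfo (VmallocTotal - VmallocUsed).
# The bytes-per-rule figure and the number of table copies are assumptions.

# Rule lines in an iptables-restore stream (only the -A / -I forms are counted).
count_rules() {
    grep -cE '^-[AI] ' || true
}

# Free vmalloc space in kB, read from a /proc/meminfo stream.
vmalloc_free_kb() {
    awk '/^VmallocTotal:/ {t=$2} /^VmallocUsed:/ {u=$2} END {print t-u}'
}

# kB needed for N rules of B bytes with C copies of the table, rounded up.
# Assumption: older 2.6 kernels kept one copy per possible CPU, so C is the
# CPU count there; pass 1 for a kernel with a single shared table.
estimate_kb() {
    awk -v n="$1" -v b="$2" -v c="$3" 'BEGIN {printf "%d\n", (n*b*c + 1023) / 1024}'
}

# "ok" when the estimate fits in the free space given as $4, else "exceeds".
check_fit() {
    need=$(estimate_kb "$1" "$2" "$3")
    if [ "$need" -le "$4" ]; then echo ok; else echo exceeds; fi
}

# Constructed sample inputs for a stand-alone run (not taken from the thread).
SAMPLE_RULES='# Generated by iptables-save
*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 10.0.0.1/32 -j DROP
-A INPUT -s 10.0.0.2/32 -j DROP
-I INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 192.0.2.1/32 -j DNAT --to-destination 10.0.0.5
COMMIT'
SAMPLE_MEMINFO='VmallocTotal:     122880 kB
VmallocUsed:        8192 kB'

free_kb=$(printf '%s\n' "$SAMPLE_MEMINFO" | vmalloc_free_kb)
echo "sample rules: $(printf '%s\n' "$SAMPLE_RULES" | count_rules), free vmalloc: ${free_kb} kB"
echo "340000 rules x 200 B, 1 copy:   $(check_fit 340000 200 1 "$free_kb")"
echo "340000 rules x 200 B, 8 copies: $(check_fit 340000 200 8 "$free_kb")"
```

On a real host, pipe `cat /proc/meminfo` and the actual restore file into the two functions instead of the constructed samples; on a 32-bit kernel the VmallocTotal figure is the hard ceiling the thread ran into.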

