rule limitations?

Patrick McHardy kaber at trash.net
Wed Aug 29 20:53:15 CEST 2007


Nesser, Phil wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> For relatively obscure reasons, I am trying to build a set of rules that run into the hundreds of thousands.  I was experimenting on a Redhat Release 5 machine with 2.6.18 kernel and 1.3.5 iptables.  I was able to load around 340k rules before getting an error of iptables-restore: line XXXXXX failed.
> 
> So I try it out on a server (much beefier, 8G ram, dual quad core 2GHz proc) running the same kernel/iptables versions.  This time it died in the same way at about 40k rules.  After some research I found a log message on Vmalloc failures, so I figured what the hell and rebuilt the server using the 64 bit version of RH 5.  Now no more vmalloc failures, but still dies at around 40k entries.
> 
> I am more than happy to build a custom kernel if that is what I need to do.  I have poked around the sources and it is not obvious what needs to change.
> 
> Any help would be appreciated.


What error message do you get (or if it's too unspecific, what does
strace show)?
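As an added example for the reader (not code from either poster), the following POSIX shell script collects the two pieces of evidence this thread turns on: which line of the ruleset iptables-restore reported as failing and how many rules preceded it, plus whether the kernel log shows the vmalloc allocation failures Phil mentions. The ruleset, the error string and the kernel-log lines are constructed sample data; with legacy iptables-restore the whole table is pushed to the kernel at COMMIT, so a kernel-side allocation failure is normally reported against the COMMIT line rather than an individual rule, which is what the sample reproduces.

```shell
#!/bin/sh
# Added diagnostic helper (constructed example, not from the thread):
# map an "iptables-restore: line N failed" message back to the ruleset
# and check a kernel log excerpt for vmalloc failures.

# Constructed sample ruleset in iptables-save format.
RULES_FILE=$(mktemp)
trap 'rm -f "$RULES_FILE"' EXIT
cat > "$RULES_FILE" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 10.0.0.1/32 -j DROP
-A INPUT -s 10.0.0.2/32 -j DROP
-A INPUT -s 10.0.0.3/32 -j DROP
COMMIT
EOF

# Constructed error message and kernel log lines.
RESTORE_ERR="iptables-restore: line 8 failed"
KERNEL_LOG="vmalloc: allocation failure, allocated 1052672 of 1056768 bytes
ip_tables: failed to allocate"

# error_line_no: extract N from "iptables-restore: line N failed".
error_line_no() {
    printf '%s\n' "$1" | sed -n 's/^iptables-restore: line \([0-9][0-9]*\) failed.*/\1/p'
}

# failing_line: print the ruleset line that iptables-restore reported.
# Usage: failing_line RULES_FILE ERROR_MESSAGE
failing_line() {
    n=$(error_line_no "$2")
    [ -n "$n" ] || return 1
    sed -n "${n}p" "$1"
}

# rules_before: count -A rules that precede the failing line; this is how
# many rules the table held when the load was rejected.
rules_before() {
    n=$(error_line_no "$2")
    [ -n "$n" ] || return 1
    head -n "$((n - 1))" "$1" | grep -c '^-A '
}

# vmalloc_failures: count kernel-log lines mentioning a vmalloc failure.
vmalloc_failures() {
    printf '%s\n' "$1" | grep -ci 'vmalloc.*fail'
}

# Stand-alone usage: print the three findings.
printf 'failing line: %s\n' "$(failing_line "$RULES_FILE" "$RESTORE_ERR")"
printf 'rules before failure: %s\n' "$(rules_before "$RULES_FILE" "$RESTORE_ERR")"
printf 'vmalloc failures in log: %s\n' "$(vmalloc_failures "$KERNEL_LOG")"
```

On a real system, replace the constructed strings with the actual ruleset file, the message iptables-restore printed, and `dmesg` output; if the failing line is COMMIT and the log shows vmalloc failures, the limit is the kernel's single contiguous allocation for the table, not any individual rule.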


