* ip_conntrack hashsize problem
@ 2007-02-06 15:33 Sergey Alexanov
  2007-02-06 17:11 ` Jan Engelhardt
  0 siblings, 1 reply; 3+ messages in thread
From: Sergey Alexanov @ 2007-02-06 15:33 UTC (permalink / raw)
  To: netfilter

Hello all,

Can anybody help me with the following issue:

# grep ip_conntrack /etc/modprobe.conf
options ip_conntrack hashsize=2097152

# modprobe ip_conntrack
# lsmod | grep ip_conntrack
ip_conntrack           53924  0

# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
16777216
# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_buckets
2097152

looking fine..

but if I try to insert more than 16000 rules with connection tracking I
get an error:

# iptables-restore < ./firewall.sav
iptables-restore: line 16386 failed

# wc -l ./firewall.sav
16387 ./firewall.sav

but with a smaller set of rules:
# wc -l ./firewall.sav
4099 ./firewall.sav

applying ruleset:
# iptables-restore < ./firewall.sav
and checking by
# iptables -t mangle -L -n
everything is fine

firewall.sav is filled with something like this:
# cat ./firewall.sav | less
*mangle
-A POSTROUTING -d xx.yy.240.0 -m layer7 --l7proto openft -j MARK --set-mark 0x4d7bf000b
-A POSTROUTING -s xx.yy.240.0 -m layer7 --l7proto openft -j MARK --set-mark 0x4d7bf000b
-A POSTROUTING -d xx.yy.240.0 -m layer7 --l7proto gnutella -j MARK --set-mark 0x4d7bf0008

[.skipped.]

-A POSTROUTING -d xx.yy.241.255 -m layer7 --l7proto edonkey -j MARK --set-mark 0x4d7bf1ff2
-A POSTROUTING -s xx.yy.241.255 -m layer7 --l7proto edonkey -j MARK --set-mark 0x4d7bf1ff2
-A POSTROUTING -d xx.yy.241.255 -j MARK --set-mark 0x4d7bf1ff9
-A POSTROUTING -s xx.yy.241.255 -j MARK --set-mark 0x4d7bf1ff9
COMMIT

just 32 rules for each IP address in the xx.yy.240/23 CIDR block.

additional info:

# cat /proc/meminfo
MemTotal:      1035276 kB
MemFree:         32848 kB
Buffers:         32428 kB
Cached:         899432 kB
SwapCached:          0 kB
Active:         614192 kB
Inactive:       326368 kB
HighTotal:      130752 kB
HighFree:         1404 kB
LowTotal:       904524 kB
LowFree:         31444 kB
SwapTotal:     2072344 kB
SwapFree:      2072344 kB
Dirty:               0 kB
Writeback:           0 kB
AnonPages:        8716 kB
Mapped:           4668 kB
Slab:            36892 kB
SReclaimable:    27720 kB
SUnreclaim:       9172 kB
PageTables:        840 kB
NFS_Unstable:        0 kB
Bounce:              0 kB
CommitLimit:   2589980 kB
Committed_AS:    31660 kB
VmallocTotal:   118776 kB
VmallocUsed:     18516 kB
VmallocChunk:   100096 kB
HugePages_Total:     0
HugePages_Free:      0
HugePages_Rsvd:      0
Hugepagesize:     2048 kB

# uname -srp
Linux 2.6.19.2 i686

# lsmod
Module                  Size  Used by
ipt_layer7             13060  3840
ip_conntrack           53924  1 ipt_layer7
iptable_mangle          3328  1
ip_tables              13528  1 iptable_mangle
autofs4                22148  2
dm_mod                 59668  0
video                  16260  0
button                  7056  0
battery                10500  0
asus_acpi              16152  0
ac                      5508  0
shpchp                 39852  0
i2c_i801                8588  0
8139too                27904  0
e100                   36744  0
mii                     6272  2 8139too,e100
sk98lin               160736  0
floppy                 60892  0
ext3                  138248  1
jbd                    60072  1 ext3
ata_piix               15880  2
sd_mod                 21888  3

I would very much appreciate it if anybody could help or advise me with this problem.
Thanks.

-- 
Sergey Alexanov
SA1215-RIPE
freak@volia.net




* Re: ip_conntrack hashsize problem
  2007-02-06 15:33 ip_conntrack hashsize problem Sergey Alexanov
@ 2007-02-06 17:11 ` Jan Engelhardt
  2007-02-06 17:37   ` Sergey Alexanov
  0 siblings, 1 reply; 3+ messages in thread
From: Jan Engelhardt @ 2007-02-06 17:11 UTC (permalink / raw)
  To: Sergey Alexanov; +Cc: netfilter


On Feb 6 2007 17:33, Sergey Alexanov wrote:
> can anybody suggest me in the following issue:
>
> # grep ip_conntrack /etc/modprobe.conf
> options ip_conntrack hashsize=2097152
>
> #  modprobe ip_conntrack
> #  lsmod | grep ip_conntrack
> ip_conntrack           53924  0
>
> # cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
> 16777216
> # cat /proc/sys/net/ipv4/netfilter/ip_conntrack_buckets
> 2097152
>
> looking fine..
>
> but if I try to insert more than 16000 rules with connection tracking I get an
> error:

"number of rules" is completely different to "ip_conntrack_max".



Jan
-- 



* Re: ip_conntrack hashsize problem
  2007-02-06 17:11 ` Jan Engelhardt
@ 2007-02-06 17:37   ` Sergey Alexanov
  0 siblings, 0 replies; 3+ messages in thread
From: Sergey Alexanov @ 2007-02-06 17:37 UTC (permalink / raw)
  Cc: netfilter

Jan Engelhardt wrote:
> On Feb 6 2007 17:33, Sergey Alexanov wrote:
> 
>>can anybody suggest me in the following issue:
>>
>># grep ip_conntrack /etc/modprobe.conf
>>options ip_conntrack hashsize=2097152
>>
>>#  modprobe ip_conntrack
>>#  lsmod | grep ip_conntrack
>>ip_conntrack           53924  0
>>
>># cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
>>16777216
>># cat /proc/sys/net/ipv4/netfilter/ip_conntrack_buckets
>>2097152
>>
>>looking fine..
>>
>>but if I try to insert more than 16000 rules with connection tracking I get an
>>error:
> 
> 
> "number of rules" is completely different to "ip_conntrack_max".
> 
> 
> 
> Jan

Jan, I don't completely understand what you mean...

I tried to apply a large set of rules without connection tracking:
# wc -l ./firewall2.sav
32771 ./firewall2.sav

# less ./firewall2.sav
*mangle
-A PREROUTING -p tcp -d xx.yy.240.0 --dport 80 -j MARK --set-mark 80
-A PREROUTING -p tcp -s xx.yy.240.0 --sport 80 -j MARK --set-mark 80
[..skipped..]
-A PREROUTING -p tcp -d xx.yy.255.255 --dport 82 -j MARK --set-mark 82
-A PREROUTING -p tcp -s xx.yy.255.255 --sport 82 -j MARK --set-mark 82
COMMIT

and voilà:
# iptables-restore < ./firewall2.sav

without errors and warnings

# iptables -t mangle -L -n | wc -l
32782


In addition to the connection tracking issues, the following warning
appears in the messages log file every time I try to apply the ruleset
with connection tracking:

kernel: allocation failed: out of vmalloc space - use vmalloc=<size> to increase size.

Unfortunately I don't have strong knowledge of tuning memory
allocation or kernel hacking.. :(


-- 
Sergey Alexanov
SA1215-RIPE
freak@volia.net
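An added example, not part of the thread and not code from any of its participants, that puts Jan's point in numbers: the conntrack hash table (sized by hashsize) and the loaded ruleset are separate allocations, and on a 32-bit 2.6.19 kernel a large instance of either is served from the vmalloc area, whose largest free piece /proc/meminfo reports as VmallocChunk. The three Vmalloc lines are copied from the first message so the script runs offline; the small ruleset is constructed. The per-object sizes (8 bytes per hash bucket, about 160 bytes per plain rule, about 8.5 KB per layer7 match) are assumptions for this kernel and the l7-filter patch, to be checked against your own headers.

```shell
#!/bin/sh
# Added example (not from the thread). Estimates how much of the kernel's
# vmalloc area a conntrack hash table and an iptables ruleset need, so that
# "allocation failed: out of vmalloc space" can be predicted before running
# iptables-restore. Per-object sizes are ASSUMED for a 32-bit 2.6.19 kernel
# with the l7-filter patch; verify them against your own kernel headers.

# Vmalloc lines copied from the first message so the script runs offline.
# Feed the contents of a real /proc/meminfo to meminfo_kb for live values.
SAMPLE_MEMINFO='VmallocTotal:   118776 kB
VmallocUsed:     18516 kB
VmallocChunk:   100096 kB'

# Constructed ruleset in iptables-save format: two layer7 rules, one plain.
SAMPLE_RULES='*mangle
-A POSTROUTING -d 192.0.2.1 -m layer7 --l7proto openft -j MARK --set-mark 1
-A POSTROUTING -s 192.0.2.1 -m layer7 --l7proto openft -j MARK --set-mark 1
-A POSTROUTING -d 192.0.2.1 -j MARK --set-mark 2
COMMIT'

# Print one /proc/meminfo field in kB.  $1 = field name, $2 = meminfo text.
meminfo_kb() {
    printf '%s\n' "$2" | awk -v f="$1:" '$1 == f { print $2 }'
}

# Conntrack hash table: hashsize buckets, each a struct list_head
# (ASSUMED 8 bytes: two pointers on i686). A table this large exceeds what
# __get_free_pages can hand out, so ip_conntrack falls back to vmalloc.
conntrack_hash_kb() {
    echo $(( $1 * 8 / 1024 ))
}

# Ruleset footprint from counts.  $1 = total rules, $2 = rules with layer7.
# ASSUMED: ~160 bytes for an ipt_entry with a MARK target, plus ~8.5 KB per
# layer7 match (ipt_layer7_info carries an 8192-byte pattern buffer).
ruleset_kb_from_counts() {
    echo $(( ($1 * 160 + $2 * 8704) / 1024 ))
}

# Same estimate computed from iptables-save text.  $1 = ruleset text.
ruleset_kb() {
    printf '%s\n' "$1" | awk '
        /^-A /                  { rules++ }
        /^-A / && / -m layer7 / { l7++ }
        END { printf "%d\n", (rules * 160 + l7 * 8704) / 1024 }'
}

# yes/no: does an allocation of $1 kB fit the largest free vmalloc chunk in
# meminfo text $2?  vmalloc needs one contiguous chunk, not just free total.
fits_vmalloc() {
    chunk=$(meminfo_kb VmallocChunk "$2")
    if [ "$1" -le "$chunk" ]; then echo yes; else echo no; fi
}

main() {
    hash_kb=$(conntrack_hash_kb 2097152)
    l7_kb=$(ruleset_kb_from_counts 16384 16384)   # 16k rules, all layer7
    plain_kb=$(ruleset_kb_from_counts 32768 0)    # 32k plain rules
    echo "conntrack hash (hashsize=2097152): ${hash_kb} kB"
    echo "16384 layer7 rules: ${l7_kb} kB, fits: $(fits_vmalloc "$l7_kb" "$SAMPLE_MEMINFO")"
    echo "32768 plain rules:  ${plain_kb} kB, fits: $(fits_vmalloc "$plain_kb" "$SAMPLE_MEMINFO")"
    echo "constructed sample ruleset: $(ruleset_kb "$SAMPLE_RULES") kB"
}
main
```

Under these assumptions the 16384-rule layer7 set (roughly 140 MB) cannot fit a 118 MB vmalloc area no matter what ip_conntrack_max says, while 32768 plain rules (about 5 MB) fit easily, which matches the two outcomes reported in the thread. The check is also conservative in the other direction: a table replacement keeps the old table alive until the new one is installed, so the free chunk must hold both for a moment. The kernel's own hint in the logged message, booting with vmalloc=<size> to enlarge the area, is the knob that moves the limit; shrinking the ruleset or the conntrack hashsize are the alternatives.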


