* ip_conntrack hashsize problem
@ 2007-02-06 15:33 Sergey Alexanov
2007-02-06 17:11 ` Jan Engelhardt
From: Sergey Alexanov @ 2007-02-06 15:33 UTC (permalink / raw)
To: netfilter
Hello all,
can anybody advise me on the following issue:
# grep ip_conntrack /etc/modprobe.conf
options ip_conntrack hashsize=2097152
# modprobe ip_conntrack
# lsmod | grep ip_conntrack
ip_conntrack 53924 0
# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
16777216
# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_buckets
2097152
looks fine..
but if I try to insert more than 16000 rules with connection tracking I
get an error:
# iptables-restore < ./firewall.sav
iptables-restore: line 16386 failed
# wc -l ./firewall.sav
16387 ./firewall.sav
but with a smaller set of rules:
# wc -l ./firewall.sav
4099 ./firewall.sav
applying the ruleset:
# iptables-restore < ./firewall.sav
and checking with
# iptables -t mangle -L -n
everything is fine.
firewall.sav is filled with something like this:
# cat ./firewall.sav | less
*mangle
-A POSTROUTING -d xx.yy.240.0 -m layer7 --l7proto openft -j MARK --set-mark 0x4d7bf000b
-A POSTROUTING -s xx.yy.240.0 -m layer7 --l7proto openft -j MARK --set-mark 0x4d7bf000b
-A POSTROUTING -d xx.yy.240.0 -m layer7 --l7proto gnutella -j MARK --set-mark 0x4d7bf0008
[.skipped.]
-A POSTROUTING -d xx.yy.241.255 -m layer7 --l7proto edonkey -j MARK --set-mark 0x4d7bf1ff2
-A POSTROUTING -s xx.yy.241.255 -m layer7 --l7proto edonkey -j MARK --set-mark 0x4d7bf1ff2
-A POSTROUTING -d xx.yy.241.255 -j MARK --set-mark 0x4d7bf1ff9
-A POSTROUTING -s xx.yy.241.255 -j MARK --set-mark 0x4d7bf1ff9
COMMIT
just 32 rules for each IP address in the xx.yy.240/23 CIDR block.
additional info:
# cat /proc/meminfo
MemTotal: 1035276 kB
MemFree: 32848 kB
Buffers: 32428 kB
Cached: 899432 kB
SwapCached: 0 kB
Active: 614192 kB
Inactive: 326368 kB
HighTotal: 130752 kB
HighFree: 1404 kB
LowTotal: 904524 kB
LowFree: 31444 kB
SwapTotal: 2072344 kB
SwapFree: 2072344 kB
Dirty: 0 kB
Writeback: 0 kB
AnonPages: 8716 kB
Mapped: 4668 kB
Slab: 36892 kB
SReclaimable: 27720 kB
SUnreclaim: 9172 kB
PageTables: 840 kB
NFS_Unstable: 0 kB
Bounce: 0 kB
CommitLimit: 2589980 kB
Committed_AS: 31660 kB
VmallocTotal: 118776 kB
VmallocUsed: 18516 kB
VmallocChunk: 100096 kB
HugePages_Total: 0
HugePages_Free: 0
HugePages_Rsvd: 0
Hugepagesize: 2048 kB
# uname -srp
Linux 2.6.19.2 i686
# lsmod
Module Size Used by
ipt_layer7 13060 3840
ip_conntrack 53924 1 ipt_layer7
iptable_mangle 3328 1
ip_tables 13528 1 iptable_mangle
autofs4 22148 2
dm_mod 59668 0
video 16260 0
button 7056 0
battery 10500 0
asus_acpi 16152 0
ac 5508 0
shpchp 39852 0
i2c_i801 8588 0
8139too 27904 0
e100 36744 0
mii 6272 2 8139too,e100
sk98lin 160736 0
floppy 60892 0
ext3 138248 1
jbd 60072 1 ext3
ata_piix 15880 2
sd_mod 21888 3
I would very much appreciate it if anybody could help or advise me with this problem.
Thanks.
--
Sergey Alexanov
SA1215-RIPE
freak@volia.net
* Re: ip_conntrack hashsize problem
From: Jan Engelhardt @ 2007-02-06 17:11 UTC (permalink / raw)
To: Sergey Alexanov; +Cc: netfilter
On Feb 6 2007 17:33, Sergey Alexanov wrote:
> can anybody advise me on the following issue:
>
> # grep ip_conntrack /etc/modprobe.conf
> options ip_conntrack hashsize=2097152
>
> # modprobe ip_conntrack
> # lsmod | grep ip_conntrack
> ip_conntrack 53924 0
>
> # cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
> 16777216
> # cat /proc/sys/net/ipv4/netfilter/ip_conntrack_buckets
> 2097152
>
> looks fine..
>
> but if I try to insert more than 16000 rules with connection tracking I get an
> error:
"number of rules" is completely different from "ip_conntrack_max".
Jan
--
* Re: ip_conntrack hashsize problem
From: Sergey Alexanov @ 2007-02-06 17:37 UTC (permalink / raw)
Cc: netfilter
Jan Engelhardt writes:
> On Feb 6 2007 17:33, Sergey Alexanov wrote:
>
>>can anybody advise me on the following issue:
>>
>># grep ip_conntrack /etc/modprobe.conf
>>options ip_conntrack hashsize=2097152
>>
>># modprobe ip_conntrack
>># lsmod | grep ip_conntrack
>>ip_conntrack 53924 0
>>
>># cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
>>16777216
>># cat /proc/sys/net/ipv4/netfilter/ip_conntrack_buckets
>>2097152
>>
>>looks fine..
>>
>>but if I try to insert more than 16000 rules with connection tracking I get an
>>error:
>
>
> "number of rules" is completely different from "ip_conntrack_max".
>
>
>
> Jan
Jan, I don't completely understand what you mean...
I tried to apply a large set of rules without connection tracking,
# wc -l ./firewall2.sav
32771 ./firewall2.sav
# less ./firewall2.sav
*mangle
-A PREROUTING -p tcp -d xx.yy.240.0 --dport 80 -j MARK --set-mark 80
-A PREROUTING -p tcp -s xx.yy.240.0 --sport 80 -j MARK --set-mark 80
[..skipped..]
-A PREROUTING -p tcp -d xx.yy.255.255 --dport 82 -j MARK --set-mark 82
-A PREROUTING -p tcp -s xx.yy.255.255 --sport 82 -j MARK --set-mark 82
COMMIT
and voilà:
# iptables-restore < ./firewall2.sav
without errors and warnings
# iptables -t mangle -L -n | wc -l
32782
in addition to the connection tracking issues, the following warning
appears in the messages log file every time I try to apply the ruleset
with connection tracking:
kernel: allocation failed: out of vmalloc space - use vmalloc=<size> to
increase size.
unfortunately I don't have strong knowledge of tuning memory
allocation or kernel hacking.. :(
--
Sergey Alexanov
SA1215-RIPE
freak@volia.net
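Added example, not part of the thread: a POSIX sh script that turns the /proc/meminfo figures posted above into the check the "out of vmalloc space" message is really asking for, namely whether a table of this many rules fits in the largest free region of the vmalloc window. On a 32-bit x86 kernel of this era the vmalloc area is a fixed slice of kernel address space (VmallocTotal here is 118776 kB, about 116 MB), ip_tables uses it for a table's rule blob once that blob exceeds a page, and a large conntrack hash table can land there too. The sizes fed in are assumptions, not kernel values: 8 bytes per hash bucket (one list head of two pointers on i386) and 8704 bytes per rule, which is the order of magnitude a rule carries when, as with the layer7 match, its pattern buffer is embedded in the per-rule match info. The meminfo sample is copied from the first post, trimmed to the lines the script reads.

```shell
#!/bin/sh
# Added example (not from the thread): estimate whether a ruleset fits in
# the 32-bit vmalloc window reported by /proc/meminfo. All per-object
# sizes are caller-supplied assumptions, not values read from the kernel.

# /proc/meminfo excerpt, copied from the first post in the thread.
SAMPLE_MEMINFO='MemTotal:        1035276 kB
LowTotal:         904524 kB
VmallocTotal:     118776 kB
VmallocUsed:       18516 kB
VmallocChunk:     100096 kB'

# Print one field (in kB) of meminfo-style text. $1 = text, $2 = field name.
meminfo_kb() {
    printf '%s\n' "$1" | awk -v f="$2:" '$1 == f { print $2; exit }'
}

# Round a byte count up to whole 4 kB pages and return it in kB.
bytes_to_page_kb() {
    echo $(( ($1 + 4095) / 4096 * 4 ))
}

# kB for a conntrack hash table. $1 = buckets, $2 = bytes per bucket
# (assumption: 8 on i386, one list_head of two 32-bit pointers).
hashtable_kb() {
    bytes_to_page_kb $(( $1 * $2 ))
}

# kB for one table's rule blob. $1 = rules, $2 = assumed bytes per rule.
# The kernel keeps one copy of the blob per CPU, so multiply by the CPU
# count on an SMP box; this single-CPU estimate does not.
ruleset_kb() {
    bytes_to_page_kb $(( $1 * $2 ))
}

# Exit 0 if $2 kB fit in the largest free vmalloc region of meminfo text $1.
# VmallocChunk already excludes whatever is in VmallocUsed, such as an
# already loaded conntrack hash table, so only the new allocation is compared.
fits_vmalloc() {
    chunk=$(meminfo_kb "$1" VmallocChunk)
    [ "$2" -le "$chunk" ]
}

# Human-readable verdict. $1 = meminfo text, $2 = rules, $3 = bytes per rule.
check() {
    need=$(ruleset_kb "$2" "$3")
    if fits_vmalloc "$1" "$need"; then
        echo "$2 rules: fits, needs ${need} kB"
    else
        echo "$2 rules: does not fit, needs ${need} kB but VmallocChunk is $(meminfo_kb "$1" VmallocChunk) kB (VmallocTotal $(meminfo_kb "$1" VmallocTotal) kB)"
    fi
}

# The two rule counts from the thread, plus the posted hashsize for scale.
echo "hash table of 2097152 buckets: $(hashtable_kb 2097152 8) kB (already inside VmallocUsed once loaded)"
check "$SAMPLE_MEMINFO" 4096 8704
check "$SAMPLE_MEMINFO" 16384 8704
```

With the assumed 8704 bytes per rule, 4096 rules come to 34816 kB and fit below the 100096 kB VmallocChunk, while 16384 rules come to 139264 kB, more than the whole 118776 kB VmallocTotal, which is consistent with the smaller set loading and the larger one failing. On a 32-bit kernel the `vmalloc=<size>` boot parameter the log message mentions enlarges that window, but it does so by taking address space away from directly mapped low memory, so raising it far enough for a table of that size also shrinks LowTotal; against the 1 GB machine above that is a real trade, not a free tunable. Run the script on a live box by replacing SAMPLE_MEMINFO with `$(cat /proc/meminfo)`.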