IPtables hang system when loading over 254 IP Addresses

IPtables hang system when loading over 254 IP Addresses

[Russell "Elik" Rademacher]

Hello linux-kernel,

  I was wondering if anyone have fixed or knew the slightly broken issue about loading the IPTables with Ingress/Egress filtering on 254 IP addresses or more?  It basically locks up the system in networking level but everything else works fine.

  Reason I asking is that I have quite a few servers with 256 to 300 IP addresses on it, which is mainly for the SSL or anonymous access. So..don't flame me for the gross IP misallocation on single server. :)

  Basically, if you knew about the script, APF Firewall script, I uses it and it make extensive uses of the IPTables to make complex firewall rules.  But when it reaches to around 254, it just locks up the network system, rendering the server unaccessible.  It make extensive uses of Ingress/Egress and I only seen it locks up when I make use of Egress filtering. Ingress works fine up to 400 IP addresses and I haven't pushed it that far past it to see how far it can go.  But Egress, it locks it up, when combined with Ingress.  Dunno about Egress itself in general.  So...anyone might have a clue on this?

  This is on 2.4.x series kernel.

-- 
Best regards,
Russell "Elik" Rademacher
Freelance Remote System Adminstrator/Tech Support    

Re: IPtables hang system when loading over 254 IP Addresses

[Harald Welte]

[-- Attachment #1: Type: text/plain, Size: 1771 bytes --]

On Mon, Dec 08, 2003 at 05:18:10PM -0700, Russell Elik Rademacher wrote:
> Hello linux-kernel,

Hi Russell!

>   I was wondering if anyone have fixed or knew the slightly broken
>   issue about loading the IPTables with Ingress/Egress filtering on
>   254 IP addresses or more?  It basically locks up the system in
>   networking level but everything else works fine.
> 

The netfilter/iptables project has seperate mailinglists,
netfilter@lists.netfilter.org and/or netfilter-devel@lists.netfilter.org
are the ones you might want to contact
(http://netfilter.org/contact.html).

>   Basically, if you knew about the script, APF Firewall script, I uses
>   it and it make extensive uses of the IPTables to make complex
>   firewall rules.  But when it reaches to around 254, it just locks up
>   the network system, rendering the server unaccessible.  It make
>   extensive uses of Ingress/Egress and I only seen it locks up when I
>   make use of Egress filtering. Ingress works fine up to 400 IP
>   addresses and I haven't pushed it that far past it to see how far it
>   can go.  But Egress, it locks it up, when combined with Ingress.
>   Dunno about Egress itself in general.  So...anyone might have a clue
>   on this?

Maybe you should then talk to the "APF Firewall Script" author.  We are
not aware of any iptables-related issues with as little as 254 rules.

-- 
- Harald Welte <laforge@netfilter.org>             http://www.netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]