iptables out of memory?

Ben Scott dragonhawk at gmail.com
Thu Jan 22 17:43:19 EST 2009


On Thu, Jan 22, 2009 at 5:19 PM, Alan Johnson <alan at datdec.com> wrote:

  Let's do the important thing first:

> Is there a way to specify multiple IPAs on a single rule?

  Generally speaking, this sort of thing is done by aggregation of
individual nodes into netblocks.  You may have to knock out some
potentially innocent systems, but if you're blocking mail by IP
address and TCP connection you've prolly already accepted that.

> ... at about 123K blocked IPAs ...

  Just to make sure: You mean 123,000 distinct iptables rule entries?

> Is iptables really limited to that many records or something?

  Wouldn't surprise me.  That's a freaking huge pile of firewall rules.

  It seems others have experienced this:

http://www.google.com/search?q=(iptables+OR+netfilter)+%22number+of+rules%22

  Alternative firewall engines are suggested which I am not familiar with.

> Can I tweak that somewhere?

  Almost certainly.  It's Free Software.  Whether you can do that
without modifying the kernel source and rebuilding... I dunno.  ;-)

>  The machine has plenty of RAM free.

  I doubt it's simple RAM.  For one, CPU time will start to matter
with that many rules, and no matter how fast your CPU, doing 123,000
distinct compares for each and every packet received is going to drag
things down.  There may also be limits (arbitrary, practical, or
algorithmic) on internal kernel memory structures.

-- Ben


More information about the gnhlug-discuss mailing list
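The netblock aggregation Ben suggests above, as an added worked example (editor's code, not code from the thread or from the iptables project). It assumes a small constructed list of RFC 5737 documentation addresses standing in for the 123K-entry blocklist, and shows two ways to shrink a per-host rule list: a lossless merge of adjacent hosts into CIDR blocks, and a lossy merge that deliberately replaces a dense /24 with the whole netblock, accepting the collateral blocking of unlisted neighbours that the post mentions. It also emits the equivalent `ipset` set plus a single `-m set` match rule as an alternative to one `iptables` rule per block; the `ipset create/add ... hash:net` syntax is an assumption about the reader's toolchain (modern ipset), not something the thread discusses. The set name, chain and port are illustrative.

```python
import ipaddress
from collections import defaultdict

# Constructed sample (RFC 5737 documentation ranges), standing in for the
# real 123K-entry list from the thread.  Eight hosts cluster in one /24.
SAMPLE_BLOCKED = [
    "192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4",
    "192.0.2.5", "192.0.2.6", "192.0.2.7", "192.0.2.8",
    "198.51.100.10", "198.51.100.11",
    "203.0.113.77",
]


def exact_aggregate(ips):
    """Lossless: merge adjacent hosts into the fewest CIDR blocks that cover
    exactly the listed addresses and nothing else."""
    nets = [ipaddress.ip_network(ip) for ip in ips]
    return list(ipaddress.collapse_addresses(nets))


def lossy_aggregate(ips, prefix=24, min_hosts=4):
    """Lossy: any /prefix holding at least min_hosts listed addresses is
    replaced by the whole /prefix (knocking out unlisted neighbours too);
    sparser entries stay as exact hosts.  Thresholds are assumptions."""
    buckets = defaultdict(list)
    for ip in ips:
        net = ipaddress.ip_interface(f"{ip}/{prefix}").network
        buckets[net].append(ipaddress.ip_address(ip))
    out = []
    for net, hosts in buckets.items():
        if len(hosts) >= min_hosts:
            out.append(net)
        else:
            out.extend(ipaddress.ip_network(h) for h in hosts)
    return list(ipaddress.collapse_addresses(out))


def collateral_count(ips, nets):
    """How many addresses the block list hits beyond the listed hosts."""
    covered = sum(n.num_addresses for n in nets)
    return covered - len(set(ips))


def iptables_rules(nets, chain="INPUT", port=25):
    """One DROP rule per block: matched linearly, one compare per packet
    per rule, which is the cost the post warns about."""
    return [f"iptables -A {chain} -p tcp --dport {port} -s {n} -j DROP"
            for n in nets]


def ipset_commands(nets, setname="smtp-blocklist", chain="INPUT", port=25):
    """Assumed alternative: load the blocks into a hash:net set and match
    the whole set with a single rule (hash lookup, not a rule-by-rule scan)."""
    cmds = [f"ipset create {setname} hash:net"]
    cmds += [f"ipset add {setname} {n}" for n in nets]
    cmds.append(f"iptables -A {chain} -p tcp --dport {port} "
                f"-m set --match-set {setname} src -j DROP")
    return cmds


if __name__ == "__main__":
    exact = exact_aggregate(SAMPLE_BLOCKED)
    lossy = lossy_aggregate(SAMPLE_BLOCKED)
    print(f"{len(SAMPLE_BLOCKED)} hosts -> {len(exact)} exact blocks, "
          f"{len(lossy)} lossy blocks "
          f"(collateral: {collateral_count(SAMPLE_BLOCKED, lossy)} extra addrs)")
    print("\n".join(iptables_rules(exact)))
    print("\n".join(ipset_commands(lossy)))
```

On the real list the two knobs to tune are `prefix` and `min_hosts`: a lower threshold collapses more of the list (fewer rules, faster matching) at the price of more innocent neighbours blocked, which is the trade-off the post says a mail-by-IP blocker has usually already accepted.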