iptables out of memory?

Kevin D. Clark kevin_d_clark at comcast.net
Fri Jan 23 11:06:13 EST 2009


Alan Johnson writes:

> I'm using a simple `iptables -A INPUT -s $ipa -j DROP` in a script to block
> known spammers that show up in my mail log.  I created a separate script to
> purge out some older offenders but I broke it (now fixed) and at about 123K
> blocked IPAs, I get "iptables: Memory allocation problem" messages until I
> remove some of them.
> 
> Is iptables really limited to that many records or something?  Can I tweak
> that somewhere?  The machine has plenty of RAM free.

Er....ummm....do you realize that this is a gigantic number of rules?
As a matter of comparison, the number of BGP routing prefixes in use
on the general Internet today runs at around 300k, and the machines
that handle these tables are specialized machines that are *highly*
optimized for handling these tables.

I doubt that iptables is optimized to efficiently handle tables of
this scale.  Even if you were to find a preprocessor #define in the
code that controlled the size of some internal table in the runtime,
you still wouldn't be out of the woods.

Regards,

--kevin
-- 
GnuPG ID: B280F24E                Meet me by the knuckles
alumni.unh.edu!kdc                of the skinny-bone tree.
http://kdc-blog.blogspot.com/     -- Tom Waits
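
The scaling concern raised in the reply above has a standard practitioner
answer: keep the addresses in an ipset hash:ip set (a hash lookup, not a
linear walk of 123K rules) and match the whole set from a single iptables
rule.  The POSIX shell script below is an added example, not code from the
original post or from either author.  The set name "spammers", the
Postfix-style log excerpt, and the log format assumed by the extraction
pattern are assumptions for the example; adjust the sed expression to
whatever your own mail log looks like.

```shell
#!/bin/sh
# Added example (not from the original thread): build one ipset from the
# offender addresses in a mail log and drop them with a single iptables
# rule, instead of appending one "iptables -A INPUT -s ADDR -j DROP" per
# address.  Assumptions: set name "spammers"; Postfix-style reject lines.

SET_NAME=spammers

# Constructed sample log excerpt (not real data).  One address appears
# twice to show deduplication; the last line is not a reject and is ignored.
SAMPLE_LOG='Jan 23 10:01:02 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable
Jan 23 10:01:05 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 Service unavailable
Jan 23 10:02:11 mx postfix/smtpd[1240]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable
Jan 23 10:03:40 mx postfix/smtpd[1241]: connect from mail.example.net[203.0.113.25]'

# Print the IPv4 address of every rejected sender, deduplicated and sorted.
extract_offenders() {
    printf '%s\n' "$1" \
      | grep 'reject: RCPT from' \
      | sed -n 's/.*from [^[]*\[\([0-9.]*\)\].*/\1/p' \
      | sort -u
}

# Number of distinct offenders (handy for a sanity check before loading).
count_offenders() {
    extract_offenders "$1" | wc -l | tr -d ' '
}

# Emit an "ipset restore" script.  Members are loaded into a temporary set
# and swapped in, so a reload never leaves a window with an empty set.
# maxelem is sized well above the 123K addresses mentioned in the thread.
build_ipset_restore() {
    echo "create ${SET_NAME} hash:ip family inet hashsize 65536 maxelem 262144"
    echo "create ${SET_NAME}.tmp hash:ip family inet hashsize 65536 maxelem 262144"
    extract_offenders "$1" | while read -r ip; do
        echo "add ${SET_NAME}.tmp ${ip}"
    done
    echo "swap ${SET_NAME}.tmp ${SET_NAME}"
    echo "destroy ${SET_NAME}.tmp"
}

# The one firewall rule that replaces all the per-address rules.
firewall_rule() {
    echo "iptables -A INPUT -m set --match-set ${SET_NAME} src -j DROP"
}

# Usage (needs root and the ipset package; the generator itself runs
# anywhere and touches nothing):
#   build_ipset_restore "$(cat /var/log/mail.log)" | ipset -exist restore
#   firewall_rule | sh
# Rerunning the first line refreshes the set in place; "-exist" makes the
# "create" lines harmless when the sets already exist.
```

Purging old offenders then becomes "ipset del spammers ADDR" (or a rebuild
from a trimmed log), and the iptables rule count stays at one regardless
of how many addresses are blocked.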
