iptables out of memory?

Tom Buskey tom at buskey.name
Fri Jan 23 11:25:40 EST 2009


On Fri, Jan 23, 2009 at 11:06 AM, Kevin D. Clark
<kevin_d_clark at comcast.net> wrote:

>
> Alan Johnson writes:
>
> > I'm using a simple `iptables -A INPUT -s $ipa -j DROP` in a script to
> > block known spammers that show up in my mail log.  I created a separate
> > script to purge out some older offenders but I broke it (now fixed) and
> > at about 123K blocked IPAs, I get "iptables: Memory allocation problem"
> > messages until I remove some of them.
> >
> > Is iptables really limited to that many records or something?  Can I
> > tweak that somewhere?  The machine has plenty of RAM free.
>
> Er....ummm....do you realize that this is a gigantic number of rules?
> As a matter of comparison, the number of BGP routing prefixes in use
> on the general Internet today runs at around 300k, and the machines
> that handle these tables are specialized machines that are *highly*
> optimized for handling these tables.
>
> I doubt that iptables is optimized to efficiently handle tables of
> this scale.  Even if you were to find a preprocessor #define in the
> code that controlled the size of some internal table in the runtime,
> you still wouldn't be out of the woods.
>

Given all this, would it be possible to use something like denyhosts to
block IPs?
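An added example, not from anyone in this thread: the usual way around the per-rule ceiling Alan is hitting is to stop appending one iptables rule per address and instead keep the addresses in an ipset (hash:ip) that a single rule matches. ipset is not mentioned in the thread; the record format, the set name `spammers`, the 30-day purge window and the sample addresses are all constructed for this example.

```python
"""Maintain a large spammer blocklist as one ipset instead of 123K iptables rules.

Constructed example. It dedups the addresses, drops offenders not seen for
max_age_days (the "purge older offenders" job from the thread) and emits
`ipset restore` input that loads the whole set in one call. The kernel then
matches the set with a single rule (IPTABLES_RULE below), so the rule table
stays tiny no matter how many addresses are blocked.
"""
import ipaddress
from datetime import datetime, timedelta

# Constructed sample records, "<ip> <last-seen YYYY-MM-DD>", as a blocking
# script might keep them. One duplicate and one malformed line on purpose.
SAMPLE_RECORDS = """\
203.0.113.7 2009-01-20
198.51.100.23 2008-11-02
203.0.113.7 2009-01-22
not-an-ip 2009-01-01
192.0.2.44 2009-01-23
"""

def load_records(text):
    """Parse records, skipping malformed lines; keep the latest date per IP."""
    seen = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        try:
            ip = str(ipaddress.ip_address(parts[0]))
            when = datetime.strptime(parts[1], "%Y-%m-%d")
        except ValueError:
            continue  # never feed garbage from the log into the firewall
        if ip not in seen or when > seen[ip]:
            seen[ip] = when
    return seen

def purge_older_than(records, max_age_days, today):
    """Drop entries last seen more than max_age_days before today (YYYY-MM-DD)."""
    cutoff = datetime.strptime(today, "%Y-%m-%d") - timedelta(days=max_age_days)
    return {ip: d for ip, d in records.items() if d >= cutoff}

def ipset_restore_script(records, setname="spammers"):
    """Emit `ipset restore` input: one `create` line, then one `add` per IP.
    Assumes the set does not exist yet (destroy it first when reloading)."""
    maxelem = max(65536, 2 * len(records))  # headroom above 123K is cheap
    lines = [f"create {setname} hash:ip family inet maxelem {maxelem}"]
    lines += [f"add {setname} {ip}" for ip in sorted(records, key=ipaddress.ip_address)]
    return "\n".join(lines) + "\n"

# The single rule that replaces all the per-address DROP rules.
IPTABLES_RULE = "iptables -A INPUT -m set --match-set spammers src -j DROP"

if __name__ == "__main__":
    kept = purge_older_than(load_records(SAMPLE_RECORDS), 30, "2009-01-23")
    print(ipset_restore_script(kept), end="")
    print("#", IPTABLES_RULE)
```

Pipe the script's output into `ipset restore` and add IPTABLES_RULE once; later purges regenerate the set without touching the rule table.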