Re: ip_conntrack hashsize problem

Jan Engelhardt writes:
On Feb 6 2007 17:33, Sergey Alexanov wrote:

Can anybody advise me on the following issue:

# grep ip_conntrack /etc/modprobe.conf
options ip_conntrack hashsize=2097152

#  modprobe ip_conntrack
#  lsmod | grep ip_conntrack
ip_conntrack           53924  0

# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
16777216
# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_buckets
2097152

Looking fine...

But if I try to insert more than 16000 rules with connection tracking, I get an
error:


"number of rules" is completely different to "ip_conntrack_max".



Jan

Jan, I don't completely understand what you mean...

I tried to apply a large set of rules without connection tracking:
# wc -l ./firewall2.sav
32771 ./firewall2.sav

# less ./firewall2.sav
*mangle
-A PREROUTING -p tcp -d xx.yy.240.0 --dport 80 -j MARK --set-mark 80
-A PREROUTING -p tcp -s xx.yy.240.0 --sport 80 -j MARK --set-mark 80
[..skipped..]
-A PREROUTING -p tcp -d xx.yy.255.255 --dport 82 -j MARK --set-mark 82
-A PREROUTING -p tcp -s xx.yy.255.255 --sport 82 -j MARK --set-mark 82
COMMIT

and voilà:
# iptables-restore < ./firewall2.sav

without errors or warnings

# iptables -t mangle -L -n | wc -l
32782


In addition to the connection tracking issues, the following warning appears in the messages log file every time I try to apply the ruleset with connection tracking:

kernel: allocation failed: out of vmalloc space - use vmalloc=<size> to increase size.

Unfortunately I don't have strong knowledge about tuning memory allocation and kernel hacking... :(


--
Sergey Alexanov
SA1215-RIPE
freak@xxxxxxxxx
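A small sanity check for the modprobe option discussed above, added here as an example and not part of the original message: it reads the `hashsize` value from an `options ip_conntrack` line, estimates the memory the bucket array needs, and compares that with an assumed vmalloc budget. The bucket layout (two pointers per bucket), the 32-bit pointer size and the 128 MiB vmalloc area are assumptions, not values taken from the thread; the 8x ratio between `ip_conntrack_max` and the bucket count is the one the thread's `/proc` output shows.

```python
# Added example (not from the thread): estimate what an ip_conntrack "hashsize"
# costs in memory so an oversized value can be caught before the kernel
# reports "allocation failed: out of vmalloc space".
import re

# Constructed sample, mirroring the modprobe.conf line quoted in the thread.
MODPROBE_CONF = """\
# local module options
options ip_conntrack hashsize=2097152
"""

def parse_hashsize(conf: str) -> int:
    """Return the hashsize from an 'options ip_conntrack ...' line, or 0 if absent."""
    m = re.search(r"^options\s+ip_conntrack\b.*?\bhashsize=(\d+)", conf, re.MULTILINE)
    return int(m.group(1)) if m else 0

def bucket_array_bytes(hashsize: int, pointer_bytes: int = 4) -> int:
    """Size of the hash bucket array, assuming one list head (two pointers)
    per bucket, as in the 2.6-era module (assumption, check your kernel)."""
    return hashsize * 2 * pointer_bytes

def default_conntrack_max(hashsize: int) -> int:
    """The thread's /proc output shows ip_conntrack_max = 8 * ip_conntrack_buckets."""
    return hashsize * 8

def check_hashsize(conf: str, vmalloc_bytes: int = 128 << 20,
                   pointer_bytes: int = 4) -> dict:
    """Crude check: does the bucket array fit in the vmalloc area at all?
    128 MiB is a common 32-bit x86 default (assumption); on a real host read
    VmallocTotal from /proc/meminfo. Fragmentation can still make a smaller
    contiguous allocation fail, so a 'fits' result is necessary, not sufficient."""
    hashsize = parse_hashsize(conf)
    table = bucket_array_bytes(hashsize, pointer_bytes)
    return {
        "hashsize": hashsize,
        "conntrack_max": default_conntrack_max(hashsize),
        "bucket_array_bytes": table,
        "fits_vmalloc": 0 < table < vmalloc_bytes,
    }

if __name__ == "__main__":
    print(check_hashsize(MODPROBE_CONF))
```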



