> There should be one entry for each ruleset copy. I have 16 in
> /proc/vmallocinfo, which accounts for the 8 hw threads, for two sets
> (iptables, ip6tables). During a replace op, there can thus be up to
> 32 (or less) in /proc/vmallocinfo for a short period of time before
> it drops down to 16 again.

Then, why is there no difference when booting with maxcpus=2?

>> Meaning that iptables can eat more memory than displayed in
>> /proc/vmallocinfo?
>
> Yes. xt_geoip for example also loads its database (up to 2864 MB;
> though just 1x rather than foreach CPU) using vmalloc - separately
> from xt_alloc_table_info.

Okay, that I didn't expect. Interesting though.

> I am no memory manager expert, but with 32 bit, it's easy to run into
> limitations near 1G (lowmem) and then 4G (max VA space). Plenty of
> pitfalls on 32-bit.
>
> Options:
> - reduce your rules

Unfortunately, this is not possible.

> - we provide ways to reduce the number of copies (since some of them
>   are known to be unnecessary)

How can I do that?

> - go 64-bit

Possible, within a year or so. But the firewall is needed sooner. Although there is no other way for the future, of course.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
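The thread counts per-CPU ruleset copies by hand from /proc/vmallocinfo. The following script is an added example, not part of the thread and not code from netfilter or xtables-addons: it groups vmallocinfo entries by caller symbol (the third field, with the `+0x…/0x…` offset stripped) so an administrator can see how many `xt_alloc_table_info` copies exist and how many bytes each caller holds. The embedded input is constructed sample data in the vmallocinfo layout (2 CPUs, iptables plus ip6tables, one extra database allocation); the caller name `xt_geoip_load_db` is a placeholder, not the real symbol in the xt_geoip module.

```shell
#!/bin/sh
# Group /proc/vmallocinfo entries by calling function.
# Each line is: <start>-<end> <size-in-bytes> <caller>+<off>/<len> [pages=N] [flags...]
# The size column is the whole vmap area, which includes the trailing guard page,
# so 9 data pages show up as 10*4096 = 40960 bytes.
vmalloc_by_caller() {
    awk '{
        split($3, sym, "+")          # drop the +0x.../0x... offset, keep the function name
        total[sym[1]] += $2
        count[sym[1]]++
    }
    END {
        for (c in total)
            printf "%-28s %3d entries %10d bytes\n", c, count[c], total[c]
    }' | sort -k4 -n -r
}

# Print "<entries> <bytes>" for a single caller symbol read from stdin.
# A caller that never appears yields "0 0".
caller_stats() {
    awk -v want="$1" '{
        split($3, sym, "+")
        if (sym[1] == want) { n++; bytes += $2 }
    }
    END { printf "%d %d\n", n, bytes }'
}

# Constructed sample in /proc/vmallocinfo layout (32-bit addresses); not real output.
# 2 CPUs x 2 tables = 4 xt_alloc_table_info copies, plus one placeholder
# database allocation of 2048 pages made once rather than per CPU.
SAMPLE_VMALLOCINFO=$(cat <<'EOF'
0xf7e00000-0xf7e0a000   40960 xt_alloc_table_info+0x5a/0xc0 pages=9 vmalloc
0xf7e0a000-0xf7e14000   40960 xt_alloc_table_info+0x5a/0xc0 pages=9 vmalloc
0xf7e14000-0xf7e1e000   40960 xt_alloc_table_info+0x5a/0xc0 pages=9 vmalloc
0xf7e1e000-0xf7e28000   40960 xt_alloc_table_info+0x5a/0xc0 pages=9 vmalloc
0xf7e28000-0xf8629000 8392704 xt_geoip_load_db+0x31/0x90 pages=2048 vmalloc
0xf7a00000-0xf7a03000   12288 acpi_os_map_iomem+0x1e/0x80 phys=fed00000 ioremap
EOF
)

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_VMALLOCINFO" | vmalloc_by_caller
```

On a live system run `vmalloc_by_caller < /proc/vmallocinfo` as root; the number of `xt_alloc_table_info` entries should equal the CPU count times the number of loaded tables, and anything else that a netfilter module allocates (such as a match's database) appears under its own caller rather than being hidden in the table copies.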