Re: How many rules were supported iptables?

Author: Jesper Dangaard Brouer
Date:  
To: Peter
CC: 이근수, netfilter-devel, Jesper Dangaard Brouer
Subject: Re: How many rules were supported iptables?


On Fri, 20 Oct 2006, Peter wrote:

> ??? <kslee109@???> wrote:
>

<cut>
>> ...
>> Do 10,000 rules operate safely?? Or Some rules dont operate normally??
>> If some rules dont operate normally, how many rules iptables does
>> support??
>>
> It's the 4 MB in total size of rules. (This is the maximum size of a
> chunk of data copied from userspace to kernel space in one syscall)
It is NOT true that there exists a 4 MB size limit on rules.

It's quite easy to disprove. I have made some tests where I can transfer a
ruleset of 13 MB between userspace and kernel (for how to see the ruleset
size, see note#1).

The ruleset consists of 12256 chains and 59239 rules. Regarding
performance issues: I have constructed the ruleset as a subnet-tree, where
a worst-case match results in touching at most 45 rules. Throughput-wise,
with this ruleset I can route 94 Mbit/s through the Linux box on a
100 Mbit/s netcard.

Problem: The execution time of iptables takes around 14 seconds. This is
caused by the way iptables/libiptc parses the ruleset blob, in the libiptc.c
function iptcc_find_chain_by_offset. We should actually fix this... I
have raised this issue before on the list, but the discussion died...

The real limit:

To test the limits of iptables, I also tried to load a ruleset with 24878
chains and 120250 rules, with a ruleset blob size of around 30 MB. (The
iptables init function now takes 70 seconds!!!) With a ruleset that large,
iptables actually gave up and reported:

"Memory allocation problem" (errno:12)

And the kernel syslog reported:

"kernel: allocation failed: out of vmalloc space - use vmalloc=<size> to increase size."

This error is caused by the kernel not being able to allocate enough vmalloc
memory, probably just before it swaps the rulesets. (This can be
increased at boot time with vmalloc=xxx, and the available vmalloc memory
can be seen in /proc/meminfo.)


Cheers,
Jesper Brouer

--
-------------------------------------------------------------------
MSc. Master of Computer Science
Dept. of Computer Science, University of Copenhagen
Author of http://www.adsl-optimizer.dk
-------------------------------------------------------------------


Notes:

Note#1:
The easiest way to see the size of the ruleset blob is to compile libiptc
with -DIPTC_DEBUG2 and look at the file sizes of
/tmp/libiptc-so_get_entries.blob and /tmp/libiptc-so_set_replace.blob.
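The "subnet-tree" layout Jesper describes above (thousands of rules, but only a few dozen touched per packet) can be reproduced with a small generator. The script below is an added example, not code from the post or from the iptables project: it emits an iptables-restore file that splits one /16 into sixteen /20 chains, each into sixteen /24 chains, each holding a handful of per-host rules, and it computes how many rules a given destination walks. The chain names (l1_N, l2_M), the two-level /20 and /24 split, and the sample prefix 10.0.0.0/16 are my own choices; the address counts are constructed for illustration.

```shell
#!/bin/bash
# Added example (not from the original post): build a two-level "subnet
# tree" ruleset in iptables-restore format so that a packet walks at most
# a few dozen rules even though thousands are loaded.
#
# Layout for a /16 such as 10.0.0.0/16 (chain names are my own choice):
#   FORWARD -> 16 jump rules, one per /20          (chains l1_0 .. l1_15)
#   l1_N    -> 16 jump rules, one per /24 in it    (chains l2_0 .. l2_255)
#   l2_M    -> HOSTS per-host rules; falling off the end returns to the caller
# Worst-case walk: 16 + 16 + HOSTS rules.

# gen_subnet_tree A B HOSTS -> ruleset for A.B.0.0/16 on stdout (HOSTS <= 254)
gen_subnet_tree() {
    local a=$1 b=$2 hosts=$3 i h
    printf '*filter\n'
    printf ':INPUT ACCEPT [0:0]\n:FORWARD ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\n'
    # iptables-restore needs every user chain declared before it is used
    i=0; while [ "$i" -lt 16 ]; do printf ':l1_%d - [0:0]\n' "$i"; i=$((i+1)); done
    i=0; while [ "$i" -lt 256 ]; do printf ':l2_%d - [0:0]\n' "$i"; i=$((i+1)); done
    # level 1: split the /16 into sixteen /20s
    i=0; while [ "$i" -lt 16 ]; do
        printf '%s\n' "-A FORWARD -d $a.$b.$((i * 16)).0/20 -j l1_$i"
        i=$((i+1))
    done
    # level 2: split each /20 into sixteen /24s
    i=0; while [ "$i" -lt 256 ]; do
        printf '%s\n' "-A l1_$((i / 16)) -d $a.$b.$i.0/24 -j l2_$i"
        i=$((i+1))
    done
    # leaves: one rule per host (constructed sample hosts .1 .. .HOSTS)
    i=0; while [ "$i" -lt 256 ]; do
        h=1; while [ "$h" -le "$hosts" ]; do
            printf '%s\n' "-A l2_$i -d $a.$b.$i.$h -j ACCEPT"
            h=$((h+1))
        done
        i=$((i+1))
    done
    printf 'COMMIT\n'
}

# count_chains / count_rules: read a restore file on stdin
count_chains() { grep -c '^:'; }
count_rules()  { grep -c '^-A'; }

# rules_walked C D HOSTS -> rules evaluated for destination A.B.C.D
# A hit stops at the matching leaf rule; a miss runs off the end of the
# leaf, returns, and finishes the rest of l1_N and then of FORWARD.
rules_walked() {
    local c=$1 d=$2 hosts=$3
    local l1=$((c / 16 + 1)) l2=$((c % 16 + 1))
    if [ "$d" -le "$hosts" ]; then
        echo $((l1 + l2 + d))
    else
        echo $((16 + 16 + hosts))
    fi
}

# Usage on a test box (needs root; not executed by this script itself):
#   gen_subnet_tree 10 0 8 > tree.rules
#   grep Vmalloc /proc/meminfo          # VmallocTotal / VmallocUsed before
#   time iptables-restore < tree.rules  # userspace parse time is what hurts
#   grep Vmalloc /proc/meminfo          # ... and after the table is swapped in
```

With HOSTS=8 the file declares 275 chains and 2320 rules, yet no packet is compared against more than 40 of them; growing the tree adds chains and rules (and vmalloc, see /proc/meminfo) without changing that per-packet bound, which is the point of the subnet-tree construction.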