
List:       netfilter
Subject:    Re: Rule Count limit
From:       "Neal P. Murphy" <neal.p.murphy () alum ! wpi ! edu>
Date:       2020-09-24 17:40:31
Message-ID: 20200924134031.30856252 () playground

On Thu, 24 Sep 2020 16:17:00 +0530
Jevin Gala <jevin@softaculous.com> wrote:

> Hi,
> 
> I couldn't find much information about the limitation on the number of rules that can be added.
> 
> I tried adding around 26000 rules and started seeing this message:

6-8 years ago, I discovered that iptables could not reliably add more than 20k-25k
rules at a time; a periodic COMMIT (IIRC) every 10k-15k rules would allow me to add
hundreds of thousands of rules. So there is or was a limit to iptables' atomicity.
Back then, I was comparing the efficiency of Smoothwall Express' ipbatch program and
iptables-restore and needed a million rules to obtain meaningful data; ipbatch was
marginally (~5%) more efficient.

N

> 
> Unable to update the kernel. Two possible causes:
> 
> 1. Multiple ebtables programs were executing simultaneously. The ebtables
> userspace tool doesn't by default support multiple ebtables programs running
> concurrently. The ebtables option --concurrent or a tool like flock can be
> used to support concurrent scripts that update the ebtables kernel tables.
> 
> 2. The kernel doesn't support a certain ebtables extension, consider
> recompiling your kernel or insmod the extension.
> 
> There is Free RAM while swap is fully used.
> 
> Kernel : 3.10.0-957.5.1.el7.x86_64
> 
> ebtables.x86_64 2.0.10-16.el7
> 
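The periodic-COMMIT workaround Neal describes, as an added shell example that is not part of this thread: it writes an iptables-restore file split into batches, each closed with its own COMMIT. The chain name BLOCKLIST and the 10.0.x.y sample addresses are constructed; the file must be loaded with iptables-restore -n (--noflush), since a repeated *filter header would otherwise flush the batch committed before it.

```shell
#!/bin/sh
# Added example, not from the thread: build an iptables-restore input file that
# issues a COMMIT every BATCH rules, so very large rule sets are loaded in
# several atomic batches instead of one. BLOCKLIST and the 10.0.x.y addresses
# are constructed for the demonstration.

# gen_restore TOTAL BATCH  -> writes iptables-restore text to stdout
gen_restore() {
    total=$1
    batch=$2
    i=0
    # Only the first block declares the chain: with --noflush a repeated
    # ':CHAIN' line would flush the rules already committed into it.
    printf '%s\n' '*filter' ':BLOCKLIST - [0:0]'
    while [ "$i" -lt "$total" ]; do
        o3=$(( (i / 256) % 256 ))
        o4=$(( i % 256 ))
        printf '%s\n' "-A BLOCKLIST -s 10.0.$o3.$o4/32 -j DROP"
        i=$((i + 1))
        # Close the batch atomically and reopen the table for the next one;
        # skipped when the last rule already ended a batch (no empty block).
        if [ $((i % batch)) -eq 0 ] && [ "$i" -lt "$total" ]; then
            printf '%s\n' 'COMMIT' '*filter'
        fi
    done
    printf '%s\n' 'COMMIT'
}

# count_commits FILE -> number of COMMIT lines (one per batch)
count_commits() {
    grep -c '^COMMIT$' "$1"
}

# count_rules FILE -> number of -A lines written
count_rules() {
    grep -c '^-A BLOCKLIST ' "$1"
}

# apply_restore FILE -> load the file; -n (--noflush) is required, otherwise
# every '*filter' header flushes what the previous batch committed. Needs root.
apply_restore() {
    iptables-restore -n "$1"
}

# Usage for the 26000-rule case from the thread, COMMIT every 10000 rules:
# gen_restore 26000 10000 > /tmp/blocklist.rules && apply_restore /tmp/blocklist.rules
```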

