On Wed, Feb 02, 2005 at 11:52:58PM +0100, Olaf Hering wrote:
> > I don't have time to look now [I'm running for the door],
> > but that's possibly the vmalloc() limit of 64M (67108864) ?
>
> maybe.
> ->size is a user-provided value, haven't looked closely at iptables
> source. It seems we have to live with this limitation.

The problem is two-fold. netfilter tries to allocate some data
per-CPU and does

	vmalloc(sizeof(struct ipt_table_info)
		+ SMP_ALIGN(tmp.size) * NR_CPUS);

At 3445 rules, tmp.size is 524272 (why does it want that much memory? I
would expect the only data that's per-CPU is the packet and byte
counters).

In some of our kernel configurations, NR_CPUS is 128 or even more,
and we run into a vmalloc limit here.

vmalloc wants to allocate an array of struct page pointers, and on
a 64-bit platform this means you're limited to 131072 / 8 = 16384
pages, or 67108864 bytes. In the example Olaf H posted, we fail at
128 + 524272 * 128 = 67108992 bytes, i.e. 16385 pages.

So I guess it all boils down to why netfilter needs 150-odd bytes
per rule and CPU.

Olaf
--
Olaf Kirch | --- o --- Nous sommes du soleil we love when we play
okir@xxxxxxx | / | \ sol.dhoop.naytheet.ah kin.ir.samse.qurax
|
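
The sizing arithmetic from the message above, as an added example that is not part of the original mail or of the kernel source. It assumes 4096-byte pages, takes the 128-byte header from the message's sum, and assumes a 128-byte round-up for SMP_ALIGN (that value reproduces the 67108992 total); all function names are hypothetical.

```c
#include <stdio.h>
#include <stdint.h>

#define PAGE_SZ       4096u    /* assumed page size */
#define PTR_ARRAY_MAX 131072u  /* bytes for the struct page pointer array (from the message) */
#define PTR_SZ        8u       /* pointer size on a 64-bit platform */

/* Round x up to a multiple of align (a power of two), the job SMP_ALIGN does. */
static uint64_t align_up(uint64_t x, uint64_t align)
{
    return (x + align - 1) & ~(align - 1);
}

/* Total request: table header plus one aligned copy of the rule blob per CPU. */
static uint64_t table_alloc_bytes(uint64_t hdr, uint64_t size,
                                  uint64_t ncpus, uint64_t align)
{
    return hdr + align_up(size, align) * ncpus;
}

static uint64_t pages_needed(uint64_t bytes)
{
    return (bytes + PAGE_SZ - 1) / PAGE_SZ;
}

static uint64_t vmalloc_page_limit(void)
{
    return PTR_ARRAY_MAX / PTR_SZ;
}

/* Largest user-supplied size (a multiple of align) that still fits the limit. */
static uint64_t max_table_size(uint64_t hdr, uint64_t ncpus, uint64_t align)
{
    uint64_t budget = vmalloc_page_limit() * PAGE_SZ;
    if (ncpus == 0 || budget < hdr)
        return 0;
    return ((budget - hdr) / ncpus) & ~(align - 1);
}

int main(void)
{
    static const unsigned cpus[] = { 2, 32, 128, 256 };  /* constructed sample NR_CPUS values */
    uint64_t req = table_alloc_bytes(128, 524272, 128, 128);
    printf("request %llu bytes = %llu pages, limit %llu pages\n",
           (unsigned long long)req, (unsigned long long)pages_needed(req),
           (unsigned long long)vmalloc_page_limit());
    for (size_t i = 0; i < sizeof(cpus) / sizeof(cpus[0]); i++)
        printf("NR_CPUS=%u: max table size %llu bytes\n", cpus[i],
               (unsigned long long)max_table_size(128, cpus[i], 128));
    return 0;
}
```

The per-CPU multiplier means the largest ruleset a box can load shrinks as NR_CPUS grows, independent of how many CPUs are actually present.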