Re: IPtables hang system when loading over 254 IP Addresses
From: Harald Welte
Date: Thu Dec 11 2003 - 06:24:34 EST
On Mon, Dec 08, 2003 at 05:18:10PM -0700, Russell Elik Rademacher wrote:
> Hello linux-kernel,
Hi Russell!
> I was wondering if anyone have fixed or knew the slightly broken
> issue about loading the IPTables with Ingress/Egress filtering on
> 254 IP addresses or more? It basically locks up the system in
> networking level but everything else works fine.
>
The netfilter/iptables project has seperate mailinglists,
netfilter@xxxxxxxxxxxxxxxxxxx and/or netfilter-devel@xxxxxxxxxxxxxxxxxxx
are the ones you might want to contact
(http://netfilter.org/contact.html).
> Basically, if you knew about the script, APF Firewall script, I uses
> it and it make extensive uses of the IPTables to make complex
> firewall rules. But when it reaches to around 254, it just locks up
> the network system, rendering the server unaccessible. It make
> extensive uses of Ingress/Egress and I only seen it locks up when I
> make use of Egress filtering. Ingress works fine up to 400 IP
> addresses and I haven't pushed it that far past it to see how far it
> can go. But Egress, it locks it up, when combined with Ingress.
> Dunno about Egress itself in general. So...anyone might have a clue
> on this?
Maybe you should then talk to the "APF Firewall Script" author. We are
not aware of any iptables-related issues with as little as 254 rules.
--
- Harald Welte <laforge@xxxxxxxxxxxxx> http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie
Attachment:
pgp00001.pgp
Description: PGP signature