Bug 453814
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | Adding many iptables rules fails on archs with large NR_CPUS | | |
| Product | Red Hat Enterprise Linux 5 | Reporter | Bryn M. Reeves <bmr> |
| Component | kernel | Assignee | Anton Arapov <anton> |
| Status | CLOSED WONTFIX | QA Contact | Martin Jenner <mjenner> |
| Severity | low | Docs Contact | |
| Priority | low | | |
| Version | 5.2 | CC | nobody, tao, tgraf |
| Target Milestone | rc | | |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2008-07-21 06:56:39 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Created attachment 310838: xt_table_info diet for rhel5

I started working on a backport of this code to RHEL5 but ran out of time. The
problem I was having was s390x not defining nr_cpu_ids and breaking the runtime
num_possible_cpus():

```
net/netfilter/x_tables.c: In function 'xt_alloc_table_info':
net/netfilter/x_tables.c:409: error: 'nr_cpu_ids' undeclared (first use in this function)
net/netfilter/x_tables.c:409: error: (Each undeclared identifier is reported only once
net/netfilter/x_tables.c:409: error: for each function it appears in.)
make[2]: *** [net/netfilter/x_tables.o] Error 1
make[1]: *** [net/netfilter] Error 2
make[1]: *** Waiting for unfinished jobs....
net/sctp/sm_statefuns.c: In function 'sctp_eat_data':
net/sctp/sm_statefuns.c:5174: warning: unused variable 'account_value'
net/sctp/sm_make_chunk.c: In function 'sctp_unpack_cookie':
net/sctp/sm_make_chunk.c:1350: warning: initialization discards qualifiers from pointer target type
net/sctp/ulpevent.c: In function 'sctp_ulpevent_release_owner':
net/sctp/ulpevent.c:114: warning: unused variable 'skb'
make: *** [net] Error 2
+ exit 1
```

Also not sure the changes are kABI safe..

It's kABI safe so far. But nr_cpu_ids is not the problem of s390x: kernel-2.6.18 does not have a nr_cpu_ids definition at all. /me took the bug in work-queue... disregard my notice about kABI... it's unsafe.
Description of problem:
Since the rule table is sized according to NR_CPUS, the code in net/ipv4/netfilter/ip_tables.c applies an overflow check when loading new rule sets:

```c
/* overflow check */
if (tmp.size >= (INT_MAX - sizeof(struct xt_table_info)) / NR_CPUS - SMP_CACHE_BYTES)
	return -ENOMEM;
```

This limits the number of rules that can be loaded on e.g. x86_64 (NR_CPUS==255) to a lower number than the 32-bit kernel permits (NR_CPUS==32). Recompiling the kernel with a lower NR_CPUS allows the problem to be avoided but is obviously not a great solution.

Version-Release number of selected component (if applicable):
2.6.18-*

How reproducible:
100%

Steps to Reproduce:
Anything that will load a huge number of rules works, e.g.:
1. Fill /etc/sysconfig/iptables with a very large number of rules (~250,000; the exact number depends on the size/complexity of the rules)
2. Use iptables-restore to reload the rules

Actual results:
x86_64: iptables-restore: line 240468 failed
iptables gets an ENOMEM from the above code in do_replace.
i686: Works as expected.

Expected results:
The 64-bit kernel should not be more limited in this respect than the 32-bit kernel.

Additional info:
This was fixed upstream with the "xt_table_info-diet" patches:

commit 259d4e41f3ec25f22169daece42729f597b89f9a
Author: Eric Dumazet <dada1>
Date: Tue Dec 4 23:24:56 2007 -0800

[NETFILTER]: x_tables: struct xt_table_info diet

Instead of using a big array of NR_CPUS entries, we can compute the size needed at runtime, using nr_cpu_ids.

This should save some ram (especially on David's machines where NR_CPUS=409: 32 KB can be saved per table, and 64KB for dynamically allocated ones (because of slab/slub alignments)).

In particular, the 'bootstrap' tables are not any more static (in data section) but on stack as their size is now very small.

This also should reduce the size used on stack in compat functions (get_info() declares an automatic variable, that could be bigger than kernel stack size for big NR_CPUS).

Signed-off-by: Eric Dumazet <dada1>
Signed-off-by: Patrick McHardy <kaber>
Signed-off-by: David S. Miller <davem>
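The arithmetic behind the report, as an added C model that is not kernel code and not part of this bug: it evaluates the do_replace overflow check for the two kernels in the description (i686 with NR_CPUS=32 and 4-byte pointers, x86_64 with NR_CPUS=255 and 8-byte pointers) and for the same x86_64 kernel if the divisor were the runtime nr_cpu_ids of a 4-way box, which is what the diet patch achieves. The fixed-part size of struct xt_table_info (48 bytes), SMP_CACHE_BYTES (64) and the average rule size (120 bytes) are assumptions chosen to be realistic, not values from the page; the 250,000-rule blob is constructed to match the reproducer.

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the do_replace() overflow check; not the kernel's own
 * code. The two constants below are assumptions, not values from the report. */
#define XT_INFO_FIXED_BYTES   48u   /* assumed: size, number, initial_entries, hook_entry[], underflow[] */
#define SMP_CACHE_BYTES_MODEL 64u   /* assumed SMP_CACHE_BYTES */

/* sizeof(struct xt_table_info) when entries[] is sized at compile time:
 * the fixed part plus one per-CPU pointer for every one of ncpus slots. */
static size_t xt_table_info_size(unsigned int ncpus, size_t ptr_bytes)
{
    return XT_INFO_FIXED_BYTES + (size_t)ncpus * ptr_bytes;
}

/* Smallest tmp.size the check rejects, for the CPU count it is written
 * against: NR_CPUS before the diet patch, nr_cpu_ids after it. */
static size_t reject_threshold(unsigned int ncpus, size_t ptr_bytes)
{
    return ((size_t)INT_MAX - xt_table_info_size(ncpus, ptr_bytes)) / ncpus
           - SMP_CACHE_BYTES_MODEL;
}

/* Mirrors "if (tmp.size >= ...) return -ENOMEM;": returns 0 when accepted. */
static int overflow_check(size_t tmp_size, unsigned int ncpus, size_t ptr_bytes)
{
    if (tmp_size >= reject_threshold(ncpus, ptr_bytes))
        return -ENOMEM;
    return 0;
}

/* How many rules of rule_bytes each fit below the threshold. */
static size_t max_rules(unsigned int ncpus, size_t ptr_bytes, size_t rule_bytes)
{
    return (reject_threshold(ncpus, ptr_bytes) - 1) / rule_bytes;
}

int main(void)
{
    /* Constructed scenarios: the two kernels from the report, plus x86_64
     * with the divisor replaced by the runtime CPU count of a 4-way machine. */
    struct { const char *name; unsigned int ncpus; size_t ptr; } cfg[] = {
        { "i686,   NR_CPUS=32",    32, 4 },
        { "x86_64, NR_CPUS=255",  255, 8 },
        { "x86_64, nr_cpu_ids=4",   4, 8 },
    };
    const size_t rule_bytes = 120;            /* assumed average ipt_entry plus matches */
    const size_t blob = 250000 * rule_bytes;  /* ~250,000 rules, as in the reproducer */

    for (size_t i = 0; i < sizeof cfg / sizeof cfg[0]; i++) {
        printf("%-24s threshold=%10zu bytes  max rules=%8zu  250k rules: %s\n",
               cfg[i].name,
               reject_threshold(cfg[i].ncpus, cfg[i].ptr),
               max_rules(cfg[i].ncpus, cfg[i].ptr, rule_bytes),
               overflow_check(blob, cfg[i].ncpus, cfg[i].ptr) ? "ENOMEM" : "ok");
    }
    return 0;
}
```

With these assumptions the x86_64 kernel rejects any rule blob of about 8 MB or more (roughly 70,000 rules of 120 bytes), while the i686 kernel accepts up to about 64 MB (roughly 560,000 such rules); dividing by the 4 possible CPUs instead of NR_CPUS=255 raises the x86_64 limit to about 512 MB, which is the effect of computing the size at runtime.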