Bug 453814 - Adding many iptables rules fails on archs with large NR_CPUS
Summary: Adding many iptables rules fails on archs with large NR_CPUS
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel
Version: 5.2
Hardware: All
OS: Linux
Target Milestone: rc
Assignee: Anton Arapov
QA Contact: Martin Jenner
Depends On:
Reported: 2008-07-02 18:23 UTC by Bryn M. Reeves
Modified: 2018-10-19 22:03 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2008-07-21 06:56:39 UTC
Target Upstream Version:

Attachments
xt_table_info diet for rhel5 (deleted)
2008-07-02 18:31 UTC, Bryn M. Reeves

Description Bryn M. Reeves 2008-07-02 18:23:36 UTC
Description of problem:
Since the rule table is sized according to NR_CPUS, the code in
net/ipv4/netfilter/ip_tables.c applies an overflow check when loading new rule sets:

    /* overflow check: NR_CPUS per-cpu copies of tmp.size plus the header must fit in an int */
    if (tmp.size >= (INT_MAX - sizeof(struct xt_table_info)) / NR_CPUS -
            SMP_CACHE_BYTES)
        return -ENOMEM;

This limits the number of rules that can be loaded on e.g. x86_64 (NR_CPUS==255)
to a lower number than the 32-bit kernel permits (NR_CPUS==32).

Recompiling the kernel with a lower NR_CPUS allows the problem to be avoided but
is obviously not a great solution.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
Anything that will load a huge number of rules works, e.g.:
1. Fill /etc/sysconfig/iptables with a very large number of rules (~250,000 -
exact number depends on size/complexity of rules)
2. Use iptables-restore to reload the rules

Actual results:
iptables-restore: line 240468 failed
iptables gets an ENOMEM from the above code in do_replace.

Works as expected.

Expected results:
The 64-bit kernel should not be more limited in this respect than the 32-bit kernel.

Additional info:
This was fixed upstream with the "xt_table_info-diet" patches:
commit 259d4e41f3ec25f22169daece42729f597b89f9a
Author: Eric Dumazet <>
Date:   Tue Dec 4 23:24:56 2007 -0800

   [NETFILTER]: x_tables: struct xt_table_info diet
   Instead of using a big array of NR_CPUS entries, we can compute the size
   needed at runtime, using nr_cpu_ids
   This should save some ram (especially on David's machines where NR_CPUS=409
   32 KB can be saved per table, and 64KB for dynamically allocated ones (beca
   of slab/slub alignments) )
   In particular, the 'bootstrap' tables are not any more static (in data
   section) but on stack as their size is now very small.
   This also should reduce the size used on stack in compat functions
   (get_info() declares an automatic variable, that could be bigger than kerne
   stack size for big NR_CPUS)
   Signed-off-by: Eric Dumazet <>
   Signed-off-by: Patrick McHardy <>
   Signed-off-by: David S. Miller <>
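
The following is an added example, not code from this bug report or from the kernel tree. It models the do_replace() overflow check quoted in the description in user space, with the CPU count as a parameter, so the ceiling it imposes on a rule table can be measured for the two NR_CPUS values named above and compared with sizing by a runtime CPU count, which is the approach the upstream diet patch takes. The struct layout, SMP_CACHE_BYTES == 128 and the nr_cpu_ids value of 8 are assumptions chosen for the demonstration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not code from the bug page or the kernel tree: a user-space
 * model of the do_replace() overflow check, used to measure how NR_CPUS sets
 * the ceiling on a rule table and why a runtime CPU count (nr_cpu_ids, as in
 * the upstream diet patch) raises it. */

/* Assumption: cache-line constant as on common x86 builds. */
#define SMP_CACHE_BYTES 128

/* Modeled header. The real struct xt_table_info has more fields and, before
 * the diet patch, a pointer per possible CPU; only its size matters here. */
struct xt_table_info_model {
    unsigned int size;
    unsigned int number;
    unsigned int initial_entries;
    unsigned int hook_entry[5];
    unsigned int underflow[5];
};

/* The check as written in ip_tables.c, with the CPU count as a parameter:
 * every CPU gets its own copy of the rule blob, so size * ncpus plus the
 * header must stay below INT_MAX. Returns 1 if the replacement is accepted. */
int passes_overflow_check(size_t size, unsigned int ncpus)
{
    size_t ceiling = (INT_MAX - sizeof(struct xt_table_info_model)) / ncpus
                     - SMP_CACHE_BYTES;
    return size < ceiling;
}

/* Largest blob size the check accepts for a given CPU count (one below the
 * ceiling, since the kernel rejects on >=). */
size_t xt_size_limit(unsigned int ncpus)
{
    size_t ceiling = (INT_MAX - sizeof(struct xt_table_info_model)) / ncpus
                     - SMP_CACHE_BYTES;
    return ceiling - 1;
}

/* Memory the kernel would commit for an accepted replacement: per-CPU copies
 * plus the header. Confirms the ceiling really keeps the total in int range. */
unsigned long long table_bytes(size_t size, unsigned int ncpus)
{
    return (unsigned long long)size * ncpus + sizeof(struct xt_table_info_model);
}

int main(void)
{
    /* Constructed CPU counts: the two compile-time NR_CPUS values from the
     * report and an assumed runtime nr_cpu_ids of 8 for a small server. */
    unsigned int counts[] = { 32, 255, 8 };
    const char *labels[] = { "i686 NR_CPUS", "x86_64 NR_CPUS", "nr_cpu_ids (assumed)" };
    size_t i;

    for (i = 0; i < 3; i++) {
        size_t lim = xt_size_limit(counts[i]);
        printf("%-22s %3u -> max rule blob %9zu bytes, total %llu bytes\n",
               labels[i], counts[i], lim, table_bytes(lim, counts[i]));
    }
    return 0;
}
```

Running it shows the ceiling at NR_CPUS==255 is roughly an eighth of the one at NR_CPUS==32, which is the asymmetry the report describes, and that a blob rejected on x86_64 is accepted by the same check on i686. Dividing by the number of CPUs actually present instead of the compile-time maximum moves the ceiling up without touching the check's purpose, which is to keep the per-CPU copies from overflowing an int.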

Comment 2 Bryn M. Reeves 2008-07-02 18:31:24 UTC
Created attachment 310838 [details]
xt_table_info diet for rhel5

I started working on a backport of this code to RHEL5 but ran out of time. The
problem I was having was s390x not defining nr_cpu_ids and breaking the runtime:

net/netfilter/x_tables.c: In function 'xt_alloc_table_info':
net/netfilter/x_tables.c:409: error: 'nr_cpu_ids' undeclared (first use in this
net/netfilter/x_tables.c:409: error: (Each undeclared identifier is reported
only once
net/netfilter/x_tables.c:409: error: for each function it appears in.)
make[2]: *** [net/netfilter/x_tables.o] Error 1
make[1]: *** [net/netfilter] Error 2
make[1]: *** Waiting for unfinished jobs....
net/sctp/sm_statefuns.c: In function 'sctp_eat_data':
net/sctp/sm_statefuns.c:5174: warning: unused variable 'account_value'
net/sctp/sm_make_chunk.c: In function 'sctp_unpack_cookie':
net/sctp/sm_make_chunk.c:1350: warning: initialization discards qualifiers from
pointer target type
net/sctp/ulpevent.c: In function 'sctp_ulpevent_release_owner':
net/sctp/ulpevent.c:114: warning: unused variable 'skb'
make: *** [net] Error 2
+ exit 1

Also not sure the changes are kABI safe..

Comment 3 Anton Arapov 2008-07-04 11:49:40 UTC
It's kABI safe so far. But nr_cpu_ids is not a problem specific to s390x: kernel-2.6.18
does not have an nr_cpu_ids definition at all.

/me took the bug in work-queue...

Comment 4 Anton Arapov 2008-07-04 12:27:25 UTC
disregard my notice about kABI... it's unsafe.
