Linux kernel, iptables and vmalloc size

Question

We have been having problems with iptables on a few of our Linux boxes where it seems the shear number of rules being loaded causes a vmalloc error (vmap allocation for size 3506176 failed: use vmalloc= to increase size.) to appear in dmesg and any additional rules stop being loaded.

After much research we increased the vmalloc size from 128MB to 512MB and rebooted and that has temporarily fixed the issue. It seems though that a 64-bit kernel doesn't have this issue(?). I checked my CentOS 6 box (64 bit) and it has VmallocTotal: 34,359,738,367 kB (!).

So my question is, would a 32bit PAE kernel also solve this issue? It would be much easier to change kernels than the OS across multiple sites...

Thanks, Jak

Answer 1

A 32-bit PAE kernel will not solve this issue, because the issue stems from allocation fragmentation in the vmalloc space. In x86-64, the vmalloc space is very large (much larger than the physical RAM size), so you don't get into a situation where it is sufficiently fragmented for allocation failures to occur. In 32-bit, however, the vmalloc space is much-much smaller - a hew hundred MB. Moving to PAE doesn't make this virtual allocation space any larger.

A workaround for your problem, if you would like to remain in 32-bit, is to modify the kernel so that iptables allocates from a pre-allocated vmalloc space, thus, avoiding the fragmentation caused by other callers to vmalloc (although, there's no guarantee that this would solve your problem perfectly, as it depends on the profile of how iptables allocates memory with respect to what you do with it, which is unknown in this question's scope).

Answer 2

You can use a 64 bit kernel with a 32 bit userspace - this would give you the advantages of an enormous vmalloc arena with only a kernel change.