# iptables: Memory allocation problem.

## redsmayday

I have a Gentoo server running CSF. I cannot restart csf with `csf -r` after I added a country deny such as "FR,DE", and keep getting

```
iptables: Memory allocation problem.
iptables: Memory allocation problem.
iptables: Memory allocation problem.
Error: FASTSTART: (TCP_OUT IPv4) [] [iptables-restore: line 17 failed]. Try restarting csf with FASTSTART disabled, at line 4735
```

Server memory is as following:

```
  16597188 K total memory
   6995852 K used memory
   2721840 K active memory
   3871436 K inactive memory
   9601336 K free memory
    349092 K buffer memory
   5938516 K swap cache
   2047844 K total swap
         0 K used swap
   2047844 K free swap
   3156973 non-nice user cpu ticks
    375900 nice user cpu ticks
   2113409 system cpu ticks
5918899468 idle cpu ticks
   1320304 IO-wait cpu ticks
   5460220 IRQ cpu ticks
   6684823 softirq cpu ticks
         0 stolen cpu ticks
  15861626 pages paged in
 315324943 pages paged out
         0 pages swapped in
         0 pages swapped out
3182143506 interrupts
3346516201 CPU context switches
1521864963 boot time
   2623257 forks
```

Server support (which supports CentOS, but not Gentoo) told me the following:

I added a value in the grub config in /etc/default/grub

From :

```
GRUB_CMDLINE_LINUX_DEFAULT=""
```

To :

```
GRUB_CMDLINE_LINUX_DEFAULT="quiet vmalloc=384M"
```

Now grub needs to be rebuilt to apply the new rules.

Unfortunately, we do not support Gentoo as an operating system and we don't want to take the risk of breaking your system.

In the file it's written to perform this command to update the changes: grub2-mkconfig -o /boot/grub2/grub.cfg

Since we do not support this OS, I don't want to take the chance of running this command.

I found this article https://wiki.gentoo.org/wiki/GRUB2 with the same command.

I can't guarantee you whether it will work or not. We do not work with Gentoo.

Try to contact a Gentoo expert to know exactly whether the command can be run without any issues before.

If it works, the server should be rebooted after the changes to apply the new value.

Unfortunately, we can't help you more than that on this issue; it's related to the kernel/OS, which we do not support.

Could any professionals tell me whether the above memory solution is good for my Gentoo server or not? Thank you.

[Moderator edit: added [code] tags to preserve output layout. -Hu]

----------

## bunder

I'm not familiar with CSF, but iptables memory allocation issues can sometimes stem from having too many open connections with conntrack enabled.  Or possibly too many rules.  I had issues a few years back with a "basic" iptables setup with 60K rules, wound up having to consolidate with ipset.

edit: the grub kernel line change you want to make should be fine.

----------

## redsmayday

*bunder wrote:*

> I'm not familiar with CSF, but iptables memory allocation issues can sometimes stem from having too many open connections with conntrack enabled.  Or possibly too many rules.  I had issues a few years back with a "basic" iptables setup with 60K rules, wound up having to consolidate with ipset.
> 
> edit: the grub kernel line change you want to make should be fine.


Thank you very much bunder for your reply. Will ask the server support to help me apply the changes for the memory.

Plus: I could not find the "basic" iptables setup in your previous posts; would you please share the link with me?

----------

## bunder

It was a custom script I wrote, with a fairly extensive block list...  but iptables rules are processed one at a time until it finds a match or hits the end of the chain, and the more rules you need the longer it takes to process.  ipset speeds up that process by having one rule with a faster match lookup.  conntrack also takes up a fair bit of memory, but only when you're managing many thousands of connections.  I think you should have plenty of memory for that though.
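To make the rule-count difference concrete, here is an added example (not bunder's script, not CSF's own rules, and not part of the original thread) that generates the two equivalent rule sets from the same block list: one `-A INPUT ... -j DROP` rule per network, versus a single `hash:net` ipset plus one `-m set` rule. The set name `blocklist` and the networks (RFC 5737 test ranges) are constructed sample values; the script only writes `iptables-restore` and `ipset restore` input and does not touch the running firewall.

```shell
#!/bin/sh
# Added example: compare per-network DROP rules with the single-rule ipset form.
# "blocklist" and the networks below are constructed sample values, not CSF's.
BLOCKLIST="203.0.113.0/24
198.51.100.0/24
192.0.2.0/24
198.18.0.0/15"

# One DROP rule per network (iptables-restore format). The kernel walks these
# linearly for every packet until one matches or the chain ends.
gen_per_rule_restore() {
  printf '*filter\n'
  printf '%s\n' "$BLOCKLIST" | while read -r net; do
    [ -n "$net" ] && printf '%s\n' "-A INPUT -s $net -j DROP"
  done
  printf 'COMMIT\n'
}

# ipset restore input: a single hash:net set holding every network.
# Membership is a hash lookup, so the cost stays flat as the list grows.
gen_ipset_restore() {
  printf 'create blocklist hash:net family inet hashsize 1024 maxelem 65536\n'
  printf '%s\n' "$BLOCKLIST" | while read -r net; do
    [ -n "$net" ] && printf 'add blocklist %s\n' "$net"
  done
}

# iptables-restore input that references the set: one rule regardless of
# how many networks the set contains.
gen_ipset_rule_restore() {
  printf '*filter\n'
  printf '%s\n' "-A INPUT -m set --match-set blocklist src -j DROP"
  printf 'COMMIT\n'
}

# Count "-A" rule lines in iptables-restore input read from stdin.
count_rules() {
  grep -c '^-A '
}

# Count "add" lines in ipset restore input read from stdin.
count_set_entries() {
  grep -c '^add '
}

# Write both variants to files so they can be inspected or loaded.
gen_per_rule_restore   > per-rule.v4
gen_ipset_restore      > blocklist.ipset
gen_ipset_rule_restore > ipset-rule.v4
echo "per-rule chain: $(count_rules < per-rule.v4) rules"
echo "ipset chain:    $(count_rules < ipset-rule.v4) rule, $(count_set_entries < blocklist.ipset) set entries"
```

To load the ipset variant, the set must exist before the rule that references it: `ipset restore < blocklist.ipset`, then `iptables-restore -n ipset-rule.v4` (`-n` keeps existing rules instead of flushing them). `ipset list blocklist` shows the entries. With a 60K-network list the ipset form still loads one rule, which is what bunder's consolidation buys; CSF also has its own ipset support (the `LF_IPSET` setting in `csf.conf`) for its deny lists.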

----------

## redsmayday

I see, thank you bunder very much for your help. Will try and see.

----------

## redsmayday

*bunder wrote:*

> edit: the grub kernel line change you want to make should be fine.

Hi bunder, do you think this memory size change is reversible? Say if the system goes wrong, can we change this line back to what it was, `GRUB_CMDLINE_LINUX_DEFAULT=""`, and the system will go back to the status from before the memory change? Thank you very much!

----------

## bunder

Sure, you can change the value or remove it then grub-mkconfig and reboot.
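The edit the support reply describes (adding `vmalloc=384M` to `GRUB_CMDLINE_LINUX_DEFAULT`) and the revert bunder confirms is possible, as an added example that is not from the thread, from CSF or from Gentoo: a small POSIX shell script that adds or removes only the `vmalloc=` token in a `/etc/default/grub` style file, leaving other tokens such as `quiet` untouched, so the change can be undone exactly. Every function takes the file path as its first argument; the demo at the bottom works on a temporary file it constructs, never on the real `/etc/default/grub`.

```shell
#!/bin/sh
# Added example: add/remove the vmalloc= kernel parameter in a
# /etc/default/grub style file reversibly. Functions take the file as $1.

# Print the current value of GRUB_CMDLINE_LINUX_DEFAULT (without quotes).
get_cmdline() {
  sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p' "$1"
}

# Replace the value; written via a temp file so it works with any sed.
set_cmdline() {
  sed "s|^GRUB_CMDLINE_LINUX_DEFAULT=\".*\"$|GRUB_CMDLINE_LINUX_DEFAULT=\"$2\"|" "$1" > "$1.tmp" \
    && mv "$1.tmp" "$1"
}

# Strip any vmalloc=... token and squeeze the whitespace it leaves behind.
strip_vmalloc() {
  printf '%s\n' "$1" | sed 's/vmalloc=[^ ]*//g; s/  */ /g; s/^ //; s/ $//'
}

# Add (or replace) vmalloc=$2, e.g. 384M. Idempotent; keeps the other tokens.
add_vmalloc() {
  cur=$(get_cmdline "$1")
  new=$(strip_vmalloc "$cur")
  set_cmdline "$1" "${new:+$new }vmalloc=$2"
}

# Revert: remove the vmalloc= token, leaving the rest of the line as it was.
remove_vmalloc() {
  cur=$(get_cmdline "$1")
  set_cmdline "$1" "$(strip_vmalloc "$cur")"
}

# Demo on a constructed copy of the file (the real file is never touched here).
demo() {
  tmp=$(mktemp)
  printf 'GRUB_DISTRIBUTOR="Gentoo"\nGRUB_CMDLINE_LINUX_DEFAULT="quiet"\n' > "$tmp"
  add_vmalloc "$tmp" 384M
  echo "after add:    $(get_cmdline "$tmp")"   # quiet vmalloc=384M
  remove_vmalloc "$tmp"
  echo "after remove: $(get_cmdline "$tmp")"   # quiet
  rm -f "$tmp" "$tmp.tmp"
}
demo
```

On the real system the sequence is: keep a copy (`cp /etc/default/grub /etc/default/grub.bak`), run `add_vmalloc /etc/default/grub 384M`, regenerate the config (on Gentoo that is `grub-mkconfig -o /boot/grub/grub.cfg`; the `grub2-` spellings in the support reply are the CentOS names), and reboot. `grep -o 'vmalloc=[^ ]*' /proc/cmdline` then shows whether the running kernel actually received the parameter. Reverting is `remove_vmalloc /etc/default/grub`, the same `grub-mkconfig`, and another reboot, which restores the line exactly as it was.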

----------

## redsmayday

*bunder wrote:*

> Sure, you can change the value or remove it then grub-mkconfig and reboot.


Hi bunder, the change has been applied by my server provider after getting your confirmation and backup. Really appreciate your help!

----------

