FASTSTART iptables-restore errors on openvz but numiptent is unlimited?

Posted: 28 Aug 2015, 20:44
by aww+
I've read previously here where numiptent limits have been blamed for FASTSTART failures when blocklists are downloaded/added

*Error* FASTSTART: (Blocklist IPv4) [iptables-restore: line 2 failed]

except my openvz container has no limit on numiptent - what else can I check?

numiptent 18036 18036 9223372036854775807 (third number is barrier/limit)

CT           | HELD Bar% Lim%| MAXH Bar% Lim%| BAR | LIM | FAIL
-------------+---------------+---------------+-----+-----+------
     kmemsize|79.2M  15%  15%| 143M  28%  28%| 512M| 512M|    - 
  lockedpages|   -    -    - |   -    -    - | 512M| 512M|    - 
  privvmpages| 661M   -    - | 999M   -    - |   - |   - |    - 
     shmpages| 130M   -    - | 133M   -    - |   - |   - |    - 
      numproc|  68    -    - | 141    -    - |   - |   - |    - 
    physpages| 499M   -   48%| 592M   -   57%|   - |   1G|    - 
  vmguarpages|   -    -    - |   -    -    - |   - |   - |    - 
 oomguarpages| 103M   -    - | 145M   -    - |   - |   - |    - 
   numtcpsock|  15    -    - |  20    -    - |   - |   - |    - 
     numflock|   5    -    - |  14    -    - |   - |   - |    - 
       numpty|   1    -    - |   2    -    - |   - |   - |    - 
   numsiginfo|   -    -    - |  63    -    - |   - |   - |    - 
    tcpsndbuf| 351K   -    - | 572K   -    - |   - |   - |    - 
    tcprcvbuf| 240K   -    - | 320K   -    - |   - |   - |    - 
 othersockbuf| 200K   -    - | 304K   -    - |   - |   - |    - 
  dgramrcvbuf|   -    -    - |2.52K   -    - |   - |   - |    - 
 numothersock| 141    -    - | 170    -    - |   - |   - |    - 
   dcachesize|5.06M   2%   2%|7.55M   2%   2%| 256M| 256M|    - 
      numfile|1.01K   -    - |1.58K   -    - |   - |   - |    - 
    numiptent|17.6K   -    - |17.6K   -    - |   - |   - |    - 

Re: FASTSTART iptables-restore errors on openvz but numiptent is unlimited?

Posted: 29 Aug 2015, 11:31
by aww+
I seem to have temporarily resolved this by decreasing CC_DROP_CIDR to 17 from 18

It decreased numiptent to 16K

(16 makes it 15K but allows too many networks in)

Maybe the container is being lied to that it is unlimited, but there is still no barrier failure count.

It would be interesting if someday LFD could, instead of pre-denying all CC_DENY, do it by inspecting connections once a minute and just deny maybe the /24 of what actually connects from those listed countries.

Not sure what the overhead is of checking the Geo database every minute against all connected IPs but it would solve the numiptent problem on even smaller servers.
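The two posts above boil down to one sizing question: how many iptables entries will a country block list produce at a given aggregation prefix, and does that number fit under the container's numiptent limit? The script below is an added example written for this thread; it is not the poster's code and not csf/lfd's own logic. It parses a constructed /proc/user_beancounters excerpt (both a capped and an "unlimited" variant, where OpenVZ prints LONG_MAX for no limit), and models a CC_DROP_CIDR-style setting as "round every network finer than /N up to its /N supernet and de-duplicate" (an assumption about how aggregation works, not csf's actual implementation). The network list is made up from documentation ranges.

```python
"""Estimate whether a country block list fits under an OpenVZ numiptent limit.
Added example for the forum thread above; not the poster's or csf's own code."""
import ipaddress

UNLIMITED = 9223372036854775807  # LONG_MAX: how OpenVZ prints "no limit"

# Constructed /proc/user_beancounters excerpts (not the poster's real output).
# Capped container: 18036 rules held, hard limit 18040.
BEANCOUNTERS_LIMITED = """\
Version: 2.5
       uid  resource      held   maxheld    barrier      limit  failcnt
      101:  kmemsize  83034112 149946368  536870912  536870912        0
            numiptent    18036     18036      18040      18040        0
            numproc         68       141  9223372036854775807  9223372036854775807  0
"""
# Same container with numiptent set to unlimited, as in the original post.
BEANCOUNTERS_UNLIMITED = BEANCOUNTERS_LIMITED.replace("18040", str(UNLIMITED))

# Constructed block list built from documentation/test ranges.
SAMPLE_NETS = [
    "192.0.2.0/24", "192.0.70.0/24", "192.0.130.0/24", "192.0.200.0/24",
    "198.51.100.0/24", "198.51.100.128/25", "203.0.113.0/24", "10.0.0.0/8",
]


def parse_beancounters(text):
    """Return {resource: {held, maxheld, barrier, limit, failcnt}}."""
    counters = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] in ("Version:", "uid"):
            continue
        if fields[0].endswith(":"):  # first row of a container carries "uid:"
            fields = fields[1:]
        name, *nums = fields
        if len(nums) != 5 or not all(n.isdigit() for n in nums):
            continue
        held, maxheld, barrier, limit, failcnt = map(int, nums)
        counters[name] = dict(held=held, maxheld=maxheld, barrier=barrier,
                              limit=limit, failcnt=failcnt)
    return counters


def numiptent_headroom(counters):
    """Entries still addable before the limit is hit, or None when unlimited."""
    c = counters["numiptent"]
    if c["limit"] >= UNLIMITED:
        return None
    return c["limit"] - c["held"]


def aggregate(networks, prefix):
    """Assumed CC_DROP_CIDR model: round each network finer than /prefix up to
    its /prefix supernet, keep coarser ones as-is, and de-duplicate."""
    out = set()
    for n in networks:
        net = ipaddress.ip_network(n, strict=False)
        if net.prefixlen > prefix:
            net = net.supernet(new_prefix=prefix)
        out.add(net)
    return sorted(out)


def rule_count(networks, prefix):
    """Number of iptables entries the aggregated list would need."""
    return len(aggregate(networks, prefix))


def fits(counters, networks, prefix):
    """True if the aggregated rules fit under numiptent (always True if unlimited)."""
    head = numiptent_headroom(counters)
    return head is None or rule_count(networks, prefix) <= head


if __name__ == "__main__":
    for label, text in (("limited", BEANCOUNTERS_LIMITED),
                        ("unlimited", BEANCOUNTERS_UNLIMITED)):
        ctrs = parse_beancounters(text)
        print(f"{label}: numiptent headroom = {numiptent_headroom(ctrs)}")
        for p in (18, 17, 16):
            print(f"  /{p}: {rule_count(SAMPLE_NETS, p)} rules, fits={fits(ctrs, SAMPLE_NETS, p)}")
```

Run against the real file (`cat /proc/user_beancounters` inside the container) the headroom function reproduces the poster's situation: a LONG_MAX limit reports "unlimited", so a failing iptables-restore with zero failcnt points at something other than the container's own numiptent accounting. The rule count shows why dropping CC_DROP_CIDR by one bit helps: coarser prefixes merge more networks into the same entry, at the cost of denying addresses that were not on the list.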