The limit on the number of Linux iptables rules depends on the system's memory and CPU resources. On older systems you may run into a cap on the rule count; on modern systems it is usually not much of a problem.
You can raise the number of iptables rules by changing the following values in /etc/sysctl.conf:
# Max number of memory map areas a process may have
vm.max_map_count = 262144
# Max number of file descriptors a process may have
fs.file-max = 65535
# Max number of entries in the connection-tracking table (legacy key; newer kernels expose it as net.netfilter.nf_conntrack_max)
net.ipv4.netfilter.ip_conntrack_max = 131072
# Max number of packets queued on the input side when a NIC receives faster than the kernel can process them
net.core.netdev_max_backlog = 100000
After changing these values, sysctl.conf must be reloaded for the change to take effect:
$ sudo sysctl -p /etc/sysctl.conf
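The procedure above (write the tunables, reload with sysctl -p, confirm they took effect) as a small POSIX shell script; this is an added example, not part of the original page. It assumes a drop-in directory /etc/sysctl.d (the path in SYSCTL_DROPIN is an assumption and can be overridden for dry runs), the procps sysctl binary, and root only for the apply step. It also substitutes the current key name net.netfilter.nf_conntrack_max for the legacy net.ipv4.netfilter.ip_conntrack_max used on the page; that substitution is an assumption about the kernel you run it on.

```shell
#!/bin/sh
# Added example (not from the original page): manage the kernel tunables quoted
# above in a sysctl drop-in, then verify the live values after reloading.
# Assumptions: /etc/sysctl.d is honoured by `sysctl --system`/`sysctl -p`,
# procps `sysctl` is installed, and apply_and_verify runs as root.

SYSCTL_DROPIN="${SYSCTL_DROPIN:-/etc/sysctl.d/90-netfilter-tuning.conf}"

# Desired values, one "key value" pair per line (constructed from the page;
# the conntrack key is the modern name, an assumption about the running kernel).
desired_tunables() {
    cat <<'EOF'
vm.max_map_count 262144
fs.file-max 65535
net.netfilter.nf_conntrack_max 131072
net.core.netdev_max_backlog 100000
EOF
}

# Parse a sysctl.conf-format file. $1 = file, $2 = key. Prints the value and
# returns 0, or returns 1 if the key is absent. Comment lines start with # or ;
# and, as in sysctl itself, the last definition of a key wins.
read_conf_value() {
    awk -v key="$2" '
        /^[[:space:]]*[#;]/ { next }
        {
            n = index($0, "=")
            if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (k == key) { val = v; found = 1 }
        }
        END { if (found) { print val; exit 0 } else exit 1 }' "$1"
}

# Write the desired tunables to $1 in the "key = value" form sysctl -p reads.
write_dropin() {
    {
        echo "# Kernel tunables managed by this script (constructed example)"
        desired_tunables | while read -r key want; do
            printf '%s = %s\n' "$key" "$want"
        done
    } > "$1"
}

# Return 0 if every desired key is present in file $1 with the desired value;
# otherwise report each mismatch on stderr and return 1.
check_tunables() {
    rc=0
    while read -r key want; do
        have=$(read_conf_value "$1" "$key") || have="<missing>"
        if [ "$have" != "$want" ]; then
            printf 'MISMATCH %s: want %s, have %s\n' "$key" "$want" "$have" >&2
            rc=1
        fi
    done <<EOF
$(desired_tunables)
EOF
    return "$rc"
}

# Live kernel value for key $1 (reading needs no root).
running_value() {
    sysctl -n "$1" 2>/dev/null
}

# Write the drop-in, reload it, then compare every live value with the target.
# Needs root. Returns 1 on the first value the kernel did not accept.
apply_and_verify() {
    write_dropin "$SYSCTL_DROPIN"
    sysctl -p "$SYSCTL_DROPIN" >/dev/null || return 1
    while read -r key want; do
        have=$(running_value "$key")
        if [ "$have" != "$want" ]; then
            printf 'NOT APPLIED %s: want %s, have %s\n' "$key" "$want" "$have" >&2
            return 1
        fi
    done <<EOF
$(desired_tunables)
EOF
}

# Stand-alone use: `sudo SYSCTL_DROPIN=/etc/sysctl.d/90-netfilter-tuning.conf ./tune.sh --apply`
case "${1:-}" in
    --apply) apply_and_verify ;;
esac
```

Before applying, compare the targets with `sysctl -n <key>` on the host: fs.file-max = 65535 in particular is lower than the default many current kernels compute from available memory, so copying the page's value blindly can reduce the limit rather than raise it. The drop-in file keeps the change separate from /etc/sysctl.conf, which makes it easy to audit or roll back.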