We've tried to replace our NOKIA FW-1 box with a LINUX one [FW-1 v4.1 SP4 +
RedHat 6.2, 2.2.19 kernel].

Installation was pretty straightforward, but every time we tried to
install the policy from our management station we got a few messages in
/var/log/messages:

/var/log/messages.4:Oct  5 14:29:42 fw kernel: kmalloc: Size (786540) too large
/var/log/messages.4:Oct  5 14:29:42 fw kernel: kmalloc: Size (786636) too large
/var/log/messages.4:Oct  5 14:29:42 fw kernel: kmalloc: Size (789660) too large

Our policy contains about 90 rules & 400 objects with a few VPNs.

A short search with Google pointed us to a few messages with the same
problem, but didn't help to solve it
(for instance, the "[FW1] Strange things in RH62 + Fw1-41-Sp2( kmalloc: Size
(275548) too large )" thread on
http://www.firewall-1.org/2001-01/maillist.html).

According to skl1314 from Check Point SecureKnowledge, the "solution is
currently not available. Issue under investigation".

But this search helped me to understand what exactly the problem is:
FW-1 calls the "kmalloc" function in order to get a block of memory. But Linux's
kmalloc [kernels 2.2.x & 2.4.x] knows how to allocate memory only in blocks of
2K, 4K, ... 128K.
And in our case FW-1 wants to get ~800K of memory.

The solution:

I fixed slab.c in order to increase the kmalloc limit from 128K to 1280K.
The diff from the original slab.c for kernel 2.2.19 is below:

298c298
< #define       SLAB_OBJ_MAX_ORDER      8       /* 32 pages */
---
> #define       SLAB_OBJ_MAX_ORDER      5       /* 32 pages */
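Review bot: the two sides of this hunk look swapped relative to the stated "diff from orig slab.c": the `>` line carries the stock 2.2.19 value `SLAB_OBJ_MAX_ORDER 5` (the `/* 32 pages */` comment matches order 5) while the `<` line carries the new value 8, so this reads as `diff new orig`. Anyone applying it with `patch` has to reverse it (`patch -R`), so regenerating it as `diff -u orig new` would avoid confusion. The `/* 32 pages */` comment was also copied unchanged onto the order-8 line; 2^8 is 256 pages, so update the comment to match.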
301c301
< #define       SLAB_MAX_GFP_ORDER      8       /* 32 pages */
---
> #define       SLAB_MAX_GFP_ORDER      5       /* 32 pages */
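Review bot: same stale comment as the hunk above: `SLAB_MAX_GFP_ORDER 8` still says `/* 32 pages */`, but order 8 is 256 contiguous pages, i.e. 1 MiB with 4 KiB pages, which is exactly what the `size-1048576` cache added further down requires. Raising the GFP order also deserves a comment in the code: every slab allocation above 128 KiB now depends on the page allocator finding that many physically contiguous free pages, which gets less reliable on a long-running, fragmented box, so the `kmalloc: Size (...) too large` messages may be replaced by plain allocation failures under memory pressure.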
345,347d344
<       {262144,        NULL},
<       {524288,        NULL},
<       {1048576,       NULL},
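Review bot: the three new entries `{262144, NULL}`, `{524288, NULL}`, `{1048576, NULL}` extend the size table to 1 MiB, but the text above says the limit was raised "from 128K to 1280K"; 1280K is not a power of two and no such cache is added here, so the description should say 1M (1048576). Each new size also needs a matching entry, in the same position, in the names list changed by the last hunk; keep the two arrays in lock-step or `kmem_cache_sizes_init` will label the caches wrongly.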
370,374c367
<       "size-131072",
<       "size-262144",
<       "size-524288",
<       "size-1048576"
<
---
>       "size-131072"
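Review bot: the bare `<` line with nothing after it adds an empty line inside the names array initialiser; it is harmless but pure noise in the patch, so drop it. Note also that the `>` side ends with `"size-131072"` and no trailing comma, while the `<` side needs a comma after `"size-131072",` before the new names; anyone hand-applying only the `"size-262144"` .. `"size-1048576"` lines must add that comma or the build fails.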


After compiling & installing the new kernel we're able to install the fw policy
without any problem.

P.S.: our current problem is "ISAKMP AddNegotiation: try to handle too many
negotiations" in /var/log/messages.
According to Resolution 2093 from the Nokia Support Knowledge Base it's a
pretty old [FW-1 v4.0] problem - the FW-1 table for ISAKMP connections is
limited to 100 entries.
We haven't found a solution till now... :-(


Regards,
Vitaly Karasik
Unix System Administrator
NDS Israel
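As an added illustration (not part of the original post), the following shell script takes `kmalloc: Size (N) too large` lines like the ones quoted above and works out which power-of-two slab cache and which page order each request would need, so the numbers in the diff (order 5 for the stock 128K ceiling, order 8 for a 1M cache) can be checked against a real log. It assumes 4 KiB pages and a constructed sample log; the function names are mine.

```shell
#!/bin/sh
# Added example: map "kmalloc: Size (N) too large" syslog lines to the
# power-of-two slab cache and page order that would satisfy them.
# Assumption: 4 KiB pages (i386); stock 2.2.19 caps at order 5 (32 pages, 128 KiB).

PAGE_SIZE=4096
STOCK_MAX_ORDER=5

# Smallest power-of-two cache size (32, 64, ... like slab.c's size table)
# that can hold a request of $1 bytes.
cache_size_for() {
    s=32
    while [ "$s" -lt "$1" ]; do s=$((s * 2)); done
    echo "$s"
}

# Page order (log2 of contiguous pages) needed for a cache of $1 bytes.
gfp_order_for() {
    pages=$(( ($1 + PAGE_SIZE - 1) / PAGE_SIZE ))
    order=0
    while [ $((1 << order)) -lt "$pages" ]; do order=$((order + 1)); done
    echo "$order"
}

# Extract the byte counts from syslog text on stdin, one per output line.
extract_kmalloc_sizes() {
    sed -n 's/.*kmalloc: Size (\([0-9][0-9]*\)) too large.*/\1/p'
}

# Constructed sample log mirroring the messages quoted in the post.
SAMPLE_LOG='Oct  5 14:29:42 fw kernel: kmalloc: Size (786540) too large
Oct  5 14:29:42 fw kernel: kmalloc: Size (786636) too large
Oct  5 14:29:42 fw kernel: kmalloc: Size (789660) too large
Oct  5 14:29:43 fw kernel: some unrelated line'

# Highest page order any request in the given log text would need.
max_order_in_log() {
    max=0
    for size in $(printf '%s\n' "$1" | extract_kmalloc_sizes); do
        o=$(gfp_order_for "$(cache_size_for "$size")")
        if [ "$o" -gt "$max" ]; then max=$o; fi
    done
    echo "$max"
}

for size in $(printf '%s\n' "$SAMPLE_LOG" | extract_kmalloc_sizes); do
    c=$(cache_size_for "$size")
    printf 'request %7d -> size-%d cache, order %d (stock limit: order %d)\n' \
        "$size" "$c" "$(gfp_order_for "$c")" "$STOCK_MAX_ORDER"
done
```

For the three sizes in the post every request lands in a 1048576-byte cache at order 8, which is the value the diff sets for both `SLAB_OBJ_MAX_ORDER` and `SLAB_MAX_GFP_ORDER`.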

===============================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
===============================================