[OpenVZ] iptables: Memory allocation problem

Say you add a new iptables rule inside a container, but this time this happens:

# iptables -I INPUT -s 123.123.123.123 -j DROP
iptables: Memory allocation problem

Where does it come from?

You have probably hit the limit of the numiptent parameter (the number of iptables entries a container may hold). Check its failcnt in the beancounters:

# egrep "failcnt|numiptent" /proc/user_beancounters

If the failcnt column of the numiptent row is greater than zero, you have your answer.

Increase the limit

On the host you can redefine the limit (soft barrier and hard limit) for a container like this:

# vzctl set VPS_ID --save --numiptent 800:1000

Here I double the default values.
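As an added example (not from the original post), a POSIX shell script that automates the check above: it pulls the numiptent row out of a user_beancounters file, which on a real container is /proc/user_beancounters, and reports whether failcnt is non-zero. The file-path parameter and the sample values are assumptions made here for testing offline.

```shell
#!/bin/sh
# Added example: inspect the numiptent row of a user_beancounters file.
# The path is a parameter so the script can run against a constructed sample;
# on a real OpenVZ container pass /proc/user_beancounters.

# Print "held maxheld barrier limit failcnt" for numiptent, nothing if absent.
numiptent_row() {
    awk '$1 == "numiptent" || $2 == "numiptent" {
        # The first resource row of a container also carries the "uid:" column,
        # so the resource name may be field 1 or 2; take the last five fields.
        n = NF
        print $(n-4), $(n-3), $(n-2), $(n-1), $n
        exit
    }' "$1"
}

# Print only the failcnt value; return 2 when the row is missing.
numiptent_failcnt() {
    set -- $(numiptent_row "$1")
    [ $# -eq 5 ] || return 2
    echo "$5"
}

# Constructed sample in the /proc/user_beancounters layout (made-up values).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Version: 2.5
       uid  resource                     held              maxheld              barrier                limit              failcnt
      101:  kmemsize                  2195840              2878464             11055923             11377049                    0
            numiptent                     500                  500                  400                  500                   12
            numfile                      1340                 2048                 9312                 9312                    0
EOF

failcnt=$(numiptent_failcnt "$SAMPLE") || failcnt=""
if [ -z "$failcnt" ]; then
    echo "numiptent row not found (not an OpenVZ container?)"
elif [ "$failcnt" -gt 0 ]; then
    echo "numiptent: $(numiptent_row "$SAMPLE") -> limit hit, raise it with vzctl set --numiptent"
else
    echo "numiptent: $(numiptent_row "$SAMPLE") -> OK"
fi
rm -f "$SAMPLE"
```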