Re: [iptables PATCH RFC] nft: Set socket receive buffer

On Tue, Jul 02, 2019 at 07:26:15PM +0200, Pablo Neira Ayuso wrote:
> On Tue, Jul 02, 2019 at 05:12:01PM +0200, Phil Sutter wrote:
> > When trying to delete user-defined chains in a large ruleset,
> > iptables-nft aborts with "No buffer space available". This can be
> > reproduced using the following script:
> > 
> > | #! /bin/bash
> > | iptables-nft-restore <(
> > |
> > | echo "*filter"
> > | for i in $(seq 0 200000);do
> > |         printf ":chain_%06x - [0:0]\n" $i
> > | done
> > | for i in $(seq 0 200000);do
> > |         printf -- "-A INPUT -j chain_%06x\n" $i
> > |         printf -- "-A INPUT -j chain_%06x\n" $i
> > | done
> > | echo COMMIT
> > |
> > | )
> > | iptables-nft -X
> > 
> > Note that calling 'iptables-nft -F' before the last call avoids the
> > issue. Also, correct behaviour is indicated by a different error
> > message, namely:
> > 
> > | iptables v1.8.3 (nf_tables):  CHAIN_USER_DEL failed (Device or resource busy): chain chain_000000
> > 
> > The multiplier value used is a result of trial-and-error; it is the
> > first one which eliminated the ENOBUFS condition.
> 
> This is triggering a lot of errors (ack messages) to userspace.
> 
> Could you estimate the buffer size based on the number of commands?
> 
> mnl_batch_talk() is called before iterating over the list of commands,
> so this number is already in place. Then, pass it to
> mnl_nft_socket_sendmsg().
> 
> I'd suggest you add a mnl_set_rcvbuffer() too. You could assume that
> getpagesize() is the maximum size for an acknowledgment.

Ah, I didn't get that the kernel reply depends on the number of commands
sent, not the batch size. Thanks for your tip, this seems to work fine!

Thanks, Phil
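The sizing rule Pablo describes above, as an added illustration that is not part of the patch, of iptables or of libmnl: one page per command as the worst-case acknowledgment, requested via SO_RCVBUF on the netlink socket, with the kernel's actual grant read back so a too-small buffer is noticed before the batch is sent. The helper names (estimate_rcvbuf, set_rcvbuffer) are hypothetical and the 200001-command count comes from the reproducer script.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <unistd.h>

/* Receive buffer needed for a batch of `ncmds` commands, assuming (as
 * suggested in the thread) that a single acknowledgment never exceeds
 * one page. Saturates instead of overflowing for absurd command counts. */
size_t estimate_rcvbuf(size_t ncmds)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);   /* same as getpagesize() */

    if (ncmds > SIZE_MAX / page)
        return SIZE_MAX;
    return ncmds * page;
}

/* Hypothetical helper (not libmnl's API): ask for a receive buffer of
 * `bytes` on `fd` and return what the kernel actually granted. Linux
 * doubles the request to account for bookkeeping overhead and caps the
 * request at net.core.rmem_max, so getsockopt() reports twice the
 * effective request. Returns -1 on error. */
long set_rcvbuffer(int fd, size_t bytes)
{
    int req = bytes > INT_MAX ? INT_MAX : (int)bytes;
    int got = 0;
    socklen_t len = sizeof(got);

    if (setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &req, sizeof(req)) < 0)
        return -1;
    if (getsockopt(fd, SOL_SOCKET, SO_RCVBUF, &got, &len) < 0)
        return -1;
    return got;
}

int main(void)
{
    /* The reproducer script creates 200001 chains; `iptables-nft -X`
     * then batches one CHAIN_USER_DEL command per chain. */
    size_t ncmds = 200001;
    size_t want = estimate_rcvbuf(ncmds);
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER);

    if (fd < 0) {
        perror("socket(AF_NETLINK)");
        return 1;
    }

    long got = set_rcvbuffer(fd, want);
    if (got < 0) {
        perror("SO_RCVBUF");
        close(fd);
        return 1;
    }

    printf("%zu commands -> requested %zu bytes, kernel granted %ld\n",
           ncmds, want, got);
    /* Halve the reported value to compare against what was asked for. */
    if ((size_t)got / 2 < want)
        printf("granted less than requested: raise net.core.rmem_max "
               "(or use SO_RCVBUFFORCE with CAP_NET_ADMIN), otherwise "
               "the batch may still hit ENOBUFS\n");

    close(fd);
    return 0;
}
```

Creating the NETLINK_NETFILTER socket needs no privilege, so the program can be run as an ordinary user to see how far the request is clipped by net.core.rmem_max on a given host.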
