On Tue, Jul 02, 2019 at 08:03:19PM +0200, Phil Sutter wrote:
> When trying to delete user-defined chains in a large ruleset,
> iptables-nft aborts with "No buffer space available". This can be
> reproduced using the following script:
>
> | #! /bin/bash
> | iptables-nft-restore <(
> |
> | echo "*filter"
> | for i in $(seq 0 200000);do
> | printf ":chain_%06x - [0:0]\n" $i
> | done
> | for i in $(seq 0 200000);do
> | printf -- "-A INPUT -j chain_%06x\n" $i
> | printf -- "-A INPUT -j chain_%06x\n" $i
> | done
> | echo COMMIT
> |
> | )
> | iptables-nft -X
>
> The problem seems to be the sheer amount of netlink error messages sent
> back to user space (one EBUSY for each chain). To solve this, set
> receive buffer size depending on number of commands sent to kernel.

LGTM.

One more change, make sure you reset:

nlbuffsiz = 0

from nft_restart().

Thanks.

P.S: It would be good to have a follow-up to place these global variables into the nft_handle object at some point.
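An added illustration (not Phil's patch and not iptables code) of the approach the commit message describes together with the reset the reviewer asks for: size the netlink receive buffer from the number of batched commands, since the kernel answers each one with an NLMSG_ERROR and the replies overflow a default-sized queue, only grow it, and clear the cached size whenever the socket is restarted. The nl_rcvbuf_* names, the 64 KiB floor and the page rounding are assumptions made here.

```c
#include <limits.h>
#include <stddef.h>
#include <sys/socket.h>
#include <linux/netlink.h>

/* Space one NLMSG_ERROR reply occupies in the receive queue (header + payload, aligned). */
#define NL_ERR_MSG_SIZE  NLMSG_ALIGN(NLMSG_HDRLEN + sizeof(struct nlmsgerr))
#define NL_RCVBUF_MIN    (64 * 1024)   /* assumed floor, never shrink below the usual default */
#define NL_RCVBUF_ROUND  4096          /* assumed: round requests up to whole pages */

/* Cached size last applied to the socket; 0 means "kernel default, nothing set yet". */
static size_t nlbuffsiz;

/* Bytes needed so that one error reply per batched command fits without ENOBUFS. */
size_t nl_rcvbuf_for_batch(size_t ncmds)
{
	size_t need = ncmds * NL_ERR_MSG_SIZE;

	if (need < NL_RCVBUF_MIN)
		need = NL_RCVBUF_MIN;
	return (need + NL_RCVBUF_ROUND - 1) / NL_RCVBUF_ROUND * NL_RCVBUF_ROUND;
}

/* Grow SO_RCVBUF before sending a batch of ncmds commands.
 * Returns 1 if the option was set, 0 if the cached size already suffices, -1 on error. */
int nl_rcvbuf_grow(int fd, size_t ncmds)
{
	size_t want = nl_rcvbuf_for_batch(ncmds);
	int val = want > INT_MAX ? INT_MAX : (int)want;

	if (want <= nlbuffsiz)
		return 0;
	/* Without CAP_NET_ADMIN the kernel clamps this to net.core.rmem_max;
	 * SO_RCVBUFFORCE lets a privileged caller exceed that limit. */
	if (setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &val, sizeof(val)) < 0)
		return -1;
	nlbuffsiz = want;
	return 1;
}

/* Forget the cached size. Must run whenever the socket is reopened (the
 * nft_restart() case raised in the review): a fresh socket starts at the
 * kernel default, so a stale cache would skip the setsockopt and the
 * ENOBUFS failure would come back on the next large batch. */
void nl_rcvbuf_reset(void) { nlbuffsiz = 0; }

size_t nl_rcvbuf_current(void) { return nlbuffsiz; }
```

The sizing is deliberately pessimistic: it assumes every command fails, which is exactly the `iptables-nft -X` case above where each chain is still referenced and answers EBUSY.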