On Tue, Jul 02, 2019 at 08:30:49PM +0200, Phil Sutter wrote:
> When trying to delete user-defined chains in a large ruleset,
> iptables-nft aborts with "No buffer space available". This can be
> reproduced using the following script:
>
> | #! /bin/bash
> | iptables-nft-restore <(
> |
> | echo "*filter"
> | for i in $(seq 0 200000);do
> | 	printf ":chain_%06x - [0:0]\n" $i
> | done
> | for i in $(seq 0 200000);do
> | 	printf -- "-A INPUT -j chain_%06x\n" $i
> | 	printf -- "-A INPUT -j chain_%06x\n" $i
> | done
> | echo COMMIT
> |
> | )
> | iptables-nft -X
>
> The problem seems to be the sheer amount of netlink error messages sent
> back to user space (one EBUSY for each chain). To solve this, set
> receive buffer size depending on number of commands sent to kernel.

Applied, thanks.