Re: [RFC 1/1] nft: abort cache creation if mnl_genid_get fails

On Wed, Aug 21, 2019 at 1:13 PM Florian Westphal <fw@xxxxxxxxx> wrote:
>
> Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx> wrote:
> > mnl_genid_get can fail and in this case not update the genid which leads
> > to a busy loop that never recovers.
> >
> > To avoid that, check the return value and abort __nft_build_cache
> > if mnl_genid_get fails.
>
> mnl_genid_get() aborts in case there is an error from mnl_talk in
> iptables.git master branch.
>
> See
> commit e5cab728c40be88c541f68e4601d39178c36111f
> nft: exit in case we can't fetch current genid
>
> So I don't think this change is needed.

Thanks Florian for pointing me in the right direction.
I have applied this fix on top of 1.8.3 and it makes my -N calls work again.

iptables -L calls once a system is in the bad state behave as you
outlined in your patch.

ubuntu@autopkgtest:~/iptables-1.8.3$ iptables -L
iptables v1.8.3 (nf_tables): Could not fetch rule set generation id:
Permission denied (you must be root)
ubuntu@autopkgtest:~/iptables-1.8.3$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Thank you so much Florian!
Adding that to the soon-to-be-released Ubuntu version of iptables 1.8.3.
