Hi Pablo,

I found this testcase already contains the rules. I can reproduce it with your nf branch.

# uname -r
5.5.0-rc2+

# cat testcases/flowtable/0009deleteafterflush_0:
#!/bin/bash

set -e
$NFT add table x
$NFT add chain x y
$NFT add flowtable x f { hook ingress priority 0\; devices = { lo }\;}
$NFT add rule x y flow add @f
$NFT flush chain x y
sleep 1
$NFT delete flowtable x f

It is not easy to reproduce it without the sleep 1 between the flush chain and the delete of the flowtable. The flowtable delete may be earlier than the rule destroy, because the operation is a flush chain and not a direct delete rule.

Without my patch:

# ./run-tests.sh testcases/flowtable/0009deleteafterflush_0
I: using nft binary ./../../src/nft

W: [FAILED] testcases/flowtable/0009deleteafterflush_0: got 1
Error: Could not process rule: Device or resource busy
delete flowtable x f
^^^^^^^^^^^^^^^^^^^^^

I: results: [OK] 0 [FAILED] 1 [TOTAL] 1

With my fix patch (I ran this 50 times and all results are OK):

# ./run-tests.sh testcases/flowtable/0009deleteafterflush_0
I: using nft binary ./../../src/nft

I: [OK] testcases/flowtable/0009deleteafterflush_0

I: results: [OK] 1 [FAILED] 0 [TOTAL] 1

So which branch did you test with this patch?

BR
wenxu

On 12/31/2019 8:45 AM, wenxu wrote:
>
> On 2019/12/31 4:02, Pablo Neira Ayuso wrote:
>> On Mon, Dec 30, 2019 at 09:25:36PM +0800, wenxu wrote:
>>> Hi Pablo,
>>>
>>> How about this patch?
>> This test still fails after a second run with this patch:
>>
>> ./run-tests.sh testcases/flowtable/0009deleteafterflush_0
>> I: using nft binary ./../../src/nft
>>
>> W: [FAILED] testcases/flowtable/0009deleteafterflush_0: got 1
>> Error: Could not process rule: Device or resource busy
>> delete flowtable x f
>
> Hi Pablo,
>
>
> I did the same test for testcase 0009deleteafterflush_0. It is okay even when this patch is not in my tree.
>
> ++ which nft
> + NFT=/usr/sbin/nft
> + /usr/sbin/nft add table x
> + /usr/sbin/nft add chain x y
> + /usr/sbin/nft add flowtable x f '{' hook ingress priority '0;' devices = '{' lo '};}'
> + /usr/sbin/nft add rule x y flow add @f
> + /usr/sbin/nft flush chain x y
>
> + /usr/sbin/nft delete flowtable x f
>
>
> This patch fixes the problem that, when there are nft_flow_offload rules, flushing the rules or the chain will lead the use counter to double decrease and overflow.
>
> nft add rule firewall ftb-all ct zone 1 ip protocol tcp flow offload @f
> nft add rule firewall ftb-all ct zone 1 ip protocol udp flow offload @f
>
> This testcase does not have any nft_flow_offload rules. So this testcase doesn't cover the problem I want to fix.
>
>
> PS:
>
> I tested the nf-next tree and this testcase has the problem there. I think it should be another new problem. I will check it.