On Thu, Mar 05, 2020 at 11:15:36AM +0100, Florian Westphal wrote:
> nft will loop forever if the kernel doesn't support an expression:
>
> 1. nft_expr_type_get() appends the family specific name to the module list.
> 2. -EAGAIN is returned to nfnetlink, nfnetlink calls abort path.
> 3. abort path sets ->done to true and calls request_module for the
>    expression.
> 4. nfnetlink replays the batch, we end up in nft_expr_type_get() again.
> 5. nft_expr_type_get attempts to append family-specific name. This
>    one already exists on the list, so we continue
> 6. nft_expr_type_get adds the generic expression name to the module
>    list. -EAGAIN is returned, nfnetlink calls abort path.
> 7. abort path encounters the family-specific expression which
>    has 'done' set, so it gets removed.
> 8. abort path requests the generic expression name, sets done to true.
> 9. batch is replayed.
>
> If the expression could not be loaded, then we will end up back at 1),
> because the family-specific name got removed and the cycle starts again.
>
> Note that userspace can SIGKILL the nft process to stop the cycle, but
> the desired behaviour is to return an error after the generic expr name
> fails to load the expression.

Applied, thanks Florian.
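
The replay cycle from steps 1 to 9 of the quoted message, modelled as a small user-space C program. This is an added example, not kernel code and not the applied patch. The names request, abort_path and run_batch are hypothetical, and the keep_done variant, which leaves finished requests on the list until the batch ends, is an assumption about one way to reach the desired error return.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

static struct req { const char *name; bool done; } list[4]; /* toy model, not kernel code */
static int nreq;

/* Steps 1, 5, 6: queue a name unless it is already on the list. */
static int request(const char *name)
{
    for (int i = 0; i < nreq; i++)
        if (!strcmp(list[i].name, name))
            return 0;
    list[nreq++] = (struct req){ name, false };
    return -EAGAIN;
}

/* Type lookup for an expression no module provides (constructed names). */
static int expr_type_get(void)
{
    return (request("family-specific") || request("generic")) ? -EAGAIN : -ENOENT;
}

/* Steps 3, 7, 8: drop finished requests unless keep_done (assumed variant). */
static void abort_path(bool keep_done)
{
    int out = 0;
    for (int i = 0; i < nreq; i++)
        if (!list[i].done || keep_done) {
            list[i].done = true;   /* load attempted; it fails here */
            list[out++] = list[i];
        }
    nreq = out;
}

/* Replays before a final error is returned, or -1 if cap is reached. */
static int run_batch(bool keep_done, int cap)
{
    nreq = 0;
    for (int n = 0; n < cap; n++, abort_path(keep_done))
        if (expr_type_get() != -EAGAIN)
            return n;
    return -1;
}

int main(void)
{
    printf("%d %d\n", run_batch(false, 1000), run_batch(true, 1000));
}
```

With the behaviour as described, the batch is still returning -EAGAIN when the replay cap is reached; with finished requests kept, the lookup returns -ENOENT on the second replay.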