Re: [nft PATCH] src: use reentrant getprotobyname_r()/getprotobynumber_r()/getservbyport_r()

Hi Thomas,

Apologies for the late reply.

On Fri, Aug 11, 2023 at 02:58:48PM +0200, Thomas Haller wrote:
> Hi Pablo,
> 
> On Fri, 2023-08-11 at 14:20 +0200, Pablo Neira Ayuso wrote:
> > On Thu, Aug 10, 2023 at 02:30:30PM +0200, Thomas Haller wrote:
> > > If the reentrant versions of the functions are available, use them so
> > > that libnftables is thread-safe in this regard.
> > 
> > At netlink sequence tracking is not thread-safe, users hit EILSEQ
> > errors when multiple threads recycle the same nft_ctx object. Updates
> > are serialized by mutex per netns, batching is usually the way to go
> > to amortize the cost of ruleset updates.
> 
> The problem already happens when one thread is using libnftables and
> another thread calls one of those libc functions at an unfortunate
> moment. It doesn't require multi-threaded uses of libnftables itself.

Indeed.

> Also, why couldn't you have two threads, handling one netns each, with
> separate nft_ctx objects?

You have to have one nft_ctx per thread, that should be sufficient,
this probably needs to be documented.
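
The hazard discussed in this message, as an added example (not code from the nftables patch or from either poster): the non-reentrant lookup returns a pointer into libc-owned static storage that any later call in the process overwrites, while the `_r` variant writes only into caller-owned buffers. It assumes glibc, where `getprotobynumber_r()` is available; `proto_name_r` and `static_result_clobbered` are hypothetical names.

```c
#define _GNU_SOURCE /* glibc: expose getprotobynumber_r() */
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: 0 on success, -1 if unknown or name does not fit. */
int proto_name_r(int number, char *out, size_t outlen)
{
	struct protoent ent, *res = NULL;
	char *buf = NULL;
	int ret = -1;
	for (size_t len = 256; len <= 65536; len *= 2) {
		char *tmp = realloc(buf, len);
		if (!tmp)
			break;
		buf = tmp;
		int err = getprotobynumber_r(number, &ent, buf, len, &res);
		if (err == ERANGE) /* scratch buffer too small: grow and retry */
			continue;
		if (err == 0 && res && strlen(res->p_name) < outlen) {
			strcpy(out, res->p_name);
			ret = 0;
		}
		break;
	}
	free(buf);
	return ret;
}

/* Returns 1 if a later call changed what an earlier result points at. */
int static_result_clobbered(void)
{
	struct protoent *first = getprotobynumber(6);
	if (!first)
		return 0;
	int before = first->p_proto; /* value seen right after the lookup */
	if (!getprotobynumber(17))   /* any other caller in the process */
		return 0;
	return first->p_proto != before;
}

int main(void)
{
	char name[64] = "?";
	proto_name_r(6, name, sizeof(name));
	printf("6 -> %s, clobbered: %d\n", name, static_result_clobbered());
}
```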


