Incorrect dependency handling with delayed ipset destroy ipset 7.21

Hello.
I have a problem with recent kernels. Due to delayed ipset destroy I'm
unable to destroy an ipset that was recently in use by another
(destroyed) ipset. It is demonstrated by this example:

#!/bin/bash
set -x

# qwe1 is a list:set that references the hash:net asd1
ipset create qwe1 list:set
ipset create asd1 hash:net
ipset add qwe1 asd1
ipset add asd1 1.1.1.1

# destroying the list:set should release its reference to asd1
ipset destroy qwe1
ipset list asd1 -t
# fails immediately after the previous destroy, succeeds after a short delay
ipset destroy asd1

The second ipset destroy reports the error "ipset v7.21: Set cannot be
destroyed: it is in use by a kernel component".
If this command is repeated after a short delay, it deletes the ipset
without any problems.

It seems it could be fixed with that kernel module patch:

Index: linux-6.7.9/net/netfilter/ipset/ip_set_core.c
===================================================================
--- linux-6.7.9.orig/net/netfilter/ipset/ip_set_core.c
+++ linux-6.7.9/net/netfilter/ipset/ip_set_core.c
@@ -1241,6 +1241,9 @@ static int ip_set_destroy(struct sk_buff
  u32 flags = flag_exist(info->nlh);
  u16 features = 0;

+ /* Wait for flush to ensure references are cleared */
+ rcu_barrier();
+
  read_lock_bh(&ip_set_ref_lock);
  s = find_set_and_id(inst, nla_data(attr[IPSET_ATTR_SETNAME]),
     &i);
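Review bot: the rcu_barrier() is placed before the set is even looked up under ip_set_ref_lock, so every destroy request pays a full barrier wait, including the common case where nothing still references the target set. Consider doing the lookup and reference check first and only calling rcu_barrier() (followed by a second lookup) when the set turns out to be busy, so the cost lands only on the path that actually needs it. The comment "Wait for flush to ensure references are cleared" should also say what is being waited for: naming the deferred callbacks that drop the references would explain why a barrier, rather than synchronize_rcu(), is the right primitive here.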

If you have any suggestions on how this problem should be approached
please let me know. Thanks.
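The report notes that repeating the destroy after a short delay succeeds. As an added example (not part of the original message or of the ipset project), here is a userspace wrapper that retries "ipset destroy" only while the kernel reports the transient "in use by a kernel component" condition, and gives up on any other error. The IPSET_CMD hook and the IPSET_RUN_TEARDOWN opt-in variable are assumptions introduced here so the logic can be exercised without root; by default the wrapper calls the real ipset binary.

```shell
#!/bin/bash
# Added example, not from the original report: retry "ipset destroy" while the
# kernel still reports the set as referenced by a not-yet-completed deferred free.
# IPSET_CMD is an assumed hook (defaults to the real ipset binary) so the retry
# logic can be tested with a stand-in command.
: "${IPSET_CMD:=ipset}"

# ipset_destroy_retry NAME [MAX_TRIES] [SLEEP_SECONDS]
# Returns 0 once the set is destroyed, 1 if it is still busy after MAX_TRIES,
# and 2 on any other ipset error (those are not retried).
ipset_destroy_retry() {
    local name=$1 max=${2:-10} delay=${3:-0.1} try=1 out
    while :; do
        if out=$("$IPSET_CMD" destroy "$name" 2>&1); then
            return 0
        fi
        case $out in
            *"in use by a kernel component"*) ;;   # transient: references not dropped yet
            *) printf '%s\n' "$out" >&2; return 2 ;;
        esac
        if [ "$try" -ge "$max" ]; then
            printf 'ipset destroy %s: still busy after %d tries\n' "$name" "$try" >&2
            return 1
        fi
        try=$((try + 1))
        sleep "$delay"
    done
}

# Tear down the sets from the report in dependency order (the list:set first,
# then the hash:net it referenced). Only runs when explicitly opted in, since
# it needs root and a kernel with the ipset modules loaded.
if [ "${IPSET_RUN_TEARDOWN:-0}" = 1 ]; then
    ipset_destroy_retry qwe1
    ipset_destroy_retry asd1
fi
```

Run it as root with IPSET_RUN_TEARDOWN=1 after the reproduction script above; the bounded retry count keeps a genuinely stuck reference (for example a set still bound to an active iptables rule) from turning into an endless loop.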
