On Sat, 13 Apr 2024, keltargw wrote: > I have a problem with recent kernels. Due to delayed ipset destroy I'm > unable to destroy ipset that was recently in use by another (destroyed) > ipset. It is demonstrated by this example: > > #!/bin/bash > set -x > > ipset create qwe1 list:set > ipset create asd1 hash:net > ipset add qwe1 asd1 > ipset add asd1 1.1.1.1 > > ipset destroy qwe1 > ipset list asd1 -t > ipset destroy asd1 > > Second ipset destroy reports an error "ipset v7.21: Set cannot be > destroyed: it is in use by a kernel component". > If this command is repeated after a short delay, it deletes ipset > without any problems. > > It seems it could be fixed with that kernel module patch: > > Index: linux-6.7.9/net/netfilter/ipset/ip_set_core.c > =================================================================== > --- linux-6.7.9.orig/net/netfilter/ipset/ip_set_core.c > +++ linux-6.7.9/net/netfilter/ipset/ip_set_core.c > @@ -1241,6 +1241,9 @@ static int ip_set_destroy(struct sk_buff > u32 flags = flag_exist(info->nlh); > u16 features = 0; > > + /* Wait for flush to ensure references are cleared */ > + rcu_barrier(); > + > read_lock_bh(&ip_set_ref_lock); > s = find_set_and_id(inst, nla_data(attr[IPSET_ATTR_SETNAME]), > &i); > > If you have any suggestions on how this problem should be approached > please let me know. I'd better solve it in the list type itself: your patch unnecessarily slows down all set destroy operations. Best regards, Jozsef -- E-mail : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxx PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt Address : Wigner Research Centre for Physics H-1525 Budapest 114, POB. 49, Hungary
