Sven Auhagen <sven.auhagen@xxxxxxxxxxxx> wrote:
> I am using nftables with geoip sets.
> When I have larger sets in my ruleset and I want to atomically update the entire ruleset, I start with
> destroy table inet filter and then continue with my new ruleset.
>
> When the sets are larger I now always get an error:
> ./main.nft:13:1-26: Error: Could not process rule: Cannot allocate memory
> destroy table inet filter
> ^^^^^^^^^^^^^^^^^^^^^^^^^^
> along with the kernel message
> percpu: allocation failed, size=16 align=8 atomic=1, atomic alloc failed, no space left

Are you using the 'counter' extension in the set definition?

Could you share a minimal reproducer? You can omit the actual elements, it's easy to autogen that.
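The reply asks for a reproducer with autogenerated elements. The script below is an added example, not a ruleset posted by Sven or code from the nftables project: it emits a ruleset of the shape described in the thread (a `destroy table inet filter` followed by a fresh table holding one large interval set, optionally declared with `counter`) so the two variants can be loaded and compared. The table, set and chain names, the 10.0.0.0/8 element layout and the element count are all constructed for this example.

```shell
#!/bin/sh
# Added example: generate a minimal nftables reproducer with a large set.
# Usage: gen_ruleset ELEMENT_COUNT [counter] > main.nft ; nft -f main.nft
# All names and addresses are constructed; none are from the original report.
gen_ruleset() {
    n=$1
    with_counter=${2:-}

    # Same approach as in the report: drop the old table first, then recreate.
    # 'destroy' (unlike 'delete') does not fail when the table is absent.
    printf 'destroy table inet filter\n'
    printf 'table inet filter {\n'
    printf '\tset geoip {\n'
    printf '\t\ttype ipv4_addr\n'
    printf '\t\tflags interval\n'
    # Only the second variant attaches a per-element counter to the set.
    if [ -n "$with_counter" ]; then
        printf '\t\tcounter\n'
    fi
    printf '\t\telements = {\n'

    # Unique, non-overlapping /24 blocks inside 10.0.0.0/8, so the interval
    # set never needs auto-merge. Supports up to 65536 elements.
    i=0
    while [ "$i" -lt "$n" ]; do
        [ "$i" -gt 0 ] && printf ',\n'
        printf '\t\t\t10.%d.%d.0/24' $(( i / 256 % 256 )) $(( i % 256 ))
        i=$(( i + 1 ))
    done

    printf '\n\t\t}\n'
    printf '\t}\n'
    printf '\tchain input {\n'
    printf '\t\ttype filter hook input priority filter; policy accept;\n'
    printf '\t\tip saddr @geoip drop\n'
    printf '\t}\n'
    printf '}\n'
}

# Helper for checking the generator: number of set elements it emitted.
count_elements() {
    gen_ruleset "$1" "${2:-}" | grep -c '/24'
}

# Helper for checking the generator: 1 if the set carries 'counter', else 0.
has_counter() {
    gen_ruleset "$1" "${2:-}" | grep -c '^[[:space:]]*counter$'
}
```

Run `gen_ruleset 65536 > main.nft; nft -f main.nft` and then the same with `gen_ruleset 65536 counter` (as root, on the same kernel that produced the report); `nft -f` applies the whole file as one transaction, so this mirrors the atomic replacement described in the thread. If only the `counter` variant fails with ENOMEM and the percpu message, the element count at which it starts failing is the useful number to report back.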