Sven Auhagen <sven.auhagen@xxxxxxxxxxxx> wrote:
> On Wed, May 08, 2024 at 02:15:26PM +0200, Florian Westphal wrote:
> > Sven Auhagen <sven.auhagen@xxxxxxxxxxxx> wrote:
> > > I am using nftables with geoip sets.
> > > When I have larger sets in my ruleset and I want to atomically update the entire ruleset, I start with
> > > destroy table inet filter and then continue with my new ruleset.
> > >
> > > When the sets are larger I now always get an error:
> > > ./main.nft:13:1-26: Error: Could not process rule: Cannot allocate memory
> > > destroy table inet filter
> > > ^^^^^^^^^^^^^^^^^^^^^^^^^^
> >
> > > along with the kernel message
> > > percpu: allocation failed, size=16 align=8 atomic=1, atomic alloc failed, no space left
> >
> > Are you using 'counter' extension on the set definition?
>
> Yes I do and I just tested it, when I remove the counter it works without issues.
>
> >
> > Could you share a minimal reproducer? You can omit the actual
> > elements, it's easy to autogen that.
>
> I just saw your patch, do you still want me to send a reproducer?

In that case I guess the patch will help as the pcpu area should grow.
But I think it might still make sense, could probably extend one of
the test cases we have with a huge-set+counter+flush op.