On Fri, May 10, 2024 at 11:06:29AM +0200, Florian Westphal wrote:
> Florian Westphal <fw@xxxxxxxxx> wrote:
> > Sven Auhagen <sven.auhagen@xxxxxxxxxxxx> wrote:
> > > When the sets are larger I now always get an error:
> > > ./main.nft:13:1-26: Error: Could not process rule: Cannot allocate memory
> > > destroy table inet filter
> > > ^^^^^^^^^^^^^^^^^^^^^^^^^^
> > > along with the kernel message
> > > percpu: allocation failed, size=16 align=8 atomic=1, atomic alloc failed, no space left
> >
> > This specific pcpu allocation failure aside, I think we need to reduce
> > memory waste with flush op.
>
> Plan is:
>
> 1. Get rid of ->data[] in struct nft_trans.
>    All nft_trans_xxx will add struct nft_trans as first
>    member instead.
>
> 2. Add nft_trans_binding. Move binding_list head from
>    nft_trans to nft_trans_binding.
>    nft_trans_set and nft_trans_chain use nft_trans_binding
>    as first member.
>    This gets rid of struct list_head for all other types.
>
> 3. Get rid of struct nft_ctx from nft_trans.
>    As far as I can see a lot of data here is redundant.
>    We can likely stash only struct net, u16 flags,
>    bool report.
>    nft_chain can be moved to the appropriate sub-trans type
>    struct.

Here is also a minimal example to trigger the problem.
I left out the ip addresses:

destroy table inet filter

table inet filter {
	set SET1_FW_V4 {
		type ipv4_addr;
		flags interval;
		counter;
		elements = { }
	}
	set SET2_FW_V4 {
		type ipv4_addr;
		flags interval;
		counter;
		elements = { }
	}
	set SET3_FW_V4 {
		type ipv4_addr;
		flags interval;
		counter;
		elements = { }
	}
	set SET4_FW_V4 {
		type ipv4_addr;
		flags interval;
		counter;
		elements = { }
	}

	chain input {
		type filter hook input priority 0; policy accept;
		ip saddr @SET1_FW_V4 drop
		ip saddr @SET2_FW_V4 drop
		ip saddr @SET3_FW_V4 drop
		ip saddr @SET4_FW_V4 drop
	}
}
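As an added illustration of steps 1 and 2 of the plan quoted above (this is not kernel code and not part of the thread), the following userspace C model shows what "embed struct nft_trans as first member" and "move binding_list into nft_trans_binding" change about the per-transaction memory cost. The struct names old_trans, new_trans, new_trans_binding, new_trans_rule and new_trans_set are hypothetical stand-ins for the nft_trans family, their field sets are invented, and the data[] payload sizes assumed for the old layout are assumptions made for the comparison only:

```c
/* Added example: a userspace model of the struct layout change sketched
 * in the plan. None of this is kernel code; all struct and field names
 * are hypothetical stand-ins with only enough fields to show where the
 * per-transaction bytes go. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct list_head { struct list_head *next, *prev; };

/* Same idiom the kernel uses: recover the enclosing struct from a member. */
#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

/* "Before": one generic transaction. Every type pays for binding_list
 * whether it can be bound or not, and the type-specific payload is a
 * flexible array sized at allocation time. */
struct old_trans {
	struct list_head list;
	struct list_head binding_list;	/* only sets and chains need this */
	int msg_type;
	unsigned long data[];		/* type-specific payload */
};

/* Step 1: a small common header, embedded as first member by every type. */
struct new_trans {
	struct list_head list;
	int msg_type;
};

/* Step 2: the binding list gets its own header, used only by bindable
 * types (sets and chains in the plan). */
struct new_trans_binding {
	struct new_trans nft_trans;	/* first member */
	struct list_head binding_list;
};

/* A type that cannot be bound embeds only the small header ... */
struct new_trans_rule {
	struct new_trans nft_trans;	/* first member */
	void *rule;
	unsigned int rule_id;
};

/* ... while a bindable type embeds the binding header as first member. */
struct new_trans_set {
	struct new_trans_binding nft_trans_binding;	/* first member */
	void *set;
	unsigned int set_id;
	bool bound;
};

/* Old layout cost of one rule transaction: header plus a data[] payload
 * large enough for a pointer and an id (assumed payload for the model). */
size_t old_rule_trans_size(void)
{
	return sizeof(struct old_trans) + 2 * sizeof(unsigned long);
}

size_t new_rule_trans_size(void)
{
	return sizeof(struct new_trans_rule);
}

/* Bytes queued on the transaction list for a flush that deletes n_rules
 * rules and n_sets sets, in each layout (old set payload assumed to be
 * pointer + id + bound flag, rounded up to unsigned long slots). */
size_t old_flush_bytes(size_t n_rules, size_t n_sets)
{
	return n_rules * old_rule_trans_size() +
	       n_sets * (sizeof(struct old_trans) + 3 * sizeof(unsigned long));
}

size_t new_flush_bytes(size_t n_rules, size_t n_sets)
{
	return n_rules * sizeof(struct new_trans_rule) +
	       n_sets * sizeof(struct new_trans_set);
}

/* With first-member embedding a header pointer walks back up to the
 * per-type struct; offsetof() is 0 at each level so a plain cast would
 * also work, but container_of() documents the relationship. */
struct new_trans_set *set_from_trans(struct new_trans *t)
{
	struct new_trans_binding *b =
		container_of(t, struct new_trans_binding, nft_trans);
	return container_of(b, struct new_trans_set, nft_trans_binding);
}

/* Round trip: per-type struct -> embedded header -> per-type struct. */
bool set_roundtrip_ok(void)
{
	struct new_trans_set s;
	struct new_trans *t;

	memset(&s, 0, sizeof(s));
	s.set_id = 42;
	t = &s.nft_trans_binding.nft_trans;
	return set_from_trans(t) == &s && set_from_trans(t)->set_id == 42 &&
	       offsetof(struct new_trans_set, nft_trans_binding) == 0 &&
	       offsetof(struct new_trans_binding, nft_trans) == 0;
}

int main(void)
{
	printf("rule trans: old %zu bytes, new %zu bytes\n",
	       old_rule_trans_size(), new_rule_trans_size());
	printf("flush of 1000 rules + 4 sets: old %zu, new %zu\n",
	       old_flush_bytes(1000, 4), new_flush_bytes(1000, 4));
	return set_roundtrip_ok() ? 0 : 1;
}
```

The saving per non-bindable transaction is one struct list_head plus whatever the data[] padding cost; the point of the model is that the cost of a flush scales with the number of rules, so trimming the common header is what makes a large "destroy table" cheaper.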