On Fri, May 10, 2024 at 12:45:15PM +0200, Sven Auhagen wrote:
> On Fri, May 10, 2024 at 11:06:29AM +0200, Florian Westphal wrote:
> > Florian Westphal <fw@xxxxxxxxx> wrote:
> > > Sven Auhagen <sven.auhagen@xxxxxxxxxxxx> wrote:
> > > > When the sets are larger I now always get an error:
> > > > ./main.nft:13:1-26: Error: Could not process rule: Cannot allocate memory
> > > > destroy table inet filter
> > > > ^^^^^^^^^^^^^^^^^^^^^^^^^^
> > > > along with the kernel message
> > > > percpu: allocation failed, size=16 align=8 atomic=1, atomic alloc failed, no space left
> > >
> > > This specific pcpu allocation failure aside, I think we need to reduce
> > > memory waste with flush op.

Agreed. One more question below.

> > Plan is:
> >
> > 1. Get rid of ->data[] in struct nft_trans.
> >    All nft_trans_xxx will add struct nft_trans as first
> >    member instead.
> >
> > 2. Add nft_trans_binding. Move binding_list head from
> >    nft_trans to nft_trans_binding.
> >    nft_trans_set and nft_trans_chain use nft_trans_binding
> >    as first member.
> >    This gets rid of struct list_head for all other types.
> >
> > 3. Get rid of struct nft_ctx from nft_trans.
> >    As far as I can see a lot of data here is redundant,
> >    We can likely stash only struct net, u16 flags,
> >    bool report.
> >    nft_chain can be moved to the appropriate sub-trans type
> >    struct.
>
> Here is also a minimal example to trigger the problem.

Can you still see this after Florian's patch?

> I left out the ip addresses:
>
> destroy table inet filter
>
> table inet filter {
>
>     set SET1_FW_V4 {
>         type ipv4_addr;
>         flags interval;
>         counter;
>         elements = { }
>     }
>
>     set SET2_FW_V4 {
>         type ipv4_addr;
>         flags interval;
>         counter;
>         elements = { }
>     }
>
>     set SET3_FW_V4 {
>         type ipv4_addr;
>         flags interval;
>         counter;
>         elements = { }
>     }
>
>     set SET4_FW_V4 {
>         type ipv4_addr;
>         flags interval;
>         counter;
>         elements = { }
>     }
>
>     chain input {
>         type filter hook input priority 0;
>         policy accept;
>
>         ip saddr @SET1_FW_V4 drop
>         ip saddr @SET2_FW_V4 drop
>         ip saddr @SET3_FW_V4 drop
>         ip saddr @SET4_FW_V4 drop
>     }
> }