Re: Could not process rule: Cannot allocate memory

On Fri, May 10, 2024 at 12:51:53PM +0200, Pablo Neira Ayuso wrote:
> On Fri, May 10, 2024 at 12:45:15PM +0200, Sven Auhagen wrote:
> > On Fri, May 10, 2024 at 11:06:29AM +0200, Florian Westphal wrote:
> > > Florian Westphal <fw@xxxxxxxxx> wrote:
> > > > Sven Auhagen <sven.auhagen@xxxxxxxxxxxx> wrote:
> > > > > When the sets are larger I now always get an error:
> > > > > ./main.nft:13:1-26: Error: Could not process rule: Cannot allocate memory
> > > > > destroy table inet filter
> > > > > ^^^^^^^^^^^^^^^^^^^^^^^^^^
> > > > > along with the kernel message
> > > > > percpu: allocation failed, size=16 align=8 atomic=1, atomic alloc failed, no space left
> > > > 
> > > > This specific pcpu allocation failure aside, I think we need to reduce
> > > > memory waste with flush op.
> 
> Agreed.
> 
> One more question below.
> 
> > > Plan is:
> > > 
> > > 1. Get rid of ->data[] in struct nft_trans.
> > >    All nft_trans_xxx will add struct nft_trans as first
> > >    member instead.
> > > 
> > > 2. Add nft_trans_binding.  Move binding_list head from
> > >    nft_trans to nft_trans_binding.
> > >    nft_trans_set and nft_trans_chain use nft_trans_binding
> > >    as first member.
> > >    This gets rid of struct list_head for all other types.
> > > 
> > > 3. Get rid of struct nft_ctx from nft_trans.
> > >    As far as I can see a lot of data here is redundant,
> > >    We can likely stash only struct net, u16 flags,
> > >    bool report.
> > >    nft_chain can be moved to the appropriate sub-trans type
> > >    struct.
> > 
> > Here is also a minimal example to trigger the problem.
> 
> Can you still see this after Florian's patch?

I double-checked and it works fine now with Florian's patch.
Removing the counter also mitigates the issue.

> 
> > I left out the ip addresses:
> > 
> > destroy table inet filter
> > 
> > table inet filter {
> > 
> >     set SET1_FW_V4 {
> >         type ipv4_addr;
> >         flags interval;
> >         counter;
> >         elements = { }
> >     }
> > 
> >     set SET2_FW_V4 {
> >         type ipv4_addr;
> >         flags interval;
> >         counter;
> >         elements = { }
> >     }
> > 
> >     set SET3_FW_V4 {
> >         type ipv4_addr;
> >         flags interval;
> >         counter;
> >         elements = { }
> >     }
> > 
> >     set SET4_FW_V4 {
> >         type ipv4_addr;
> >         flags interval;
> >         counter;
> >         elements = { }
> >     }
> > 
> >     chain input {
> >         type filter hook input priority 0;
> >         policy accept;
> > 
> >         ip saddr @SET1_FW_V4 drop
> >         ip saddr @SET2_FW_V4 drop
> >         ip saddr @SET3_FW_V4 drop
> >         ip saddr @SET4_FW_V4 drop
> >     }
> > }
> > 
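
The struct layout change from the quoted plan (steps 1 to 3), as an added example that is not part of the original thread or the kernel source. All structs are simplified stand-ins with assumed field sets; the example compares the per-element transaction size before and after, which matters when a flush queues one transaction per set element.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins with assumed fields, NOT the kernel's definitions. */
struct list_head { struct list_head *next, *prev; };

struct ctx_model {                 /* models the full per-transaction context */
    void *net, *table, *chain, *nla;
    unsigned int portid, seq;
    unsigned short flags;
    unsigned char family, level;
    _Bool report;
};

/* Before: every transaction has both list heads, a full context copy,
 * and its type-specific payload in a trailing data[] area. */
struct trans_before {
    struct list_head list, binding_list;
    int msg_type;
    struct ctx_model ctx;
    char data[];
};
struct elem_payload { void *set, *elem_priv; };

/* After, step 3: the base keeps only net, flags and report. */
struct trans_after {
    struct list_head list;
    int msg_type;
    void *net;
    unsigned short flags;
    _Bool report;
};
/* Step 2: only set and chain transactions carry binding_list. */
struct trans_binding { struct trans_after base; struct list_head binding_list; };
/* Step 1: a typed transaction embeds the base as its first member. */
struct trans_elem { struct trans_after base; void *set, *elem_priv; };

size_t elem_size_before(void) { return sizeof(struct trans_before) + sizeof(struct elem_payload); }
size_t elem_size_after(void)  { return sizeof(struct trans_elem); }

/* Bytes saved when one flush queues n element transactions. */
size_t flush_savings(size_t n) { return n * (elem_size_before() - elem_size_after()); }

/* Base pointer back to the typed transaction, as a list walker would do. */
struct trans_elem *to_elem(struct trans_after *t)
{ return (struct trans_elem *)((char *)t - offsetof(struct trans_elem, base)); }

int main(void) { printf("per element: %zu -> %zu bytes, 100000 elements save %zu bytes\n",
    elem_size_before(), elem_size_after(), flush_savings(100000)); return 0; }
```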



