Hi, I'm still trying to find out what's going on. There is still problem with creating and deleting objects, chains and rules - no matter if I load them using nft or libnftables, because it takes less time and fails than it takes to remove element from large map. I've created two nft files. https://mega.nz/#!P6Z3WSBJ!gRwUCaWO6VtM8GnYChIgwqhq2HSkv2oQZ5UQHIZEB9w One with commands to create whole structure - create.nft, second with set of commands to delete two minor structures - most of the commands fail, some of them don't, but even commands which don't fail don't work. If I run them one by one, some of them do what they are supposed to, but some delete commands (2 and 3) don't delete element even when I run them by hand. But no one of them works when I try to run them in batch. I hope someone can have a look at it since those all problems I reported already. I wish to offer all support I can since we need to get it to work and this problem breaks out functionality we need. We are using tc filter actually but we need to move to nftables because we update whole structure dynamically. There is limit of 65535 IDs in and we can't define every object we need. So we do it by complex dynamics. It prevents us from using iptables for obvious reasons. Tc filter has its own limits and we need to implement extended functionality. I like nftables. I still think it would be much easier to help someone who knows whole structure and dependencies to address the problem than to start digging into it myself and put everything else aside. I've tried to get debug output from nft, but it crashes with SIGSEGV and generates coredump. I can provide everything needed to help address this problem too. error output from nft -f delete.nft delete.nft:2:1-58: Error: Could not process rule: No such file or directory delete element ip filter group_7933_prio { 10.4.22.0/24 } ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ delete.nft:3:1-53: Error: Could not process rule: No such file or directory delete element ip filter group_7933 { 10.4.22.0/24 } ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ delete.nft:5:1-34: Error: Could not process rule: Device or resource busy delete chain ip filter group_7933 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ delete.nft:6:1-32: Error: Could not process rule: Device or resource busy delete map ip filter group_7933 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ delete.nft:7:1-37: Error: Could not process rule: Device or resource busy delete map ip filter group_7933_prio ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ delete.nft:15:1-34: Error: Could not process rule: Device or resource busy delete chain ip filter group_7938 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ delete.nft:16:1-32: Error: Could not process rule: Device or resource busy delete map ip filter group_7938 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ delete.nft:17:1-37: Error: Could not process rule: Device or resource busy delete map ip filter group_7938_prio ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ commands without error in batch, but without any effect too: 01. delete element ip filter subnet_map { 10.4.22.0/24 } 04. flush chain ip filter group_7933 09. delete element ip filter subnet_map { 10.5.56.160/28 } 10. delete element ip filter group_7938_prio { 10.5.56.162 } 11. delete element ip filter group_7938_prio { 10.5.56.163 } 12. delete element ip filter group_7938 { 10.5.56.162 } 13. delete element ip filter group_7938 { 10.5.56.163 } 14. flush chain ip filter group_7938 whole structure of delete.nft for quick reference: delete element ip filter subnet_map { 10.4.22.0/24 } delete element ip filter group_7933_prio { 10.4.22.0/24 } delete element ip filter group_7933 { 10.4.22.0/24 } flush chain ip filter group_7933 delete chain ip filter group_7933 delete map ip filter group_7933 delete map ip filter group_7933_prio delete element ip filter subnet_map { 10.5.56.160/28 } delete element ip filter group_7938_prio { 10.5.56.162 } delete element ip filter group_7938_prio { 10.5.56.163 } delete element ip filter group_7938 { 10.5.56.162 } delete element ip filter group_7938 { 10.5.56.163 } flush chain ip filter group_7938 delete chain ip filter group_7938 delete map ip filter group_7938 delete map ip filter group_7938_prio ---- S pozdravem / Best Regards Vaclav Zindulka
