Re: Sets update

Hi,

On Sun, 21 Jul 2024 13:29:44 +0100 "Kerin Millar" <kfm@xxxxxxxxxxxxx>
wrote:

> #!/bin/sh
> set -e
> tmpfile1=
> tmpfile2=
> trap 'rm -f -- "$tmpfile1" "$tmpfile2"' EXIT
> tmpfile1=$(mktemp)
> tmpfile2=$(mktemp)
> cat > "$tmpfile1"
> {
>    echo "delete element $* {"; sed 's/$/,/' "$tmpfile1"; echo "}"
>    echo "add    element $* {"; sed 's/$/,/' "$tmpfile1"; echo "}"
> } > "$tmpfile2"
> nft -f "$tmpfile2"

I played with that; I added one more "add" before "delete" and it seems
to work, except after boot...

After boot the set is (obviously) empty, so I try to fill it with
something like:

    curl -s https://my_local_URL | ./nft-addset.sh inet fw4 myset | nft -f-

But that fails with::

    /dev/stdin:1:1-2: Error: Could not process rule: Out of memory
    add    element inet fw4 myset {
    ^^

(The host has >6 GB of free RAM, the list has ~1700 items)

Initially I blamed IP duplicates in the downloaded list of IPs, but that
was unrelated to this error. When I remove the first "add" and "delete"
lines from the script (thus just one "add"), it works. After the initial
fill it works with all three commands (add+delete+add) on an already
filled set, and even when I flush that set, it still works. Only the
first fill (after boot) ends with that error.

When I delete and create that set, I get "Out of memory" again. The set
is defined as::

    table inet fw4 {
        set myset {
            type ipv4_addr
            last counter
            timeout 2d
        }
    }

I tried to add "size" into it, but that doesn't help.

I roughly remember that I read something about some memory limit in
a container (I am not in a container), but I am not able to find that
again to check if that is the problem.

Please, what can cause that initial fill error, and how can I
debug/solve it?

regards

-- 
Slavko
https://www.slavino.sk

Attachment: pgpC80xxzlUIV.pgp
Description: OpenPGP digital signature

