* What happens if the machine runs out of memory while adding new nftables sets atomically?
@ 2024-02-06 10:47 Anton
2024-02-06 11:12 ` Florian Westphal
0 siblings, 1 reply; 5+ messages in thread
From: Anton @ 2024-02-06 10:47 UTC (permalink / raw)
To: netfilter
Hi folks,
While experimenting with adding nftables sets on memory-constrained
devices, I have run into OOM conditions. Currently many embedded
devices such as routers are balancing on the verge of not enough
memory if using nft sets (at least interval sets).
I know that there has been progress on the front of reducing memory
footprint, but it's not yet in the nftables versions supplied by the
distributions, so for now I have to work with the current state of
things.
To be on the safe side, currently my scripts add sets separately from
adding rules and removing sets. I'd like to ask the devs, is it safe
under these conditions to attempt performing all these actions in one
atomic operation? Is previous firewall configuration guaranteed to be
successfully restored if the operation runs into OOM?
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: What happens if the machine runs out of memory while adding new nftables sets atomically?
2024-02-06 10:47 What happens if the machine runs out of memory while adding new nftables sets atomically? Anton
@ 2024-02-06 11:12 ` Florian Westphal
2024-02-06 12:15 ` Anton
0 siblings, 1 reply; 5+ messages in thread
From: Florian Westphal @ 2024-02-06 11:12 UTC (permalink / raw)
To: Anton; +Cc: netfilter
Anton <anton.khazan@gmail.com> wrote:
> To be on the safe side, currently my scripts add sets separately from
> adding rules and removing sets. I'd like to ask the devs, is it safe
> under these conditions to attempt performing all these actions in one
> atomic operation? Is previous firewall configuration guaranteed to be
> successfully restored if the operation runs into OOM?
Old config is removed after new transaction went through, not before.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: What happens if the machine runs out of memory while adding new nftables sets atomically?
2024-02-06 11:12 ` Florian Westphal
@ 2024-02-06 12:15 ` Anton
2024-02-06 12:15 ` Anton
0 siblings, 1 reply; 5+ messages in thread
From: Anton @ 2024-02-06 12:15 UTC (permalink / raw)
To: Florian Westphal; +Cc: netfilter
Thank you. And a followup question: is new config guaranteed to be
removed if the operation runs into OOM?
On Tue, Feb 6, 2024 at 1:12 PM Florian Westphal <fw@strlen.de> wrote:
> Old config is removed after new transaction went through, not before.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: What happens if the machine runs out of memory while adding new nftables sets atomically?
2024-02-06 12:15 ` Anton
@ 2024-02-06 12:15 ` Anton
2024-02-06 12:18 ` Florian Westphal
0 siblings, 1 reply; 5+ messages in thread
From: Anton @ 2024-02-06 12:15 UTC (permalink / raw)
To: Florian Westphal; +Cc: netfilter
(and new sets as well...)
On Tue, Feb 6, 2024 at 2:15 PM Anton <anton.khazan@gmail.com> wrote:
>
> Thank you. And a followup question: is new config guaranteed to be
> removed if the operation runs into OOM?
>
> On Tue, Feb 6, 2024 at 1:12 PM Florian Westphal <fw@strlen.de> wrote:
> > Old config is removed after new transaction went through, not before.
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2024-02-06 12:18 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-02-06 10:47 What happens if the machine runs out of memory while adding new nftables sets atomically? Anton
2024-02-06 11:12 ` Florian Westphal
2024-02-06 12:15 ` Anton
2024-02-06 12:15 ` Anton
2024-02-06 12:18 ` Florian Westphal
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.