From: Florian Westphal <fw@strlen.de>
To: Sven Auhagen <Sven.Auhagen@belden.com>
Cc: "netfilter-devel@vger.kernel.org" <netfilter-devel@vger.kernel.org>
Subject: Re: Cannot allocate memory delete table inet filter
Date: Wed, 25 Jun 2025 16:29:13 +0200 [thread overview]
Message-ID: <aFwHuT7m7GHtmtSm@strlen.de> (raw)
In-Reply-To: <BY1PR18MB5874110CAFF1ED098D0BC4E7E07BA@BY1PR18MB5874.namprd18.prod.outlook.com>
Sven Auhagen <Sven.Auhagen@belden.com> wrote:
> we do see on occasions that we get the following error message, more so on x86 systems than on arm64:
>
> Error: Could not process rule: Cannot allocate memory delete table inet filter
>
> It is not a consistent error and does not happen all the time.
> We are on Kernel 6.6.80, seems to me like we have something along the lines of the nf_tables: allow clone callbacks to sleep problem using GFP_ATOMIC.
Yes, set element deletion (flushing) requires atomic (non-sleepable)
allocations.
> Do you have any idea what I can try out/look at?
Do you have large sets? (I suspect yes).
As for a solution, I can see two:
1). Leverage what nft_set_pipapo.c is doing and extend
this for all sets that could use the same solution.
The .walk callback for pipapo doesn't need/use rcu read locks,
and could use sleepable allocations.
all set types except rhashtable could follow this.
Then, we'd just need a way for the generic flush code to
see that the walk callback can sleep (e.g. by annotation in
set_ops).
Upside: Clean and straightforward solution.
Downside: won't work for rhashtable which runs under
rcu read lock protection.
2). Preallocate transaction elements before calling .walk
in nft_set_flush(), based on set->nelems.
2) is a bit more (w)hacky but it would work for all set types.
And I could be wrong and the alloc problem isn't related to
nft_set_flush.
next prev parent reply other threads:[~2025-06-25 14:29 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-06-25 8:00 Cannot allocate memory delete table inet filter Sven Auhagen
2025-06-25 14:29 ` Florian Westphal [this message]
2025-06-25 14:51 ` Sven Auhagen
2025-07-01 8:15 ` Sven Auhagen
2025-07-01 10:48 ` Florian Westphal
2025-07-01 21:49 ` Florian Westphal
2025-07-02 3:51 ` Sven Auhagen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aFwHuT7m7GHtmtSm@strlen.de \
--to=fw@strlen.de \
--cc=Sven.Auhagen@belden.com \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.