From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-ot1-f66.google.com (mail-ot1-f66.google.com [209.85.210.66]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 84481241139 for ; Wed, 4 Mar 2026 17:50:58 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.66 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1772646659; cv=none; b=qrvm3EWpkVDHME9bWv2RPS4Z7VYJuXHROE2kiMkGDvjagBLYE+7Xt1NH9xA1hZ2uMt+SWqUjHz0eun0h/1IBAA/Ai3wA+YdAwHlhqbxqvJzu4xWNeWftDBm18NziIBmFQeudb3+G86STmowWVv+0kN97BKoUs8F6swO40/hJW8Q= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1772646659; c=relaxed/simple; bh=2Mvgz7k4MBiBihmZ6pwsyf3yLPFdtGpxts4opu+Urhc=; h=Date:From:To:Cc:Subject:Message-ID:MIME-Version:Content-Type: Content-Disposition; b=qu9cNpfXyHZeQALUdd2+6ijOoiffkthW+zqZaPCROOgpiVinC996x+hQoPo98pMISrbSUYDjM5Ld9yXGXu4yB+iBQkc9eesup2MKUM9fhukFGMC/jmAoib9UxfpYvJsFCDjz9l4e3JmAWfclm3jShtddGrA9ohfFfHb2QA0Okfw= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=cloudflare.com; spf=pass smtp.mailfrom=cloudflare.com; dkim=pass (2048-bit key) header.d=cloudflare.com header.i=@cloudflare.com header.b=Jj5yJcfG; arc=none smtp.client-ip=209.85.210.66 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=cloudflare.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=cloudflare.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=cloudflare.com header.i=@cloudflare.com header.b="Jj5yJcfG" Received: by mail-ot1-f66.google.com with SMTP id 46e09a7af769-7d598f60eeaso5116436a34.2 for ; Wed, 04 Mar 2026 09:50:58 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google09082023; t=1772646657; x=1773251457; darn=vger.kernel.org; h=content-disposition:mime-version:reply-to:message-id:subject:cc:to :from:date:from:to:cc:subject:date:message-id:reply-to; bh=WNMYYOJfjMKLq9zkyVGgSwjqMf4o4L892jbKOFVkLGk=; b=Jj5yJcfGd6YfE8j9dPMK0uQP/S4LJKknSdI+oP/6HEDa0drHxa17k+pc3fQ3lIFTLn 2cJ4ph7OCRpTFrsu/QOvizcz64eqXkE05nUFv4ySFEtRAzyswxAm/HOXeWj8phapvH3k kjrp/gTgS/NoeHauR0D5QFcCuI7Qsv3zgUqIjsri6la4yMehPa31+TeHC6vV/OTXCird /V5hDW2Ee5KK4QEFm5hhNz3fOuWXwyigMd3RfmB2HrZn3vMrGPLvJWLg2UukZup4YMal 6zqMtvews5Vz+R6WSZLTSIWk3Oi8Q/xHww/Dr4jULQtfmoDJnxvcSxdtqFzlnuzcVoI1 srBg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1772646657; x=1773251457; h=content-disposition:mime-version:reply-to:message-id:subject:cc:to :from:date:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=WNMYYOJfjMKLq9zkyVGgSwjqMf4o4L892jbKOFVkLGk=; b=iF7etn2dEEwAC8FlJ0izZFz7OP3wfzM4U7qJjMfEYbVMo+XuGKC9wvxYy5FmkQwfsb v7Jxe1iIKEzo7VCdRMp13QkRkwn1x4kaIZb+1qXDkPE6CpqQuOYQfZt7e7C7yNlC/+LN vphOFhhuI+yFQst5l85NEfth8VwkIjmTKf0VgUYs9SBt8PYd2fzvRzoQ/dYXM0Kp2ab0 ckERS184xp28f5AOvOiNDF9jYk+R26o54f+1lMr6zw867tegCokKgawMT6r0xKfIOJFH jGA82MsbpgSIOgRV7eW9Wbkhk41gBZxWXwT5QPTSDaLooYkdR7YzheiiuOzaeQJgm7CT N8Jw== X-Forwarded-Encrypted: i=1; AJvYcCVnLewLuB4LEMWFlhMds95jEaG8jvkmwtke59jq0Un6F+QssxyLrWUGrLP4/aegyXcVSjgqFvQAJ917umw=@vger.kernel.org X-Gm-Message-State: AOJu0YwbLIBszcoitm3WpAH95YgmmCql4DmTqheRzu2xCvM/o3siFqiz VmxjUaAXaThpxSr17Kf5ogeXL8kSxuD0LGUkgkN7D/qKnuEM3kSDgz9jYN9WvKOQz50= X-Gm-Gg: ATEYQzxj5k6ONMvlxHSxmsb7AJpmkls1ln9ezTOdqshXzhvElNzKgsa44S+PlTSzkvW g9/DHqhBeQXfffY+NKF/AKPorg+hq3t3eXIG7Bm8rDjVixqg/NfYgUjErRWMkoIqFy5P2QILQmZ v6+6GYurUS7riR6R9ZSaxwmZDEdDOQcYWROwpkNo0O2VYqJ85YMONsBKVAfbwJo5aosJmRuT817 0vPJUn0zqzl94t693zHEmlcW3UeYbhZfONA2lslHoqwAUcfXPXo0q9TZ4aD6c/KXKf8DVoDssw4 OrxQndTJBsaDI95+LzyUb3EpSQi4E3Pks5jcqM6pX03Xo6MxVKyI7XtqSeuYCIutb0UUk6ahXeP NJZ1yTMPXZB5TYux15VweyWYqn3jjWzD2XRLUJNvZ3AcjBTcBj+vFmSrSCCPZV8kyAEkSjwcRil wZWNgy6w== X-Received: by 2002:a05:6830:3901:b0:7cf:d1ed:f9ff with SMTP id 46e09a7af769-7d6d38f9810mr1782147a34.34.1772646657516; Wed, 04 Mar 2026 09:50:57 -0800 (PST) Received: from 20HS2G4 ([2a09:bac1:76c0:540::281:54]) by smtp.gmail.com with ESMTPSA id 46e09a7af769-7d586626abfsm15735411a34.14.2026.03.04.09.50.56 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 04 Mar 2026 09:50:56 -0800 (PST) Date: Wed, 4 Mar 2026 11:50:54 -0600 From: Chris Arges To: Pablo Neira Ayuso , Florian Westphal , stable@vger.kernel.org, linux-kernel@vger.kernel.org, Greg Kroah-Hartman Cc: lwn@lwn.net, jslaby@suse.cz, kernel-team@cloudflare.com, netfilter-devel@vger.kernel.org Subject: [REGRESSION] 6.18.14 netfilter/nftables consumes way more memory Message-ID: Reply-To: 2026022652-lyricist-washtub-eeb4@gregkh Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Hello, We've noticed significant slab unreclaimable memory increase after upgrading from 6.18.12 to 6.18.15. Other memory values look fairly close, but in my testing slab unreclaimable goes from 1.7 GB to 4.9 GB on machines. Our use case is having nft rules like below, but adding them to 1000s of network namespaces. This is essentially running `nft -f` for all these namespaces every minute. ``` table inet service_1234567 { } delete table inet service_1234567 table inet service_1234567 { chain input { type filter hook prerouting priority filter; policy accept; ip saddr @account.ip_list drop } set account.ip_list { type ipv4_addr flags interval auto-merge } } add element inet service_1234567 account.ip_list { /* add 1000s of CIDRs here */ } ``` I suspect this is related to: - 36ed9b6e3961 (upstream 7e43e0a1141deec651a60109dab3690854107298) - netfilter: nft_set_rbtree: translate rbtree to array for binary search I'm still digging into this, and plan on reverting commits and seeing if memory usage goes back to nominal in production. I don't have a trivial reproducer unfortunately. Happy to run some additional tests, and I can easily apply patches on top of linux-6.18.y to run in a test environment. We are using userspace nftables 1.1.3, but had to apply the patch mentioned in this thread: https://lore.kernel.org/all/e6b43861cda6953cc7f8c259e663b890e53d7785.camel@sapience.com/ In order to solve the other regression we encountered. Thanks, --chris