public inbox for linux-kernel@vger.kernel.org
From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Chris Arges <carges@cloudflare.com>
Cc: Florian Westphal <fw@strlen.de>,
	stable@vger.kernel.org, linux-kernel@vger.kernel.org,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	lwn@lwn.net, jslaby@suse.cz, kernel-team@cloudflare.com,
	netfilter-devel@vger.kernel.org
Subject: Re: [REGRESSION] 6.18.14 netfilter/nftables consumes way more memory
Date: Fri, 6 Mar 2026 13:22:41 +0100
Message-ID: <aarHEfdMXDJ-Wq3V@chamomile>
In-Reply-To: <aamvQTTZu4-chpsS@20HS2G4>

[-- Attachment #1: Type: text/plain, Size: 1511 bytes --]

Hi Chris,

On Thu, Mar 05, 2026 at 10:28:49AM -0600, Chris Arges wrote:
> I noticed after I sent, thanks for fixing.
> > Hi,
> > 
> > On Wed, Mar 04, 2026 at 11:50:54AM -0600, Chris Arges wrote:
> > > Hello,
> > > 
> > > We've noticed significant slab unreclaimable memory increase after upgrading
> > > from 6.18.12 to 6.18.15. Other memory values look fairly close, but in my
> > > testing slab unreclaimable goes from 1.7 GB to 4.9 GB on machines.
> > 
> > From where are you collecting these memory consumption numbers?
> > 
> 
> These numbers come from the cgroup's memory.stat:
> ```
> $ cat /sys/fs/cgroup/path/to/service/memory.stat | grep slab
> slab_reclaimable 35874232
> slab_unreclaimable 5343553056
> slab 5379427288
> ```
> 
> > > Our use case is having nft rules like below, but adding them to 1000s of
> > > network namespaces. This is essentially running `nft -f` for all these
> > > namespaces every minute.
> > 
> > Those numbers for only 1000? That is too small a number of entries for
> > such an increase in memory usage as you report.
> > 
> 
> For this workload that I suspect (since it's in the cgroup) it has the following
> characteristics:
> - 1000s of namespaces
> - 1000s of CIDRs in ip list per namespace
> - Updating everything frequently (<1m)

I see what is going on, my resize logic is not correct. This is
increasing the size for each new transaction, then the array is
getting larger and larger on each transaction update.

Could you please give this patch a try?

Thanks.

[-- Attachment #2: fix.patch --]
[-- Type: text/x-diff, Size: 458 bytes --]

diff --git a/net/netfilter/nft_set_rbtree.c b/net/netfilter/nft_set_rbtree.c
index 853ff30a208c..4462ac48fdfa 100644
--- a/net/netfilter/nft_set_rbtree.c
+++ b/net/netfilter/nft_set_rbtree.c
@@ -646,7 +646,7 @@ static int nft_array_may_resize(const struct nft_set *set)
 	struct nft_array *array;
 
 	if (!priv->array_next) {
-		array = nft_array_alloc(nelems + NFT_ARRAY_EXTRA_SIZE);
+		array = nft_array_alloc(nelems);
 		if (!array)
 			return -ENOMEM;
 
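Review bot: In the `!priv->array_next` branch, `nft_array_alloc(nelems)` now allocates with no headroom at all, and nothing visible in this hunk says what happens when `nelems` is 0 or where the next insertion gets its room. Please confirm that `nft_array_alloc()` handles a zero count and that the growth path outside this hunk adds slack only when the array is actually full, not once per transaction. A short comment above the call stating why the initial array is sized exactly would help, as would a changelog with a Fixes: tag, since this is reported as a regression in a stable release.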
