
Bug#914429: nftables: Delete and Flush lead to device or resource busy with segmentation fault



On 11/23/18 1:08 PM, Eike Lohmann wrote:
> 
> Hi Arturo,
> 
> thanks for your quick reply.
> 
> Like described in my example, there is no reference to C_TestChain.
> 

I reproduced your steps and ran into multiple errors, because your steps
try to delete objects that still have external references.

Unless you give me more information, this is a failure in your
ruleset/workflow and not a bug in nftables.

arturo@endurance:~ $ cat t.nft
#!/usr/sbin/nft -f
# Skeleton for nftables

flush ruleset

table ip filter {
    chain FORWARD {
        type filter hook forward priority 0;
    }
}
arturo@endurance:~ $ cat t2.nft
add chain filter vpn_master
add map filter J_TestMap { type ipv4_addr : verdict ; flags interval ; }
add rule filter vpn_master ip saddr vmap @J_TestMap
add chain filter C_TestChain
add set filter M_TestMasterSet {type ipv4_addr ; flags interval ;
elements={ 172.21.138.0/29 } ;}
add set filter S_TestSlaveSet {type ipv4_addr ; flags interval ;
elements={ 172.21.138.8/29, 172.21.138.16/28, 172.21.138.32/29 } ;}
add element filter J_TestMap { 172.21.138.0/29 : jump C_TestChain }
add element filter J_TestMap { 172.21.138.8/29 : jump C_TestChain }
add element filter J_TestMap { 172.21.138.16/28 : jump C_TestChain }
add element filter J_TestMap { 172.21.138.32/29 : jump C_TestChain }
add rule filter C_TestChain ip saddr @M_TestMasterSet ip daddr
@M_TestMasterSet accept
add rule filter C_TestChain ip saddr @M_TestMasterSet ip daddr
@S_TestSlaveSet accept
add rule filter C_TestChain ip saddr @S_TestSlaveSet ip daddr
@M_TestMasterSet accept

arturo@endurance:~ $ cat t3.nft
flush set filter M_TestMasterSet
flush set filter S_TestSlaveSet
flush map filter J_TestMap
flush chain filter C_TestChain
delete set filter M_TestMasterSet
delete set filter S_TestSlaveSet

arturo@endurance:~ $ sudo nft -f t.nft
arturo@endurance:~ $ sudo nft -f t2.nft
arturo@endurance:~ $ sudo nft -f t3.nft
t3.nft:6:1-34: Error: Could not process rule: Device or resource busy
delete set filter M_TestMasterSet
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
t3.nft:7:1-33: Error: Could not process rule: Device or resource busy
delete set filter S_TestSlaveSet
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
arturo@endurance:~ 1 $ sudo nft list ruleset
table ip filter {
	map J_TestMap {
		type ipv4_addr : verdict
		flags interval
		elements = { 172.21.138.0/29 : jump C_TestChain, 172.21.138.8/29 :
jump C_TestChain,
			     172.21.138.16/28 : jump C_TestChain, 172.21.138.32/29 : jump
C_TestChain }
	}

	set M_TestMasterSet {
		type ipv4_addr
		flags interval
		elements = { 172.21.138.0/29 }
	}

	set S_TestSlaveSet {
		type ipv4_addr
		flags interval
		elements = { 172.21.138.8/29, 172.21.138.16/28,
			     172.21.138.32/29 }
	}

	chain FORWARD {
		type filter hook forward priority 0; policy accept;
	}

	chain vpn_master {
		ip saddr vmap @J_TestMap
	}

	chain C_TestChain {
		ip saddr @M_TestMasterSet ip daddr @M_TestMasterSet accept
		ip saddr @M_TestMasterSet ip daddr @S_TestSlaveSet accept
		ip saddr @S_TestSlaveSet ip daddr @M_TestMasterSet accept
	}
}

