
Bug#914429: nftables: Delete and Flush lead to device or resource busy with segmentation fault



Hi Arturo,

We broke it down into fewer steps; hopefully it is not confusing.

Please try this:

table ip filter {
    chain FORWARD {
        type filter hook forward priority 0; policy accept;
        jump vpn_master
    }

    map J_TestMap {
        type ipv4_addr : verdict
        flags interval
        elements = { 172.21.138.0/29 : jump C_TestChain }
    }

    chain vpn_master {
        ip saddr vmap @J_TestMap
    }

    chain C_TestChain {
    }
}

# nft flush map filter J_TestMap
# nft flush chain filter C_TestChain
# nft delete chain filter C_TestChain
Error: Could not process rule: Device or resource busy
delete chain filter C_TestChain
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

# nft list ruleset
table ip filter {
    map J_TestMap {
        type ipv4_addr : verdict
        flags interval
    }

    chain FORWARD {
        type filter hook forward priority 0; policy accept;
        jump vpn_master
    }

    chain vpn_master {
        ip saddr vmap @J_TestMap
    }

    chain C_TestChain {
    }
}

This problem happens only if we flush the J_TestMap!

If we delete the elements of J_TestMap, we can delete the chain C_TestChain!


Background:

We want to have many elements in our maps and we want to flush them, instead of
deleting every element.

Right now in iptables we have >100k ACCEPT rules organised in a binary tree
built with chains.
https://people.netfilter.org/hawk/presentations/nfws2008/nfws2008_userday_iptables_scale.pdf

100k rules in nftables, also organised in a binary tree, make the command "nft
list ruleset" take over 1.5 min to print all rules to the command line. (Maybe you
can help here too?)

So we are looking how we can reduce the ruleset with maps and sets using ranges etc.

Best Regards, Eike



Am 23.11.18 um 13:13 schrieb Arturo Borrero Gonzalez:
> On 11/23/18 1:08 PM, Eike Lohmann wrote:
>> Hi Arturo,
>>
>> thanks for your quick reply.
>>
>> Like described in my example, there is no reference to C_TestChain.
>>
> I reproduced your steps, and I had multiple issues because your steps
> try to delete stuff with external references.
>
> If you don't give me any other information, this is a fail in your
> ruleset/workflow and not a bug in nftables.
>
> arturo@endurance:~ $ cat t.nft
> #!/usr/sbin/nft -f
> # Skeleton for nftables
>
> flush ruleset
>
> table ip filter {
>     chain FORWARD {
>         type filter hook forward priority 0;
>     }
> }
> arturo@endurance:~ $ cat t2.nft
> add chain filter vpn_master
> add map filter J_TestMap { type ipv4_addr : verdict ; flags interval ; }
> add rule filter vpn_master ip saddr vmap @J_TestMap
> add chain filter C_TestChain
> add set filter M_TestMasterSet {type ipv4_addr ; flags interval ; elements={ 172.21.138.0/29 } ;}
> add set filter S_TestSlaveSet {type ipv4_addr ; flags interval ; elements={ 172.21.138.8/29, 172.21.138.16/28, 172.21.138.32/29 } ;}
> add element filter J_TestMap { 172.21.138.0/29 : jump C_TestChain }
> add element filter J_TestMap { 172.21.138.8/29 : jump C_TestChain }
> add element filter J_TestMap { 172.21.138.16/28 : jump C_TestChain }
> add element filter J_TestMap { 172.21.138.32/29 : jump C_TestChain }
> add rule filter C_TestChain ip saddr @M_TestMasterSet ip daddr @M_TestMasterSet accept
> add rule filter C_TestChain ip saddr @M_TestMasterSet ip daddr @S_TestSlaveSet accept
> add rule filter C_TestChain ip saddr @S_TestSlaveSet ip daddr @M_TestMasterSet accept
>
> arturo@endurance:~ $ cat t3.nft
> flush set filter M_TestMasterSet
> flush set filter S_TestSlaveSet
> flush map filter J_TestMap
> flush chain filter C_TestChain
> delete set filter M_TestMasterSet
> delete set filter S_TestSlaveSet
>
> arturo@endurance:~ $ sudo nft -f t.nft
> arturo@endurance:~ $ sudo nft -f t2.nft
> arturo@endurance:~ $ sudo nft -f t3.nft
> t3.nft:6:1-34: Error: Could not process rule: Device or resource busy
> delete set filter M_TestMasterSet
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> t3.nft:7:1-33: Error: Could not process rule: Device or resource busy
> delete set filter S_TestSlaveSet
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> arturo@endurance:~ 1 $ sudo nft list ruleset
> table ip filter {
> 	map J_TestMap {
> 		type ipv4_addr : verdict
> 		flags interval
> 		elements = { 172.21.138.0/29 : jump C_TestChain, 172.21.138.8/29 : jump C_TestChain,
> 			     172.21.138.16/28 : jump C_TestChain, 172.21.138.32/29 : jump C_TestChain }
> 	}
>
> 	set M_TestMasterSet {
> 		type ipv4_addr
> 		flags interval
> 		elements = { 172.21.138.0/29 }
> 	}
>
> 	set S_TestSlaveSet {
> 		type ipv4_addr
> 		flags interval
> 		elements = { 172.21.138.8/29, 172.21.138.16/28,
> 			     172.21.138.32/29 }
> 	}
>
> 	chain FORWARD {
> 		type filter hook forward priority 0; policy accept;
> 	}
>
> 	chain vpn_master {
> 		ip saddr vmap @J_TestMap
> 	}
>
> 	chain C_TestChain {
> 		ip saddr @M_TestMasterSet ip daddr @M_TestMasterSet accept
> 		ip saddr @M_TestMasterSet ip daddr @S_TestSlaveSet accept
> 		ip saddr @S_TestSlaveSet ip daddr @M_TestMasterSet accept
> 	}
> }
>
>
>

