<html>
    <head>
      <base href="https://bugzilla.netfilter.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link bz_status_NEW"
   title="NEW - nft stalls on EGAIN upon repeatedly flushing and populating a set"
   href="https://bugzilla.netfilter.org/show_bug.cgi?id=1392">1392</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>nft stalls on EGAIN upon repeatedly flushing and populating a set
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>nftables
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>x86_64
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Gentoo
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P5
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>nft
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>pablo@netfilter.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>kfm@plushkava.net
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Created <span class=""><a href="attachment.cgi?id=580" name="attach_580" title="bash script that reproduces the issue filed">attachment 580</a></span>
bash script that reproduces the issue filed

Recently, I was assisting somebody in the course of adjusting some scripts that
generate an ipset consisting of IPv6 bogons, so as to use native nftables sets.
While testing on my own machine, I found that nft appeared to sporadically
hang.

Upon further investigation, I found that the process - which entails one
"flush" and one "add element" command - was being carried out rapidly at first,
only to encounter difficulties if repeated without flushing and recomposing the
underlying table entirely. The attached script acts as a reproducer. Here is
some sample output from my machine:

  [0]: Iteration #1
  [1]: Iteration #2
  [429]: Iteration #3
  [845]: Iteration #4

This means that the set was populated in a second or less (good), only to take
approximately 428 seconds on the second attempt (very bad). A single CPU core
is pegged throughout the second - and all subsequent - iterations. Some casual
stracing implies that there is some issue communicating with netlink. An EAGAIN
occurs, followed by a long stall.

Also, at one point, the following error appeared in my terminal, though I have
not been able to reproduce it:

  netlink: Error: Could not process rule: No space left on device

This machine is using the following components:

  Linux 5.4.6
  glibc-2.29
  libmnl-1.0.4
  libnfnetlink-1.0.1
  libnftnl-1.1.5
  nftables-0.9.3

My expectation is that repeated adjustment of the set be as efficient as it is
upon the first population, and that the overall reliability is commensurate
with that of ipset.</pre>
        </div>
      </p>
    </body>
</html>