<html>
<head>
<base href="https://bugzilla.netfilter.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - nf_tables writers starve readers"
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1693">1693</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>nf_tables writers starve readers
</td>
</tr>
<tr>
<th>Product</th>
<td>nftables
</td>
</tr>
<tr>
<th>Version</th>
<td>unspecified
</td>
</tr>
<tr>
<th>Hardware</th>
<td>x86_64
</td>
</tr>
<tr>
<th>OS</th>
<td>All
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>enhancement
</td>
</tr>
<tr>
<th>Priority</th>
<td>P5
</td>
</tr>
<tr>
<th>Component</th>
<td>kernel
</td>
</tr>
<tr>
<th>Assignee</th>
<td>pablo@netfilter.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>phil@nwl.cc
</td>
</tr></table>
<p>
<div>
<pre>If the kernel's ruleset is modified, all processes currently fetching (parts of)
the ruleset receive EINTR. Current (v1.0.7 at least) nftables tool reacts to
this signal by dropping anything fetched so far and restarting.
Given a sufficiently large ruleset and a sufficiently small modification
interval, an nftables process trying to list the ruleset will block forever.
Here's a simple reproducer:
| # init
| iptables-nft -N foo
| (
| echo "*filter";
| for ((i = 0; i < 100000; i++)); do
| echo "-A foo -m comment --comment \"rule $i\" -j ACCEPT"
| done
| echo "COMMIT"
| ) | iptables-nft-restore --noflush
|
| # flood
| while true; do
| iptables-nft -A foo -j ACCEPT
| iptables-nft -D foo -j ACCEPT
| done
This should pretty reliably starve calls to 'nft list ruleset'. Depending on
the system, one might even insert 'sleep' calls into the "flood"-loop.</pre>
</div>
</p>
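<div>
<p>The starvation the report describes, modelled as an added Python example (this is not nftables or kernel code): a fake kernel with a generation counter that answers a dump with EINTR once the ruleset has changed, a reader that drops everything and restarts like nft v1.0.7, and a bounded-restart variant that reports an error instead of spinning. The tick clock, the FakeKernel class, the rule strings and the interval numbers are all constructed here.</p>

```python
"""Added model of the nf_tables dump / ruleset-change interaction from the
report above. Nothing here is nftables or kernel code: FakeKernel, the tick
clock and every number below are constructed for illustration."""


class FakeKernel:
    """A ruleset plus a generation counter. Each commit bumps the generation;
    a dump that started under an older generation is answered with EINTR,
    which is the kernel behaviour the report describes."""

    def __init__(self, rules, commit_every):
        self.rules = list(rules)
        self.generation = 0
        self.commit_every = commit_every  # constructed: ticks between commits
        self.tick = 0

    def advance(self):
        """One tick of time; the periodic writer commits on its schedule."""
        self.tick += 1
        if self.commit_every and self.tick % self.commit_every == 0:
            self.generation += 1

    def dump_chunk(self, start_gen, offset, size):
        """Return the next slice of the ruleset, or raise InterruptedError
        (Python's EINTR) if the ruleset changed since the dump started."""
        self.advance()
        if self.generation != start_gen:
            raise InterruptedError("ruleset changed during dump")
        return self.rules[offset:offset + size]


def list_ruleset(kernel, chunk_size, max_restarts=None, tick_budget=10_000):
    """Fetch the whole ruleset as the report says nft v1.0.7 does: on EINTR,
    drop everything fetched so far and start over.  max_restarts=None is that
    unbounded loop; a finite value fails after that many restarts instead of
    hanging.  tick_budget stands in for a wall-clock timeout so the unbounded
    loop can be observed starving.  Returns (rules, restarts)."""
    restarts = 0
    while True:
        if kernel.tick > tick_budget:
            raise TimeoutError(f"reader starved after {restarts} restarts")
        start_gen = kernel.generation
        fetched = []
        try:
            for offset in range(0, len(kernel.rules), chunk_size):
                fetched.extend(kernel.dump_chunk(start_gen, offset, chunk_size))
            return fetched, restarts
        except InterruptedError:
            restarts += 1
            if max_restarts is not None and restarts > max_restarts:
                raise RuntimeError(
                    f"gave up after {max_restarts} restarts") from None


def outcome(n_rules, chunk_size, commit_every, max_restarts=None):
    """Run one scenario and classify it: 'ok', 'starved' (unbounded restart
    loop never finishes) or 'gave up' (bounded variant reported an error)."""
    # Constructed ruleset, mirroring the reproducer's '-m comment' rules.
    kernel = FakeKernel([f"rule {i}" for i in range(n_rules)], commit_every)
    try:
        rules, _ = list_ruleset(kernel, chunk_size, max_restarts)
    except TimeoutError:
        return "starved"
    except RuntimeError:
        return "gave up"
    return "ok" if rules == kernel.rules else "corrupt"


if __name__ == "__main__":
    # Five chunks per dump: a commit every 3 ticks always lands inside a dump,
    # while a commit every 10 ticks leaves room for the dump to finish.
    print("slow writer, unbounded restarts:", outcome(100, 20, 10))
    print("flood writer, unbounded restarts:", outcome(100, 20, 3))
    print("flood writer, 10 restarts max:   ", outcome(100, 20, 3, 10))
```

<p>The model makes the condition in the report explicit: once the writer's interval is shorter than the time one full dump takes, a reader that restarts from scratch on every EINTR can never observe a stable generation, and only an external timeout or a restart cap turns the hang into a reportable error.</p>
</div>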
</body>
</html>