[Bug 1464] New: Trying to populate a set raises a netlink error "Could not process rule: No space left on device"

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Sun Sep 13 03:34:35 CEST 2020


https://bugzilla.netfilter.org/show_bug.cgi?id=1464

            Bug ID: 1464
           Summary: Trying to populate a set raises a netlink error "Could
                    not process rule: No space left on device"
           Product: nftables
           Version: unspecified
          Hardware: x86_64
                OS: Gentoo
            Status: NEW
          Severity: normal
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: kfm at plushkava.net

This bug is somewhat related to bug 1392. As explained there, I was unable to
atomically re-populate a set by issuing a "flush set" command followed by an
"add element" command within the same command stream. Eventually this was
resolved by upgrading to nftables commit 40ef308.

However, in the initial report, I had also mentioned that executing my script
would occasionally result in the following error:-

  netlink: Error: Could not process rule: No space left on device

I had hoped that this issue would never arise again. Unfortunately, today it
has. Whenever it has happened before, flushing the ruleset has always sufficed
as a workaround. For now, I have chosen not to do this because the affected
host is in a state whereby I can reliably reproduce this.

The script in question downloads the IPv4 bogons list from Team Cymru and tries
to populate a specific set. On the last occasion that I ran it, it emptied the
set but failed to add the given elements, before printing the above-mentioned
error. After realising this, I reduced my script to just the part that tries to
populate the set and tried it again. Hence, the test case looks like this:-

  tmpfile=/tmp/tmp.lWZWu0uSkn
  nft -f - <<-EOF
      flush set ip raw bogons
      add element ip raw bogons {
          $(grep -v '^#' "$tmpfile" | paste -d, -s -)
      }
  EOF

The temp file is a copy of the "fullbogons-ipv4.txt" file that I last
downloaded. At this point, I am able to reproduce the error by running the
above code, despite the fact that it has worked correctly for weeks up until
now.

The definition of the set is currently as follows:-

  table ip raw {
    set bogons {
      type ipv4_addr
      flags interval,timeout
      timeout 4h5m
    }
  }

Some components have changed since I last commented on bug 1392. Here is what I
am running now:

  * Linux 5.8.8 (I upgraded from the 5.7 series)
  * nftables commit c156232
  * libnftnl commit 99be0e6

I shall attach the exact command stream, along with some additional
information.
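
The test case above splices the downloaded list straight into the nft command stream with a `$(...)` expansion, so any line that is not an address would be handed to nft verbatim. The following POSIX shell script is an added example, not the reporter's script and not nftables project code: it builds the same "flush set" plus "add element" transaction for a set like the one defined here, but validates every line of the list as an IPv4 prefix first, dry-runs the stream with `nft -c -f -` and only then applies it. The table and set names ("raw", "bogons") are taken from the report; the sample list contents are constructed and are not Team Cymru data.

```shell
#!/bin/sh
# Added example, not the reporter's script: rebuild an interval set from a
# downloaded prefix list, validating every line before it is spliced into
# the nft command stream. Table and set names are parameters (assumed to be
# "raw" and "bogons", as in the report).

cr=$(printf '\r')

# Succeed only if $1 is a dotted-quad IPv4 address with an optional /0-32
# prefix length. Anything else (including nft syntax that might appear in a
# corrupted or tampered download) is rejected before it can reach nft.
is_ipv4_prefix() {
    addr=${1%/*}
    if [ "$addr" != "$1" ]; then
        plen=${1#*/}
        case "$plen" in ''|*[!0-9]*) return 1 ;; esac
        [ "$plen" -le 32 ] || return 1
    fi
    # Only digits and dots may remain; this also keeps glob characters out
    # of the unquoted word split below.
    case "$addr" in ''|*[!0-9.]*) return 1 ;; esac
    oldifs=$IFS; IFS=.
    set -- $addr
    IFS=$oldifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print an nft command stream that replaces the contents of set $3 in table
# "ip $2" with the prefixes listed in file $1, as one transaction. Comment
# and blank lines are skipped; any other line that is not an IPv4 prefix
# aborts with status 1 and prints nothing, so a bad list never half-applies.
build_set_stream() {
    file=$1; table=$2; set_name=$3
    elems=
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%"$cr"}          # tolerate CRLF line endings
        case "$line" in ''|'#'*) continue ;; esac
        if ! is_ipv4_prefix "$line"; then
            echo "build_set_stream: rejected line: $line" >&2
            return 1
        fi
        elems="${elems:+$elems, }$line"
    done < "$file"
    printf 'flush set ip %s %s\n' "$table" "$set_name"
    [ -z "$elems" ] || printf 'add element ip %s %s { %s }\n' "$table" "$set_name" "$elems"
}

# Check the stream with nft's dry-run mode (-c) first, then apply it. Each
# step is a single "nft -f -" invocation, so flush and add stay atomic.
apply_set_stream() {
    stream=$(build_set_stream "$1" "$2" "$3") || return 1
    printf '%s\n' "$stream" | nft -c -f - || return 1
    printf '%s\n' "$stream" | nft -f -
}

# Constructed sample in the layout of a fullbogons-ipv4.txt file (not the
# real list): a comment line, a blank line and three prefixes.
write_sample_list() {
    cat > "$1" <<'EOF'
# constructed sample, not Team Cymru data
0.0.0.0/8
10.0.0.0/8

192.0.2.0/24
EOF
}

# Usage: sh rebuild_set.sh /path/to/fullbogons-ipv4.txt raw bogons
# Applies only when run with three arguments on a host that has nft.
if [ "$#" -eq 3 ] && command -v nft >/dev/null 2>&1; then
    apply_set_stream "$1" "$2" "$3"
fi
```

Because the rejected-line path returns before anything is printed, a validation failure leaves the existing set untouched, which is the behaviour you want when the list is fetched on a timer: the stale bogons stay in force rather than the set being emptied by a flush that is not followed by a successful add.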
