[Bug 1693] New: nf_tables writers starve readers
bugzilla-daemon at netfilter.org
Sun Jul 9 23:33:27 CEST 2023
https://bugzilla.netfilter.org/show_bug.cgi?id=1693
Bug ID: 1693
Summary: nf_tables writers starve readers
Product: nftables
Version: unspecified
Hardware: x86_64
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: kernel
Assignee: pablo at netfilter.org
Reporter: phil at nwl.cc
If the kernel's ruleset is modified, all processes currently fetching (parts of)
the ruleset receive EINTR. The current nftables tool (v1.0.7 at least) reacts to
this by dropping everything fetched so far and restarting from scratch.
Given a sufficiently large ruleset and a sufficiently small modification
interval, an nftables process trying to list the ruleset will block forever.
Here's a simple reproducer:
| # init
| iptables-nft -N foo
| (
|   echo "*filter";
|   for ((i = 0; i < 100000; i++)); do
|     echo "-A foo -m comment --comment \"rule $i\" -j ACCEPT"
|   done
|   echo "COMMIT"
| ) | iptables-nft-restore --noflush
|
| # flood
| while true; do
|   iptables-nft -A foo -j ACCEPT
|   iptables-nft -D foo -j ACCEPT
| done
This should pretty reliably starve calls to 'nft list ruleset'. Depending on
the system, one might even insert 'sleep' calls into the "flood"-loop.
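The starvation condition described above, as an added discrete-time model (not nftables code): a writer commits every write_interval ticks, the reader fetches rules_per_tick rules per tick and, like nft, restarts from zero whenever a commit lands mid-dump. The ruleset size, fetch rate and intervals are constructed, and the max_restarts bound is a hypothetical tool-side mitigation included only to show how a bounded retry turns the hang into a visible error.

```python
# Added model of the starvation described above; not code from nftables.
# Sizes and rates below are constructed to illustrate the mechanism.

def dump_ruleset(rules, rules_per_tick, write_interval, max_ticks,
                 max_restarts=None):
    """Simulate one reader dumping `rules` rules against a periodic writer.

    rules_per_tick: rules the reader fetches per tick.
    write_interval: the writer commits (bumping the ruleset generation)
                    every write_interval ticks; None means no writer.
    max_ticks:      simulation budget.
    max_restarts:   None reproduces nft's unbounded restart behaviour;
                    an integer models a tool that gives up after that
                    many interrupted dumps (a hypothetical mitigation).
    Returns (status, ticks, restarts), status in "done"/"starved"/"gave_up".
    """
    fetched = 0
    restarts = 0
    for tick in range(1, max_ticks + 1):
        fetched += rules_per_tick
        if fetched >= rules:
            return "done", tick, restarts
        # A commit landing while the dump is in progress invalidates it:
        # the kernel reports the dump as interrupted and nft starts over.
        if write_interval is not None and tick % write_interval == 0:
            restarts += 1
            fetched = 0
            if max_restarts is not None and restarts > max_restarts:
                return "gave_up", tick, restarts
    return "starved", max_ticks, restarts


def min_write_interval_to_finish(rules, rules_per_tick):
    """Smallest writer period at which the dump can ever complete: the reader
    needs ceil(rules / rules_per_tick) consecutive ticks without a commit."""
    return -(-rules // rules_per_tick)


if __name__ == "__main__":
    # 100000 rules (as in the reproducer), 1000 fetched per tick -> 100 ticks.
    for interval in (None, 100, 50):
        print(interval, dump_ruleset(100000, 1000, interval, 10000))
    # Bounded retries turn the hang into an error the caller can see.
    print(dump_ruleset(100000, 1000, 50, 10000, max_restarts=3))
    print("writers must commit no more often than every",
          min_write_interval_to_finish(100000, 1000), "ticks")
```

Raising write_interval plays the role of the 'sleep' calls in the flood loop: once the writer's period reaches the reader's full dump time the listing completes, below it the reader never does.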