netfilter.vger.kernel.org archive mirror
* What happens if the machine runs out of memory while adding new nftables sets atomically?
@ 2024-02-06 10:47 Anton
From: Anton @ 2024-02-06 10:47 UTC (permalink / raw)
  To: netfilter

Hi folks,

While experimenting with adding nftables sets on memory-constrained
devices, I have run into OOM conditions. Currently many embedded
devices such as routers are balancing on the verge of not enough
memory if using nft sets (at least interval sets).

I know that there has been progress on the front of reducing memory
footprint, but it's not yet in the nftables versions supplied by the
distributions, so for now I have to work with the current state of
things.

To be on the safe side, currently my scripts add sets separately from
adding rules and removing sets. I'd like to ask the devs, is it safe
under these conditions to attempt performing all these actions in one
atomic operation? Is the previous firewall configuration guaranteed to be
successfully restored if the operation runs into OOM?


* Re: What happens if the machine runs out of memory while adding new nftables sets atomically?
@ 2024-02-06 11:12 ` Florian Westphal
From: Florian Westphal @ 2024-02-06 11:12 UTC (permalink / raw)
  To: Anton; +Cc: netfilter

Anton <anton.khazan@gmail.com> wrote:
> To be on the safe side, currently my scripts add sets separately from
> adding rules and removing sets. I'd like to ask the devs, is it safe
> under these conditions to attempt performing all these actions in one
> atomic operation? Is previous firewall configuration guaranteed to be
> successfully restored if the operation runs into OOM?

Old config is removed after new transaction went through, not before.


* Re: What happens if the machine runs out of memory while adding new nftables sets atomically?
@ 2024-02-06 12:15   ` Anton
From: Anton @ 2024-02-06 12:15 UTC (permalink / raw)
  To: Florian Westphal; +Cc: netfilter

Thank you. And a follow-up question: is new config guaranteed to be
removed if the operation runs into OOM?

On Tue, Feb 6, 2024 at 1:12 PM Florian Westphal <fw@strlen.de> wrote:
> Old config is removed after new transaction went through, not before.


* Re: What happens if the machine runs out of memory while adding new nftables sets atomically?
@ 2024-02-06 12:15     ` Anton
From: Anton @ 2024-02-06 12:15 UTC (permalink / raw)
  To: Florian Westphal; +Cc: netfilter

(and new sets as well...)

On Tue, Feb 6, 2024 at 2:15 PM Anton <anton.khazan@gmail.com> wrote:
>
> Thank you. And a follow-up question: is new config guaranteed to be
> removed if the operation runs into OOM?
>
> On Tue, Feb 6, 2024 at 1:12 PM Florian Westphal <fw@strlen.de> wrote:
> > Old config is removed after new transaction went through, not before.


* Re: What happens if the machine runs out of memory while adding new nftables sets atomically?
@ 2024-02-06 12:18       ` Florian Westphal
From: Florian Westphal @ 2024-02-06 12:18 UTC (permalink / raw)
  To: Anton; +Cc: Florian Westphal, netfilter

Anton <anton.khazan@gmail.com> wrote:
> > Thank you. And a follow-up question: is new config guaranteed to be
> > removed if the operation runs into OOM?

Yes, all changes are backed out again.

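The single-transaction approach the thread discusses, written out as a script (an added example, not code from the thread or from the nftables project): the new set, the rules that reference it and the removal of the old set go into one `nft -f` batch, so a rejected batch, an OOM failure included, leaves the previous sets and rules in place. The table, set and chain names and the sample elements are hypothetical.

```shell
#!/bin/sh
# Build one nft batch that (1) creates the new set, (2) replaces the rules
# so they reference it, and (3) drops the old set. Because the whole batch
# is a single kernel transaction, step 3 only takes effect if steps 1 and 2
# were accepted; a failure anywhere backs out everything.
# $1 = table, $2 = new set, $3 = old set to drop, rest = elements of new set
build_atomic_batch() {
    table=$1; new_set=$2; old_set=$3; shift 3
    # join the remaining arguments as "a, b, c"
    elems=$(printf '%s, ' "$@"); elems=${elems%, }
    cat <<EOF
add table inet $table
add set inet $table $new_set { type ipv4_addr; flags interval; elements = { $elems }; }
add chain inet $table input { type filter hook input priority 0; policy accept; }
flush chain inet $table input
add rule inet $table input ip saddr @$new_set drop
delete set inet $table $old_set
EOF
}

# Feed the batch to nft on stdin. nft -f either commits the whole batch or
# reports an error and commits nothing, so the exit status tells us which
# ruleset is now live (needs root and the nft binary; not run by the test).
apply_atomic_batch() {
    if build_atomic_batch "$@" | nft -f -; then
        echo "committed: new set and rules live, old set removed"
    else
        echo "rejected (rc=$?): previous ruleset left untouched" >&2
        return 1
    fi
}
```

Running `apply_atomic_batch fw blocklist_v2 blocklist_v1 10.0.0.0/8 192.0.2.0/24` replaces the three separate steps of the original scripts with one atomic operation.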
