-
Notifications
You must be signed in to change notification settings - Fork 138
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Receive: netlink receive: recvmsg: no buffer space available #103
Comments
@mdlayher any thoughts? |
Unfortunately I don't have any more info. I've never run into this error in my work and only chose to implement the option because it appeared in a list in the man pages. |
Ok thanks, I'll see if I can capture and minify a repro for this. I assume without that there's basically nothing to look at 😄 I am running my code on two different Debian releases, 10 and sid, and see the error frequently on both. (I've modified my calling code to consider |
I took a look at the mailing list thread you mentioned above and it seems to indicate that userspace cannot keep up with the kernel's messages. When I wrote my netlink code, simplicity and correctness were the primary goals. I know there are some outstanding work items related to OS thread locking and etc that can slow things down, but since I haven't run into them in my use cases, it's low priority work for me. You could try |
That's the part that I don't really understand--it makes sense to fall behind when processing individual packets in userspace as the thread indicates, but I'm just sending ~100 rules to the kernel in one batch and waiting for an ACK batch back. It seems like it should be hard to fall behind on that? I suppose it's related to how the ACK includes handles for rules that are created.
This is the case already: Lines 92 to 98 in 26bcabf
true for me.
Here's a super simplified reproduction that just puts a bunch of On my laptop it reaches ENOBUFS at 138
Does it make sense that this library is unable to acknowledge 150
|
Thanks for the repro program. On my machine, it prints:
My guess would be that due to the I’m not yet sure what the best way to fix this is:
|
Seems reasonable to me. |
Thanks for looking into the netdev source. Since we're dealing with the kernel I suppose it makes sense that packets would get dropped instead of buffered when using I found the specific message for adding rules and noticed that it has both ECHO and ACK flags masked in: Line 132 in 7127d9d
So I decided to do a little bit of testing with the above
Then I adjusted the repro to include 8 verdicts per rule,
So it seems like ACK isn't the only problem, especially as rule complexity is increased. ECHO is a larger contributor towards read buffer space. Frustratingly, I've noticed this unrelated work that depends on the ECHO responses: #88 Maybe there's need for configurability if the masking is being changed? So folks that want ECHO on each frame can keep it. I only care about knowing if the whole batch was accepted as a unit. (I also toyed with adding calls like |
Thanks for the details! How does the |
When using When using
I don't fully understand when In summary, nft(8) doesn't handle this error at all, but it doesn't use ACK or ECHO by default either, so it generally avoids the issue overall. |
Thanks for the details! Sounds like removing the ACK and ECHO flags is the best choice to make, then. Is there any downside to that I’m not seeing? Would you be interested in sending a PR that removes them? |
I'm closing this as stale. I ignore the error in my program and have had no further issues since then. |
Hello, I've been using this library to repeatedly 'replace' a table with ~50 rules, and one thing I've noticed is that certain patterns seem to trigger this cryptic message:
Receive: netlink receive: recvmsg: no buffer space available
The cryptic part is that it doesn't seem related to the overall size of the table, but rather the presence of certain rules (jumps, etc).
Even so, the flush seems to take effect anyway; the changes are reflected in the kernel after receiving the message.
I found some info on ENOBUFS here: https://netfilter.vger.kernel.narkive.com/cwzlgk8d/why-no-buffer-space-available and noticed that the golang netlink library has an option exposed to help the error: https://github.com/mdlayher/netlink/blob/c5f8ab79aa345dcfcf7f14d746659ca1b80a0ecc/conn.go#L437
I patched my local checkout of google/nftables/conn.go to include this line:
after:
and it seems to fix the error.. I don't know enough at this point to understand the implications of using that option, or why it might not be desired, so I decided to start with a ticket instead of a PR.
Has anyone else seen this message?
The text was updated successfully, but these errors were encountered: