netfilter buglog - Oct 2023 - [Bug 1712] New: Deleting a nft chain immediately after flushing references to it does not always work

https://bugzilla.netfilter.org/show_bug.cgi?id=1712

            Bug ID: 1712
           Summary: Deleting a nft chain immediately after flushing
                    references to it does not always work
           Product: nftables
           Version: unspecified
          Hardware: x86_64
                OS: Ubuntu
            Status: NEW
          Severity: normal
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: cwm at epust.dk

Consider this script:

  #!/bin/bash
  nft flush ruleset
  nft table inet filter
  nft add chain inet filter mychain1
  nft add chain inet filter mychain2
  nft add rule inet filter mychain2 ip daddr vmap { 1.1.1.1 : goto mychain1 }

  nft flush chain inet filter mychain2
  # sleep 1
  nft delete chain inet filter mychain1

Most of the times when I run this script, the last call to nft fails with:

  Error: Could not process rule: Device or resource busy
  delete chain inet filter mychain1

If I uncomment the "sleep 1", it always seems to work.

If I put the flush and delete commands in a file to be executed atomically
(which is what I really want), it does not work either.

I have tried to run it in two different environments with the same result:

* Kernel 5.15.75 nft version 1.0.2 (Windows WSL)
* Kernel 5.15.0 nft version 0.9.3 (Ubuntu)

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20231006/f7cb1e50/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1712

--- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> ---
I run this script with:

while [ 1 ]; do bash test.sh; done

I trigger no error.

I am testing 5.15.135 -stable release.

Please do not that using 'nft' from a shell script. This is discouraged,
use
nft -f instead.

# cat file.nft
flush ruleset
table inet filter
add chain inet filter mychain1
add chain inet filter mychain2
add rule inet filter mychain2 ip daddr vmap { 1.1.1.1 : goto mychain1 }
# nft -f file.nft

I also tested with:

while [ 1 ]; do nft -f test.nft; done

and no spurious error is shown.

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20231006/a0c5c326/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1712

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |WORKSFORME

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20231006/7f483fae/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1712

--- Comment #2 from cwm at epust.dk ---
Thanks for looking into this so quickly!

It is the delete that fails. So your second test should be like this:

# cat file.txt
flush ruleset
table inet filter
add chain inet filter mychain1
add chain inet filter mychain2
add rule inet filter mychain2 ip daddr vmap { 1.1.1.1 : goto mychain1 }
# cat file1.txt
flush chain inet filter mychain2
delete chain inet filter mychain1
# nft -f file.txt
# nft -f file1.txt
file1.txt:2:1-34: Error: Could not process rule: Device or resource busy
delete chain inet filter mychain1
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20231006/6e5d9d40/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1712

cwm at epust.dk changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |cwm at epust.dk

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20231006/d7c1d43e/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1712

Simon G. Trajkovski <neuroarmitage at proton.me> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |neuroarmitage at proton.me

--- Comment #3 from Simon G. Trajkovski <neuroarmitage at proton.me> ---
tested with Fresh 5.15 Stable Kernel and that work fine.

--
banana pi - opensource router with hardware acceleration!

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20231007/f2c83aee/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1712

--- Comment #4 from cwm at epust.dk ---
Ok, I just tried with a Debian 12 with kernel version 6.1.52 and nft version
1.0.6 and there it also worked without issues.

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20231007/19d0b1ff/attachment.html>