2173801 – nft memory leak and OOM

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2173801 - nft memory leak and OOM

Summary: nft memory leak and OOM

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat Enterprise Linux 9
Classification:	Red Hat
Component:	nftables
Sub Component:
Version:	9.2
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Phil Sutter
QA Contact:	qe-baseos-daemons
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2023-02-28 01:35 UTC by Jonathan Maxwell
Modified:	2023-03-07 16:15 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2023-03-07 16:15:38 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	RHELPLAN-149976	0	None	None	None	2023-02-28 01:37:01 UTC

Internal Links: 2173764

Description Jonathan Maxwell 2023-02-28 01:35:40 UTC

Description of problem:

After running:

for a in {1..35000}
do
	echo table: $a
	nft add table inet t$a 
}
done

# nft list ruleset

crashes with an OOM:

[  439.325304] oom-kill:constraint=CONSTRAINT_NONE,nodemask=(null),cpuset=/,mems_allowed=0,global_oom,task_memcg=/user.slice/user-0.slice/session-3.scope,task=nft,pid=36764,uid=0
[  439.327470] Out of memory: Killed process 36764 (nft) total-vm:7576616kB, anon-rss:3475380kB, file-rss:4kB, shmem-rss:0kB, UID:0 pgtables:14864kB oom_score_adj:0

Version-Release number of selected component (if applicable):

RHEL 9.2
nftables-1.0.4-10.el9_1.x86_64

How reproducible:

Always.

Actual results:

Adding 35K tables results in nft command crash due to OOM.

Expected results:

No OOM.

Additional info:

Likely a memory leak in nft.

Comment 1 Phil Sutter 2023-03-03 18:42:43 UTC

Creating 35000 tables in one go (much quicker than individual calls) like so:

for ((i=0;i<35000;i++)); do echo "add table inet t$i"; done | nft -f -

takes 27s and the running nft command uses 17.2GB of RES memory at most.

Listing is a tad more expensive, 'nft list ruleset' eats at most 17.4GB RES
memory.

These numbers are identical with nft from RHEL9.2 and upstream.

Trying to compare this against iptables-nft:

# time ((echo '*filter'; for ((i=0;i<35000;i++)); do echo ":c$i - [0:0]"; done; echo 'COMMIT') | iptables-restore)

real	0m0.280s
user	0m0.261s
sys	0m0.116s

# iptables-save | wc -l
35007

# time iptables-save >/dev/null

real	0m0.176s
user	0m0.067s
sys	0m0.108s

# time iptables -X

real	0m0.171s
user	0m0.033s
sys	0m0.132s

The comparison is unfair though since we can't add tables with iptables (the
few it uses are added implicitly if needed). So adjust the nftables testcase to
only create chains:

# time (for ((i=0;i<35000;i++)); do echo "add chain ip filter c$i"; done | nft -f -)

real	0m0.319s
user	0m0.266s
sys	0m0.107s

# time nft list ruleset | wc -l
105001

real	0m0.173s
user	0m0.070s
sys	0m0.204s

# time nft flush ruleset

real	0m0.013s
user	0m0.001s
sys	0m0.011s

These numbers are much better. This is because nft assumes few tables,
therefore each table object is rather fat in user space. Also when adding a
chain, it fetches all tables from the kernel. This is why adding a chain with
many tables present is slow.

Fixing the latter is a pretty simple change, though adding an excessive amount
of tables is really uncommon and I don't expect this to happen outside of a
crafted test case.

Comment 2 Phil Sutter 2023-03-07 16:15:38 UTC

Closing this for now as there is no memory leak but adding 35k tables is merely
unexpectedly heavy. Feel free to reopen in case you have a valid use-case for a
significant amount of tables. Upstream didn't optimize for that case because it
doesn't know of any.

Note You need to log in before you can comment on or make changes to this bug.