Hi,

I'm trying to migrate an iptables/ip6tables ruleset to nftables.

I've found that the current IFNAMSIZ limitation for set names is annoying, because there are lots of ipset sets which need to move to nftables and cannot be migrated straightforwardly.

Also, the error reporting for this is very poor (reported by the kernel in a generic way).

This example illustrates both issues:

% nft add set inet filter external_services { type ipv4_addr\; }
<cmdline>:1:1-57: Error: Could not process rule: Numerical result out of range
add set inet filter external_services { type ipv4_addr; }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Also, I can't find any documentation apart from the source code itself :-)

I would suggest:
 * also check name lengths in userspace to show a better error message
 * enlarge the set name size

Best regards.

PS: Just updated http://wiki.nftables.org/wiki-nftables/index.php/Sets#Named_sets with info about the name length.

-- 
Arturo Borrero González
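
The userspace length check suggested above, sketched as a pre-flight shell function to run before migrating ipset sets (an added example, not part of the original mail and not nft's own code). It assumes the limit is IFNAMSIZ - 1 = 15 characters and that the input is `ipset save` output; check_set_names, sample_ipset_save and MAX_SET_NAME_LEN are hypothetical names.

```shell
#!/bin/sh
# Added example: pre-flight check of set names before an ipset -> nftables
# migration, so over-long names are reported clearly instead of failing later
# with "Numerical result out of range".
# Assumption: the limit is IFNAMSIZ - 1 = 15 characters (IFNAMSIZ is 16 and
# includes the terminating NUL). Override MAX_SET_NAME_LEN if your kernel differs.
MAX_SET_NAME_LEN="${MAX_SET_NAME_LEN:-15}"

# Reads `ipset save` output on stdin (typical use: ipset save | check_set_names).
# Prints each over-long set name on stdout and a readable diagnostic on stderr;
# returns 1 if any name exceeds the limit, 0 otherwise.
check_set_names() {
    awk -v max="$MAX_SET_NAME_LEN" '
        # Only "create NAME TYPE ..." lines define a set; "add" lines are members.
        $1 == "create" && NF >= 3 {
            if (length($2) > max) {
                printf "error: set name \"%s\" is %d characters, limit is %d\n",
                       $2, length($2), max > "/dev/stderr"
                print $2
                bad = 1
            }
        }
        END { exit bad }
    '
}

# Constructed sample input in `ipset save` format. Only the set name
# external_services comes from the mail; everything else is made up.
sample_ipset_save() {
    cat <<'EOF'
create external_services hash:ip family inet hashsize 1024 maxelem 65536
add external_services 192.0.2.10
create blocklist hash:net family inet hashsize 1024 maxelem 65536
add blocklist 198.51.100.0/24
create fifteen_chars__ hash:ip family inet hashsize 1024 maxelem 65536
EOF
}
```

On the sample input only external_services (17 characters) is reported; the 15-character name sits exactly at the assumed limit and passes.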