On 08.10, Arturo Borrero Gonzalez wrote:
> Hi,
>
> I'm trying to migrate an iptables/ip6tables ruleset to nftables.
>
> I've found that the current IFNAMSIZ limitation for set names is
> annoying because there are lots of ipset sets which need to move to
> nftables and which cannot do it straightforwardly.
> Also, the error reporting for this is very poor (reported by the
> kernel in a generic way).
>
> This example illustrates both issues:
>
> % nft add set inet filter external_services { type ipv4_addr\; }
> <cmdline>:1:1-57: Error: Could not process rule: Numerical result out of range
> add set inet filter external_services { type ipv4_addr; }
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> Also, I don't find any documentation apart from the source code itself :-)
>
> I would suggest:
> * check name lengths also in userspace to show a better error message

Sure. The root cause is the IMO poorly chosen errno code for nla policy
checks when the size is exceeded. Unfortunately that's something outside
of nf_tables and also something other applications possibly depend on.

> * enlarge set name sizes

Agreed, I think it's a good idea to use 32 as for the other object types.
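The userspace pre-check suggested in the thread, as an added example that is not part of the original mail or of the nftables project: a small POSIX sh wrapper that scans an nft ruleset for `add set` statements and reports any set name that the kernel would reject, before the ruleset is handed to `nft -f`. It assumes (this is not stated in the thread) that the kernel's nla policy for the set name allows IFNAMSIZ - 1 = 15 characters, IFNAMSIZ being 16 including the terminating NUL; adjust `NFT_SET_NAME_MAX` if the limit is raised to 32 as discussed. The sample ruleset is constructed for the example and reuses the 17-character name from the mail.

```shell
#!/bin/sh
# Added example (not from the thread): check nft set names in userspace so
# the operator sees which name is too long instead of the kernel's generic
# "Numerical result out of range" (ERANGE) for an nla policy violation.
# Assumption: NFTA_SET_NAME is capped at IFNAMSIZ - 1 = 15 characters.
NFT_SET_NAME_MAX=15

# check_set_name NAME -> 0 when NAME fits, 1 (with a message on stderr) when not
check_set_name() {
    _name=$1
    _len=${#_name}
    if [ "$_len" -gt "$NFT_SET_NAME_MAX" ]; then
        printf 'Error: set name "%s" is %d characters, limit is %d\n' \
            "$_name" "$_len" "$NFT_SET_NAME_MAX" >&2
        return 1
    fi
    return 0
}

# check_ruleset < FILE -> scans "add set FAMILY TABLE NAME ..." lines on stdin
# and returns the number of names that would be rejected (0 means safe to load)
check_ruleset() {
    _bad=0
    set -f   # no globbing while word-splitting ruleset lines
    while IFS= read -r _line; do
        set -- $_line
        [ "$1" = "add" ] && [ "$2" = "set" ] || continue
        check_set_name "$5" || _bad=$((_bad + 1))
    done
    set +f
    return "$_bad"
}

# Constructed sample ruleset: the 17-character name from the mail plus a valid one
sample_ruleset() {
    cat <<'EOF'
add table inet filter
add set inet filter external_services { type ipv4_addr; }
add set inet filter ext_services { type ipv4_addr; }
EOF
}

# Usage: only load the ruleset if every set name passes the check
# sample_ruleset | check_ruleset && sample_ruleset | nft -f -
```

Running the check over the sample reports `external_services` as 17 characters against a limit of 15 and returns 1, so the `&&` in the usage line stops `nft -f -` from being reached; a ruleset whose names all fit returns 0 and is loaded as usual.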