Prior to this patch, nft inside a systemd-nspawn container was failing to install my ruleset (which includes a large-ish map), with the error netlink: Error: Could not process rule: Message too long strace reveals: setsockopt(3, SOL_SOCKET, SO_SNDBUFFORCE, [524288], 4) = -1 EPERM (Operation not permitted) This is despite the nspawn process supposedly having CAP_NET_ADMIN, and despite /proc/sys/net/core/wmem_max (in the main host namespace) being set larger than the requested size: net.core.wmem_max = 16777216 A web search reveals at least one other user having the same issue: https://old.reddit.com/r/Proxmox/comments/scnoav/lxc_container_debian_11_nftables_geoblocking/ After this patch, nft succeeds. --- src/mnl.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/mnl.c b/src/mnl.c index 26f943db..ab6750c8 100644 --- a/src/mnl.c +++ b/src/mnl.c @@ -260,6 +260,13 @@ static void mnl_set_sndbuffer(const struct mnl_socket *nl, return; /* Rise sender buffer length to avoid hitting -EMSGSIZE */ + if (setsockopt(mnl_socket_get_fd(nl), SOL_SOCKET, SO_SNDBUF, + &newbuffsiz, sizeof(socklen_t)) == 0) + return; + + /* If the above fails (probably because it exceeds + * /proc/sys/net/core/wmem_max), try again with SO_SNDBUFFORCE. + * This requires CAP_NET_ADMIN. */ if (setsockopt(mnl_socket_get_fd(nl), SOL_SOCKET, SO_SNDBUFFORCE, &newbuffsiz, sizeof(socklen_t)) < 0) return; -- 2.20.1
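Review bot: the new SO_SNDBUF attempt in this hunk makes the SO_SNDBUFFORCE fallback effectively unreachable for the case the comment describes, because the kernel does not fail SO_SNDBUF when the requested value exceeds /proc/sys/net/core/wmem_max; it silently clamps the value to wmem_max (and doubles it for bookkeeping) and returns 0. So `if (setsockopt(..., SO_SNDBUF, ...) == 0) return;` returns early with a buffer that may be far smaller than `newbuffsiz`, and the "probably because it exceeds wmem_max" comment does not match what can actually happen. Suggest either trying SO_SNDBUFFORCE first and falling back to SO_SNDBUF only on EPERM (which is the unprivileged-container case from the commit message), or keeping this order but reading the resulting size back with getsockopt(SO_SNDBUF) and only returning early when it is at least the requested size; in both cases the comment should say that SO_SNDBUF is clamped rather than rejected. Minor: the pre-existing "Rise sender buffer length" comment could read "Raise" while this code is being touched.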