On Fri, Apr 07, 2023 at 04:21:57PM -0600, Dave Pifke wrote:
> Prior to this patch, nft inside a systemd-nspawn container was failing
> to install my ruleset (which includes a large-ish map), with the error
>
>   netlink: Error: Could not process rule: Message too long
>
> strace reveals:
>
>   setsockopt(3, SOL_SOCKET, SO_SNDBUFFORCE, [524288], 4) = -1 EPERM (Operation not permitted)
>
> This is despite the nspawn process supposedly having CAP_NET_ADMIN,
> and despite /proc/sys/net/core/wmem_max (in the main host namespace)
> being set larger than the requested size:
>
>   net.core.wmem_max = 16777216
>
> A web search reveals at least one other user having the same issue:
>
>   https://old.reddit.com/r/Proxmox/comments/scnoav/lxc_container_debian_11_nftables_geoblocking/
>
> After this patch, nft succeeds.

Patch LGTM.

May I add your Signed-off-by: tag to this patch before applying it?

Thanks.