With respect to the 'long' identifiers, is it possible that the code reads
only so much of the 'token', then reads (treats) the rest of it as the next
'token'? I think I encountered something like this recently in something
(but not nftables). If this is the case, it could explain the 'numeric
range' error....

Should the code use a global identifier length so they all have the same
length limit (if it doesn't already)?

N


On Wed, 23 Aug 2017 14:58:23 -0700
Jeff Kletsky <jmk@xxxxxxxxxx> wrote:

> At least working with the HEAD version of nftables v0.7, current library
> versions, and kernel 4.9,
> the limits on identifier length that I have determined empirically (I
> have not examined the code):
>
> * chain, set -- 31 characters
> * table -- (not examined, but *guessing* 31 characters as well)
>
> * define -- limit in excess of 65 characters
>
> The error message when the limit is exceeded for the "in-kernel" chain
> and set identifiers is similar to
>
>     nftables.conf:3:1-14: Error: Could not process rule: Numerical result out of range
>     flush ruleset
>     ^^^^^^^^^^^^^^
>
> where the line identified has nothing to do with the offending identifier
> (it is the first "actionable" statement of the file)
>
> HTH someone else
>
>
> Jeff
>
>
>
> ~/build/nftables$ git log -1
> commit d74eed8c9649e9278b69f2cd0fd92f71e3e19cfb (HEAD -> master, tag: 2017-08-19, origin/master, origin/HEAD)
> Author: Varsha Rao <rvarsha016@xxxxxxxxx>
> Date:   Wed Aug 16 19:48:17 2017 +0530
>
>
> ~/build/libmnl$ git log -1
> commit fbe0f33b45abd585eb9f52cb56d751a750667dc6 (HEAD -> master, tag: 2017-08-19, origin/master, origin/HEAD)
> Author: Guillaume Nault <g.nault@xxxxxxxxxxxx>
> Date:   Wed Aug 3 12:52:34 2016 +0200
>
>
> ~/build/libnftnl$ git log -1
> commit d58998312375de0865091cfc5d00ddd271d9a44c (HEAD -> master, tag: 2017-08-19)
> Author: Eric Leblond <eric@xxxxxxxxx>
> Date:   Thu Jul 6 13:58:27 2017 +0100
>
> (my libnftnl is presently two commits behind origin/master)
>
>
> kernel 4.9.28-38
>
>
>
> $ cat nftables.conf
> #!/usr/sbin/nft -f
>
> flush ruleset
>
> table inet global {
>
>      define identifier123456789212345678931234567894123456789512345678961234. = one
>      define identifier123456789212345678931234567894123456789512345678961234_ = one
>
>
>      chain prerouting12345678921234567893. {
>          type filter hook prerouting priority -175
>      }
>
>      chain prerouting12345678921234567893_ {
>          type filter hook prerouting priority -50
>      }
>
>      set identifier12345678921234567893. {
>          type inet_service
>      }
>
>      set identifier12345678921234567893_ {
>          type inet_service
>      }
>
> }
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
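
Because the error quoted above points at "flush ruleset" rather than at the offending name, a pre-load check can locate the real line. The following is an added example, not part of the original thread and not nftables code; it assumes the 31-character limits reported in the quoted post (the table limit is that poster's guess), and the function name and sample config are constructed for illustration.

```python
import re

# Limits reported empirically in the quoted post (nftables v0.7 HEAD, kernel 4.9).
# The table value is the poster's guess, not a measured limit.
LIMITS = {"chain": 31, "set": 31, "table": 31}

# Matches "chain NAME {", "set NAME {" and "table [FAMILY] NAME {".
DECL = re.compile(
    r"^\s*(?P<kind>table|chain|set)\s+"
    r"(?:(?:ip|ip6|inet|arp|bridge|netdev)\s+)?"
    r"(?P<name>[^\s{]+)\s*\{"
)


def find_long_identifiers(text, limits=LIMITS):
    """Return (line_no, kind, name, length) for each identifier over its limit."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        line = line.split("#", 1)[0]  # drop comments and the shebang line
        match = DECL.match(line)
        if not match:
            continue
        kind, name = match.group("kind"), match.group("name")
        if len(name) > limits[kind]:
            findings.append((line_no, kind, name, len(name)))
    return findings


# Constructed sample modelled on the nftables.conf in the quoted post.
SAMPLE = """\
#!/usr/sbin/nft -f
flush ruleset
table inet global {
    chain prerouting12345678921234567893_ {
        type filter hook prerouting priority -175
    }
    chain prerouting12345678921234567893_x {
        type filter hook prerouting priority -50
    }
    set identifier12345678921234567893_x {
        type inet_service
    }
}
"""

if __name__ == "__main__":
    for line_no, kind, name, length in find_long_identifiers(SAMPLE):
        print(f"line {line_no}: {kind} '{name}' is {length} chars (limit {LIMITS[kind]})")
```

Only block-style declarations ("chain NAME {") are recognised; names created through "add chain ..." commands or through included files are not checked.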