Re: [nftables 0.9.2 | kernel 4.19.93] flowtable - number of devices limited (7)?

[ѽ҉ᶬḳ℠ <vtol@xxxxxxx>]

On 19/03/2020 11:33, Pablo Neira Ayuso wrote:
> On Wed, Mar 18, 2020 at 12:37:28PM +0000, ѽ҉ᶬḳ℠ wrote:
> > When exceeding the number of devices > 7 NFT prints:
> >
> > Illegal instruction
> >
> > This does not print the error:
> >
> > flowtable ft             { hook ingress priority 0; devices = {
> > pppoe-wan, lan0, lan1, lan2, lan3, lan4, br-lan }; }
> > flowtable ft             { hook ingress priority 0; devices = {
> > pppoe-wan, lan0, lan1, lan2, lan3, lan4, br-guest }; }
> > flowtable ft             { hook ingress priority 0; devices = {
> > pppoe-wan, lan0, lan1, lan2, lan3, lan4, br-mgt }; }
> > flowtable ft             { hook ingress priority 0; devices = {
> > pppoe-wan, lan0, lan1, lan3, lan4, br-mgt, br-guest }; }
> > flowtable ft             { hook ingress priority 0; devices = {
> > pppoe-wan, lan0, lan1, lan3, br-mgt, br-guest, br-mgt }; }
> >
> > But this prints the error:
> >
> > flowtable ft             { hook ingress priority 0; devices = {
> > pppoe-wan, lan0, lan1, lan2, lan3, lan4, br-lan, br-mgt }; }
> > flowtable ft             { hook ingress priority 0; devices = {
> > pppoe-wan, lan0, lan1, lan2, lan3, lan4, br-guest, br-lan }; }
> > flowtable ft             { hook ingress priority 0; devices = {
> > pppoe-wan, lan0, lan1, lan2, lan3, lan4, br-mgt, br-guest }; }
> Linux kernel >= 5.5 removes this cap, from there on the maximum number
> of devices is 256.

Thanks for the feedback/info.

What I noticed too:

* wildcard device naming (e.g. lan*, br-*) does not work
* nft fails silently to start at boot time if a device stated in the
flowtable rule is not available at the time nft is invoked during boot
process, e.g. pppoe-wan (not uncommon for CPE routers)