On Wed, Sep 29, 2021 at 04:06:23PM +0200, Cristian Constantin wrote:
> hi!
>
> suppose new ip addresses are added to an nft set using a message of type:
>
> NFNL_SUBSYS_NFTABLES<<8|NFT_MSG_NEWSETELEM
>
> over netlink sockets; e.g. (from a strace capture):
>
> sendmsg(7, {msg_name={sa_family=AF_NETLINK, nl_pid=0,
> nl_groups=00000000}, msg_namelen=12, msg_iov=[{iov_base=[{{len=20,
> type=NFNL_MSG_BATCH_BEGIN, flags=NLM_F_REQUEST, seq=1112598292,
> pid=2460867}, {nfgen_family=AF_UNSPEC, version=NFNETLINK_V0,
> res_id=htons(10)}, {{len=28732,
> type=NFNL_SUBSYS_NFTABLES<<8|NFT_MSG_NEWSETELEM,
> flags=NLM_F_REQUEST|NLM_F_ACK|NLM_F_CREATE, seq=1112598293,
> pid=2460867}, {nfgen_family=AF_INET, version=NFNETLINK_V0,
> res_id=htons(0), [{{nla_len=13, nla_type=0x2},
> "\x68\x6f\x6e\x65\x79\x6e\x65\x74\x00"}, {{nla_len=8, nla_type=0x4},
> "\x00\x00\x00\x02"}, {{nla_len=11, nla_type=NFNETLINK_V1},
> "\x66\x69\x6c\x74\x65\x72\x00"}, {{nla_len=28676,
> nla_type=NLA_F_NESTED|0x3},
> "\x1c\x00\x01\x80\x0c\x00\x01\x80\x08\x00\x01\x00\x23\x9c\x55\x4b\x0c\x00\x04\x00\x00\x00\x00\x00\x05\x26\x5c\x00\x1c\x00\x02\x80"...}]},
> {{len=20, type=NFNL_MSG_BATCH_END, flags=NLM_F_REQUEST,
> seq=1112598294, pid=2460867}, {nfgen_family=AF_UNSPEC,
> version=NFNETLINK_V0, res_id=htons(10)}], iov_len=28772}],
> msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 28772
>
> what limits the number of ip addresses which can be pushed, using one
> write on the socket to the kernel nft set?
>
> a. the socket write buffer itself
> b. some kind of netlink specific limit; how to detect it automatically?

The upper limit is the maximum netlink message header field, which is 16 bits long.
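An added worked example, not code from this thread or from nftables/libnftnl: it takes the 16-bit attribute length field from the reply as the bound, reproduces the 28-byte per-element encoding visible in the captured bytes (a nested NFTA_LIST_ELEM holding a nested NFTA_SET_ELEM_KEY with a 4-byte NFTA_DATA_VALUE, plus an 8-byte big-endian NFTA_SET_ELEM_TIMEOUT; the outer nla_type NLA_F_NESTED|0x3 is NFTA_SET_ELEM_LIST_ELEMENTS), works out how many such elements one NFT_MSG_NEWSETELEM list attribute can carry before nla_len would wrap, and walks the nested list back to count them with bounds checks. The constants are redefined from linux/netlink.h and linux/netfilter/nf_tables.h so it builds without kernel headers; the 10.x.y.z keys, the scratch buffer and every function name are this example's own, and the captured bytes are only the first element the strace shows.

```c
/* Added example, not from the thread or nftables: bound the element count of one
 * NFT_MSG_NEWSETELEM by the 16-bit nla_len of its nested element list, encode
 * elements the way the capture shows, and parse them back. Attribute headers are
 * in host byte order, as on the netlink wire; values mirror the kernel uapi. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NLA_HDRLEN     4
#define NLA_ALIGN(len) (((len) + 3U) & ~3U)
#define NLA_F_NESTED   0x8000
#define NLA_TYPE_MASK  0x3fff
#define NFTA_SET_ELEM_LIST_ELEMENTS 3  /* nested list of NFTA_LIST_ELEM */
#define NFTA_LIST_ELEM              1
#define NFTA_SET_ELEM_KEY           1  /* nested NFTA_DATA_VALUE */
#define NFTA_SET_ELEM_TIMEOUT       4  /* big-endian u64, milliseconds */
#define NFTA_DATA_VALUE             1

struct nlattr { uint16_t nla_len; uint16_t nla_type; };

/* LIST_ELEM { KEY { DATA_VALUE(4) } TIMEOUT(8) } = 28 bytes, as in the capture. */
static size_t ipv4_elem_len(void)
{
    return NLA_ALIGN(NLA_HDRLEN + (2 * NLA_HDRLEN + 4) + (NLA_HDRLEN + 8));
}

/* Largest element count whose nested list length still fits a 16-bit nla_len. */
static size_t max_elems_per_msg(size_t elem_len)
{
    return (UINT16_MAX - NLA_HDRLEN) / NLA_ALIGN(elem_len);
}

/* NEWSETELEM messages needed to push n elements of that size. */
static size_t msgs_needed(size_t n, size_t elem_len)
{
    size_t per = max_elems_per_msg(elem_len);
    return (n + per - 1) / per;
}

static uint8_t *put_hdr(uint8_t *p, uint16_t len, uint16_t type)
{
    struct nlattr a = { len, type };
    memcpy(p, &a, sizeof a);
    return p + NLA_HDRLEN;
}

/* Build NFTA_SET_ELEM_LIST_ELEMENTS for n IPv4 keys (4 bytes each, network order)
 * sharing one timeout. Returns bytes written, or 0 when n would not fit a 16-bit
 * nla_len (the length would silently wrap) or the buffer is too small. */
static size_t encode_elems(uint8_t *buf, size_t bufsz, const uint8_t *keys,
                           size_t n, uint64_t timeout_ms)
{
    size_t total = NLA_HDRLEN + n * ipv4_elem_len();
    if (n > max_elems_per_msg(ipv4_elem_len()) || total > bufsz)
        return 0;
    uint8_t *p = put_hdr(buf, (uint16_t)total, NLA_F_NESTED | NFTA_SET_ELEM_LIST_ELEMENTS);
    for (size_t i = 0; i < n; i++) {
        p = put_hdr(p, 28, NLA_F_NESTED | NFTA_LIST_ELEM);
        p = put_hdr(p, 12, NLA_F_NESTED | NFTA_SET_ELEM_KEY);
        p = put_hdr(p, 8, NFTA_DATA_VALUE);
        memcpy(p, keys + 4 * i, 4);
        p += 4;
        p = put_hdr(p, 12, NFTA_SET_ELEM_TIMEOUT);
        for (int b = 7; b >= 0; b--)               /* timeout is big-endian */
            *p++ = (uint8_t)(timeout_ms >> (8 * b));
    }
    return total;
}

/* Walk the nested list, checking every nla_len against the enclosing length,
 * and count NFTA_LIST_ELEM entries; -1 on malformed input. */
static long count_elems(const uint8_t *buf, size_t len)
{
    struct nlattr a;
    if (len < NLA_HDRLEN)
        return -1;
    memcpy(&a, buf, sizeof a);
    if (a.nla_len < NLA_HDRLEN || a.nla_len > len ||
        (a.nla_type & NLA_TYPE_MASK) != NFTA_SET_ELEM_LIST_ELEMENTS)
        return -1;
    const uint8_t *p = buf + NLA_HDRLEN, *end = buf + a.nla_len;
    long n = 0;
    while (p < end && (size_t)(end - p) >= NLA_HDRLEN) {
        memcpy(&a, p, sizeof a);
        if (a.nla_len < NLA_HDRLEN || (size_t)(end - p) < a.nla_len)
            return -1;
        if ((a.nla_type & NLA_TYPE_MASK) == NFTA_LIST_ELEM)
            n++;
        p += NLA_ALIGN(a.nla_len);
    }
    return n;
}

static uint8_t scratch[65536];

/* Encode n constructed 10.x.y.z keys into scratch; returns encoded length or 0. */
static size_t roundtrip_len(size_t n)
{
    static uint8_t keys[2400 * 4];
    if (n > sizeof keys / 4)
        return 0;
    for (size_t i = 0; i < n; i++) {
        keys[4 * i] = 10;                   keys[4 * i + 1] = (uint8_t)(i >> 16);
        keys[4 * i + 2] = (uint8_t)(i >> 8); keys[4 * i + 3] = (uint8_t)i;
    }
    return encode_elems(scratch, sizeof scratch, keys, n, 86400000);
}

/* First element exactly as the capture shows it: key 35.156.85.75, timeout 1 day. */
static const uint8_t capture_elem[28] = {
    0x1c, 0x00, 0x01, 0x80, 0x0c, 0x00, 0x01, 0x80, 0x08, 0x00, 0x01, 0x00,
    0x23, 0x9c, 0x55, 0x4b, 0x0c, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x05, 0x26, 0x5c, 0x00 };

/* 1 if the encoder reproduces the captured bytes (little-endian host). */
static int matches_capture(void)
{
    const uint8_t key[4] = { 0x23, 0x9c, 0x55, 0x4b };
    uint8_t buf[64];
    return encode_elems(buf, sizeof buf, key, 1, 86400000) == NLA_HDRLEN + 28 &&
           memcmp(buf + NLA_HDRLEN, capture_elem, 28) == 0;
}

int main(void)
{
    size_t elem = ipv4_elem_len();
    printf("elem=%zu max/msg=%zu msgs(1024)=%zu msgs(5000)=%zu\n", elem,
           max_elems_per_msg(elem), msgs_needed(1024, elem), msgs_needed(5000, elem));
    printf("1024 elems -> nla_len=%zu (capture 28676), parsed=%ld, 2341 refused=%d, match=%d\n",
           roundtrip_len(1024), count_elems(scratch, roundtrip_len(1024)),
           roundtrip_len(2341) == 0, matches_capture());
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run; the 1024-element list comes out at 28676 bytes, the nla_len the capture shows. The bound computed here is on the nested list attribute alone: the enclosing nlmsghdr and the batch begin/end messages in the capture add their own bytes to what one sendmsg writes (28732 for the message, 28772 for the iov), so the socket-buffer question in (a) is a separate limit from the 16-bit one.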