Circling back on this as I never heard back.

Looks like there is a hardcoding of "comment" limit to 127 characters and also there cannot be multiple comment lines? Any reason for this very small limit? Could this be removed please? I'm using comments for specific security references.

Here's an NFT config you can use to reproduce this bug (I don't consider 127 char limit a feature):

table inet filter {
        chain input {
                type filter hook input priority 0; policy drop;

                # accept any localhost traffic
                iif lo accept

                # accept traffic originated from us
                ct state established,related accept

                # accept neighbour discovery otherwise IPv6 connectivity breaks
                icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
        }

        chain root0 {
                comment "version: KM3Xi-8BOkAvcGxhY2VyL3Byb2QvaG9tZS9zZWNvcHMtbmV0LWFjbC1wbGFjZXIvc25hcHNob3RzL3BhcnRpdGlvbj1zc2QvQgYIzMr7nQZKBgj9y_udBlIGCL7L-50GWgYIzMr7nQZqBgjpzvudBnIGCPXP-50GegYIy7v7nQaCAQYIuM37nQaKAQYIps_7nQaSAQYI58j7nQY="
                comment "Policy name: host"
                comment "Restrictions enabled"
        }

---- error

root@nf:~# nft -f verb.nft
verb.nft:16:17-235: Error: comment too long, 128 characters maximum allowed
comment "version: KM3Xi-8BOkAvcGxhY2VyL3Byb2QvaG9tZS9zZWNvcHMtbmV0LWFjbC1wbGFjZXIvc25hcHNob3RzL3BhcnRpdGlvbj1zc2QvQgYIzMr7nQZKBgj9y_udBlIGCL7L-50GWgYIzMr7nQZqBgjpzvudBnIGCPXP-50GegYIy7v7nQaCAQYIuM37nQaKAQYIps_7nQaSAQYI58j7nQY="
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
verb.nft:18:9-38: Error: You can only specify this once. This statement is duplicated.
comment "Restrictions enabled"
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
verb.nft:20:1-1: Error: syntax error, unexpected end of file
}
^

On Thu, Dec 23, 2021 at 3:10 AM Gio <gioflux@xxxxxxxxx> wrote:
>
> I'm writing a script that converts firewall policies from one platform
> format to .nft format to use inside VMs.
>
> During conversion of data from one format to another I need to
> consider maximum character limits in fields like comments, chain
> names, etc.
>
> I have not been able to find a central place documenting the maximum
> character limits for certain fields, the only reference I found so far
> "Set names must be 16 characters or less" from
> https://wiki.nftables.org/wiki-nftables/index.php/Sets
>
> Are there any better places or could someone help fill in the blanks
> for me, for example are there any limits on how long of a string
> `comment` may be?
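
Added example, not part of the thread and not nftables code: a pre-flight check a converter script could run on generated .nft text to catch the two rejections shown in the error output above (over-long comment, repeated block-level `comment`) before calling `nft -f`. The names `lint_comments`, `MAX_COMMENT_LEN` and `SAMPLE` are hypothetical, and the 127 default is an assumption taken as the lower of the two figures in the thread.

```python
import re

# Assumption: 127 is the lower of the two figures in the thread (the poster
# says 127, nft's error text says 128), so output passes under either.
MAX_COMMENT_LEN = 127
# Tokens: quoted string, brace, statement separator, '#' remark, bare word.
TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|([{}])|(\n|;)|#[^\n]*|([^\s{};"#]+)')
# Constructed sample (not the poster's file): one rule comment, which is
# fine, then an over-long and a repeated block-level comment in one chain.
SAMPLE = (
    'table inet filter {\n'
    '  chain input {\n'
    '    iif lo accept comment "loopback"\n'
    '  }\n'
    '  chain root0 {\n'
    '    comment "version: ' + "A" * 200 + '"\n'
    '    comment "Policy name: host"\n'
    '  }\n'
    '}\n'
)

def lint_comments(text, max_len=MAX_COMMENT_LEN):
    """Return (line, message) pairs for comments the thread shows nft rejecting."""
    findings, scopes, line = [], [0], 1   # scopes: block comments per open '{'
    at_start, pending = True, None        # pending: was 'comment' at statement start?
    for m in TOKEN.finditer(text):
        string, brace, sep, word = m.groups()
        if string is not None:
            if pending is not None and len(string) > max_len:
                findings.append((line, f"comment is {len(string)} chars, limit {max_len}"))
            if pending:                   # block-level comment: one per block
                scopes[-1] += 1
                if scopes[-1] > 1:
                    findings.append((line, "duplicate comment statement in block"))
            at_start, pending = False, None
        elif brace == "{":
            scopes.append(0)
            at_start, pending = True, None
        elif brace == "}":
            if len(scopes) > 1:
                scopes.pop()
            at_start, pending = False, None
        elif sep:
            line += sep == "\n"
            at_start, pending = True, None
        elif word:
            pending = at_start if word == "comment" else None
            at_start = False
    return findings
```

Only a `comment` that opens a statement counts toward the one-per-block check, so comments at the end of separate rules in the same chain are not reported as duplicates.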