309 IPv6 elements inside the anonymous set. The rule looked like:

ip6 saddr { ---list of 309 /64 IPv6 ranges separated by commas } ct state new accept

The rule was formatted inside a chain, then referenced in the base chain using "jump".

Only after I replaced all 309 IPv6 items with a single IPv6 term for testing did the rule load without an error using the "nft -f rule.nft" command.

I could share the rule.nft file privately over email if someone would like to try to reproduce the error on their end.

On Sat, Jan 14, 2023 at 11:37 AM Eric <evil.function@xxxxxxxxx> wrote:
>
> Gio,
>
> Just out of curiosity, how many elements did you have? I just dug through the code, I think this is the right spot: https://git.netfilter.org/nftables/tree/src/evaluate.c#n2356 and it looks like only a lower bound (no empty sets) is enforced on anonymous sets.
>
> I then created a rule with ~540 IPv4 elements and another with 375 IPv6 elements (strange numbers because I already had a script with a bunch of IPs in it), and it created the rules just fine.
>
> Eric
>
> ------- Original Message -------
> On Friday, January 13th, 2023 at 21:05, Gio <gioflux@xxxxxxxxx> wrote:
>
> > Thank you! This got me going in the right direction.
> >
> > It appears that I had too many IPv6 addresses inside an anonymous set
> > - I wasn't aware there was a limit on how many elements could be
> > within a set (inside curly brackets)?
> >
> > There is no mention of a limit on how many in
> > https://wiki.nftables.org/wiki-nftables/index.php/Sets - unless I
> > missed something.
> >
> > On Fri, Jan 13, 2023 at 11:14 AM Eric evil.function@xxxxxxxxx wrote:
> >
> > > Off the top of my head, --echo and --debug all will increase the quantity of output (the latter quite a lot).
> > >
> > > Eric
> > >
> > > ------- Original Message -------
> > > On Thursday, January 12th, 2023 at 23:05, Gio gioflux@xxxxxxxxx wrote:
> > >
> > > > Hi,
> > > > I have a relatively small config.nft file with ~220 lines that I am
> > > > trying to load onto my system. When I do this I get the below error
> > > > message.
> > > >
> > > > The ruleset is very small, so I don't expect this to be a buffer
> > > > issue. Are there any recommended troubleshooting steps or perhaps a
> > > > way to load the file in a more verbose way to see in which line of the
> > > > config.nft file this error is triggered?
> > > >
> > > > Thanks.
> > > >
> > > > root@nf:~/nftables-geoip# nft -f noverbose.nft
> > > > netlink: Error: Could not process rule: Message too long
> > > > root@nf:~/nftables-geoip# wc -l noverbose.nft
> > > > 221 noverbose.nft
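The thread narrows the problem down by hand (309 elements fail, one element loads, Eric's 375 load on his box). The script below is an added example, not code from the thread or from the nftables project, that does the same narrowing automatically: it generates the rule shape Gio describes (an anonymous IPv6 set in a rule inside a regular chain, reached by "jump" from the base chain), loads it with "nft -f" at decreasing sizes, and bisects to the largest element count that still loads. It assumes the failure is monotonic in the element count, uses a hypothetical scratch table name "inet bisect_scratch" so each probe can be deleted afterwards, and fills the set with constructed /64s from the 2001:db8::/32 documentation prefix. It also builds the same allowlist as a named interval set purely for comparison; the thread does not say that form is the fix.

```python
"""Bisect the element count at which an nftables anonymous set stops loading.

Added example for the thread above; not the thread's or nftables' own code.
Assumptions: failure is monotonic in the element count, the table name
"inet bisect_scratch" is free on the test box, and the addresses are
constructed sample data (documentation-prefix /64s).
"""
import ipaddress
import subprocess
import sys
import tempfile
from typing import Callable, List

SCRATCH_TABLE = "inet bisect_scratch"  # hypothetical name used only by this script


def make_ranges(count: int, base: str = "2001:db8::/48") -> List[str]:
    """Constructed sample data: the first `count` /64 subnets of `base`."""
    subnets = ipaddress.IPv6Network(base).subnets(new_prefix=64)
    return [str(next(subnets)) for _ in range(count)]


def _chains(rule: str) -> str:
    # Same layout as in the thread: the rule lives in a regular chain and the
    # base chain jumps to it. Policy accept so a committed probe is harmless.
    return (
        "  chain allowlist {\n"
        f"    {rule}\n"
        "  }\n"
        "  chain input {\n"
        "    type filter hook input priority 0; policy accept;\n"
        "    jump allowlist\n"
        "  }\n"
    )


def anonymous_set_ruleset(ranges: List[str]) -> str:
    """The form that failed in the thread: the element list inline in the rule."""
    rule = "ip6 saddr { " + ", ".join(ranges) + " } ct state new accept"
    return f"table {SCRATCH_TABLE} {{\n" + _chains(rule) + "}\n"


def named_set_ruleset(ranges: List[str]) -> str:
    """Comparison form: the same elements in a named interval set (@allow6)."""
    elems = ", ".join(ranges)
    set_def = (
        "  set allow6 {\n"
        "    type ipv6_addr\n"
        "    flags interval\n"
        f"    elements = {{ {elems} }}\n"
        "  }\n"
    )
    rule = "ip6 saddr @allow6 ct state new accept"
    return f"table {SCRATCH_TABLE} {{\n" + set_def + _chains(rule) + "}\n"


def nft_loads(ruleset: str) -> bool:
    """Real loader: `nft -f` on a temp file, then delete the scratch table so the
    next probe starts clean. Needs nft and root. Any non-zero exit counts as a
    failure (in the thread: 'netlink: Error: Could not process rule: Message too long')."""
    with tempfile.NamedTemporaryFile("w", suffix=".nft") as f:
        f.write(ruleset)
        f.flush()
        proc = subprocess.run(["nft", "-f", f.name], capture_output=True, text=True)
    if proc.returncode != 0:
        print(proc.stderr.strip(), file=sys.stderr)
    # A failed batch is rolled back, so the table may not exist; ignore that error.
    subprocess.run(["nft", "delete", "table"] + SCRATCH_TABLE.split(),
                   capture_output=True, text=True)
    return proc.returncode == 0


def largest_loadable(ranges: List[str], loads: Callable[[str], bool],
                     build: Callable[[List[str]], str] = anonymous_set_ruleset) -> int:
    """Largest N such that build(ranges[:N]) loads, found by binary search on N.
    Assumes monotonicity (if N elements load, fewer do too). Returns 0 when even
    a single element fails; N = 0 is never probed because nft rejects empty sets."""
    lo, hi = 0, len(ranges)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if loads(build(ranges[:mid])):
            lo = mid
        else:
            hi = mid - 1
    return lo


if __name__ == "__main__":
    # Usage (as root): python3 bisect_set.py 400
    n = int(sys.argv[1]) if len(sys.argv) > 1 else 400
    ranges = make_ranges(n)
    for name, build in (("anonymous set", anonymous_set_ruleset),
                        ("named set", named_set_ruleset)):
        print(f"{name}: largest loadable count out of {n} = "
              f"{largest_loadable(ranges, nft_loads, build)}")
```

The loader is kept separate from the search so the same bisection runs against any predicate; for a quick look at what nft is actually sending, the probe command can be changed to "nft --debug=netlink -f FILE", which prints the netlink messages for each rule and set. Running the two forms side by side on the affected box tells you whether the limit follows the element count alone or the inline anonymous-set form specifically.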