Here's what I've done. Wrote a python script to generate a sh script:
#!/bin/sh
CHAIN='inet fw4 input'
nft -a -e add rule $CHAIN 'ip6 saddr { \
2000:0:0:0::/64, 2000:1:1:1::/64, 2000:2:2:2::/64, 2000:3:3:3::/64, 2000:4:4:4::/64, 2000:5:5:5::/64, 2000:6:6:6::/64, 2000:7:7:7::/64, \
2000:8:8:8::/64, 2000:9:9:9::/64, 2000:a:a:a::/64, 2000:b:b:b::/64, 2000:c:c:c::/64, 2000:d:d:d::/64, 2000:e:e:e::/64, 2000:f:f:f::/64, \
... for 512 addresses, 8 per script line ... \
2000:1f8:1f8:1f8::/64, 2000:1f9:1f9:1f9::/64, 2000:1fa:1fa:1fa::/64, 2000:1fb:1fb:1fb::/64, 2000:1fc:1fc:1fc::/64, 2000:1fd:1fd:1fd::/64, 2000:1fe:1fe:1fe::/64, 2000:1ff:1ff:1ff::/64, \
} ct state new accept comment "TOO MANY"'
echo "nft delete rule $CHAIN handle n"
Run that on OpenWrt 22.03 Linux kernel 5.10.146, nftables v1.0.2 (Lester Gooch), libnftnl11 - 1.2.1-2. Works just fine for me, no errors apparent and 'nft list ruleset' shows everything I'd expect.
Went to my Fedora 37 box, kernel 6.1.5, nftables v1.0.4 (Lester Gooch #3), libnftnl.x86_64 1.2.2-2.fc37@fedora. Same story, everything works fine there. (Chain used was 'inet firewalld filter_INPUT'.)
It becomes a bigger mystery, maybe old libraries for netfilter somewhere?
------- Original Message -------
On Saturday, January 14th, 2023 at 23:09, Gio <gioflux@xxxxxxxxx> wrote:
> 309 IPv6 elements inside the anonymous set. The rule looked like:
>
> ip6 saddr { ---list of 309 /64 IPv6 ranges separated by commas } ct
> state new accept
>
> Rule was formatted inside a chain; then referenced in the base chain
> using "jump". Only after I replaced all 309 IPv6 items with a single
> IPv6 term for testing did the rule load without an error using "nft -f
> rule.nft" command.
>
> I could share the rule.nft file privately over email if someone would
> like to try to reproduce the error on their end.
>
> On Sat, Jan 14, 2023 at 11:37 AM Eric evil.function@xxxxxxxxx wrote:
>
> > Gio,
> >
> > Just out of curiosity, how many elements did you have? I just dug through the code, I think this is the right spot: https://git.netfilter.org/nftables/tree/src/evaluate.c#n2356 and it looks like only a lower bound (no empty sets) is enforced on anonymous sets.
> >
> > I then created a rule with ~540 IPv4 elements and another with 375 IPv6 elements (strange numbers because I already had a script with a bunch of IPs in it), and it created the rules just fine.
> >
> > Eric
> >
> > ------- Original Message -------
> > On Friday, January 13th, 2023 at 21:05, Gio gioflux@xxxxxxxxx wrote:
> >
> > > thank you! this got me going into the right direction.
> > >
> > > It appears that I had too many IPv6 addresses inside an anonymous Set
> > > - I wasn't aware there was a limit of how many elements could be
> > > within a set (inside curly brackets)?
> > >
> > > There is no mention of a limit of how many in
> > > https://wiki.nftables.org/wiki-nftables/index.php/Sets - unless I
> > > missed something.
> > >
> > > On Fri, Jan 13, 2023 at 11:14 AM Eric evil.function@xxxxxxxxx wrote:
> > >
> > > > Off the top of my head, --echo and --debug all will increase the quantity of output (the latter quite a lot).
> > > >
> > > > Eric
> > > >
> > > > ------- Original Message -------
> > > > On Thursday, January 12th, 2023 at 23:05, Gio gioflux@xxxxxxxxx wrote:
> > > >
> > > > > Hi,
> > > > > I have a relatively small config.nft file with ~220 lines that I am
> > > > > trying to load onto my system. When I do this I get the below error
> > > > > message.
> > > > >
> > > > > The ruleset is very small, so I don't expect this to be a buffer
> > > > > issue. Are there any recommended troubleshooting steps or perhaps a
> > > > > way to load the file in a more verbose way to see in which line of the
> > > > > config.nft file this error is triggered?
> > > > >
> > > > > Thanks.
> > > > >
> > > > > root@nf:~/nftables-geoip# nft -f noverbose.nft
> > > > > netlink: Error: Could not process rule: Message too long
> > > > > root@nf:~/nftables-geoip# wc -l noverbose.nft
> > > > > 221 noverbose.nft
