Eric, thank you a lot! Your suggestion solved my issue.
For anyone interested, I will describe this situation in more detail.
My nftables configuration consists of the main file (basically, it
contains all logic and then includes child files which contain only a
single set each). Set-files are written as follows:
table netdev filter {
    set mySet {
        typeof ip saddr
        flags interval
        elements = { lots-of-entries-here, ...,
                     i-had-913-entries-when-problem-happened }
    }
}
As was mentioned by Eric, to work around this issue all you need is to
create "smaller 'add' pieces". Given that, the set-files will look
like this:
add element netdev filter mySet { lots-of-entries-here }
...
add element netdev filter mySet { i-had-913-entries-when-problem-happened }
Also you might want to add this line to the beginning of the file to
ensure your set will be clean of removed entries (i.e. after the set file
was regenerated by a 3rd party script):
flush set netdev filter mySet
On 3/26/23 18:18, Eric wrote:
On Sunday, March 26th, 2023 at 02:46, Serg <seentr@xxxxxxxxxxxx> wrote:
Today I have encountered strange behaviour of the `nft -cf` - I receive
an error message with an exit code 1. The error message is
"internal:0:0-0: Error: Could not process rule: File exists".
My configuration consists of several files and I have found the one that
is causing this error - it is a set with a list of networks in CIDR format.
The file is pretty big - it takes 15K on its own (it does not contain
any rules at all, just a single set).
Hi Serg,
The only reference to "File exists" I could find was in the test linked
below, so maybe that's a starting point.
https://git.netfilter.org/nftables/tree/tests/shell/testcases/sets/0057set_create_fails_0
That leads me to search for NFT_MNL_ACK_MAXSIZE, and into
https://git.netfilter.org/nftables/tree/src/mnl.c
where the mnl_batch_talk function has a socket receive buffer of that
size. It could indeed be that your set contents are just too large and
you need to break it into several smaller "add" pieces???
Eric
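As an added example (not code from the thread or from the nftables project), the script below is one way to regenerate a set-file in the "smaller 'add' pieces" form described above: it emits one "flush set" line followed by "add element" lines of at most N entries each, so a single large "elements = { ... }" batch is never sent. The family/table/set names follow the thread (netdev filter mySet); the CIDR list, the chunk size and the helper names are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Turns a plain list of CIDRs into an nft script made of small
# "add element" batches, preceded by "flush set" so removed
# entries disappear on the next reload.
set -eu

TABLE_FAMILY=netdev   # names taken from the thread
TABLE=filter
SET=mySet

# Constructed sample input: one CIDR per line; blank lines and
# '#' comments are allowed and stripped.
SAMPLE_CIDRS='# constructed sample list
192.0.2.0/24
198.51.100.0/25
198.51.100.128/25

203.0.113.0/24
10.0.0.0/8
'

# gen_set_file CHUNK_SIZE
#   Reads CIDRs on stdin and writes an nft script on stdout:
#   first "flush set ...", then "add element ... { a, b, ... }"
#   lines carrying at most CHUNK_SIZE entries each.
gen_set_file() {
    chunk="$1"
    printf 'flush set %s %s %s\n' "$TABLE_FAMILY" "$TABLE" "$SET"
    sed -e 's/#.*//' -e 's/[[:space:]]//g' | grep -v '^$' |
    awk -v n="$chunk" -v fam="$TABLE_FAMILY" -v tbl="$TABLE" -v set="$SET" '
        {
            # accumulate entries for the current batch
            if (cnt) buf = buf ", " $0; else buf = $0
            cnt++
        }
        cnt == n {
            # batch full: emit it and start a new one
            printf "add element %s %s %s { %s }\n", fam, tbl, set, buf
            buf = ""; cnt = 0
        }
        END {
            # flush a partial trailing batch
            if (cnt) printf "add element %s %s %s { %s }\n", fam, tbl, set, buf
        }'
}

# count_add_lines CHUNK_SIZE
#   Number of "add element" lines produced for the sample list.
count_add_lines() {
    printf '%s' "$SAMPLE_CIDRS" | gen_set_file "$1" | grep -c '^add element'
}

# first_line CHUNK_SIZE / last_line CHUNK_SIZE: convenience accessors
first_line() { printf '%s' "$SAMPLE_CIDRS" | gen_set_file "$1" | sed -n '1p'; }
last_line()  { printf '%s' "$SAMPLE_CIDRS" | gen_set_file "$1" | sed -n '$p'; }

# Typical use (path is an assumption; the file is then included from
# the main ruleset file, which defines the table and set, and checked
# with "nft -cf" on that main file as in the thread):
#   printf '%s' "$SAMPLE_CIDRS" | gen_set_file 200 > /etc/nftables.d/mySet.nft
```

The chunk size is a tuning knob: pick one comfortably below the point where a single batch stops fitting (the thread hit the problem at 913 interval entries), since the error surfaces only at "nft -cf" time rather than when the file is written.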