It might be included in one of the intervals, which is why grep doesn't see it. Try this:

nft get element inet my_table badips { 198.199.104.80 }

On Thu, Feb 8, 2024 at 5:22 PM Xavier B. <somenxavier@xxxxxxxxxx> wrote:
>
> Hi,
>
> I have an artix instance with nftables there. I have several rules (attached file) but mainly I have a set of ip addresses I want to ban:
>
> table inet my_table {
>
>     set badips {
>         type ipv4_addr
>         flags interval
>         auto-merge
>         elements = { 1.0.147.18 }
>     }
>
>     chain my_input {
>         ...
>         ip saddr @badips drop comment "[nftables] Block ban IP"
>         ...
>     }
>     ...
> }
>
> Until now, when I add some new IP to my badips set, everything is fine, but today it is not:
>
> # nft add element inet my_table badips { 198.199.104.80 }
> # nft list ruleset | grep 198.199.104.80
> #
>
> As you can see, "nft list ruleset | grep 198.199.104.80" produces no output, which means that this IP is not added to the badips set.
>
> So, I suspect nft has a theoretical limit on the number of elements in a set. Is it true? Or not? If it is, what is that limit?
>
> Thanks in advance,
> Xavier
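An added illustration of the point made in the reply, not part of the thread: with `flags interval` and `auto-merge`, nft folds a newly added address into any adjacent or overlapping element, so the literal address can vanish from `nft list ruleset` output while packets from it are still dropped. The script below does offline what `nft get element` does on the box: it parses the `elements = { ... }` block of a `nft list set` listing and reports which interval, if any, covers a given address. Python is used so it runs without nft or root. The listing is constructed for the example; in particular, the idea that 198.199.104.80 was merged into 198.199.104.0/24 is a hypothetical, since the real set contents are not shown in the thread.

```python
"""
Offline membership check for an nftables interval set.

Added example, not from the mailing-list thread. The listing below is a
constructed sample of `nft list set inet my_table badips`; the /24 that
swallows 198.199.104.80 is hypothetical.
"""
import ipaddress
import re

# Constructed sample of `nft list set inet my_table badips` output. The
# address 198.199.104.80 from the thread is assumed to have been auto-merged
# into 198.199.104.0/24, so the literal string is absent from the listing.
SAMPLE_LISTING = """\
table inet my_table {
    set badips {
        type ipv4_addr
        flags interval
        auto-merge
        elements = { 1.0.147.18, 45.33.0.0/16,
                     198.199.104.0/24, 203.0.113.5-203.0.113.20 }
    }
}
"""


def parse_interval_set(listing):
    """Return the set's elements as a list of (first, last) IPv4Address pairs.

    nft prints interval elements in three forms: a single address, a CIDR
    prefix, or an explicit 'a.b.c.d-e.f.g.h' range. All three are handled.
    """
    m = re.search(r"elements\s*=\s*\{(.*?)\}", listing, re.S)
    if not m:
        raise ValueError("no elements block found in listing")
    intervals = []
    for tok in m.group(1).replace("\n", " ").split(","):
        tok = tok.strip()
        if not tok:
            continue
        if "-" in tok:                       # explicit range
            lo, hi = (ipaddress.ip_address(p.strip()) for p in tok.split("-", 1))
        elif "/" in tok:                     # CIDR prefix
            net = ipaddress.ip_network(tok, strict=False)
            lo, hi = net[0], net[-1]
        else:                                # single address
            lo = hi = ipaddress.ip_address(tok)
        intervals.append((lo, hi))
    return intervals


def covering_interval(listing, addr):
    """Return the (lo, hi) interval containing addr, or None if the set
    would not match it. This is what `nft get element` answers on the box."""
    ip = ipaddress.ip_address(addr)
    for lo, hi in parse_interval_set(listing):
        if lo <= ip <= hi:
            return (lo, hi)
    return None


def literal_grep(listing, addr):
    """Mimic `nft list ruleset | grep <addr>`: True only if the exact text
    of the address appears somewhere in the listing."""
    return addr in listing


if __name__ == "__main__":
    for a in ("198.199.104.80", "203.0.113.9", "1.0.147.18", "8.8.8.8"):
        hit = covering_interval(SAMPLE_LISTING, a)
        grep = "hit" if literal_grep(SAMPLE_LISTING, a) else "miss"
        covered = f"covered by {hit[0]}-{hit[1]}" if hit else "not covered"
        print(f"{a}: grep={grep}, set={covered}")
```

The contrast to look at is 198.199.104.80: `literal_grep` misses it, exactly as the `grep` in the question did, while `covering_interval` finds the /24 that contains it. On the real system the equivalent check is the one the reply gives, `nft get element inet my_table badips { 198.199.104.80 }`, and `nft list set inet my_table badips` shows the merged elements that grep was searching through.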