[Bug 1340] New: nft -f rules.nft exitcode 1 when file too large
bugzilla-daemon at netfilter.org
Fri May 24 08:58:24 CEST 2019
https://bugzilla.netfilter.org/show_bug.cgi?id=1340
Bug ID: 1340
Summary: nft -f rules.nft exitcode 1 when file too large
Product: nftables
Version: unspecified
Hardware: x86_64
OS: Gentoo
Status: NEW
Severity: major
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: lukeo at partyheld.de
Using "nftables v0.9.0 (Fearless Fosdick)" on kernel 4.19.44 on Gentoo Linux.
I have large IP lists (~15000 entries) across two files, which I include in my
"rules.nft" via `include "./ip.nft"`. I noticed that my rules are not imported
since nftables-0.8: "nft -f" quits with exit code 1 without an error message.
If I remove the include directive from "rules.nft", the import works and the rules
are applied.
My rule config is as follows:
chain c_drops {
include "./200ips.nft"
return
}
The content of 200ips.nft is (times 200):
ip saddr A.B.C.D log prefix "Dropping packet" group 0 drop
I noticed the threshold for my set is 140 IPs; once I go to 141, nft -f crashes.
The last message with --debug all is:
---------------- ------------------
| 0000000020 | | message length |
| 00017 | R--- | | type | flags |
| 0000000179 | | sequence number|
| 0000000000 | | port ID |
---------------- ------------------
| 00 00 0a 00 | | extra header |
---------------- ------------------
I am sure it worked when I first set up the rule set a year ago. I have
checked with "nft list ruleset".
Any help appreciated.
Cheers Luke
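As an added example (not part of the bug report or the nftables project), the following Python generates an include file of the same shape as the reporter's "200ips.nft" from a raw address list, validating and deduplicating entries so a stray malformed line cannot make the whole `nft -f` load fail, and counts the resulting rules so a file can be compared against the 140-rule threshold the reporter observed. It also emits an alternative layout using a named set with a single rule; that the set form sidesteps the problem is an assumption, not something the report states, and the sample addresses and the table name `inet filter` are constructed.

```python
import ipaddress

# Constructed sample list (the reporter's real files hold ~15000 entries).
SAMPLE_IPS = ["192.0.2.1", "198.51.100.7", "192.0.2.1", "203.0.113.0/24",
              "2001:db8::1", "not-an-ip", "# comment line"]

def parse_entries(lines):
    """Validate and deduplicate IPv4 hosts/prefixes.
    Returns (networks, rejected): malformed or non-IPv4 lines are reported
    instead of being written into a file that nft -f would then refuse."""
    seen, rejected = {}, []
    for raw in lines:
        text = raw.strip()
        if not text or text.startswith("#"):
            continue
        try:
            net = ipaddress.ip_network(text, strict=False)
        except ValueError:
            rejected.append(text)
            continue
        if net.version != 4:
            rejected.append(text)
            continue
        seen[net] = None            # dict preserves order, drops duplicates
    return list(seen), rejected

def fmt(net):
    """Single hosts are written bare, as in the report; prefixes keep /len."""
    return str(net.network_address) if net.prefixlen == 32 else str(net)

def per_rule_include(nets):
    """The reporter's layout: one drop rule per address, for
    `include "./200ips.nft"` inside chain c_drops."""
    return "\n".join(
        f'ip saddr {fmt(n)} log prefix "Dropping packet" group 0 drop'
        for n in nets)

def set_based_table(nets, table="inet filter", set_name="blocked"):
    """Assumed alternative: a named set and one rule, so the chain holds a
    single rule regardless of list size (table name is constructed)."""
    elems = ", ".join(fmt(n) for n in nets)
    return "\n".join([
        f"table {table} {{", f"    set {set_name} {{",
        "        type ipv4_addr", "        flags interval",
        f"        elements = {{ {elems} }}", "    }",
        "    chain c_drops {",
        f'        ip saddr @{set_name} log prefix "Dropping packet" group 0 drop',
        "        return", "    }", "}"])

def rule_count(text):
    """Number of `ip saddr` rules a chain would receive from this text."""
    return sum(1 for l in text.splitlines() if l.strip().startswith("ip saddr"))
```

Run `nft -c -f <file>` on the generated output to check it in dry-run mode before loading it.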