<html>

    <head>

      <base href="https://bugzilla.netfilter.org/" />

    </head>

    <body><table border="1" cellspacing="0" cellpadding="8">

        <tr>

          <th>Bug ID</th>

          <td><a class="bz_bug_link 

          bz_status_NEW "

   title="NEW - nft -f rules.nft exitcode 1 when file too large"

   href="https://bugzilla.netfilter.org/show_bug.cgi?id=1340">1340</a>

          </td>

        </tr>

        <tr>

          <th>Summary</th>

          <td>nft -f rules.nft exitcode 1 when file too large

          </td>

        </tr>

        <tr>

          <th>Product</th>

          <td>nftables

          </td>

        </tr>

        <tr>

          <th>Version</th>

          <td>unspecified

          </td>

        </tr>

        <tr>

          <th>Hardware</th>

          <td>x86_64

          </td>

        </tr>

        <tr>

          <th>OS</th>

          <td>Gentoo

          </td>

        </tr>

        <tr>

          <th>Status</th>

          <td>NEW

          </td>

        </tr>

        <tr>

          <th>Severity</th>

          <td>major

          </td>

        </tr>

        <tr>

          <th>Priority</th>

          <td>P5

          </td>

        </tr>

        <tr>

          <th>Component</th>

          <td>nft

          </td>

        </tr>

        <tr>

          <th>Assignee</th>

          <td>pablo@netfilter.org

          </td>

        </tr>

        <tr>

          <th>Reporter</th>

          <td>lukeo@partyheld.de

          </td>

        </tr></table>

      <p>

        <div>

        <pre>Using "nftables v0.9.0 (Fearless Fosdick)" on Kernel 4.19.44 on a Gentoo Linux.

I have large IP lists (~15000 entries) across two files I include in my

"rules.nft" via "include "./ip.nft" ". I noticed that my rules are not imported

since nftables-0.8. "nft -f" quits with exit code 1 without error message.

If removing the include directive from the "rules.nft" import works and rules

are applied. 

My rule config is as follows:

        chain c_drops {

                include "./200ips.nft"

                return

        }

The content of 200ips.nft is (times 200):

ip saddr A.B.C.D log prefix "Dropping packet" group 0 drop

I noticed the threshold for my set is 140 IPs, once I go to 141 nft -f crashes.

The last message with --debug all is:

----------------        ------------------

|  0000000020  |        | message length |

| 00017 | R--- |        |  type | flags  |

|  0000000179  |        | sequence number|

|  0000000000  |        |     port ID    |

----------------        ------------------

| 00 00 0a 00  |        |  extra header  |

----------------        ------------------

I am sure it worked when I first time set up the rule set a year ago. I have

checked with "nft list ruleset".

Any help appreciated. 

Cheers Luke</pre>

        </div>

      </p>

      <hr>

      <span>You are receiving this mail because:</span>

      <ul>

          <li>You are watching all bug changes.</li>

      </ul>

    </body>

</html>