<html>
    <head>
      <base href="https://bugzilla.netfilter.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link bz_status_NEW" title="NEW - nft -f rules.nft exitcode 1 when file too large" href="https://bugzilla.netfilter.org/show_bug.cgi?id=1340">1340</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>nft -f rules.nft exitcode 1 when file too large
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>nftables
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>x86_64
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Gentoo
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>major
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P5
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>nft
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>pablo@netfilter.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>lukeo@partyheld.de
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Using "nftables v0.9.0 (Fearless Fosdick)" on Kernel 4.19.44 on a Gentoo Linux.

I have large IP lists (~15000 entries) across two files I include in my
"rules.nft" via "include "./ip.nft" ". I noticed that my rules are not imported
since nftables-0.8. "nft -f" quits with exit code 1 without an error message.

If I remove the include directive from "rules.nft", the import works and the
rules are applied.

My rule config is as follows:

        chain c_drops {
                include "./200ips.nft"
                return
        }

The content of 200ips.nft is (times 200):
ip saddr A.B.C.D log prefix "Dropping packet" group 0 drop

I noticed the threshold for my set is 140 IPs; once I go to 141, nft -f crashes.

The last message with --debug all is:

----------------        ------------------
|  0000000020  |        | message length |
| 00017 | R--- |        |  type | flags  |
|  0000000179  |        | sequence number|
|  0000000000  |        |     port ID    |
----------------        ------------------
| 00 00 0a 00  |        |  extra header  |
----------------        ------------------

I am sure it worked when I first set up the rule set a year ago. I have
checked with "nft list ruleset".

Any help appreciated.

Cheers Luke</pre>
        </div>
      </p>
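<p>One way to pin down the size threshold the report describes (140 included rules accepted, 141 rejected) without loading anything into the kernel is to generate the include file at a given size, dry-run it with <code>nft -c -f</code>, and bisect. The script below is an added example; it is not part of the bug report and not nftables project code. It assumes <code>nft -c</code> (check mode) is available, wraps the reporter's <code>c_drops</code> chain in an assumed <code>table inet filter</code> because a chain cannot stand alone in a ruleset file, writes the include with an absolute path so it does not depend on the working directory, and uses constructed 10.0.0.0/8 addresses rather than any real list. The checker is injectable, so the bisection can also be exercised against a stand-in that mimics the reported 140/141 boundary.</p>

```python
#!/usr/bin/env python3
"""Generate an nftables ruleset whose chain includes N drop rules, dry-run it
with `nft -c -f`, and bisect for the smallest N the parser rejects.
Added example for bug 1340; all names, the table wrapper and the addresses
are assumptions or constructed values, not taken from the report."""
import shutil
import subprocess
import sys
import tempfile
from pathlib import Path
from typing import Callable, Optional

# Same rule shape as the report, with the address filled in per entry.
RULE_TEMPLATE = 'ip saddr {addr} log prefix "Dropping packet" group 0 drop\n'


def sample_addresses(n: int) -> list:
    """Constructed host addresses 10.0.0.1, 10.0.0.2, ... (private range, no real hosts)."""
    return [f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}" for i in range(1, n + 1)]


def write_ruleset(directory: Path, n: int) -> Path:
    """Write <directory>/200ips.nft with n rules and <directory>/rules.nft that
    includes it inside the reporter's chain; return the path of rules.nft.
    The enclosing `table inet filter` is an assumption (the report shows only the chain)."""
    include = directory / "200ips.nft"
    include.write_text("".join(RULE_TEMPLATE.format(addr=a) for a in sample_addresses(n)))
    rules = directory / "rules.nft"
    rules.write_text(
        "table inet filter {\n"
        "\tchain c_drops {\n"
        f'\t\tinclude "{include}"\n'  # absolute path: independent of the cwd
        "\t\treturn\n"
        "\t}\n"
        "}\n"
    )
    return rules


def nft_check(rules: Path) -> bool:
    """Dry-run the ruleset with `nft -c -f`; True when nft accepts it (exit status 0).
    `-c` only validates, so nothing is committed to the kernel."""
    nft = shutil.which("nft")
    if nft is None:
        raise RuntimeError("nft binary not found; install nftables or pass another checker")
    result = subprocess.run([nft, "-c", "-f", str(rules)], capture_output=True)
    return result.returncode == 0


def find_failure_threshold(checker: Callable[[Path], bool], lo: int = 1, hi: int = 300) -> Optional[int]:
    """Smallest n in [lo, hi] for which checker rejects the ruleset, assuming that
    acceptance is monotonic in n (as the report observes: 140 passes, 141 fails).
    Returns None when every size up to hi is accepted."""
    with tempfile.TemporaryDirectory() as tmp:
        workdir = Path(tmp)
        if checker(write_ruleset(workdir, hi)):
            return None
        if not checker(write_ruleset(workdir, lo)):
            return lo
        # Invariant: lo is accepted, hi is rejected.
        while hi - lo > 1:
            mid = (lo + hi) // 2
            if checker(write_ruleset(workdir, mid)):
                lo = mid
            else:
                hi = mid
        return hi


if __name__ == "__main__":
    upper = int(sys.argv[1]) if len(sys.argv) > 1 else 300
    threshold = find_failure_threshold(nft_check, hi=upper)
    print("all sizes accepted" if threshold is None else f"first rejected size: {threshold}")
```

<p>Run it on a host with nftables installed (for example <code>python3 nft_bisect.py 300</code>); because every probe uses <code>-c</code>, the existing ruleset is never touched, and the printed size is the boundary to quote in the bug alongside the <code>--debug all</code> trace.</p>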
    </body>
</html>