* [PATCH nft,v3] mnl: continue on ENOBUFS errors when processing batch
@ 2025-08-26 9:36 Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2025-08-26 9:36 UTC (permalink / raw)
To: netfilter-devel
A user reports that:
nft -f ruleset.nft
fails with:
netlink: Error: Could not process rule: No buffer space available
This was triggered by:
table ip6 fule {
set domestic_ip6 {
type ipv6_addr
flags dynamic,interval
elements = $domestic_ip6
}
chain prerouting {
type filter hook prerouting priority 0;
ip6 daddr @domestic_ip6 counter
}
}
where $domestic_ip6 contains a large number of IPv6 addresses.
This set declaration is not supported currently, because dynamic sets
with intervals are not supported, then every IPv6 address that is added
triggers an error, overrunning the userspace socket buffer with lots of
NLMSG_ERROR messages.
In the particular context of batch processing, ENOBUFS is just an
indication that too many errors have occurred. The kernel cannot store
any more NLMSG_ERROR messages into the userspace socket buffer.
However, there are still NLMSG_ERROR messages in the socket buffer to be
processed that can provide a hint on what is going on.
Instead of breaking on ENOBUFS in batches, continue error processing.
After this patch, the ruleset above displays:
ruleset.nft:2367:7-18: Error: Could not process rule: Operation not supported
set domestic_ip6 {
^^^^^^^^^^^^
ruleset.nft:2367:7-18: Error: Could not process rule: No such file or directory
set domestic_ip6 {
^^^^^^^^^^^^
Fixes: a72315d2bad4 ("src: add rule batching support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
v3: consolidate check, simply skip ENOBUFS for batch.
src/mnl.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/mnl.c b/src/mnl.c
index 6684029606e5..934e5d4e79ee 100644
--- a/src/mnl.c
+++ b/src/mnl.c
@@ -449,7 +449,8 @@ int mnl_batch_talk(struct netlink_ctx *ctx, struct list_head *err_list,
break;
ret = mnl_socket_recvfrom(nl, rcv_buf, sizeof(rcv_buf));
- if (ret == -1)
+ /* ENOBUFS means too many errors, not all errors are displayed. */
+ if (ret == -1 && errno != ENOBUFS)
return -1;
/* Continue on error, make sure we get all acknowledgments */
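Review bot: when the new condition lets the ENOBUFS case fall through, ret is still -1 and rcv_buf holds nothing from this iteration, yet execution proceeds to the "Continue on error" path below with that ret value; unless the code after the hunk is already guarded against a negative length, it is safer to make the skip explicit, e.g. `if (ret == -1) { if (errno != ENOBUFS) return -1; continue; }`, so the loop goes straight back to the next recv and picks up the NLMSG_ERROR messages still queued in the socket buffer, which is the behaviour the commit message describes.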
--
2.30.2