From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Cristian Constantin <const.crist@googlemail.com>
Cc: netfilter@vger.kernel.org
Subject: Re: upper limit on number of ip addresses in an NFNL_SUBSYS_NFTABLES<<8|NFT_MSG_NEWSETELEM message
Date: Thu, 30 Sep 2021 16:00:44 +0200
Message-ID: <YVXDDF324iNl7gux@salvia>
In-Reply-To: <CANCV4NNc+FETTN5t+qQqSVugJBGAQJebiCHSDX9iHqUvJUtU0w@mail.gmail.com>

On Wed, Sep 29, 2021 at 04:06:23PM +0200, Cristian Constantin wrote:
> hi!
>
> suppose new ip addresses are added to nft set using a message of type:
>
> NFNL_SUBSYS_NFTABLES<<8|NFT_MSG_NEWSETELEM
>
> over netlink sockets; e.g. (from an strace capture):
>
> sendmsg(7, {msg_name={sa_family=AF_NETLINK, nl_pid=0,
> nl_groups=00000000}, msg_namelen=12, msg_iov=[{iov_base=[{{len=20,
> type=NFNL_MSG_BATCH_BEGIN, flags=NLM_F_REQUEST, seq=1112598292,
> pid=2460867}, {nfgen_family=AF_UNSPEC, version=NFNETLINK_V0,
> res_id=htons(10)}, {{len=28732,
> type=NFNL_SUBSYS_NFTABLES<<8|NFT_MSG_NEWSETELEM,
> flags=NLM_F_REQUEST|NLM_F_ACK|NLM_F_CREATE, seq=1112598293,
> pid=2460867}, {nfgen_family=AF_INET, version=NFNETLINK_V0,
> res_id=htons(0), [{{nla_len=13, nla_type=0x2},
> "\x68\x6f\x6e\x65\x79\x6e\x65\x74\x00"}, {{nla_len=8, nla_type=0x4},
> "\x00\x00\x00\x02"}, {{nla_len=11, nla_type=NFNETLINK_V1},
> "\x66\x69\x6c\x74\x65\x72\x00"}, {{nla_len=28676,
> nla_type=NLA_F_NESTED|0x3},
> "\x1c\x00\x01\x80\x0c\x00\x01\x80\x08\x00\x01\x00\x23\x9c\x55\x4b\x0c\x00\x04\x00\x00\x00\x00\x00\x05\x26\x5c\x00\x1c\x00\x02\x80"...}]},
> {{len=20, type=NFNL_MSG_BATCH_END, flags=NLM_F_REQUEST,
> seq=1112598294, pid=2460867}, {nfgen_family=AF_UNSPEC,
> version=NFNETLINK_V0, res_id=htons(10)}], iov_len=28772}],
> msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 28772
>
> what limits the number of ip addresses which can be pushed, using one
> write on the socket to the kernel nft set?
>
> a. the socket write buffer itself
> b. some kind of netlink specific limit; how to detect it automatically?

The upper limit is the maximum netlink message header field, which is
16 bits long.
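
The arithmetic behind this answer, applied to the strace capture quoted above, as an added example (not code from the thread or from the nftables project). It assumes the 16-bit field is the `nla_len` of `struct nlattr`, a little-endian capture, and that every element has the same shape as the first one; the macro and function names are made up here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Local mirror of struct nlattr framing: 16-bit nla_len, 16-bit nla_type,
 * payload padded to 4 bytes. Names are hypothetical, not kernel macros. */
#define ATTR_HDRLEN   4u
#define ATTR_ALIGN(n) (((n) + 3u) & ~3u)
#define ATTR_LEN_MAX  0xFFFFu   /* largest value a 16-bit nla_len can hold */

/* First element of the nested 0x3 attribute, copied from the strace above
 * (little-endian host): IPv4 key plus an 8-byte attribute of type 4. */
static const uint8_t first_elem[] = {
    0x1c,0x00,0x01,0x80, 0x0c,0x00,0x01,0x80, 0x08,0x00,0x01,0x00,
    0x23,0x9c,0x55,0x4b, 0x0c,0x00,0x04,0x00, 0x00,0x00,0x00,0x00,
    0x05,0x26,0x5c,0x00,
};

/* Padded size of the attribute at buf; 0 if truncated or malformed. */
static unsigned elem_stride(const uint8_t *buf, size_t avail)
{
    if (avail < ATTR_HDRLEN) return 0;
    unsigned len = buf[0] | ((unsigned)buf[1] << 8);
    if (len < ATTR_HDRLEN || len > avail) return 0;
    return ATTR_ALIGN(len);
}

/* Elements carried by a nested list attribute whose nla_len is list_len. */
static unsigned elems_in_list(unsigned list_len, unsigned stride)
{
    if (stride == 0 || list_len < ATTR_HDRLEN) return 0;
    return (list_len - ATTR_HDRLEN) / stride;
}

/* Number of list attributes needed to carry n addresses under the limit. */
static unsigned lists_needed(unsigned n, unsigned stride)
{
    unsigned per = elems_in_list(ATTR_LEN_MAX, stride);
    return per ? (n + per - 1) / per : 0;
}

int main(void)
{
    unsigned s = elem_stride(first_elem, sizeof first_elem);
    printf("stride=%u in_capture=%u max_per_list=%u lists_for_10000=%u\n",
           s, elems_in_list(28676, s), elems_in_list(ATTR_LEN_MAX, s),
           lists_needed(10000, s));
    return 0;
}
```

For the captured message this works out to 28 bytes per element and 1024 elements in the 28676-byte list, with room for 2340 such elements before a 16-bit length overflows.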