From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Steven Haigh <netwiz@crc.id.au>
Cc: netfilter@vger.kernel.org
Subject: Re: aarch64 - netlink: Error: Could not process rule: No buffer space available
Date: Wed, 4 Mar 2026 01:35:42 +0100
Message-ID: <aad-Xq9qYU1QQ0jB@chamomile>
In-Reply-To: <2a780701-f1e4-4ff4-b796-889f7ee19ead@crc.id.au>
On Wed, Mar 04, 2026 at 11:19:36AM +1100, Steven Haigh wrote:
> Hi Pablo,
>
> Thanks for the reply.
>
> On 4/3/26 11:02, Pablo Neira Ayuso wrote:
> > Hi,
> >
> > On Wed, Mar 04, 2026 at 10:36:20AM +1100, Steven Haigh wrote:
> > > Hi all,
> > >
> > > Firstly, please CC me in replies as I'm not subscribed to the list.
> > >
> > > I am currently loading some named sets into nftables using the following
> > > configuration:
> > >
> > > set au-ipv4 {
> > >     type ipv4_addr
> > >     flags interval
> > >     auto-merge
> > >     elements = { $AU.ipv4 }
> > > }
> > >
> > > set au-ipv6 {
> > >     type ipv6_addr
> > >     flags interval
> > >     auto-merge
> > >     elements = { $AU.ipv6 }
> > > }
> > >
> > > These sets are loaded in the config via:
> > > include "/etc/nftables/firewall/geo-nft/countrysets/AU.ipv4";
> > > include "/etc/nftables/firewall/geo-nft/countrysets/AU.ipv6";
> > >
> > > The files are created using the geo-nft.sh script here:
> > > https://raw.githubusercontent.com/wirefalls/geo-nft/main/geo-nft.sh
> > >
> > > When loading these, I get the following fatal error:
> > > netlink: Error: Could not process rule: No buffer space available
> > >
> > > This only seems to happen on the aarch64 installs. The same kernel version +
> > > tools version on x86_64 architecture seems to load just fine.
> > >
> > > $ cat /proc/version
> > > Linux version 6.18.15-200.fc43.aarch64
> > > (mockbuild@835a9c7eeabc46d3b99996c22f20c9cf) (gcc (GCC) 15.2.1 20260123 (Red
> > > Hat 15.2.1-7), GNU ld version 2.45.1-4.fc43) #1 SMP PREEMPT_DYNAMIC Fri Feb
> > > 27 22:55:30 UTC 2026
> > >
> > > $ nft --version
> > > nftables v1.1.3 (Commodore Bullmoose #4)
> >
> > Can you try the latest nftables version to confirm this bug on aarch64 is
> > current? Otherwise, try an nftables git HEAD snapshot?
>
> I grabbed some scratch builds from Fedora 44 which updated:
> * libnftnl 1.2.9 -> 1.3.1
> * nftables 1.1.3 -> 1.1.6
>
> When processing the files though, a new error occurs:
>
> In file included from ./firewall.nft:7:1-61:
> /etc/nftables/firewall/geo-nft/countrysets/AU.ipv4:1646:2-24: Error: Could
> not process rule: File exists
> 103.4.84.0-103.4.87.255,
> ^^^^^^^^^^^^^^^^^^^^^^^
>
> Looking at the ranges at / around this line however, I can't see any kind of
> duplicate:
>
> 103.4.16.0-103.4.19.255,
> 103.4.55.0-103.4.55.255,
> 103.4.60.0-103.4.63.255,
> 103.4.84.0-103.4.87.255,
> 103.4.120.0-103.4.120.255,
> 103.4.122.0-103.4.123.255,
> 103.4.132.0-103.4.133.255,
>
> Checking the datafile:
> $ grep 103.4.84 geo-nft/countrysets/AU.ipv4
> 103.4.84.0-103.4.87.255,
>
> From what I understand, even if this range did overlap - the auto-merge flag
> should handle this.
Are you using the 'create element' command?
This is fixed in git HEAD; this is a bug in 1.1.6.
commit e83e32c8d1cd228d751fb92b756306c6eb6c0759
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon Jan 12 12:59:26 2026 +0100
mnl: restore create element command with large batches
The rework to reduce memory consumption has introduced a bug that results
in spurious EEXIST with large batches.
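The duplicate hunt above (does the countryset file really contain an overlapping or repeated interval, and what would auto-merge collapse it to) can be checked offline before the file reaches nft. This is an added example, not part of the thread or of the geo-nft script; the element lines are constructed in the same "start-end," format, with one overlapping interval deliberately inserted.

```python
import ipaddress

# Constructed sample in the geo-nft countryset element format.
# The 103.4.86.0 line is an inserted overlap so the checker has something to find.
SAMPLE = """\
103.4.16.0-103.4.19.255,
103.4.55.0-103.4.55.255,
103.4.60.0-103.4.63.255,
103.4.84.0-103.4.87.255,
103.4.86.0-103.4.89.255,
103.4.120.0-103.4.120.255,
"""

def parse_elements(text):
    """Parse 'start-end,', 'prefix/len,' or 'addr,' lines into (start, end) int pairs."""
    ranges = []
    for line in text.splitlines():
        line = line.strip().rstrip(",").strip()
        if not line or line.startswith("#"):
            continue
        if "/" in line:
            net = ipaddress.ip_network(line, strict=False)
            start, end = int(net.network_address), int(net.broadcast_address)
        else:
            lo, _, hi = line.partition("-")
            start = int(ipaddress.ip_address(lo))
            end = int(ipaddress.ip_address(hi or lo))
        if end < start:
            raise ValueError(f"inverted interval: {line}")
        ranges.append((start, end))
    return ranges

def find_overlaps(ranges):
    """Report intervals that overlap an earlier one (what an interval set rejects without auto-merge)."""
    widest, out = None, []
    for r in sorted(ranges):
        if widest is not None and r[0] <= widest[1]:
            out.append((widest, r))
        if widest is None or r[1] > widest[1]:
            widest = r
    return out

def auto_merge(ranges):
    """Coalesce overlapping or adjacent intervals, as the auto-merge flag does in the kernel."""
    merged = []
    for s, e in sorted(ranges):
        if merged and s <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], e))
        else:
            merged.append((s, e))
    return merged

def fmt(r):
    """Render an (start, end) pair back into nft's 'start-end' element syntax."""
    return f"{ipaddress.ip_address(r[0])}-{ipaddress.ip_address(r[1])}"
```

Running `find_overlaps(parse_elements(open(path).read()))` over the real AU.ipv4 file tells you whether an EEXIST is explained by the data or, as in this thread, by the tool.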