* aarch64 - netlink: Error: Could not process rule: No buffer space available
From: Steven Haigh @ 2026-03-03 23:36 UTC (permalink / raw)
To: netfilter
Hi all,
Firstly, please CC me in replies as I'm not subscribed to the list.
I am currently loading some named sets into nftables using the following
configuration:
set au-ipv4 {
    type ipv4_addr
    flags interval
    auto-merge
    elements = { $AU.ipv4 }
}
set au-ipv6 {
    type ipv6_addr
    flags interval
    auto-merge
    elements = { $AU.ipv6 }
}
These sets are loaded in the config via:
include "/etc/nftables/firewall/geo-nft/countrysets/AU.ipv4";
include "/etc/nftables/firewall/geo-nft/countrysets/AU.ipv6";
The files are created using the geo-nft.sh script here:
https://raw.githubusercontent.com/wirefalls/geo-nft/main/geo-nft.sh
When loading these, I get the following fatal error:
netlink: Error: Could not process rule: No buffer space available
This only seems to happen on the aarch64 installs. The same kernel
version + tools version on x86_64 architecture seems to load just fine.
$ cat /proc/version
Linux version 6.18.15-200.fc43.aarch64
(mockbuild@835a9c7eeabc46d3b99996c22f20c9cf) (gcc (GCC) 15.2.1 20260123
(Red Hat 15.2.1-7), GNU ld version 2.45.1-4.fc43) #1 SMP PREEMPT_DYNAMIC
Fri Feb 27 22:55:30 UTC 2026
$ nft --version
nftables v1.1.3 (Commodore Bullmoose #4)
I've had no success in hunting for why this would be the case.
I've found that I can batch-load the sets in ~500 rules at a time, and
the entire set will load - but including them at the nftables service
level always fails.
How should I fix this?
--
Steven Haigh
📧 netwiz@crc.id.au
💻 https://crc.id.au
* Re: aarch64 - netlink: Error: Could not process rule: No buffer space available
From: Pablo Neira Ayuso @ 2026-03-04 0:02 UTC (permalink / raw)
To: Steven Haigh; +Cc: netfilter
Hi,
On Wed, Mar 04, 2026 at 10:36:20AM +1100, Steven Haigh wrote:
> Hi all,
>
> Firstly, please CC me in replies as I'm not subscribed to the list.
>
> I am currently loading some named sets into nftables using the following
> configuration:
>
> set au-ipv4 {
> type ipv4_addr
> flags interval
> auto-merge
> elements = { $AU.ipv4 }
> }
>
> set au-ipv6 {
> type ipv6_addr
> flags interval
> auto-merge
> elements = { $AU.ipv6 }
> }
>
> These sets are loaded in the config via:
> include "/etc/nftables/firewall/geo-nft/countrysets/AU.ipv4";
> include "/etc/nftables/firewall/geo-nft/countrysets/AU.ipv6";
>
> The files are created using the geo-nft.sh script here:
> https://raw.githubusercontent.com/wirefalls/geo-nft/main/geo-nft.sh
>
> When loading these, I get the following fatal error:
> netlink: Error: Could not process rule: No buffer space available
>
> This only seems to happen on the aarch64 installs. The same kernel version +
> tools version on x86_64 architecture seems to load just fine.
>
> $ cat /proc/version
> Linux version 6.18.15-200.fc43.aarch64
> (mockbuild@835a9c7eeabc46d3b99996c22f20c9cf) (gcc (GCC) 15.2.1 20260123 (Red
> Hat 15.2.1-7), GNU ld version 2.45.1-4.fc43) #1 SMP PREEMPT_DYNAMIC Fri Feb
> 27 22:55:30 UTC 2026
>
> $ nft --version
> nftables v1.1.3 (Commodore Bullmoose #4)
Can you try latest nftables version to confirm this bug on aarch64 is
current? Otherwise, try nftables git HEAD snapshot?
> I've had no success in hunting for why this would be the case.
>
> I've found that I can batch-load the sets in ~500 rules at a time, and the
> entire set will load - but including them at the nftables service level
> always fails.
>
> How should I fix this?
>
> --
> Steven Haigh
>
> 📧 netwiz@crc.id.au
> 💻 https://crc.id.au
>
>
>
* Re: aarch64 - netlink: Error: Could not process rule: No buffer space available
From: Pablo Neira Ayuso @ 2026-03-04 0:17 UTC (permalink / raw)
To: Steven Haigh; +Cc: netfilter
On Wed, Mar 04, 2026 at 01:02:14AM +0100, Pablo Neira Ayuso wrote:
> Hi,
>
> On Wed, Mar 04, 2026 at 10:36:20AM +1100, Steven Haigh wrote:
> > Hi all,
> >
> > Firstly, please CC me in replies as I'm not subscribed to the list.
> >
> > I am currently loading some named sets into nftables using the following
> > configuration:
> >
> > set au-ipv4 {
> > type ipv4_addr
> > flags interval
> > auto-merge
> > elements = { $AU.ipv4 }
> > }
> >
> > set au-ipv6 {
> > type ipv6_addr
> > flags interval
> > auto-merge
> > elements = { $AU.ipv6 }
> > }
> >
> > These sets are loaded in the config via:
> > include "/etc/nftables/firewall/geo-nft/countrysets/AU.ipv4";
> > include "/etc/nftables/firewall/geo-nft/countrysets/AU.ipv6";
> >
> > The files are created using the geo-nft.sh script here:
> > https://raw.githubusercontent.com/wirefalls/geo-nft/main/geo-nft.sh
> >
> > When loading these, I get the following fatal error:
> > netlink: Error: Could not process rule: No buffer space available
Just to be sure and discard something simple.
Maybe you made a mistake in your ruleset in the aarch64 box? With lots
of errors coming from the kernel, older userspace nftables versions
report ENOBUFS.
Try loading AU.ipv4 and AU.ipv6 with only one element to see if
userspace reports a different error.
commit 47e9aaf0227daf16f43a7442e1dceae8851817a5
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Tue Aug 26 10:09:13 2025 +0200
mnl: continue on ENOBUFS errors when processing batch
A user reports that:
nft -f ruleset.nft
fails with:
netlink: Error: Could not process rule: No buffer space available
This was triggered by:
table ip6 fule {
    set domestic_ip6 {
        type ipv6_addr
        flags dynamic,interval
        elements = $domestic_ip6
    }
    chain prerouting {
        type filter hook prerouting priority 0;
        ip6 daddr @domestic_ip6 counter
    }
}
where $domestic_ip6 contains a large number of IPv6 addresses.
This set declaration is not supported currently, because dynamic sets
with intervals are not supported, then every IPv6 address that is added
triggers an error, overrunning the userspace socket buffer with lots of
NLMSG_ERROR messages (or a NLMSG_ERROR message too big to fit into the
socket buffer)
> > This only seems to happen on the aarch64 installs. The same kernel version +
> > tools version on x86_64 architecture seems to load just fine.
> >
> > $ cat /proc/version
> > Linux version 6.18.15-200.fc43.aarch64
> > (mockbuild@835a9c7eeabc46d3b99996c22f20c9cf) (gcc (GCC) 15.2.1 20260123 (Red
> > Hat 15.2.1-7), GNU ld version 2.45.1-4.fc43) #1 SMP PREEMPT_DYNAMIC Fri Feb
> > 27 22:55:30 UTC 2026
> >
> > $ nft --version
> > nftables v1.1.3 (Commodore Bullmoose #4)
>
> Can you try latest nftables version to confirm this bug on aarch64 is
> current? Otherwise, try nftables git HEAD snapshot?
>
> > I've had no success in hunting for why this would be the case.
> >
> > I've found that I can batch-load the sets in ~500 rules at a time, and the
> > entire set will load - but including them at the nftables service level
> > always fails.
> >
> > How should I fix this?
> >
> > --
> > Steven Haigh
> >
> > 📧 netwiz@crc.id.au
> > 💻 https://crc.id.au
> >
> >
> >
>
* Re: aarch64 - netlink: Error: Could not process rule: No buffer space available
From: Steven Haigh @ 2026-03-04 0:19 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter
Hi Pablo,
Thanks for the reply.
On 4/3/26 11:02, Pablo Neira Ayuso wrote:
> Hi,
>
> On Wed, Mar 04, 2026 at 10:36:20AM +1100, Steven Haigh wrote:
>> Hi all,
>>
>> Firstly, please CC me in replies as I'm not subscribed to the list.
>>
>> I am currently loading some named sets into nftables using the following
>> configuration:
>>
>> set au-ipv4 {
>> type ipv4_addr
>> flags interval
>> auto-merge
>> elements = { $AU.ipv4 }
>> }
>>
>> set au-ipv6 {
>> type ipv6_addr
>> flags interval
>> auto-merge
>> elements = { $AU.ipv6 }
>> }
>>
>> These sets are loaded in the config via:
>> include "/etc/nftables/firewall/geo-nft/countrysets/AU.ipv4";
>> include "/etc/nftables/firewall/geo-nft/countrysets/AU.ipv6";
>>
>> The files are created using the geo-nft.sh script here:
>> https://raw.githubusercontent.com/wirefalls/geo-nft/main/geo-nft.sh
>>
>> When loading these, I get the following fatal error:
>> netlink: Error: Could not process rule: No buffer space available
>>
>> This only seems to happen on the aarch64 installs. The same kernel version +
>> tools version on x86_64 architecture seems to load just fine.
>>
>> $ cat /proc/version
>> Linux version 6.18.15-200.fc43.aarch64
>> (mockbuild@835a9c7eeabc46d3b99996c22f20c9cf) (gcc (GCC) 15.2.1 20260123 (Red
>> Hat 15.2.1-7), GNU ld version 2.45.1-4.fc43) #1 SMP PREEMPT_DYNAMIC Fri Feb
>> 27 22:55:30 UTC 2026
>>
>> $ nft --version
>> nftables v1.1.3 (Commodore Bullmoose #4)
>
> Can you try latest nftables version to confirm this bug on aarch64 is
> current? Otherwise, try nftables git HEAD snapshot?
I grabbed some scratch builds from Fedora 44 which updated:
* libnftnl 1.2.9 -> 1.3.1
* nftables 1.1.3 -> 1.1.6
When processing the files though, a new error occurs:
In file included from ./firewall.nft:7:1-61:
/etc/nftables/firewall/geo-nft/countrysets/AU.ipv4:1646:2-24: Error:
Could not process rule: File exists
103.4.84.0-103.4.87.255,
^^^^^^^^^^^^^^^^^^^^^^^
Looking at the ranges at / around this line however, I can't see any
kind of duplicate:
103.4.16.0-103.4.19.255,
103.4.55.0-103.4.55.255,
103.4.60.0-103.4.63.255,
103.4.84.0-103.4.87.255,
103.4.120.0-103.4.120.255,
103.4.122.0-103.4.123.255,
103.4.132.0-103.4.133.255,
Checking the datafile:
$ grep 103.4.84 geo-nft/countrysets/AU.ipv4
103.4.84.0-103.4.87.255,
From what I understand, even if this range did overlap - the auto-merge
flag should handle this.
>> I've had no success in hunting for why this would be the case.
>>
>> I've found that I can batch-load the sets in ~500 rules at a time, and the
>> entire set will load - but including them at the nftables service level
>> always fails.
>>
>> How should I fix this?
--
Steven Haigh
📧 netwiz@crc.id.au
💻 https://crc.id.au
* Re: aarch64 - netlink: Error: Could not process rule: No buffer space available
From: Steven Haigh @ 2026-03-04 0:34 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter
On 4/3/26 11:17, Pablo Neira Ayuso wrote:
> On Wed, Mar 04, 2026 at 01:02:14AM +0100, Pablo Neira Ayuso wrote:
>> Hi,
>>
>> On Wed, Mar 04, 2026 at 10:36:20AM +1100, Steven Haigh wrote:
>>> Hi all,
>>>
>>> Firstly, please CC me in replies as I'm not subscribed to the list.
>>>
>>> I am currently loading some named sets into nftables using the following
>>> configuration:
>>>
>>> set au-ipv4 {
>>> type ipv4_addr
>>> flags interval
>>> auto-merge
>>> elements = { $AU.ipv4 }
>>> }
>>>
>>> set au-ipv6 {
>>> type ipv6_addr
>>> flags interval
>>> auto-merge
>>> elements = { $AU.ipv6 }
>>> }
>>>
>>> These sets are loaded in the config via:
>>> include "/etc/nftables/firewall/geo-nft/countrysets/AU.ipv4";
>>> include "/etc/nftables/firewall/geo-nft/countrysets/AU.ipv6";
>>>
>>> The files are created using the geo-nft.sh script here:
>>> https://raw.githubusercontent.com/wirefalls/geo-nft/main/geo-nft.sh
>>>
>>> When loading these, I get the following fatal error:
>>> netlink: Error: Could not process rule: No buffer space available
>
> Just to be sure and discard something simple.
>
> Maybe you made a mistake in your ruleset in the aarch64 box? With lots
> of errors coming from the kernel, older userspace nftables versions
> report ENOBUFS.
>
> Try loading AU.ipv4 and AU.ipv6 with only one element to see if
> userspace reports a different error.
>
> commit 47e9aaf0227daf16f43a7442e1dceae8851817a5
> Author: Pablo Neira Ayuso <pablo@netfilter.org>
> Date: Tue Aug 26 10:09:13 2025 +0200
>
> mnl: continue on ENOBUFS errors when processing batch
>
> A user reports that:
>
> nft -f ruleset.nft
>
> fails with:
>
> netlink: Error: Could not process rule: No buffer space available
>
> This was triggered by:
>
> table ip6 fule {
> set domestic_ip6 {
> type ipv6_addr
> flags dynamic,interval
> elements = $domestic_ip6
> }
> chain prerouting {
> type filter hook prerouting priority 0;
> ip6 daddr @domestic_ip6 counter
> }
> }
>
> where $domestic_ip6 contains a large number of IPv6 addresses.
>
> This set declaration is not supported currently, because dynamic sets
> with intervals are not supported, then every IPv6 address that is added
> triggers an error, overrunning the userspace socket buffer with lots of
> NLMSG_ERROR messages (or a NLMSG_ERROR message too big to fit into the
> socket buffer)
--snip--
Interesting.
I have noticed that if I split the set into multiple 'chunks', then the
set can be populated properly.
As an example, this crude claude code authored script here does function
as expected and the entire set is loaded successfully:
https://lamp.crc.id.au/paste/e0e9DD01E48E46e27F5ad1bc0e/
It does take some time, but it does work:
$ time ./load-countrysets.sh
Loaded 8480 elements into au-ipv4
Loaded 11577 elements into au-ipv6
real 0m22.202s
user 0m20.335s
sys 0m1.798s
--
Steven Haigh
📧 netwiz@crc.id.au
💻 https://crc.id.au
* Re: aarch64 - netlink: Error: Could not process rule: No buffer space available
From: Pablo Neira Ayuso @ 2026-03-04 0:35 UTC (permalink / raw)
To: Steven Haigh; +Cc: netfilter
On Wed, Mar 04, 2026 at 11:19:36AM +1100, Steven Haigh wrote:
> Hi Pablo,
>
> Thanks for the reply.
>
> On 4/3/26 11:02, Pablo Neira Ayuso wrote:
> > Hi,
> >
> > On Wed, Mar 04, 2026 at 10:36:20AM +1100, Steven Haigh wrote:
> > > Hi all,
> > >
> > > Firstly, please CC me in replies as I'm not subscribed to the list.
> > >
> > > I am currently loading some named sets into nftables using the following
> > > configuration:
> > >
> > > set au-ipv4 {
> > > type ipv4_addr
> > > flags interval
> > > auto-merge
> > > elements = { $AU.ipv4 }
> > > }
> > >
> > > set au-ipv6 {
> > > type ipv6_addr
> > > flags interval
> > > auto-merge
> > > elements = { $AU.ipv6 }
> > > }
> > >
> > > These sets are loaded in the config via:
> > > include "/etc/nftables/firewall/geo-nft/countrysets/AU.ipv4";
> > > include "/etc/nftables/firewall/geo-nft/countrysets/AU.ipv6";
> > >
> > > The files are created using the geo-nft.sh script here:
> > > https://raw.githubusercontent.com/wirefalls/geo-nft/main/geo-nft.sh
> > >
> > > When loading these, I get the following fatal error:
> > > netlink: Error: Could not process rule: No buffer space available
> > >
> > > This only seems to happen on the aarch64 installs. The same kernel version +
> > > tools version on x86_64 architecture seems to load just fine.
> > >
> > > $ cat /proc/version
> > > Linux version 6.18.15-200.fc43.aarch64
> > > (mockbuild@835a9c7eeabc46d3b99996c22f20c9cf) (gcc (GCC) 15.2.1 20260123 (Red
> > > Hat 15.2.1-7), GNU ld version 2.45.1-4.fc43) #1 SMP PREEMPT_DYNAMIC Fri Feb
> > > 27 22:55:30 UTC 2026
> > >
> > > $ nft --version
> > > nftables v1.1.3 (Commodore Bullmoose #4)
> >
> > Can you try latest nftables version to confirm this bug on aarch64 is
> > current? Otherwise, try nftables git HEAD snapshot?
>
> I grabbed some scratch builds from Fedora 44 which updated:
> * libnftnl 1.2.9 -> 1.3.1
> * nftables 1.1.3 -> 1.1.6
>
> When processing the files though, a new error occurs:
>
> In file included from ./firewall.nft:7:1-61:
> /etc/nftables/firewall/geo-nft/countrysets/AU.ipv4:1646:2-24: Error: Could
> not process rule: File exists
> 103.4.84.0-103.4.87.255,
> ^^^^^^^^^^^^^^^^^^^^^^^
>
> Looking at the ranges at / around this line however, I can't see any kind of
> duplicate:
>
> 103.4.16.0-103.4.19.255,
> 103.4.55.0-103.4.55.255,
> 103.4.60.0-103.4.63.255,
> 103.4.84.0-103.4.87.255,
> 103.4.120.0-103.4.120.255,
> 103.4.122.0-103.4.123.255,
> 103.4.132.0-103.4.133.255,
>
> Checking the datafile:
> $ grep 103.4.84 geo-nft/countrysets/AU.ipv4
> 103.4.84.0-103.4.87.255,
>
> From what I understand, even if this range did overlap - the auto-merge flag
> should handle this.
Are you using the 'create element' command?
This is fixed in git HEAD, this is a bug in 1.1.6.
commit e83e32c8d1cd228d751fb92b756306c6eb6c0759
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon Jan 12 12:59:26 2026 +0100
mnl: restore create element command with large batches
The rework to reduce memory consumption has introduced a bug that results
in spurious EEXIST with large batches.
* Re: aarch64 - netlink: Error: Could not process rule: No buffer space available
From: Pablo Neira Ayuso @ 2026-03-04 0:42 UTC (permalink / raw)
To: Steven Haigh; +Cc: netfilter
On Wed, Mar 04, 2026 at 11:34:39AM +1100, Steven Haigh wrote:
> On 4/3/26 11:17, Pablo Neira Ayuso wrote:
> > On Wed, Mar 04, 2026 at 01:02:14AM +0100, Pablo Neira Ayuso wrote:
> > > Hi,
> > >
> > > On Wed, Mar 04, 2026 at 10:36:20AM +1100, Steven Haigh wrote:
> > > > Hi all,
> > > >
> > > > Firstly, please CC me in replies as I'm not subscribed to the list.
> > > >
> > > > I am currently loading some named sets into nftables using the following
> > > > configuration:
> > > >
> > > > set au-ipv4 {
> > > > type ipv4_addr
> > > > flags interval
> > > > auto-merge
> > > > elements = { $AU.ipv4 }
> > > > }
> > > >
> > > > set au-ipv6 {
> > > > type ipv6_addr
> > > > flags interval
> > > > auto-merge
> > > > elements = { $AU.ipv6 }
> > > > }
> > > >
> > > > These sets are loaded in the config via:
> > > > include "/etc/nftables/firewall/geo-nft/countrysets/AU.ipv4";
> > > > include "/etc/nftables/firewall/geo-nft/countrysets/AU.ipv6";
> > > >
> > > > The files are created using the geo-nft.sh script here:
> > > > https://raw.githubusercontent.com/wirefalls/geo-nft/main/geo-nft.sh
> > > >
> > > > When loading these, I get the following fatal error:
> > > > netlink: Error: Could not process rule: No buffer space available
> >
> > Just to be sure and discard something simple.
> >
> > Maybe you made a mistake in your ruleset in the aarch64 box? With lots
> > of errors coming from the kernel, older userspace nftables versions
> > report ENOBUFS.
> >
> > Try loading AU.ipv4 and AU.ipv6 with only one element to see if
> > userspace reports a different error.
> >
> > commit 47e9aaf0227daf16f43a7442e1dceae8851817a5
> > Author: Pablo Neira Ayuso <pablo@netfilter.org>
> > Date: Tue Aug 26 10:09:13 2025 +0200
> > mnl: continue on ENOBUFS errors when processing batch
> > A user reports that:
> > nft -f ruleset.nft
> > fails with:
> > netlink: Error: Could not process rule: No buffer space available
> > This was triggered by:
> > table ip6 fule {
> > set domestic_ip6 {
> > type ipv6_addr
> > flags dynamic,interval
> > elements = $domestic_ip6
> > }
> > chain prerouting {
> > type filter hook prerouting priority 0;
> > ip6 daddr @domestic_ip6 counter
> > }
> > }
> > where $domestic_ip6 contains a large number of IPv6 addresses.
> > This set declaration is not supported currently, because dynamic sets
> > with intervals are not supported, then every IPv6 address that is added
> > triggers an error, overrunning the userspace socket buffer with lots of
> > NLMSG_ERROR messages (or a NLMSG_ERROR message too big to fit into the
> > socket buffer)
>
> --snip--
>
> Interesting.
>
> I have noticed that if I split the set into multiple 'chunks', then the set
> can be populated properly.
>
> As an example, this crude claude code authored script here does function as
> expected and the entire set is loaded successfully:
> https://lamp.crc.id.au/paste/e0e9DD01E48E46e27F5ad1bc0e/
Unfortunately, I cannot reach this link.
> It does take some time, but it does work:
>
> $ time ./load-countrysets.sh
> Loaded 8480 elements into au-ipv4
> Loaded 11577 elements into au-ipv6
>
> real 0m22.202s
> user 0m20.335s
> sys 0m1.798s
Even with ASAN enabled I can load such a small ruleset a lot faster,
not sure what this script is doing.
* Re: aarch64 - netlink: Error: Could not process rule: No buffer space available
From: Steven Haigh @ 2026-03-04 0:49 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter
On 4/3/26 11:42, Pablo Neira Ayuso wrote:
> On Wed, Mar 04, 2026 at 11:34:39AM +1100, Steven Haigh wrote:
>> On 4/3/26 11:17, Pablo Neira Ayuso wrote:
>>> On Wed, Mar 04, 2026 at 01:02:14AM +0100, Pablo Neira Ayuso wrote:
>>>> Hi,
>>>>
>>>> On Wed, Mar 04, 2026 at 10:36:20AM +1100, Steven Haigh wrote:
>>>>> Hi all,
>>>>>
>>>>> Firstly, please CC me in replies as I'm not subscribed to the list.
>>>>>
>>>>> I am currently loading some named sets into nftables using the following
>>>>> configuration:
>>>>>
>>>>> set au-ipv4 {
>>>>> type ipv4_addr
>>>>> flags interval
>>>>> auto-merge
>>>>> elements = { $AU.ipv4 }
>>>>> }
>>>>>
>>>>> set au-ipv6 {
>>>>> type ipv6_addr
>>>>> flags interval
>>>>> auto-merge
>>>>> elements = { $AU.ipv6 }
>>>>> }
>>>>>
>>>>> These sets are loaded in the config via:
>>>>> include "/etc/nftables/firewall/geo-nft/countrysets/AU.ipv4";
>>>>> include "/etc/nftables/firewall/geo-nft/countrysets/AU.ipv6";
>>>>>
>>>>> The files are created using the geo-nft.sh script here:
>>>>> https://raw.githubusercontent.com/wirefalls/geo-nft/main/geo-nft.sh
>>>>>
>>>>> When loading these, I get the following fatal error:
>>>>> netlink: Error: Could not process rule: No buffer space available
>>>
>>> Just to be sure and discard something simple.
>>>
>>> Maybe you made a mistake in your ruleset in the aarch64 box? With lots
>>> of errors coming from the kernel, older userspace nftables versions
>>> report ENOBUFS.
>>>
>>> Try loading AU.ipv4 and AU.ipv6 with only one element to see if
>>> userspace reports a different error.
>>>
>>> commit 47e9aaf0227daf16f43a7442e1dceae8851817a5
>>> Author: Pablo Neira Ayuso <pablo@netfilter.org>
>>> Date: Tue Aug 26 10:09:13 2025 +0200
>>> mnl: continue on ENOBUFS errors when processing batch
>>> A user reports that:
>>> nft -f ruleset.nft
>>> fails with:
>>> netlink: Error: Could not process rule: No buffer space available
>>> This was triggered by:
>>> table ip6 fule {
>>> set domestic_ip6 {
>>> type ipv6_addr
>>> flags dynamic,interval
>>> elements = $domestic_ip6
>>> }
>>> chain prerouting {
>>> type filter hook prerouting priority 0;
>>> ip6 daddr @domestic_ip6 counter
>>> }
>>> }
>>> where $domestic_ip6 contains a large number of IPv6 addresses.
>>> This set declaration is not supported currently, because dynamic sets
>>> with intervals are not supported, then every IPv6 address that is added
>>> triggers an error, overrunning the userspace socket buffer with lots of
>>> NLMSG_ERROR messages (or a NLMSG_ERROR message too big to fit into the
>>> socket buffer)
>>
>> --snip--
>>
>> Interesting.
>>
>> I have noticed that if I split the set into multiple 'chunks', then the set
>> can be populated properly.
>>
>> As an example, this crude claude code authored script here does function as
>> expected and the entire set is loaded successfully:
>> https://lamp.crc.id.au/paste/e0e9DD01E48E46e27F5ad1bc0e/
>
> Unfortunately, I cannot reach this link.
Apologies - it's behind the firewall that I'm debugging :)
Mirrored here: https://pastebin.com/iTa9XRCb
>> It does take some time, but it does work:
>>
>> $ time ./load-countrysets.sh
>> Loaded 8480 elements into au-ipv4
>> Loaded 11577 elements into au-ipv6
>>
>> real 0m22.202s
>> user 0m20.335s
>> sys 0m1.798s
>
> Even with ASAN enabled I can load such a small ruleset a lot faster,
> not sure what this script is doing.
>
--
Steven Haigh
📧 netwiz@crc.id.au
💻 https://crc.id.au
* Re: aarch64 - netlink: Error: Could not process rule: No buffer space available
From: Pablo Neira Ayuso @ 2026-03-04 0:53 UTC (permalink / raw)
To: Steven Haigh; +Cc: netfilter
On Wed, Mar 04, 2026 at 11:49:41AM +1100, Steven Haigh wrote:
> On 4/3/26 11:42, Pablo Neira Ayuso wrote:
> > On Wed, Mar 04, 2026 at 11:34:39AM +1100, Steven Haigh wrote:
> > > On 4/3/26 11:17, Pablo Neira Ayuso wrote:
> > > > On Wed, Mar 04, 2026 at 01:02:14AM +0100, Pablo Neira Ayuso wrote:
> > > > > Hi,
> > > > >
> > > > > On Wed, Mar 04, 2026 at 10:36:20AM +1100, Steven Haigh wrote:
> > > > > > Hi all,
> > > > > >
> > > > > > Firstly, please CC me in replies as I'm not subscribed to the list.
> > > > > >
> > > > > > I am currently loading some named sets into nftables using the following
> > > > > > configuration:
> > > > > >
> > > > > > set au-ipv4 {
> > > > > > type ipv4_addr
> > > > > > flags interval
> > > > > > auto-merge
> > > > > > elements = { $AU.ipv4 }
> > > > > > }
> > > > > >
> > > > > > set au-ipv6 {
> > > > > > type ipv6_addr
> > > > > > flags interval
> > > > > > auto-merge
> > > > > > elements = { $AU.ipv6 }
> > > > > > }
> > > > > >
> > > > > > These sets are loaded in the config via:
> > > > > > include "/etc/nftables/firewall/geo-nft/countrysets/AU.ipv4";
> > > > > > include "/etc/nftables/firewall/geo-nft/countrysets/AU.ipv6";
> > > > > >
> > > > > > The files are created using the geo-nft.sh script here:
> > > > > > https://raw.githubusercontent.com/wirefalls/geo-nft/main/geo-nft.sh
> > > > > >
> > > > > > When loading these, I get the following fatal error:
> > > > > > netlink: Error: Could not process rule: No buffer space available
> > > >
> > > > Just to be sure and discard something simple.
> > > >
> > > > Maybe you made a mistake in your ruleset in the aarch64 box? With lots
> > > > of errors coming from the kernel, older userspace nftables versions
> > > > report ENOBUFS.
> > > >
> > > > Try loading AU.ipv4 and AU.ipv6 with only one element to see if
> > > > userspace reports a different error.
> > > >
> > > > commit 47e9aaf0227daf16f43a7442e1dceae8851817a5
> > > > Author: Pablo Neira Ayuso <pablo@netfilter.org>
> > > > Date: Tue Aug 26 10:09:13 2025 +0200
> > > > mnl: continue on ENOBUFS errors when processing batch
> > > > A user reports that:
> > > > nft -f ruleset.nft
> > > > fails with:
> > > > netlink: Error: Could not process rule: No buffer space available
> > > > This was triggered by:
> > > > table ip6 fule {
> > > > set domestic_ip6 {
> > > > type ipv6_addr
> > > > flags dynamic,interval
> > > > elements = $domestic_ip6
> > > > }
> > > > chain prerouting {
> > > > type filter hook prerouting priority 0;
> > > > ip6 daddr @domestic_ip6 counter
> > > > }
> > > > }
> > > > where $domestic_ip6 contains a large number of IPv6 addresses.
> > > > This set declaration is not supported currently, because dynamic sets
> > > > with intervals are not supported, then every IPv6 address that is added
> > > > triggers an error, overrunning the userspace socket buffer with lots of
> > > > NLMSG_ERROR messages (or a NLMSG_ERROR message too big to fit into the
> > > > socket buffer)
> > >
> > > --snip--
> > >
> > > Interesting.
> > >
> > > I have noticed that if I split the set into multiple 'chunks', then the set
> > > can be populated properly.
> > >
> > > As an example, this crude claude code authored script here does function as
> > > expected and the entire set is loaded successfully:
> > > https://lamp.crc.id.au/paste/e0e9DD01E48E46e27F5ad1bc0e/
> >
> > Unfortunately, I cannot reach this link.
>
> Apologies - it's behind the firewall that I'm debugging :)
>
> Mirrored here: https://pastebin.com/iTa9XRCb
This is insane:
while IFS= read -r line; do
...
echo "add element $TABLE_FAMILY $TABLE_NAME $set_name { $batch }" | nft -f -
this is one transaction per command.
This is as bad as a shell script with explicit iptables invocations,
one per line. This is an antipattern.
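Two checks worth running against the countryset data itself before blaming the tooling, as an added example that is not code from this thread, from nftables or from the geo-nft project: find the duplicate or overlapping intervals that an EEXIST ("File exists") report points at, apply auto-merge semantics offline to see what the set will actually contain, and emit the whole set as a single `add element` statement so one `nft -f` run loads it in one transaction rather than one transaction per chunk. The sample data is constructed from the ranges quoted around line 1646 of AU.ipv4 plus an injected duplicate and an injected adjacent range; the `define NAME = { ... }` wrapper is an assumption inferred from the include usage, and the `inet filter au-ipv4` names follow the poster's config.

```python
"""Sanity-check a geo-nft style countryset and turn it into ONE nft transaction.

Added example for this thread (not code from the thread, nftables or geo-nft).
Assumptions: one 'a.b.c.d-e.f.g.h,' range per line, optionally wrapped in
'define NAME = {' ... '}' (inferred from the include usage in the thread).
"""
import ipaddress
import shutil
import subprocess
from typing import List, Tuple, Union

Addr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Interval = Tuple[Addr, Addr]

# Constructed sample: the ranges quoted in the thread around AU.ipv4 line 1646,
# plus an injected duplicate and an injected adjacent range to exercise the checks.
SAMPLE_AU_IPV4 = """\
define AU.ipv4 = {
103.4.16.0-103.4.19.255,
103.4.55.0-103.4.55.255,
103.4.60.0-103.4.63.255,
103.4.84.0-103.4.87.255,
103.4.84.0-103.4.87.255,    # constructed duplicate: the kind of element EEXIST points at
103.4.120.0-103.4.120.255,
103.4.121.0-103.4.121.255,  # constructed adjacent range: auto-merge folds it in
103.4.122.0-103.4.123.255,
103.4.132.0-103.4.133.255,
}
"""


def parse_countryset(text: str) -> List[Interval]:
    """Parse 'lo-hi', 'addr/prefix' or single-address lines into (lo, hi) address pairs."""
    intervals: List[Interval] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(",").strip()
        if not line or line.startswith("define") or line.startswith("}"):
            continue  # blank, comment-only, or the define wrapper lines
        if "-" in line:
            lo_s, hi_s = line.split("-", 1)
            lo, hi = ipaddress.ip_address(lo_s.strip()), ipaddress.ip_address(hi_s.strip())
        elif "/" in line:
            net = ipaddress.ip_network(line, strict=False)
            lo, hi = net[0], net[-1]
        else:
            lo = hi = ipaddress.ip_address(line)
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"malformed range: {raw.strip()}")
        intervals.append((lo, hi))
    return intervals


def find_overlaps(intervals: List[Interval]) -> List[Tuple[int, int]]:
    """Return index pairs (i, j): interval j overlaps or duplicates an earlier interval i.

    Adjacent ranges are not overlaps; only a shared address counts.
    """
    order = sorted(range(len(intervals)), key=lambda i: intervals[i])
    overlaps: List[Tuple[int, int]] = []
    widest = None  # index of the interval with the highest upper bound seen so far
    for idx in order:
        lo, hi = intervals[idx]
        if widest is not None and lo <= intervals[widest][1]:
            overlaps.append((widest, idx))
        if widest is None or hi > intervals[widest][1]:
            widest = idx
    return overlaps


def auto_merge(intervals: List[Interval]) -> List[Interval]:
    """Fold overlapping and adjacent intervals together, as the set's auto-merge flag does."""
    merged: List[Interval] = []
    for lo, hi in sorted(intervals):
        # int arithmetic avoids overflow when the previous hi is the last address
        if merged and (lo <= merged[-1][1] or int(lo) == int(merged[-1][1]) + 1):
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def format_element(lo: Addr, hi: Addr) -> str:
    """Render an interval in nft element syntax: a single address or 'lo-hi'."""
    return str(lo) if lo == hi else f"{lo}-{hi}"


def build_batch(family: str, table: str, set_name: str, intervals: List[Interval]) -> str:
    """Emit one nft script with every element in a single 'add element' statement.

    Feeding the whole text to a single 'nft -f -' is one netlink batch, i.e. one
    transaction, instead of the one-transaction-per-chunk loop criticised above.
    """
    body = ",\n\t".join(format_element(lo, hi) for lo, hi in intervals)
    return f"add element {family} {table} {set_name} {{\n\t{body}\n}}\n"


def load_batch(script: str, check_only: bool = True) -> int:
    """Hand the script to nft in one invocation; '-c' parses and validates without committing.

    Returns nft's exit status, or -1 when nft is not installed (so this runs anywhere).
    """
    nft = shutil.which("nft")
    if nft is None:
        return -1
    args = [nft, "-c", "-f", "-"] if check_only else [nft, "-f", "-"]
    return subprocess.run(args, input=script, text=True, check=False).returncode


if __name__ == "__main__":
    ivs = parse_countryset(SAMPLE_AU_IPV4)
    for i, j in find_overlaps(ivs):
        print(f"overlap: {format_element(*ivs[i])} vs {format_element(*ivs[j])}")
    merged = auto_merge(ivs)
    print(f"{len(ivs)} raw intervals -> {len(merged)} after auto-merge")
    script = build_batch("inet", "filter", "au-ipv4", merged)
    print(script)
    print("nft -c exit status:", load_batch(script))
```

Run against the real AU.ipv4 file, an empty overlap list plus a clean `nft -c` tells you the data is fine and the failure lies in the tool versions discussed here; a non-empty list names the exact elements to look at.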
* Re: aarch64 - netlink: Error: Could not process rule: No buffer space available
From: Steven Haigh @ 2026-03-04 1:05 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter
On 4/3/26 11:53, Pablo Neira Ayuso wrote:
--snip--
>> Apologies - it's behind the firewall that I'm debugging :)
>>
>> Mirrored here: https://pastebin.com/iTa9XRCb
>
> This is insane:
> while IFS= read -r line; do
> ...
> echo "add element $TABLE_FAMILY $TABLE_NAME $set_name { $batch }" | nft -f -
>
> this is one transaction per command.
>
> This is as bad as a shell script with explicit iptables invocations,
> one per line. This is an antipattern.
Yep - it isn't optimal - however it loads up to 512 lines per invocation
of nft. It isn't meant to be a production or solution - just proof that
the set is actually good and can be loaded successfully - even if the
set is loaded at up to 512 elements at a time.
At this moment, I've had no success loading the entire set via the
normal methods - being uncommenting these two lines:
include "/etc/nftables/firewall/geo-nft/countrysets/AU.ipv4";
include "/etc/nftables/firewall/geo-nft/countrysets/AU.ipv6";
table inet filter {
    set au-ipv4 {
        type ipv4_addr
        flags interval
        auto-merge
        #elements = { $AU.ipv4 }
    }
    set au-ipv6 {
        type ipv6_addr
        flags interval
        auto-merge
        #elements = { $AU.ipv6 }
    }
}
At best, it's a workaround for now. I can work with it until nft 1.1.7 if
you believe this should work correctly in that version?
I don't have an aarch64 cross-compile setup on this system (it's an
embedded 8 core ARM board based on the rk3588 SOC) - so I can probably
monitor Fedora's Bodhi instance here until 1.1.7 is released and built:
https://bodhi.fedoraproject.org/updates/?search=nftables
--
Steven Haigh
📧 netwiz@crc.id.au
💻 https://crc.id.au
* Re: aarch64 - netlink: Error: Could not process rule: No buffer space available
From: Pablo Neira Ayuso @ 2026-03-04 1:17 UTC (permalink / raw)
To: Steven Haigh; +Cc: netfilter
On Wed, Mar 04, 2026 at 12:05:30PM +1100, Steven Haigh wrote:
> On 4/3/26 11:53, Pablo Neira Ayuso wrote:
> --snip--
> > > Apologies - it's behind the firewall that I'm debugging :)
> > >
> > > Mirrored here: https://pastebin.com/iTa9XRCb
> >
> > This is insane:
> > while IFS= read -r line; do
> > ...
> > echo "add element $TABLE_FAMILY $TABLE_NAME $set_name { $batch }" | nft -f -
> >
> > this is one transaction per command.
> >
> > This is as bad as a shell script with explicit iptables invocations,
> > one per line. This is an antipattern.
>
> Yep - it isn't optimal - however it loads up to 512 lines per invocation of
> nft. It isn't meant to be a production or solution - just proof that the set
> is actually good and can be loaded successfully - even if the set is loaded
> at up to 512 elements at a time.
>
> At this moment, I've had no success loading the entire set via the normal
> methods - being uncommenting these two lines:
>
> include "/etc/nftables/firewall/geo-nft/countrysets/AU.ipv4";
> include "/etc/nftables/firewall/geo-nft/countrysets/AU.ipv6";
>
> table inet filter {
> set au-ipv4 {
> type ipv4_addr
> flags interval
> auto-merge
> #elements = { $AU.ipv4 }
> }
>
> set au-ipv6 {
> type ipv6_addr
> flags interval
> auto-merge
> #elements = { $AU.ipv6 }
> }
> }
>
> At best, it's a workaround for now. I can work with it until nft 1.1.7 if you
> believe this should work correctly in that version?
It should work fine with nftables 1.1.7, yes.
> I don't have an aarch64 cross-compile setup on this system (it's an embedded
> 8 core ARM board based on the rk3588 SOC) - so I can probably monitor
> Fedora's Bodhi instance here until 1.1.7 is released and built:
> https://bodhi.fedoraproject.org/updates/?search=nftables
Florian just told me that:
commit 648946966a08e4cb1a71619e3d1b12bd7642de7b
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Fri Feb 6 13:33:46 2026 +0100
netfilter: nft_set_rbtree: validate open interval overlap
went into -stable 6.18, which I overlooked.
Reverting this kernel patch in -stable should also address this issue.