* aarch64 - netlink: Error: Could not process rule: No buffer space available
@ 2026-03-03 23:36 Steven Haigh
2026-03-04 0:02 ` Pablo Neira Ayuso
0 siblings, 1 reply; 11+ messages in thread
From: Steven Haigh @ 2026-03-03 23:36 UTC (permalink / raw)
To: netfilter
Hi all,
Firstly, please CC me in replies as I'm not subscribed to the list.
I am currently loading some named sets into nftables using the following
configuration:
set au-ipv4 {
type ipv4_addr
flags interval
auto-merge
elements = { $AU.ipv4 }
}
set au-ipv6 {
type ipv6_addr
flags interval
auto-merge
elements = { $AU.ipv6 }
}
These sets are loaded in the config via:
include "/etc/nftables/firewall/geo-nft/countrysets/AU.ipv4";
include "/etc/nftables/firewall/geo-nft/countrysets/AU.ipv6";
The files are created using the geo-nft.sh script here:
https://raw.githubusercontent.com/wirefalls/geo-nft/main/geo-nft.sh
When loading these, I get the following fatal error:
netlink: Error: Could not process rule: No buffer space available
This only seems to happen on the aarch64 installs. The same kernel
version + tools version on x86_64 architecture seems to load just fine.
$ cat /proc/version
Linux version 6.18.15-200.fc43.aarch64
(mockbuild@835a9c7eeabc46d3b99996c22f20c9cf) (gcc (GCC) 15.2.1 20260123
(Red Hat 15.2.1-7), GNU ld version 2.45.1-4.fc43) #1 SMP PREEMPT_DYNAMIC
Fri Feb 27 22:55:30 UTC 2026
$ nft --version
nftables v1.1.3 (Commodore Bullmoose #4)
I've had no success in hunting for why this would be the case.
I've found that I can batch-load the sets in ~500 rules at a time, and
the entire set will load - but including them at the nftables service
level always fails.
How should I fix this?
--
Steven Haigh
📧 netwiz@crc.id.au
💻 https://crc.id.au
^ permalink raw reply [flat|nested] 11+ messages in thread* Re: aarch64 - netlink: Error: Could not process rule: No buffer space available 2026-03-03 23:36 aarch64 - netlink: Error: Could not process rule: No buffer space available Steven Haigh @ 2026-03-04 0:02 ` Pablo Neira Ayuso 2026-03-04 0:17 ` Pablo Neira Ayuso 2026-03-04 0:19 ` Steven Haigh 0 siblings, 2 replies; 11+ messages in thread From: Pablo Neira Ayuso @ 2026-03-04 0:02 UTC (permalink / raw) To: Steven Haigh; +Cc: netfilter Hi, On Wed, Mar 04, 2026 at 10:36:20AM +1100, Steven Haigh wrote: > Hi all, > > Firstly, please CC me in replies as I'm not subscribed to the list. > > I am currently loading some named sets into nftables using the following > configuration: > > set au-ipv4 { > type ipv4_addr > flags interval > auto-merge > elements = { $AU.ipv4 } > } > > set au-ipv6 { > type ipv6_addr > flags interval > auto-merge > elements = { $AU.ipv6 } > } > > These sets are loaded in the config via: > include "/etc/nftables/firewall/geo-nft/countrysets/AU.ipv4"; > include "/etc/nftables/firewall/geo-nft/countrysets/AU.ipv6"; > > The files are created using the geo-nft.sh script here: > https://raw.githubusercontent.com/wirefalls/geo-nft/main/geo-nft.sh > > When loading these, I get the following fatal error: > netlink: Error: Could not process rule: No buffer space available > > This only seems to happen on the aarch64 installs. The same kernel version + > tools version on x86_64 architecture seems to load just fine. > > $ cat /proc/version > Linux version 6.18.15-200.fc43.aarch64 > (mockbuild@835a9c7eeabc46d3b99996c22f20c9cf) (gcc (GCC) 15.2.1 20260123 (Red > Hat 15.2.1-7), GNU ld version 2.45.1-4.fc43) #1 SMP PREEMPT_DYNAMIC Fri Feb > 27 22:55:30 UTC 2026 > > $ nft --version > nftables v1.1.3 (Commodore Bullmoose #4) Can you try latest nftables version to confirm this bug on aarch64 is current? Otherwise, try nftables git HEAD snapshot? > I've had no success in hunting for why this would be the case. > > I've found that I can batch-load the sets in ~500 rules at a time, and the > entire set will load - but including them at the nftables service level > always fails. > > How should I fix this? > > -- > Steven Haigh > > 📧 netwiz@crc.id.au > 💻 https://crc.id.au > > > ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: aarch64 - netlink: Error: Could not process rule: No buffer space available 2026-03-04 0:02 ` Pablo Neira Ayuso @ 2026-03-04 0:17 ` Pablo Neira Ayuso 2026-03-04 0:34 ` Steven Haigh 2026-03-04 0:19 ` Steven Haigh 1 sibling, 1 reply; 11+ messages in thread From: Pablo Neira Ayuso @ 2026-03-04 0:17 UTC (permalink / raw) To: Steven Haigh; +Cc: netfilter On Wed, Mar 04, 2026 at 01:02:14AM +0100, Pablo Neira Ayuso wrote: > Hi, > > On Wed, Mar 04, 2026 at 10:36:20AM +1100, Steven Haigh wrote: > > Hi all, > > > > Firstly, please CC me in replies as I'm not subscribed to the list. > > > > I am currently loading some named sets into nftables using the following > > configuration: > > > > set au-ipv4 { > > type ipv4_addr > > flags interval > > auto-merge > > elements = { $AU.ipv4 } > > } > > > > set au-ipv6 { > > type ipv6_addr > > flags interval > > auto-merge > > elements = { $AU.ipv6 } > > } > > > > These sets are loaded in the config via: > > include "/etc/nftables/firewall/geo-nft/countrysets/AU.ipv4"; > > include "/etc/nftables/firewall/geo-nft/countrysets/AU.ipv6"; > > > > The files are created using the geo-nft.sh script here: > > https://raw.githubusercontent.com/wirefalls/geo-nft/main/geo-nft.sh > > > > When loading these, I get the following fatal error: > > netlink: Error: Could not process rule: No buffer space available Just to be sure and discard something simple. Maybe you made a mistake in your ruleset in the aarch64 box? With lots of errors coming from the kernel, older userspace nftables versions report ENOBUFS. Try loading AU.ipv4 and AU.ipv6 with only one element to see if userspace reports a different error. commit 47e9aaf0227daf16f43a7442e1dceae8851817a5 Author: Pablo Neira Ayuso <pablo@netfilter.org> Date: Tue Aug 26 10:09:13 2025 +0200 mnl: continue on ENOBUFS errors when processing batch A user reports that: nft -f ruleset.nft fails with: netlink: Error: Could not process rule: No buffer space available This was triggered by: table ip6 fule { set domestic_ip6 { type ipv6_addr flags dynamic,interval elements = $domestic_ip6 } chain prerouting { type filter hook prerouting priority 0; ip6 daddr @domestic_ip6 counter } } where $domestic_ip6 contains a large number of IPv6 addresses. This set declaration is not supported currently, because dynamic sets with intervals are not supported, then every IPv6 address that is added triggers an error, overruning the userspace socket buffer with lots of NLMSG_ERROR messages (or too big NLMSG_ERROR message to fit into the socket buffer) > > This only seems to happen on the aarch64 installs. The same kernel version + > > tools version on x86_64 architecture seems to load just fine. > > > > $ cat /proc/version > > Linux version 6.18.15-200.fc43.aarch64 > > (mockbuild@835a9c7eeabc46d3b99996c22f20c9cf) (gcc (GCC) 15.2.1 20260123 (Red > > Hat 15.2.1-7), GNU ld version 2.45.1-4.fc43) #1 SMP PREEMPT_DYNAMIC Fri Feb > > 27 22:55:30 UTC 2026 > > > > $ nft --version > > nftables v1.1.3 (Commodore Bullmoose #4) > > Can you try latest nftables version to confirm this bug on aarch64 is > current? Otherwise, try nftables git HEAD snapshot? > > > I've had no success in hunting for why this would be the case. > > > > I've found that I can batch-load the sets in ~500 rules at a time, and the > > entire set will load - but including them at the nftables service level > > always fails. > > > > How should I fix this? > > > > -- > > Steven Haigh > > > > 📧 netwiz@crc.id.au > > 💻 https://crc.id.au > > > > > > > ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: aarch64 - netlink: Error: Could not process rule: No buffer space available 2026-03-04 0:17 ` Pablo Neira Ayuso @ 2026-03-04 0:34 ` Steven Haigh 2026-03-04 0:42 ` Pablo Neira Ayuso 0 siblings, 1 reply; 11+ messages in thread From: Steven Haigh @ 2026-03-04 0:34 UTC (permalink / raw) To: Pablo Neira Ayuso; +Cc: netfilter On 4/3/26 11:17, Pablo Neira Ayuso wrote: > On Wed, Mar 04, 2026 at 01:02:14AM +0100, Pablo Neira Ayuso wrote: >> Hi, >> >> On Wed, Mar 04, 2026 at 10:36:20AM +1100, Steven Haigh wrote: >>> Hi all, >>> >>> Firstly, please CC me in replies as I'm not subscribed to the list. >>> >>> I am currently loading some named sets into nftables using the following >>> configuration: >>> >>> set au-ipv4 { >>> type ipv4_addr >>> flags interval >>> auto-merge >>> elements = { $AU.ipv4 } >>> } >>> >>> set au-ipv6 { >>> type ipv6_addr >>> flags interval >>> auto-merge >>> elements = { $AU.ipv6 } >>> } >>> >>> These sets are loaded in the config via: >>> include "/etc/nftables/firewall/geo-nft/countrysets/AU.ipv4"; >>> include "/etc/nftables/firewall/geo-nft/countrysets/AU.ipv6"; >>> >>> The files are created using the geo-nft.sh script here: >>> https://raw.githubusercontent.com/wirefalls/geo-nft/main/geo-nft.sh >>> >>> When loading these, I get the following fatal error: >>> netlink: Error: Could not process rule: No buffer space available > > Just to be sure and discard something simple. > > Maybe you made a mistake in your ruleset in the aarch64 box? With lots > of errors coming from the kernel, older userspace nftables versions > report ENOBUFS. > > Try loading AU.ipv4 and AU.ipv6 with only one element to see if > userspace reports a different error. > > commit 47e9aaf0227daf16f43a7442e1dceae8851817a5 > Author: Pablo Neira Ayuso <pablo@netfilter.org> > Date: Tue Aug 26 10:09:13 2025 +0200 > > mnl: continue on ENOBUFS errors when processing batch > > A user reports that: > > nft -f ruleset.nft > > fails with: > > netlink: Error: Could not process rule: No buffer space available > > This was triggered by: > > table ip6 fule { > set domestic_ip6 { > type ipv6_addr > flags dynamic,interval > elements = $domestic_ip6 > } > chain prerouting { > type filter hook prerouting priority 0; > ip6 daddr @domestic_ip6 counter > } > } > > where $domestic_ip6 contains a large number of IPv6 addresses. > > This set declaration is not supported currently, because dynamic sets > with intervals are not supported, then every IPv6 address that is added > triggers an error, overruning the userspace socket buffer with lots of > NLMSG_ERROR messages (or too big NLMSG_ERROR message to fit into the > socket buffer) --snip-- Interesting. I have noticed that if I split the set into multiple 'chunks', then the set can be populated properly. As an example, this crude claude code authored script here does function as expected and the entire set is loaded successfully: https://lamp.crc.id.au/paste/e0e9DD01E48E46e27F5ad1bc0e/ It does take some time, but it does work: $ time ./load-countrysets.sh Loaded 8480 elements into au-ipv4 Loaded 11577 elements into au-ipv6 real 0m22.202s user 0m20.335s sys 0m1.798s -- Steven Haigh 📧 netwiz@crc.id.au 💻 https://crc.id.au ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: aarch64 - netlink: Error: Could not process rule: No buffer space available 2026-03-04 0:34 ` Steven Haigh @ 2026-03-04 0:42 ` Pablo Neira Ayuso 2026-03-04 0:49 ` Steven Haigh 0 siblings, 1 reply; 11+ messages in thread From: Pablo Neira Ayuso @ 2026-03-04 0:42 UTC (permalink / raw) To: Steven Haigh; +Cc: netfilter On Wed, Mar 04, 2026 at 11:34:39AM +1100, Steven Haigh wrote: > On 4/3/26 11:17, Pablo Neira Ayuso wrote: > > On Wed, Mar 04, 2026 at 01:02:14AM +0100, Pablo Neira Ayuso wrote: > > > Hi, > > > > > > On Wed, Mar 04, 2026 at 10:36:20AM +1100, Steven Haigh wrote: > > > > Hi all, > > > > > > > > Firstly, please CC me in replies as I'm not subscribed to the list. > > > > > > > > I am currently loading some named sets into nftables using the following > > > > configuration: > > > > > > > > set au-ipv4 { > > > > type ipv4_addr > > > > flags interval > > > > auto-merge > > > > elements = { $AU.ipv4 } > > > > } > > > > > > > > set au-ipv6 { > > > > type ipv6_addr > > > > flags interval > > > > auto-merge > > > > elements = { $AU.ipv6 } > > > > } > > > > > > > > These sets are loaded in the config via: > > > > include "/etc/nftables/firewall/geo-nft/countrysets/AU.ipv4"; > > > > include "/etc/nftables/firewall/geo-nft/countrysets/AU.ipv6"; > > > > > > > > The files are created using the geo-nft.sh script here: > > > > https://raw.githubusercontent.com/wirefalls/geo-nft/main/geo-nft.sh > > > > > > > > When loading these, I get the following fatal error: > > > > netlink: Error: Could not process rule: No buffer space available > > > > Just to be sure and discard something simple. > > > > Maybe you made a mistake in your ruleset in the aarch64 box? With lots > > of errors coming from the kernel, older userspace nftables versions > > report ENOBUFS. > > > > Try loading AU.ipv4 and AU.ipv6 with only one element to see if > > userspace reports a different error. > > > > commit 47e9aaf0227daf16f43a7442e1dceae8851817a5 > > Author: Pablo Neira Ayuso <pablo@netfilter.org> > > Date: Tue Aug 26 10:09:13 2025 +0200 > > mnl: continue on ENOBUFS errors when processing batch > > A user reports that: > > nft -f ruleset.nft > > fails with: > > netlink: Error: Could not process rule: No buffer space available > > This was triggered by: > > table ip6 fule { > > set domestic_ip6 { > > type ipv6_addr > > flags dynamic,interval > > elements = $domestic_ip6 > > } > > chain prerouting { > > type filter hook prerouting priority 0; > > ip6 daddr @domestic_ip6 counter > > } > > } > > where $domestic_ip6 contains a large number of IPv6 addresses. > > This set declaration is not supported currently, because dynamic sets > > with intervals are not supported, then every IPv6 address that is added > > triggers an error, overruning the userspace socket buffer with lots of > > NLMSG_ERROR messages (or too big NLMSG_ERROR message to fit into the > > socket buffer) > > --snip-- > > Interesting. > > I have noticed that if I split the set into multiple 'chunks', then the set > can be populated properly. > > As an example, this crude claude code authored script here does function as > expected and the entire set is loaded successfully: > https://lamp.crc.id.au/paste/e0e9DD01E48E46e27F5ad1bc0e/ Unfortunately, I cannot reach this link. > It does take some time, but it does work: > > $ time ./load-countrysets.sh > Loaded 8480 elements into au-ipv4 > Loaded 11577 elements into au-ipv6 > > real 0m22.202s > user 0m20.335s > sys 0m1.798s Even with ASAN enabled I can load such a small ruleset a lot faster, not sure what this script is doing. ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: aarch64 - netlink: Error: Could not process rule: No buffer space available 2026-03-04 0:42 ` Pablo Neira Ayuso @ 2026-03-04 0:49 ` Steven Haigh 2026-03-04 0:53 ` Pablo Neira Ayuso 0 siblings, 1 reply; 11+ messages in thread From: Steven Haigh @ 2026-03-04 0:49 UTC (permalink / raw) To: Pablo Neira Ayuso; +Cc: netfilter On 4/3/26 11:42, Pablo Neira Ayuso wrote: > On Wed, Mar 04, 2026 at 11:34:39AM +1100, Steven Haigh wrote: >> On 4/3/26 11:17, Pablo Neira Ayuso wrote: >>> On Wed, Mar 04, 2026 at 01:02:14AM +0100, Pablo Neira Ayuso wrote: >>>> Hi, >>>> >>>> On Wed, Mar 04, 2026 at 10:36:20AM +1100, Steven Haigh wrote: >>>>> Hi all, >>>>> >>>>> Firstly, please CC me in replies as I'm not subscribed to the list. >>>>> >>>>> I am currently loading some named sets into nftables using the following >>>>> configuration: >>>>> >>>>> set au-ipv4 { >>>>> type ipv4_addr >>>>> flags interval >>>>> auto-merge >>>>> elements = { $AU.ipv4 } >>>>> } >>>>> >>>>> set au-ipv6 { >>>>> type ipv6_addr >>>>> flags interval >>>>> auto-merge >>>>> elements = { $AU.ipv6 } >>>>> } >>>>> >>>>> These sets are loaded in the config via: >>>>> include "/etc/nftables/firewall/geo-nft/countrysets/AU.ipv4"; >>>>> include "/etc/nftables/firewall/geo-nft/countrysets/AU.ipv6"; >>>>> >>>>> The files are created using the geo-nft.sh script here: >>>>> https://raw.githubusercontent.com/wirefalls/geo-nft/main/geo-nft.sh >>>>> >>>>> When loading these, I get the following fatal error: >>>>> netlink: Error: Could not process rule: No buffer space available >>> >>> Just to be sure and discard something simple. >>> >>> Maybe you made a mistake in your ruleset in the aarch64 box? With lots >>> of errors coming from the kernel, older userspace nftables versions >>> report ENOBUFS. >>> >>> Try loading AU.ipv4 and AU.ipv6 with only one element to see if >>> userspace reports a different error. >>> >>> commit 47e9aaf0227daf16f43a7442e1dceae8851817a5 >>> Author: Pablo Neira Ayuso <pablo@netfilter.org> >>> Date: Tue Aug 26 10:09:13 2025 +0200 >>> mnl: continue on ENOBUFS errors when processing batch >>> A user reports that: >>> nft -f ruleset.nft >>> fails with: >>> netlink: Error: Could not process rule: No buffer space available >>> This was triggered by: >>> table ip6 fule { >>> set domestic_ip6 { >>> type ipv6_addr >>> flags dynamic,interval >>> elements = $domestic_ip6 >>> } >>> chain prerouting { >>> type filter hook prerouting priority 0; >>> ip6 daddr @domestic_ip6 counter >>> } >>> } >>> where $domestic_ip6 contains a large number of IPv6 addresses. >>> This set declaration is not supported currently, because dynamic sets >>> with intervals are not supported, then every IPv6 address that is added >>> triggers an error, overruning the userspace socket buffer with lots of >>> NLMSG_ERROR messages (or too big NLMSG_ERROR message to fit into the >>> socket buffer) >> >> --snip-- >> >> Interesting. >> >> I have noticed that if I split the set into multiple 'chunks', then the set >> can be populated properly. >> >> As an example, this crude claude code authored script here does function as >> expected and the entire set is loaded successfully: >> https://lamp.crc.id.au/paste/e0e9DD01E48E46e27F5ad1bc0e/ > > Unfortunately, I cannot reach this link. Apologies - its behind the firewall that I'm debugging :) Mirrored here: https://pastebin.com/iTa9XRCb >> It does take some time, but it does work: >> >> $ time ./load-countrysets.sh >> Loaded 8480 elements into au-ipv4 >> Loaded 11577 elements into au-ipv6 >> >> real 0m22.202s >> user 0m20.335s >> sys 0m1.798s > > Even with ASAN enabled I can load such a small ruleset a lot faster, > not sure what this script is doing. > -- Steven Haigh 📧 netwiz@crc.id.au 💻 https://crc.id.au ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: aarch64 - netlink: Error: Could not process rule: No buffer space available 2026-03-04 0:49 ` Steven Haigh @ 2026-03-04 0:53 ` Pablo Neira Ayuso 2026-03-04 1:05 ` Steven Haigh 0 siblings, 1 reply; 11+ messages in thread From: Pablo Neira Ayuso @ 2026-03-04 0:53 UTC (permalink / raw) To: Steven Haigh; +Cc: netfilter On Wed, Mar 04, 2026 at 11:49:41AM +1100, Steven Haigh wrote: > On 4/3/26 11:42, Pablo Neira Ayuso wrote: > > On Wed, Mar 04, 2026 at 11:34:39AM +1100, Steven Haigh wrote: > > > On 4/3/26 11:17, Pablo Neira Ayuso wrote: > > > > On Wed, Mar 04, 2026 at 01:02:14AM +0100, Pablo Neira Ayuso wrote: > > > > > Hi, > > > > > > > > > > On Wed, Mar 04, 2026 at 10:36:20AM +1100, Steven Haigh wrote: > > > > > > Hi all, > > > > > > > > > > > > Firstly, please CC me in replies as I'm not subscribed to the list. > > > > > > > > > > > > I am currently loading some named sets into nftables using the following > > > > > > configuration: > > > > > > > > > > > > set au-ipv4 { > > > > > > type ipv4_addr > > > > > > flags interval > > > > > > auto-merge > > > > > > elements = { $AU.ipv4 } > > > > > > } > > > > > > > > > > > > set au-ipv6 { > > > > > > type ipv6_addr > > > > > > flags interval > > > > > > auto-merge > > > > > > elements = { $AU.ipv6 } > > > > > > } > > > > > > > > > > > > These sets are loaded in the config via: > > > > > > include "/etc/nftables/firewall/geo-nft/countrysets/AU.ipv4"; > > > > > > include "/etc/nftables/firewall/geo-nft/countrysets/AU.ipv6"; > > > > > > > > > > > > The files are created using the geo-nft.sh script here: > > > > > > https://raw.githubusercontent.com/wirefalls/geo-nft/main/geo-nft.sh > > > > > > > > > > > > When loading these, I get the following fatal error: > > > > > > netlink: Error: Could not process rule: No buffer space available > > > > > > > > Just to be sure and discard something simple. > > > > > > > > Maybe you made a mistake in your ruleset in the aarch64 box? With lots > > > > of errors coming from the kernel, older userspace nftables versions > > > > report ENOBUFS. > > > > > > > > Try loading AU.ipv4 and AU.ipv6 with only one element to see if > > > > userspace reports a different error. > > > > > > > > commit 47e9aaf0227daf16f43a7442e1dceae8851817a5 > > > > Author: Pablo Neira Ayuso <pablo@netfilter.org> > > > > Date: Tue Aug 26 10:09:13 2025 +0200 > > > > mnl: continue on ENOBUFS errors when processing batch > > > > A user reports that: > > > > nft -f ruleset.nft > > > > fails with: > > > > netlink: Error: Could not process rule: No buffer space available > > > > This was triggered by: > > > > table ip6 fule { > > > > set domestic_ip6 { > > > > type ipv6_addr > > > > flags dynamic,interval > > > > elements = $domestic_ip6 > > > > } > > > > chain prerouting { > > > > type filter hook prerouting priority 0; > > > > ip6 daddr @domestic_ip6 counter > > > > } > > > > } > > > > where $domestic_ip6 contains a large number of IPv6 addresses. > > > > This set declaration is not supported currently, because dynamic sets > > > > with intervals are not supported, then every IPv6 address that is added > > > > triggers an error, overruning the userspace socket buffer with lots of > > > > NLMSG_ERROR messages (or too big NLMSG_ERROR message to fit into the > > > > socket buffer) > > > > > > --snip-- > > > > > > Interesting. > > > > > > I have noticed that if I split the set into multiple 'chunks', then the set > > > can be populated properly. > > > > > > As an example, this crude claude code authored script here does function as > > > expected and the entire set is loaded successfully: > > > https://lamp.crc.id.au/paste/e0e9DD01E48E46e27F5ad1bc0e/ > > > > Unfortunately, I cannot reach this link. > > Apologies - its behind the firewall that I'm debugging :) > > Mirrored here: https://pastebin.com/iTa9XRCb This is insane: while IFS= read -r line; do ... echo "add element $TABLE_FAMILY $TABLE_NAME $set_name { $batch }" | nft -f - this is one transaction per command. This is as bad as a shell script with explicit iptables invocations, one per line. This is an antipattern. ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: aarch64 - netlink: Error: Could not process rule: No buffer space available 2026-03-04 0:53 ` Pablo Neira Ayuso @ 2026-03-04 1:05 ` Steven Haigh 2026-03-04 1:17 ` Pablo Neira Ayuso 0 siblings, 1 reply; 11+ messages in thread From: Steven Haigh @ 2026-03-04 1:05 UTC (permalink / raw) To: Pablo Neira Ayuso; +Cc: netfilter On 4/3/26 11:53, Pablo Neira Ayuso wrote: --snip-- >> Apologies - its behind the firewall that I'm debugging :) >> >> Mirrored here: https://pastebin.com/iTa9XRCb > > This is insane: > while IFS= read -r line; do > ... > echo "add element $TABLE_FAMILY $TABLE_NAME $set_name { $batch }" | nft -f - > > this is one transaction per command. > > This is as bad as a shell script with explicit iptables invocations, > one per line. This is an antipattern. Yep - it isn't optimal - however it loads up to 512 lines per invocation of nft. It isn't meant to be a production or solution - just proof that the set is actually good and can be loaded successfully - even if the set is loaded at up to 512 elements at a time. At this moment, I've had no success loading the entire set via the normal methods - being uncommenting these two lines: include "/etc/nftables/firewall/geo-nft/countrysets/AU.ipv4"; include "/etc/nftables/firewall/geo-nft/countrysets/AU.ipv6"; table inet filter { set au-ipv4 { type ipv4_addr flags interval auto-merge #elements = { $AU.ipv4 } } set au-ipv6 { type ipv6_addr flags interval auto-merge #elements = { $AU.ipv6 } } } At best, its a workaround for now. I can work with it until nft 1.1.7 if you believe this should work correctly in that version? I don't have an aarch64 cross-compile setup on this system (its an embedded 8 core ARM board based on the rk3588 SOC) - so I can probably monitor Fedora's Bodhi instance here until 1.1.7 is released and built: https://bodhi.fedoraproject.org/updates/?search=nftables -- Steven Haigh 📧 netwiz@crc.id.au 💻 https://crc.id.au ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: aarch64 - netlink: Error: Could not process rule: No buffer space available 2026-03-04 1:05 ` Steven Haigh @ 2026-03-04 1:17 ` Pablo Neira Ayuso 0 siblings, 0 replies; 11+ messages in thread From: Pablo Neira Ayuso @ 2026-03-04 1:17 UTC (permalink / raw) To: Steven Haigh; +Cc: netfilter On Wed, Mar 04, 2026 at 12:05:30PM +1100, Steven Haigh wrote: > On 4/3/26 11:53, Pablo Neira Ayuso wrote: > --snip-- > > > Apologies - its behind the firewall that I'm debugging :) > > > > > > Mirrored here: https://pastebin.com/iTa9XRCb > > > > This is insane: > > while IFS= read -r line; do > > ... > > echo "add element $TABLE_FAMILY $TABLE_NAME $set_name { $batch }" | nft -f - > > > > this is one transaction per command. > > > > This is as bad as a shell script with explicit iptables invocations, > > one per line. This is an antipattern. > > Yep - it isn't optimal - however it loads up to 512 lines per invocation of > nft. It isn't meant to be a production or solution - just proof that the set > is actually good and can be loaded successfully - even if the set is loaded > at up to 512 elements at a time. > > At this moment, I've had no success loading the entire set via the normal > methods - being uncommenting these two lines: > > include "/etc/nftables/firewall/geo-nft/countrysets/AU.ipv4"; > include "/etc/nftables/firewall/geo-nft/countrysets/AU.ipv6"; > > table inet filter { > set au-ipv4 { > type ipv4_addr > flags interval > auto-merge > #elements = { $AU.ipv4 } > } > > set au-ipv6 { > type ipv6_addr > flags interval > auto-merge > #elements = { $AU.ipv6 } > } > } > > At best, its a workaround for now. I can work with it until nft 1.1.7 if you > believe this should work correctly in that version? It should work fine with nftables 1.1.7, yes. > I don't have an aarch64 cross-compile setup on this system (its an embedded > 8 core ARM board based on the rk3588 SOC) - so I can probably monitor > Fedora's Bodhi instance here until 1.1.7 is released and built: > https://bodhi.fedoraproject.org/updates/?search=nftables Florian just told me that: commit 648946966a08e4cb1a71619e3d1b12bd7642de7b Author: Pablo Neira Ayuso <pablo@netfilter.org> Date: Fri Feb 6 13:33:46 2026 +0100 netfilter: nft_set_rbtree: validate open interval overlap went into -stable 6.18, which I overlook. Reverting this kernel patch in -stable should also address this issue. ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: aarch64 - netlink: Error: Could not process rule: No buffer space available 2026-03-04 0:02 ` Pablo Neira Ayuso 2026-03-04 0:17 ` Pablo Neira Ayuso @ 2026-03-04 0:19 ` Steven Haigh 2026-03-04 0:35 ` Pablo Neira Ayuso 1 sibling, 1 reply; 11+ messages in thread From: Steven Haigh @ 2026-03-04 0:19 UTC (permalink / raw) To: Pablo Neira Ayuso; +Cc: netfilter Hi Pablo, Thanks for the reply. On 4/3/26 11:02, Pablo Neira Ayuso wrote: > Hi, > > On Wed, Mar 04, 2026 at 10:36:20AM +1100, Steven Haigh wrote: >> Hi all, >> >> Firstly, please CC me in replies as I'm not subscribed to the list. >> >> I am currently loading some named sets into nftables using the following >> configuration: >> >> set au-ipv4 { >> type ipv4_addr >> flags interval >> auto-merge >> elements = { $AU.ipv4 } >> } >> >> set au-ipv6 { >> type ipv6_addr >> flags interval >> auto-merge >> elements = { $AU.ipv6 } >> } >> >> These sets are loaded in the config via: >> include "/etc/nftables/firewall/geo-nft/countrysets/AU.ipv4"; >> include "/etc/nftables/firewall/geo-nft/countrysets/AU.ipv6"; >> >> The files are created using the geo-nft.sh script here: >> https://raw.githubusercontent.com/wirefalls/geo-nft/main/geo-nft.sh >> >> When loading these, I get the following fatal error: >> netlink: Error: Could not process rule: No buffer space available >> >> This only seems to happen on the aarch64 installs. The same kernel version + >> tools version on x86_64 architecture seems to load just fine. >> >> $ cat /proc/version >> Linux version 6.18.15-200.fc43.aarch64 >> (mockbuild@835a9c7eeabc46d3b99996c22f20c9cf) (gcc (GCC) 15.2.1 20260123 (Red >> Hat 15.2.1-7), GNU ld version 2.45.1-4.fc43) #1 SMP PREEMPT_DYNAMIC Fri Feb >> 27 22:55:30 UTC 2026 >> >> $ nft --version >> nftables v1.1.3 (Commodore Bullmoose #4) > > Can you try latest nftables version to confirm this bug on aarch64 is > current? Otherwise, try nftables git HEAD snapshot? I grabbed some scratch builds from Fedora 44 which updated: * libnftnl 1.2.9 -> 1.3.1 * nftables 1.1.3 -> 1.1.6 When processing the files though, a new error occurs: In file included from ./firewall.nft:7:1-61: /etc/nftables/firewall/geo-nft/countrysets/AU.ipv4:1646:2-24: Error: Could not process rule: File exists 103.4.84.0-103.4.87.255, ^^^^^^^^^^^^^^^^^^^^^^^ Looking at the ranges at / around this line however, I can't see any kind of duplicate: 103.4.16.0-103.4.19.255, 103.4.55.0-103.4.55.255, 103.4.60.0-103.4.63.255, 103.4.84.0-103.4.87.255, 103.4.120.0-103.4.120.255, 103.4.122.0-103.4.123.255, 103.4.132.0-103.4.133.255, Checking the datafile: $ grep 103.4.84 geo-nft/countrysets/AU.ipv4 103.4.84.0-103.4.87.255, From what I understand, even if this range did overlap - the auto-merge flag should handle this. >> I've had no success in hunting for why this would be the case. >> >> I've found that I can batch-load the sets in ~500 rules at a time, and the >> entire set will load - but including them at the nftables service level >> always fails. >> >> How should I fix this? -- Steven Haigh 📧 netwiz@crc.id.au 💻 https://crc.id.au ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: aarch64 - netlink: Error: Could not process rule: No buffer space available 2026-03-04 0:19 ` Steven Haigh @ 2026-03-04 0:35 ` Pablo Neira Ayuso 0 siblings, 0 replies; 11+ messages in thread From: Pablo Neira Ayuso @ 2026-03-04 0:35 UTC (permalink / raw) To: Steven Haigh; +Cc: netfilter On Wed, Mar 04, 2026 at 11:19:36AM +1100, Steven Haigh wrote: > Hi Pablo, > > Thanks for the reply. > > On 4/3/26 11:02, Pablo Neira Ayuso wrote: > > Hi, > > > > On Wed, Mar 04, 2026 at 10:36:20AM +1100, Steven Haigh wrote: > > > Hi all, > > > > > > Firstly, please CC me in replies as I'm not subscribed to the list. > > > > > > I am currently loading some named sets into nftables using the following > > > configuration: > > > > > > set au-ipv4 { > > > type ipv4_addr > > > flags interval > > > auto-merge > > > elements = { $AU.ipv4 } > > > } > > > > > > set au-ipv6 { > > > type ipv6_addr > > > flags interval > > > auto-merge > > > elements = { $AU.ipv6 } > > > } > > > > > > These sets are loaded in the config via: > > > include "/etc/nftables/firewall/geo-nft/countrysets/AU.ipv4"; > > > include "/etc/nftables/firewall/geo-nft/countrysets/AU.ipv6"; > > > > > > The files are created using the geo-nft.sh script here: > > > https://raw.githubusercontent.com/wirefalls/geo-nft/main/geo-nft.sh > > > > > > When loading these, I get the following fatal error: > > > netlink: Error: Could not process rule: No buffer space available > > > > > > This only seems to happen on the aarch64 installs. The same kernel version + > > > tools version on x86_64 architecture seems to load just fine. > > > > > > $ cat /proc/version > > > Linux version 6.18.15-200.fc43.aarch64 > > > (mockbuild@835a9c7eeabc46d3b99996c22f20c9cf) (gcc (GCC) 15.2.1 20260123 (Red > > > Hat 15.2.1-7), GNU ld version 2.45.1-4.fc43) #1 SMP PREEMPT_DYNAMIC Fri Feb > > > 27 22:55:30 UTC 2026 > > > > > > $ nft --version > > > nftables v1.1.3 (Commodore Bullmoose #4) > > > > Can you try latest nftables version to confirm this bug on aarch64 is > > current? Otherwise, try nftables git HEAD snapshot? > > I grabbed some scratch builds from Fedora 44 which updated: > * libnftnl 1.2.9 -> 1.3.1 > * nftables 1.1.3 -> 1.1.6 > > When processing the files though, a new error occurs: > > In file included from ./firewall.nft:7:1-61: > /etc/nftables/firewall/geo-nft/countrysets/AU.ipv4:1646:2-24: Error: Could > not process rule: File exists > 103.4.84.0-103.4.87.255, > ^^^^^^^^^^^^^^^^^^^^^^^ > > Looking at the ranges at / around this line however, I can't see any kind of > duplicate: > > 103.4.16.0-103.4.19.255, > 103.4.55.0-103.4.55.255, > 103.4.60.0-103.4.63.255, > 103.4.84.0-103.4.87.255, > 103.4.120.0-103.4.120.255, > 103.4.122.0-103.4.123.255, > 103.4.132.0-103.4.133.255, > > Checking the datafile: > $ grep 103.4.84 geo-nft/countrysets/AU.ipv4 > 103.4.84.0-103.4.87.255, > > From what I understand, even if this range did overlap - the auto-merge flag > should handle this. Are you using the 'create element' command? This is fixed in git HEAD, this is a bug in 1.1.6. commit e83e32c8d1cd228d751fb92b756306c6eb6c0759 Author: Pablo Neira Ayuso <pablo@netfilter.org> Date: Mon Jan 12 12:59:26 2026 +0100 mnl: restore create element command with large batches The rework to reduce memory consumption has introduced a bug that result in spurious EEXIST with large batches. ^ permalink raw reply [flat|nested] 11+ messages in thread
end of thread, other threads:[~2026-03-04 1:17 UTC | newest] Thread overview: 11+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2026-03-03 23:36 aarch64 - netlink: Error: Could not process rule: No buffer space available Steven Haigh 2026-03-04 0:02 ` Pablo Neira Ayuso 2026-03-04 0:17 ` Pablo Neira Ayuso 2026-03-04 0:34 ` Steven Haigh 2026-03-04 0:42 ` Pablo Neira Ayuso 2026-03-04 0:49 ` Steven Haigh 2026-03-04 0:53 ` Pablo Neira Ayuso 2026-03-04 1:05 ` Steven Haigh 2026-03-04 1:17 ` Pablo Neira Ayuso 2026-03-04 0:19 ` Steven Haigh 2026-03-04 0:35 ` Pablo Neira Ayuso
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox