public inbox for netfilter@vger.kernel.org
From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Steven Haigh <netwiz@crc.id.au>
Cc: netfilter@vger.kernel.org
Subject: Re: aarch64 - netlink: Error: Could not process rule: No buffer space available
Date: Wed, 4 Mar 2026 01:42:39 +0100
Message-ID: <aad__3J15t9kzkYd@chamomile>
In-Reply-To: <a282917a-107d-4f70-82e5-df9564d5172d@crc.id.au>

On Wed, Mar 04, 2026 at 11:34:39AM +1100, Steven Haigh wrote:
> On 4/3/26 11:17, Pablo Neira Ayuso wrote:
> > On Wed, Mar 04, 2026 at 01:02:14AM +0100, Pablo Neira Ayuso wrote:
> > > Hi,
> > > 
> > > On Wed, Mar 04, 2026 at 10:36:20AM +1100, Steven Haigh wrote:
> > > > Hi all,
> > > > 
> > > > Firstly, please CC me in replies as I'm not subscribed to the list.
> > > > 
> > > > I am currently loading some named sets into nftables using the following
> > > > configuration:
> > > > 
> > > > set au-ipv4 {
> > > >          type ipv4_addr
> > > >          flags interval
> > > >          auto-merge
> > > >          elements = { $AU.ipv4 }
> > > > }
> > > > 
> > > > set au-ipv6 {
> > > >          type ipv6_addr
> > > >          flags interval
> > > >          auto-merge
> > > >          elements = { $AU.ipv6 }
> > > > }
> > > > 
> > > > These sets are loaded in the config via:
> > > > include "/etc/nftables/firewall/geo-nft/countrysets/AU.ipv4";
> > > > include "/etc/nftables/firewall/geo-nft/countrysets/AU.ipv6";
> > > > 
> > > > The files are created using the geo-nft.sh script here:
> > > > https://raw.githubusercontent.com/wirefalls/geo-nft/main/geo-nft.sh
> > > > 
> > > > When loading these, I get the following fatal error:
> > > > netlink: Error: Could not process rule: No buffer space available
> > 
> > Just to be sure and discard something simple.
> > 
> > Maybe you made a mistake in your ruleset in the aarch64 box? With lots
> > of errors coming from the kernel, older userspace nftables versions
> > report ENOBUFS.
> > 
> > Try loading AU.ipv4 and AU.ipv6 with only one element to see if
> > userspace reports a different error.
> > 
> > commit 47e9aaf0227daf16f43a7442e1dceae8851817a5
> > Author: Pablo Neira Ayuso <pablo@netfilter.org>
> > Date:   Tue Aug 26 10:09:13 2025 +0200
> >      mnl: continue on ENOBUFS errors when processing batch
> >      A user reports that:
> >        nft -f ruleset.nft
> >      fails with:
> >        netlink: Error: Could not process rule: No buffer space available
> >      This was triggered by:
> >      table ip6 fule {
> >        set domestic_ip6 {
> >          type ipv6_addr
> >          flags dynamic,interval
> >          elements = $domestic_ip6
> >        }
> >        chain prerouting {
> >          type filter hook prerouting priority 0;
> >          ip6 daddr @domestic_ip6 counter
> >        }
> >      }
> >      where $domestic_ip6 contains a large number of IPv6 addresses.
> >      This set declaration is not supported currently, because dynamic sets
> >      with intervals are not supported, then every IPv6 address that is added
> > >      triggers an error, overrunning the userspace socket buffer with lots of
> >      NLMSG_ERROR messages (or too big NLMSG_ERROR message to fit into the
> >      socket buffer)
> 
> --snip--
> 
> Interesting.
> 
> I have noticed that if I split the set into multiple 'chunks', then the set
> can be populated properly.
> 
> As an example, this crude claude code authored script here does function as
> expected and the entire set is loaded successfully:
> 	https://lamp.crc.id.au/paste/e0e9DD01E48E46e27F5ad1bc0e/

Unfortunately, I cannot reach this link.

> It does take some time, but it does work:
> 
> $ time ./load-countrysets.sh
> Loaded 8480 elements into au-ipv4
> Loaded 11577 elements into au-ipv6
> 
> real    0m22.202s
> user    0m20.335s
> sys     0m1.798s

Even with ASAN enabled I can load such a small ruleset a lot faster,
not sure what this script is doing.
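An added example, not from this thread and not the script Steven links: a POSIX shell loader that applies the two points raised above, probing the set with a single element first (so a genuine ruleset error is reported instead of ENOBUFS) and then adding the rest in batches of a few hundred elements per transaction. It assumes the define-file layout `define AU.ipv4 = { a, b, ... }` for the geo-nft output (an assumption), an already declared set in `inet filter`, and `nft` run as root.

```shell
#!/bin/sh
# Example loader (constructed for this thread, not part of nftables or geo-nft).
set -eu

NFT=${NFT:-nft}              # nft binary; assumption: in PATH, run as root
TABLE=${TABLE:-inet filter}  # family + table that already declares the set
CHUNK=${CHUNK:-500}          # elements per add transaction

# Print the elements of a define file, one per line.
# Assumed format: define AU.ipv4 = { 1.0.0.0/24, 1.0.4.0/22 }
elements_of() {
    sed -e 's/^[^{]*{//' -e 's/}.*$//' "$1" \
        | tr ',' '\n' | tr -d ' \t\r' | sed '/^$/d'
}

# Group stdin lines into comma-separated batches of N, one batch per line.
batches_of() {
    awk -v n="$1" '
        { buf = (buf == "" ? $0 : buf ", " $0) }
        NR % n == 0 { print buf; buf = "" }
        END { if (buf != "") print buf }'
}

# Probe with the first element, then add the remainder in batches so a
# failing batch is a single, readable error rather than a flood of them.
load_countryset() {   # usage: load_countryset SET_NAME FILE
    set_name=$1; file=$2
    first=$(elements_of "$file" | head -n 1)
    [ -n "$first" ] || { echo "no elements in $file" >&2; return 1; }
    $NFT add element $TABLE "$set_name" "{ $first }"
    elements_of "$file" | tail -n +2 | batches_of "$CHUNK" | while read -r batch; do
        $NFT add element $TABLE "$set_name" "{ $batch }"
    done
    echo "Loaded $(elements_of "$file" | wc -l | tr -d ' ') elements into $set_name"
}

if [ $# -eq 2 ]; then
    load_countryset "$1" "$2"
fi
```

Run as `./load-countryset.sh au-ipv4 /path/to/AU.ipv4`; set `NFT=true` to dry-run the parsing without touching the kernel.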


Thread overview: 11+ messages
2026-03-03 23:36 aarch64 - netlink: Error: Could not process rule: No buffer space available Steven Haigh
2026-03-04  0:02 ` Pablo Neira Ayuso
2026-03-04  0:17   ` Pablo Neira Ayuso
2026-03-04  0:34     ` Steven Haigh
2026-03-04  0:42       ` Pablo Neira Ayuso [this message]
2026-03-04  0:49         ` Steven Haigh
2026-03-04  0:53           ` Pablo Neira Ayuso
2026-03-04  1:05             ` Steven Haigh
2026-03-04  1:17               ` Pablo Neira Ayuso
2026-03-04  0:19   ` Steven Haigh
2026-03-04  0:35     ` Pablo Neira Ayuso
