From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Steven Haigh <netwiz@crc.id.au>
Cc: netfilter@vger.kernel.org
Subject: Re: aarch64 - netlink: Error: Could not process rule: No buffer space available
Date: Wed, 4 Mar 2026 02:17:00 +0100
Message-ID: <aaeIDJigEVkDfrRg@chamomile>
In-Reply-To: <6a13633f-3d2b-47c4-b9fa-a556e88c2188@crc.id.au>
On Wed, Mar 04, 2026 at 12:05:30PM +1100, Steven Haigh wrote:
> On 4/3/26 11:53, Pablo Neira Ayuso wrote:
> --snip--
> > > Apologies - it's behind the firewall that I'm debugging :)
> > >
> > > Mirrored here: https://pastebin.com/iTa9XRCb
> >
> > This is insane:
> > while IFS= read -r line; do
> > ...
> > echo "add element $TABLE_FAMILY $TABLE_NAME $set_name { $batch }" | nft -f -
> >
> > this is one transaction per command.
> >
> > This is as bad as a shell script with explicit iptables invocations,
> > one per line. This is an antipattern.
>
> Yep - it isn't optimal - however it loads up to 512 lines per invocation of
> nft. It isn't meant to be a production or solution - just proof that the set
> is actually good and can be loaded successfully - even if the set is loaded
> at up to 512 elements at a time.
>
> At this moment, I've had no success loading the entire set via the normal
> methods - namely uncommenting these two lines:
>
> include "/etc/nftables/firewall/geo-nft/countrysets/AU.ipv4";
> include "/etc/nftables/firewall/geo-nft/countrysets/AU.ipv6";
>
> table inet filter {
>     set au-ipv4 {
>         type ipv4_addr
>         flags interval
>         auto-merge
>         #elements = { $AU.ipv4 }
>     }
>
>     set au-ipv6 {
>         type ipv6_addr
>         flags interval
>         auto-merge
>         #elements = { $AU.ipv6 }
>     }
> }
>
> At best, it's a workaround for now. I can work with it until nft 1.1.7 if you
> believe this should work correctly in that version?
It should work fine with nftables 1.1.7, yes.
> I don't have an aarch64 cross-compile setup on this system (it's an embedded
> 8 core ARM board based on the rk3588 SOC) - so I can probably monitor
> Fedora's Bodhi instance here until 1.1.7 is released and built:
> https://bodhi.fedoraproject.org/updates/?search=nftables
Florian just told me that:
commit 648946966a08e4cb1a71619e3d1b12bd7642de7b
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Fri Feb 6 13:33:46 2026 +0100
netfilter: nft_set_rbtree: validate open interval overlap
went into -stable 6.18, which I overlooked.
Reverting this kernel patch in -stable should also address this issue.
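As an added example that is not part of this thread and not code from the nftables project: the loop quoted above pipes one "add element" command per 512-line chunk into nft, so the load is split into many transactions. The helper below instead turns a plain prefix list (one prefix per line, comments allowed) into a single nft script whose set carries the whole elements block, so one `nft -f` call loads it as one atomic transaction. The table/set names, the sample prefixes and the temporary file paths are constructed for illustration, not taken from the poster's files.

```shell
#!/bin/sh
# Added example (not from the thread): build ONE nft script that defines the
# set together with all of its elements, so the whole load is a single
# transaction instead of one "nft -f -" invocation per 512-element chunk.

# build_set_batch FAMILY TABLE SET TYPE ELEMENTS_FILE
# Reads one prefix per line from ELEMENTS_FILE and prints a complete
# nft script on stdout. Blank lines and '#' comments are ignored.
build_set_batch() {
    family=$1 table=$2 set=$3 type=$4 elements=$5
    # Join every real prefix line with commas for the elements block.
    list=$(grep -Ev '^[[:space:]]*(#|$)' "$elements" | paste -s -d ',' -)
    printf 'table %s %s {\n' "$family" "$table"
    printf '\tset %s {\n' "$set"
    printf '\t\ttype %s\n' "$type"
    printf '\t\tflags interval\n'
    printf '\t\tauto-merge\n'
    printf '\t\telements = { %s }\n' "$list"
    printf '\t}\n'
    printf '}\n'
}

# count_elements FILE: number of non-comment, non-blank lines, used as a
# sanity check against what the kernel reports after the load.
count_elements() {
    grep -Ecv '^[[:space:]]*(#|$)' "$1"
}

# Constructed sample input (documentation prefixes, not real country data).
# A real geo feed would have the same shape: one prefix per line.
tmp=$(mktemp -d)
cat > "$tmp/AU.ipv4.list" <<'EOF'
# constructed sample prefixes
192.0.2.0/24
198.51.100.0/25
198.51.100.128/25
203.0.113.0/24
EOF

build_set_batch inet filter au-ipv4 ipv4_addr "$tmp/AU.ipv4.list" > "$tmp/au-ipv4.nft"

# Dry-run the whole batch (parse plus kernel-side check, nothing applied)
# only when nft exists and we are root; the real load is 'nft -f FILE'.
if command -v nft >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
    nft -c -f "$tmp/au-ipv4.nft" &&
        echo "batch checks out: $(count_elements "$tmp/AU.ipv4.list") elements"
else
    echo "nft not usable here; wrote $tmp/au-ipv4.nft with $(count_elements "$tmp/AU.ipv4.list") elements"
fi
```

Because the two adjacent /25 prefixes in the sample sit inside one set with `flags interval` and `auto-merge`, a successful load merges them into a single /24 interval; comparing `count_elements` against `nft list set inet filter au-ipv4` after the load is the quick way to confirm the whole batch, not just the last chunk, made it into the kernel.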