bugzilla-daemon at netfilter.org
2017-Aug-23 17:40 UTC
[Bug 1175] New: Document limitations on identifier names
https://bugzilla.netfilter.org/show_bug.cgi?id=1175 Bug ID: 1175 Summary: Document limitations on identifier names Product: nftables Version: unspecified Hardware: All OS: All Status: NEW Severity: major Priority: P5 Component: nft Assignee: pablo at netfilter.org Reporter: netfilter at allycomm.com I understand that some of the functionality within nftables requires identifiers to be available within kernel structures and that there needs to be a "reasonable" limit on the lengths of those identifiers. Unfortunately, these limits are not only poorly documented, but also result in "meaningless" error messages, such as nftables.conf:3:1-14: Error: Could not process rule: No such file or directory flush ruleset ^^^^^^^^^^^^^^ (Error messaging to be the subject of another issue) In searching the "official" documentation, there is little to describe the limits on length. ==<https://wiki.nftables.org/wiki-nftables/index.php/Configuring_tables> (nothing) ==<https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains> (nothing) ==<https://wiki.nftables.org/wiki-nftables/index.php/Scripting> (define syntax described here -- nothing) ==<https://wiki.nftables.org/wiki-nftables/index.php/Sets> "Current maximum name length is 16 characters." (assumed to apply to sets and not necessarily other identifiers, especially given the man page description of "identifiers") ==<https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes> (nothing) ==<http://www.netfilter.org/projects/nftables/manpage.html> Under LEXICAL CONVENTIONS Identifiers begin with an alphabetic character (a-z,A-Z), followed zero or more alphanumeric characters (a-z,A-Z,0-9) and the characters slash (/), backslash (\), underscore (_) and dot (.). Identifiers using different characters or clashing with a keyword need to be enclosed in double quotes ("). Under SYMBOLIC VARIABLES (nothing) Under TABLES, CHAINS (nothing) -- You are receiving this mail because: You are watching all bug changes. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20170823/00b575d9/attachment.html>
bugzilla-daemon at netfilter.org
2017-Aug-23 21:44 UTC
[Bug 1175] Document limitations on identifier names
https://bugzilla.netfilter.org/show_bug.cgi?id=1175 --- Comment #1 from Jeff Kletsky <netfilter at allycomm.com> --- The limit on set identifiers appears to be 31 characters, conflicting with the wiki on this point. It also appears that the limit on chain identifiers is also 31 characters. The limit on define identifiers ("variable names") appears to be somewhere in excess of 65 characters. ~/build/nftables$ git log -1 commit d74eed8c9649e9278b69f2cd0fd92f71e3e19cfb (HEAD -> master, tag: 2017-08-19, origin/master, origin/HEAD) Author: Varsha Rao <rvarsha016 at gmail.com> Date: Wed Aug 16 19:48:17 2017 +0530 $ cat nftables.conf #!/usr/sbin/nft -f flush ruleset table inet global { define identifier123456789212345678931234567894123456789512345678961234. one define identifier123456789212345678931234567894123456789512345678961234_ one chain prerouting12345678921234567893. { type filter hook prerouting priority -175 } chain prerouting12345678921234567893_ { type filter hook prerouting priority -50 } set identifier12345678921234567893. { type inet_service } set identifier12345678921234567893_ { type inet_service } } -- You are receiving this mail because: You are watching all bug changes. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20170823/71a4df12/attachment.html>
bugzilla-daemon at netfilter.org
2020-Jan-28 23:59 UTC
[Bug 1175] Document limitations on identifier names
https://bugzilla.netfilter.org/show_bug.cgi?id=1175 kfm at plushkava.net changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |kfm at plushkava.net -- You are receiving this mail because: You are watching all bug changes. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20200128/add99de1/attachment.html>
bugzilla-daemon at netfilter.org
2020-Aug-28 07:27 UTC
[Bug 1175] Document limitations on identifier names
https://bugzilla.netfilter.org/show_bug.cgi?id=1175 kfm at plushkava.net changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugzilla.netfilter. | |org/show_bug.cgi?id=1283 -- You are receiving this mail because: You are watching all bug changes. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20200828/500b6452/attachment.html>
Seemingly Similar Threads
- [Bug 1176] New: Invalid identifiers produce unhelpful error messages
- [Bug 1174] New: 'define' functionality not sufficient for maintaining sets and the like
- [Bug 1185] New: counter flag proposal for sets and maps
- [Bug 1434] New: Usability improvements, enabling creation of complex firewalls
- [Bug 1396] New: When rule with 3 concat elements are added, nft list shows only 2