bugzilla-daemon at netfilter.org
2019-May-24 06:58 UTC
[Bug 1340] New: nft -f rules.nft exitcode 1 when file too large
https://bugzilla.netfilter.org/show_bug.cgi?id=1340

            Bug ID: 1340
           Summary: nft -f rules.nft exitcode 1 when file too large
           Product: nftables
           Version: unspecified
          Hardware: x86_64
                OS: Gentoo
            Status: NEW
          Severity: major
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: lukeo at partyheld.de

Using "nftables v0.9.0 (Fearless Fosdick)" on Kernel 4.19.44 on a Gentoo Linux.

I have large IP lists (~15000 entries) across two files I include in my "rules.nft" via "include "./ip.nft" ". I noticed that my rules have not been imported since nftables-0.8. "nft -f" quits with exit code 1 without an error message. If I remove the include directive from "rules.nft", the import works and the rules are applied.

My rule config is as follows:

    chain c_drops {
        include "./200ips.nft"
        return
    }

The content of 200ips.nft is (times 200):

    ip saddr A.B.C.D log prefix "Dropping packet" group 0 drop

I noticed the threshold for my set is 140 IPs; once I go to 141, nft -f crashes. The last message with --debug all is:

    ----------------        ------------------
    |  0000000020  |        | message length |
    | 00017 | R--- |        |  type | flags  |
    |  0000000179  |        | sequence number|
    |  0000000000  |        |     port ID    |
    ----------------        ------------------
    | 00 00 0a 00  |        |  extra header  |
    ----------------        ------------------

I am sure it worked when I first set up the rule set a year ago. I have checked with "nft list ruleset".

Any help appreciated.

Cheers
Luke

--
You are receiving this mail because:
You are watching all bug changes.
bugzilla-daemon at netfilter.org
2019-May-28 11:26 UTC
[Bug 1340] nft -f rules.nft exitcode 1 when file too large
https://bugzilla.netfilter.org/show_bug.cgi?id=1340

--- Comment #1 from lukeo at partyheld.de ---
Created attachment 563
  --> https://bugzilla.netfilter.org/attachment.cgi?id=563&action=edit
nftables configuration with include directive
bugzilla-daemon at netfilter.org
2019-May-28 11:27 UTC
[Bug 1340] nft -f rules.nft exitcode 1 when file too large
https://bugzilla.netfilter.org/show_bug.cgi?id=1340

--- Comment #2 from lukeo at partyheld.de ---
Created attachment 564
  --> https://bugzilla.netfilter.org/attachment.cgi?id=564&action=edit
Big List of IPs, example: TOR Exitnodes
bugzilla-daemon at netfilter.org
2019-May-28 11:30 UTC
[Bug 1340] nft -f rules.nft exitcode 1 when file too large
https://bugzilla.netfilter.org/show_bug.cgi?id=1340

--- Comment #3 from lukeo at partyheld.de ---
I have just reproduced the issue on a different machine (nft Version 0.8) and attached my config files.

The workaround is to "nft add rule TYPE TABLE CHAIN RULE" each entry individually which is not nice.
bugzilla-daemon at netfilter.org
2019-Aug-27 05:26 UTC
[Bug 1340] nft -f rules.nft exitcode 1 when file too large
https://bugzilla.netfilter.org/show_bug.cgi?id=1340

lukeo at partyheld.de changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #4 from lukeo at partyheld.de ---
Fixed in release: nftables v0.9.2 (Scram)