upper limit on number of ip addresses in an NFNL_SUBSYS_NFTABLES<<8|NFT_MSG_NEWSETELEM message

* upper limit on number of ip addresses in an NFNL_SUBSYS_NFTABLES<<8|NFT_MSG_NEWSETELEM message
@ 2021-09-29 14:06 Cristian Constantin
  2021-09-30 14:00 ` Pablo Neira Ayuso
  0 siblings, 1 reply; 2+ messages in thread
From: Cristian Constantin @ 2021-09-29 14:06 UTC (permalink / raw)
  To: netfilter

hi!

suppose new ip addresses are added to nft set using a message of type:

NFNL_SUBSYS_NFTABLES<<8|NFT_MSG_NEWSETELEM

over netlink sockets; e.g. (from an strace capture):

sendmsg(7, {msg_name={sa_family=AF_NETLINK, nl_pid=0,
nl_groups=00000000}, msg_namelen=12, msg_iov=[{iov_base=[{{len=20,
type=NFNL_MSG_BATCH_BEGIN, flags=NLM_F_REQUEST, seq=1112598292,
pid=2460867}, {nfgen_family=AF_UNSPEC, version=NFNETLINK_V0,
res_id=htons(10)}, {{len=28732,
type=NFNL_SUBSYS_NFTABLES<<8|NFT_MSG_NEWSETELEM,
flags=NLM_F_REQUEST|NLM_F_ACK|NLM_F_CREATE, seq=1112598293,
pid=2460867}, {nfgen_family=AF_INET, version=NFNETLINK_V0,
res_id=htons(0), [{{nla_len=13, nla_type=0x2},
"\x68\x6f\x6e\x65\x79\x6e\x65\x74\x00"}, {{nla_len=8, nla_type=0x4},
"\x00\x00\x00\x02"}, {{nla_len=11, nla_type=NFNETLINK_V1},
"\x66\x69\x6c\x74\x65\x72\x00"}, {{nla_len=28676,
nla_type=NLA_F_NESTED|0x3},
"\x1c\x00\x01\x80\x0c\x00\x01\x80\x08\x00\x01\x00\x23\x9c\x55\x4b\x0c\x00\x04\x00\x00\x00\x00\x00\x05\x26\x5c\x00\x1c\x00\x02\x80"...}]},
{{len=20, type=NFNL_MSG_BATCH_END, flags=NLM_F_REQUEST,
seq=1112598294, pid=2460867}, {nfgen_family=AF_UNSPEC,
version=NFNETLINK_V0, res_id=htons(10)}], iov_len=28772}],
msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 28772

what limits the number of ip addresses which can be pushed, using one
write on the socket to the kernel nft set?

a. the socket write buffer itself
b. some kind of netlink specific limit; how to detect it automatically?

thanks,
cristian

^ permalink raw reply	[flat|nested] 2+ messages in thread