* [nft] regarding sets names length
@ 2015-10-08 11:23 Arturo Borrero Gonzalez
  2015-10-08 11:55 ` Patrick McHardy
  0 siblings, 1 reply; 7+ messages in thread
From: Arturo Borrero Gonzalez @ 2015-10-08 11:23 UTC (permalink / raw)
  To: Netfilter Development Mailing list; +Cc: Pablo Neira Ayuso, Patrick McHardy

Hi,

I'm trying to migrate an iptables/ip6tables ruleset to nftables.

I've found that the current IFNAMSIZ limitation for set names is
annoying because there are lots of ipset sets which need to move to
nftables and cannot do so straightforwardly.
Also, the error reporting for this is very poor (reported by the
kernel in a generic way).

This example illustrates both issues:

 % nft add set inet filter external_services { type ipv4_addr\; }
<cmdline>:1:1-57: Error: Could not process rule: Numerical result out of range
add set inet filter external_services { type ipv4_addr; }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Also, I don't find any documentation apart from the source code itself :-)

I would suggest:
 * check names length also in userspace to show a better error message
 * enlarge set names sizes

best regards


PS: Just updated
http://wiki.nftables.org/wiki-nftables/index.php/Sets#Named_sets with
info about the name length.
-- 
Arturo Borrero González
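The userspace length check suggested above, written out as an added example that is not nft's own code. It assumes the limit described in the report: IFNAMSIZ, which is 16 on Linux and counts the terminating NUL, so a name may hold at most 15 characters, and a kernel that rejects longer names with ERANGE, which nft prints as "Numerical result out of range". The function names and the sample set names are constructed for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Assumed for the example: the legacy limit is IFNAMSIZ (16 on Linux), a
 * buffer size that includes the terminating NUL, so at most 15 characters
 * of name fit. */
#define SET_NAME_BUFSIZE 16
#define SET_NAME_MAXLEN  (SET_NAME_BUFSIZE - 1)

/*
 * Check a set name in userspace before it is placed in a netlink message.
 * Returns 0 when the name fits, otherwise a negative errno (mirroring what
 * the kernel would return) and a message in errbuf that says what to fix.
 */
int set_name_check(const char *name, size_t maxlen, char *errbuf, size_t errlen)
{
    size_t len;

    if (name == NULL || (len = strlen(name)) == 0) {
        snprintf(errbuf, errlen, "set name must not be empty");
        return -EINVAL;
    }
    if (len > maxlen) {
        snprintf(errbuf, errlen,
                 "set name '%s' is %zu characters long, the maximum is %zu",
                 name, len, maxlen);
        return -ERANGE;
    }
    errbuf[0] = '\0';
    return 0;
}

/* Convenience wrapper using the assumed legacy limit; returns the error code. */
int check_legacy_set_name(const char *name)
{
    char msg[128];

    return set_name_check(name, SET_NAME_MAXLEN, msg, sizeof(msg));
}

int main(void)
{
    /* Constructed sample names: the one from the report plus two edge cases
     * right at the 15/16 character boundary. */
    const char *names[] = { "external_services", "blacklist",
                            "fifteen_charsXX", "sixteen_chars_XX" };
    char msg[128];

    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        int err = set_name_check(names[i], SET_NAME_MAXLEN, msg, sizeof(msg));

        if (err == 0)
            printf("%-18s ok\n", names[i]);
        else
            /* Contrast the generic kernel text with the userspace message. */
            printf("%-18s kernel: %s / userspace: %s\n",
                   names[i], strerror(-err), msg);
    }
    return 0;
}
```

Running it prints the kernel's generic "Numerical result out of range" next to the specific message for "external_services" (17 characters) and "sixteen_chars_XX", while "blacklist" and the 15-character name pass. Raising SET_NAME_BUFSIZE is the only change needed when the kernel limit is enlarged.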


* Re: [nft] regarding sets names length
  2015-10-08 11:23 [nft] regarding sets names length Arturo Borrero Gonzalez
@ 2015-10-08 11:55 ` Patrick McHardy
  2015-10-08 13:05   ` Jozsef Kadlecsik
  0 siblings, 1 reply; 7+ messages in thread
From: Patrick McHardy @ 2015-10-08 11:55 UTC (permalink / raw)
  To: Arturo Borrero Gonzalez
  Cc: Netfilter Development Mailing list, Pablo Neira Ayuso

On 08.10, Arturo Borrero Gonzalez wrote:
> Hi,
> 
> I'm trying to migrate an iptables/ip6tables ruleset to nftables.
> 
> I've found that the current IFNAMSIZ limitation for set names is
> annoying because there are lots of ipset sets which need to move to
> nftables and cannot do so straightforwardly.
> Also, the error reporting for this is very poor (reported by the
> kernel in a generic way).
> 
> This example illustrates both issues:
> 
>  % nft add set inet filter external_services { type ipv4_addr\; }
> <cmdline>:1:1-57: Error: Could not process rule: Numerical result out of range
> add set inet filter external_services { type ipv4_addr; }
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 
> Also, I don't find any documentation apart from the source code itself :-)
> 
> I would suggest:
>  * check names length also in userspace to show a better error message

Sure. The root cause is the IMO poorly chosen errno code for nla policy
checks when the size is exceeded. Unfortunately that's something outside
of nf_tables and also something other applications possibly depend on.

>  * enlarge set names sizes

Agreed, I think it's a good idea to use 32 as for the other object types.


* Re: [nft] regarding sets names length
  2015-10-08 11:55 ` Patrick McHardy
@ 2015-10-08 13:05   ` Jozsef Kadlecsik
  2015-10-08 19:35     ` Patrick McHardy
  0 siblings, 1 reply; 7+ messages in thread
From: Jozsef Kadlecsik @ 2015-10-08 13:05 UTC (permalink / raw)
  To: Patrick McHardy
  Cc: Arturo Borrero Gonzalez, Netfilter Development Mailing list,
	Pablo Neira Ayuso

Hi,

On Thu, 8 Oct 2015, Patrick McHardy wrote:

> On 08.10, Arturo Borrero Gonzalez wrote:
> >  * enlarge set names sizes
> 
> Agreed, I think it's a good idea to use 32 as for the other object types.

I'd suggest 128 or even 256 chars. In ipset the set name is limited to 32
too but I had received a few complaints and plan to increase it.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary


* Re: [nft] regarding sets names length
  2015-10-08 13:05   ` Jozsef Kadlecsik
@ 2015-10-08 19:35     ` Patrick McHardy
  2015-10-09 11:12       ` Jozsef Kadlecsik
  0 siblings, 1 reply; 7+ messages in thread
From: Patrick McHardy @ 2015-10-08 19:35 UTC (permalink / raw)
  To: Jozsef Kadlecsik
  Cc: Arturo Borrero Gonzalez, Netfilter Development Mailing list,
	Pablo Neira Ayuso

On 08.10, Jozsef Kadlecsik wrote:
> Hi,
> 
> On Thu, 8 Oct 2015, Patrick McHardy wrote:
> 
> > On 08.10, Arturo Borrero Gonzalez wrote:
> > >  * enlarge set names sizes
> > 
> > Agreed, I think it's a good idea to use 32 as for the other object types.
> 
> I'd suggest 128 or even 256 chars. In ipset the set name is limited to 32
> too but I had received a few complaints and plan to increase it.

I guess we will follow suit then since we should be compatible with ipset
anyway. Did you already decide on a value?


* Re: [nft] regarding sets names length
  2015-10-08 19:35     ` Patrick McHardy
@ 2015-10-09 11:12       ` Jozsef Kadlecsik
  2015-10-09 12:26         ` Jan Engelhardt
  2015-10-09 13:07         ` Patrick McHardy
  0 siblings, 2 replies; 7+ messages in thread
From: Jozsef Kadlecsik @ 2015-10-09 11:12 UTC (permalink / raw)
  To: Patrick McHardy
  Cc: Arturo Borrero Gonzalez, Netfilter Development Mailing list,
	Pablo Neira Ayuso

On Thu, 8 Oct 2015, Patrick McHardy wrote:

> > > Agreed, I think it's a good idea to use 32 as for the other object types.
> > 
> > I'd suggest 128 or even 256 chars. In ipset the set name is limited to 32
> > too but I had received a few complaints and plan to increase it.
> 
> I guess we will follow suit then since we should be compatible with ipset
> anyway. Did you already decide on a value?

I thought 32 chars should be enough for everybody ;-) so I'm unsure about 
the good enough value. 128 seems just pretty long, but the name length is 
actually not critical, it could be 256. What do you think?

Best regards,
Jozsef


* Re: [nft] regarding sets names length
  2015-10-09 11:12       ` Jozsef Kadlecsik
@ 2015-10-09 12:26         ` Jan Engelhardt
  2015-10-09 13:07         ` Patrick McHardy
  1 sibling, 0 replies; 7+ messages in thread
From: Jan Engelhardt @ 2015-10-09 12:26 UTC (permalink / raw)
  To: Jozsef Kadlecsik
  Cc: Patrick McHardy, Arturo Borrero Gonzalez,
	Netfilter Development Mailing list, Pablo Neira Ayuso


On Friday 2015-10-09 13:12, Jozsef Kadlecsik wrote:
>> 
>> I guess we will follow suit then since we should be compatible with ipset
>> anyway. Did you already decide on a value?
>
>I thought 32 chars should be enough for everybody ;-) so I'm unsure about 
>the good enough value. 128 seems just pretty long, but the name length is 
>actually not critical, it could be 256. What do you think?

42.

Is there a particular reason to stick to any particular length limit?
Besides the Netlink packet limitations and page size restrictions,
are there any "char x[STATICLIMIT]" fields that prohibit us from just
offering practically-arbitrary-length strings (zero-terminated in C)?


* Re: [nft] regarding sets names length
  2015-10-09 11:12       ` Jozsef Kadlecsik
  2015-10-09 12:26         ` Jan Engelhardt
@ 2015-10-09 13:07         ` Patrick McHardy
  1 sibling, 0 replies; 7+ messages in thread
From: Patrick McHardy @ 2015-10-09 13:07 UTC (permalink / raw)
  To: Jozsef Kadlecsik
  Cc: Arturo Borrero Gonzalez, Netfilter Development Mailing list,
	Pablo Neira Ayuso

On 9 October 2015 12:12:05 WESZ, Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> wrote:
>On Thu, 8 Oct 2015, Patrick McHardy wrote:
>
>> > > Agreed, I think it's a good idea to use 32 as for the other object types.
>> > 
>> > I'd suggest 128 or even 256 chars. In ipset the set name is limited to 32
>> > too but I had received a few complaints and plan to increase it.
>> 
>> I guess we will follow suit then since we should be compatible with ipset
>> anyway. Did you already decide on a value?
>
>I thought 32 chars should be enough for everybody ;-) so I'm unsure about
>the good enough value. 128 seems just pretty long, but the name length is
>actually not critical, it could be 256. What do you think?

Either one is fine, if it gets too large we will just convert it to a separately allocated piece of memory.


-- 
Sent from my Android phone with K-9 Mail.
