crowdsecurity/cs-firewall-bouncer

NFT: name lengths

mmetc opened this issue · 1 comments

mmetc commented

tldr: With the default names "crowdsec-blacklists" and "crowdsec6-blacklists" the bouncer fails to create sets on some systems.

A PR is available with a very limited scope: it suggests that the user change the name, but it does not check whether the issue comes instead from table or chain names.


The names of tables, chains and sets have limits. They have historically been at least 32 characters (for at least a few years), then were raised to 256 in recent kernels - torvalds/linux@3874549

Now, if a name exceeds the limit we get an error from netlink, like

conn.Receive: netlink receive: numerical result out of range

and we flush all requests together (create table, set, chains) but the error we receive ( https://github.com/google/nftables/blob/main/conn.go#L233 ) does not have the context. We don't know which object has a problem.

This would normally not be an issue but on some systems, the error is raised when the set name is > 15 characters. Example: ubuntu 16.04

The issue can be replicated on the command line:

$ sudo nft add set ip crowdsec crowdsec-blackli { type ipv4_addr\; }
<cmdline>:1:1-56: Error: Could not process rule: Numerical result out of range
add set ip crowdsec crowdsec-blackli { type ipv4_addr; }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
$ sudo nft add set ip crowdsec crowdsec-blackl { type ipv4_addr\; }
$ 

The current PR is limited -- we could have something that truncates and retries, at the cost of code complications and ugly names. We cannot check the actual limits at runtime. Can we flush an object at a time?
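Since the kernel limit cannot be read at runtime and the batched netlink error carries no object context, one client-side approach is to validate every name against an operator-supplied limit before the batch is built, so the failing object can be named. The following is an added example written for this issue, not code from cs-firewall-bouncer; the chain name, the configurable `maxLen` and the hash-suffix truncation are assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// nftObject is one of the objects the bouncer batches into a single netlink flush.
type nftObject struct {
	Kind string // "table", "chain" or "set"
	Name string
}

// defaultObjects is a constructed sample using the default set names from the
// issue; the chain name is hypothetical.
var defaultObjects = []nftObject{
	{"table", "crowdsec"},
	{"chain", "crowdsec-chain"},
	{"set", "crowdsec-blacklists"},
	{"set", "crowdsec6-blacklists"},
}

// checkNameLengths validates every name before anything is sent, so the error
// names the offending object instead of a bare "numerical result out of range".
// maxLen is supplied by the operator (e.g. 15 on the old kernel in the issue,
// 256 on recent ones) because the limit cannot be detected at runtime.
func checkNameLengths(objs []nftObject, maxLen int) error {
	for _, o := range objs {
		if n := len(o.Name); n > maxLen {
			return fmt.Errorf("%s name %q is %d bytes, kernel limit is %d", o.Kind, o.Name, n, maxLen)
		}
	}
	return nil
}

// shortenName is the "truncate and retry" alternative from the issue: it cuts the
// name to maxLen but keeps it unique by ending it with a short hash of the full name.
func shortenName(name string, maxLen int) string {
	if len(name) <= maxLen {
		return name
	}
	if maxLen < 8 { // no room for a suffix, plain truncation
		return name[:maxLen]
	}
	sum := sha256.Sum256([]byte(name))
	suffix := hex.EncodeToString(sum[:3]) // 6 hex characters
	return name[:maxLen-len(suffix)-1] + "-" + suffix
}

func main() {
	if err := checkNameLengths(defaultObjects, 15); err != nil {
		fmt.Println("pre-check failed:", err)
	}
	fmt.Println(shortenName("crowdsec-blacklists", 15))
}
```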