On Mon, Aug 25, 2025 at 06:57:50PM +0800, lilydjwg wrote:
> On Mon, Aug 25, 2025 at 12:47:57PM +0200, Pablo Neira Ayuso wrote:
> > On Mon, Aug 25, 2025 at 06:46:48PM +0800, lilydjwg wrote:
> > > On Mon, Aug 25, 2025 at 12:16:46PM +0200, Pablo Neira Ayuso wrote:
> > > > Hi,
> > > >
> > > > On Sun, Aug 24, 2025 at 04:18:50PM +0800, lilydjwg wrote:
> > > >> I'm switching from iptables+ipset to nftables, and as part of it, I need to
> > > >> import a set containing ~2400 IPv6 networks. The file looks like this:
> > > >
> > > > What nftables version are you using?
> > >
> > > Sorry I forgot to mention that I'm using nftables 1:1.1.4-1 on Arch Linux
> > > and the linux kernel version is 6.15.8.
> >
> > Provide your example listing to reproduce this issue.
>
> OK, I'm pasting the whole file that could reproduce the issue below.
> The ruleset is empty when executing the "nft -f" command.
>
> define domestic_ip6 = {
>   2001:250::/31,
[...]
> table ip6 gravity {
>   set domestic_ip6 {
>     type ipv6_addr
>     flags dynamic,interval

Error reporting is misleading, combination of dynamic and interval is not supported.

Looking at the example below, you do not need dynamic, remove it.

ENOBUFS is reported because each element hits an error and I am going to take a look to improve error reporting for this case.

>     elements = $domestic_ip6
>   }
>   chain output {
>     type route hook output priority -150;
>     tcp flags & (syn | ack) == syn ip6 daddr @domestic_ip6 counter reject with icmpv6 reject-route
>   }
> }
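
An added example, not part of the thread and not nftables code: a pre-flight check built on the reply above, which scans a ruleset for sets whose flags statement names both dynamic and interval so the problem is caught before "nft -f" reports the misleading error. The function names, the sample ruleset layout and the set fixed_ip6 are constructed for illustration.

```shell
# Added example: lint an nft ruleset for sets that combine "dynamic" and "interval".
# Reads the files given as arguments (stdin if none); exit status 1 if any set is flagged.
find_dynamic_interval_sets() {
    awk '
        # Opening of a named set block: "set <name> {"
        /^[ \t]*set[ \t]+[^ \t{]+[ \t]*[{]/ {
            name = $2; sub(/[{].*/, "", name)
            depth = 1; next
        }
        # A flags statement inside the current set
        depth > 0 && /^[ \t]*flags[ \t]/ {
            line = $0
            sub(/#.*/, "", line)                 # drop trailing comment
            sub(/^[ \t]*flags[ \t]+/, "", line)  # keep only the flag list
            gsub(/[ \t;]/, "", line)
            n = split(line, f, ",")
            dyn = 0; ivl = 0
            for (i = 1; i <= n; i++) {
                if (f[i] == "dynamic")  dyn = 1
                if (f[i] == "interval") ivl = 1
            }
            if (dyn && ivl) { print name ": line " NR " declares both dynamic and interval"; bad = 1 }
        }
        # Track braces so an elements = { ... } block does not end the set early
        depth > 0 { depth += gsub(/[{]/, "{") - gsub(/[}]/, "}") }
        END { exit (bad ? 1 : 0) }
    ' "$@"
}

# Constructed sample: the set from the thread plus a hypothetical interval-only set.
sample_ruleset() {
    cat <<'EOF'
table ip6 gravity {
  set domestic_ip6 {
    type ipv6_addr
    flags dynamic,interval
    elements = { 2001:250::/31 }
  }
  set fixed_ip6 {
    type ipv6_addr
    flags interval
  }
}
EOF
}

sample_ruleset | find_dynamic_interval_sets || true
```

The check only reads the text of the file; it does not load anything into the kernel.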