Hi Florian,

On Sun, Feb 18, 2018 at 10:44:18AM +0100, Florian Westphal wrote:
> Recent kernels gained ability to emit error string back to userspace to
> improve error reporting.
> At this time, as the nftables kernel side doesn't generate such error
> messages, this will always show 'unknown netlink error'.
> This will hopefully improve with newer kernels.
>
> src/nft add rule ip filter input set add ip protocol @protocols
> Error: Could not process rule: Invalid argument (unknown netlink error)
>
> the -EINVAL stems from attempt to modify set from packet path,
> but kernel picked a set backend that lacks an ->update()
> facility.  Fixing this would obviously result in the command succeeding.
> However, given similar future bugs, kernel might have told us something
> like 'expression failed initialisation' or 'set lacks update
> callback', which is much more helpful for developers to pinpoint the
> place where netlink processing failed on nftables kernel side.

This looks good, thanks for adding these bits.

One thing though: We shouldn't print the error string. My plan was to
correlate netlink attribute offset with struct location, so we can
provide finer-grained error reporting. It's going to be a bit of code in
userspace to support this though.

I'm going to wait to see if we can sort out that bug report on the
large set and overlapping elements, then release 0.8.3, so you can
keep this back until this happens.

Let me know if this is fine with you.
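The two mechanisms discussed in this thread are the kernel's extended ACK string (NLMSGERR_ATTR_MSG) and the attribute offset (NLMSGERR_ATTR_OFFS) that userspace could map back to a position in its own request. The following is an added example, not code from nftables or from either author: it decodes an NLMSG_ERROR reply into errno, message and offset, renders it the way the quoted nft output does, and walks a request's top-level attributes to find the one an offset points into. Constants are taken from linux/netlink.h; the sample request, reply and the request type REQ_TYPE are constructed for the example and are not real captures.

```python
import os
import struct

# Constants from <linux/netlink.h>
NLMSG_HDRLEN = 16
NLMSG_ERROR = 0x2
NLM_F_CAPPED = 0x100        # echoed request was truncated to its nlmsghdr
NLM_F_ACK_TLVS = 0x200      # extended-ACK attributes follow the echoed request
NLMSGERR_ATTR_MSG = 1       # NUL-terminated error string from the kernel
NLMSGERR_ATTR_OFFS = 2      # byte offset of the offending attribute in the request
NLA_HDRLEN = 4

REQ_TYPE = 0x0a06           # constructed placeholder for an nftables request type


def nl_align(n):
    """Round up to the 4-byte netlink alignment (NLMSG_ALIGN / NLA_ALIGN)."""
    return (n + 3) & ~3


def iter_attrs(buf, start, end):
    """Yield (nla_type, offset, nla_len, payload) for each nlattr in buf[start:end]."""
    pos = start
    while pos + NLA_HDRLEN <= end:
        nla_len, nla_type = struct.unpack_from("=HH", buf, pos)
        if nla_len < NLA_HDRLEN or pos + nla_len > end:
            raise ValueError("malformed nlattr at offset %d" % pos)
        yield nla_type, pos, nla_len, buf[pos + NLA_HDRLEN:pos + nla_len]
        pos += nl_align(nla_len)


def parse_extack(msg):
    """Decode an NLMSG_ERROR message and its extended-ACK TLVs, if present."""
    nlmsg_len, nlmsg_type, nlmsg_flags, _seq, _pid = struct.unpack_from("=IHHII", msg, 0)
    # struct nlmsgerr is a 4-byte error code followed by a copy of the request header
    if nlmsg_type != NLMSG_ERROR or nlmsg_len > len(msg) or nlmsg_len < NLMSG_HDRLEN + 20:
        raise ValueError("not a well-formed NLMSG_ERROR message")
    body = msg[NLMSG_HDRLEN:nlmsg_len]
    (error,) = struct.unpack_from("=i", body, 0)      # negative errno, 0 for a plain ACK
    (orig_len,) = struct.unpack_from("=I", body, 4)   # nlmsg_len of the original request
    result = {"errno": -error, "msg": None, "offset": None}
    if not (nlmsg_flags & NLM_F_ACK_TLVS):
        return result
    # TLVs start after the echoed request: only its header when capped, else all of it
    echoed = NLMSG_HDRLEN if nlmsg_flags & NLM_F_CAPPED else orig_len
    for nla_type, _off, _len, payload in iter_attrs(body, nl_align(4 + echoed), len(body)):
        if nla_type == NLMSGERR_ATTR_MSG:
            result["msg"] = payload.split(b"\0", 1)[0].decode("utf-8", "replace")
        elif nla_type == NLMSGERR_ATTR_OFFS and len(payload) == 4:
            (result["offset"],) = struct.unpack("=I", payload)
    return result


def format_error(result):
    """Render the error in the shape of the nft output quoted in the thread."""
    detail = result["msg"] if result["msg"] else "unknown netlink error"
    return "%s (%s)" % (os.strerror(result["errno"]), detail)


def attr_at_offset(request, offset, payload_hdrlen):
    """Return the type of the top-level attribute of `request` that covers `offset`.

    payload_hdrlen is the fixed header after nlmsghdr (4 bytes for nfgenmsg)."""
    start = NLMSG_HDRLEN + nl_align(payload_hdrlen)
    for nla_type, off, nla_len, _payload in iter_attrs(request, start, len(request)):
        if off <= offset < off + nla_len:
            return nla_type
    return None


def build_sample_request():
    """Constructed request: nlmsghdr + 4-byte nfgenmsg + a u32 attr (type 1) + a string attr (type 2)."""
    nfgenmsg = struct.pack("=BBH", 2, 0, 0)                      # AF_INET, version 0, res_id 0
    attrs = struct.pack("=HHI", 8, 1, 1)                          # offset 20..28
    attrs += struct.pack("=HH", NLA_HDRLEN + 7, 2) + b"filter\0" + b"\0"  # offset 28..40, padded
    total = NLMSG_HDRLEN + len(nfgenmsg) + len(attrs)
    return struct.pack("=IHHII", total, REQ_TYPE, 0x5, 7, 0) + nfgenmsg + attrs


def build_sample_extack(errcode=22, msg="set lacks update callback", offset=36):
    """Constructed reply mimicking the kernel's extended ACK to the capped sample request."""
    orig_hdr = struct.pack("=IHHII", len(build_sample_request()), REQ_TYPE, 0x5, 7, 0)
    msg_b = msg.encode() + b"\0"
    msg_attr = struct.pack("=HH", NLA_HDRLEN + len(msg_b), NLMSGERR_ATTR_MSG) + msg_b
    msg_attr += b"\0" * (nl_align(len(msg_attr)) - len(msg_attr))
    offs_attr = struct.pack("=HHI", NLA_HDRLEN + 4, NLMSGERR_ATTR_OFFS, offset)
    body = struct.pack("=i", -errcode) + orig_hdr + msg_attr + offs_attr
    hdr = struct.pack("=IHHII", NLMSG_HDRLEN + len(body), NLMSG_ERROR,
                      NLM_F_CAPPED | NLM_F_ACK_TLVS, 7, 0)
    return hdr + body


def build_sample_ack():
    """Constructed plain ACK (error 0, no TLVs), as older kernels send it."""
    orig_hdr = struct.pack("=IHHII", len(build_sample_request()), REQ_TYPE, 0x5, 7, 0)
    body = struct.pack("=i", 0) + orig_hdr
    return struct.pack("=IHHII", NLMSG_HDRLEN + len(body), NLMSG_ERROR, NLM_F_CAPPED, 7, 0) + body


if __name__ == "__main__":
    reply = parse_extack(build_sample_extack())
    print("Error: Could not process rule:", format_error(reply))
    print("offset %d lies in attribute type %s" %
          (reply["offset"], attr_at_offset(build_sample_request(), reply["offset"], 4)))
```

The parser only trusts the kernel's reported offset as far as the request bytes userspace still holds; when the reply is capped, the echoed copy is just the header, so the lookup has to run against the request buffer the client sent, which is why attr_at_offset takes the request rather than the reply.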
