A user reports that:

  nft -f ruleset.nft

fails with:

  netlink: Error: Could not process rule: No buffer space available

This was triggered by:

table ip6 fule {
  set domestic_ip6 {
    type ipv6_addr
    flags dynamic,interval
    elements = $domestic_ip6
  }
  chain prerouting {
    type filter hook prerouting priority 0;
    ip6 daddr @domestic_ip6 counter
  }
}

where $domestic_ip6 contains a large number of IPv6 addresses.

This set declaration is not supported currently, because dynamic sets
with intervals are not supported, then every IPv6 address that is added
triggers an error, overruning the userspace socket buffer with lots of
NLMSG_ERROR messages.

In the particular context of batch processing, ENOBUFS is just an
indication that too many errors have occurred. The kernel cannot store
any more NLMSG_ERROR messages into the userspace socket buffer.

However, there are still NLMSG_ERROR messages in the socket buffer to be
processed that can provide a hint on what is going on.

Instead of breaking on ENOBUFS in batches, continue error processing.

After this patch, the ruleset above displays:

ruleset.nft:2367:7-18: Error: Could not process rule: Operation not supported
  set domestic_ip6 {
      ^^^^^^^^^^^^
ruleset.nft:2367:7-18: Error: Could not process rule: No such file or directory
  set domestic_ip6 {
      ^^^^^^^^^^^^

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/libnftables.c |  2 +-
 src/mnl.c         | 16 ++++++++++++++--
 2 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/src/libnftables.c b/src/libnftables.c
index c8293f77677f..b3f56f69d68d 100644
--- a/src/libnftables.c
+++ b/src/libnftables.c
@@ -58,7 +58,7 @@ static int nft_netlink(struct nft_ctx *nft,
 		goto out;
 
 	ret = mnl_batch_talk(&ctx, &err_list, num_cmds);
-	if (ret < 0) {
+	if (ret < 0 && errno != ENOBUFS) {
 		if (ctx.maybe_emsgsize && errno == EMSGSIZE) {
 			netlink_io_error(&ctx, NULL,
 					 "Could not process rule: %s\n"
diff --git a/src/mnl.c b/src/mnl.c
index 6684029606e5..294b90c5537a 100644
--- a/src/mnl.c
+++ b/src/mnl.c
@@ -419,6 +419,7 @@ int mnl_batch_talk(struct netlink_ctx *ctx, struct list_head *err_list,
 		.err_list = err_list,
 		.nl_ctx = ctx,
 	};
+	bool enobufs = false;
 
 	mnl_set_sndbuffer(ctx);
 
@@ -449,14 +450,25 @@ int mnl_batch_talk(struct netlink_ctx *ctx, struct list_head *err_list,
 			break;
 
 		ret = mnl_socket_recvfrom(nl, rcv_buf, sizeof(rcv_buf));
-		if (ret == -1)
-			return -1;
+		if (ret == -1) {
+			/* Too many errors, not all errors are displayed. */
+			if (errno != ENOBUFS)
+				return -1;
+
+			enobufs = true;
+		}
 
 		/* Continue on error, make sure we get all acknowledgments */
 		ret = mnl_cb_run2(rcv_buf, ret, 0, portid,
 				  netlink_echo_callback, &cb_data,
 				  cb_ctl_array, MNL_ARRAY_SIZE(cb_ctl_array));
 	}
+
+	if (enobufs) {
+		errno = ENOBUFS;
+		return -1;
+	}
+
 	return 0;
 }
 
-- 
2.30.2