After adding new rules via ACL, nftables does not load the newly added rules. We check the rules at the host and Docker level (docker exec root-gateway-1 nft list table inet DEFGUARD-wg0). We have 33 aliases and 8 rules sorted by groups of users. We tried changing the aliases to use "All ports" instead of defined ports/protocols, but the problem still persists. We run the Enterprise license on this instance.
Additional information:
Gateway 1.6.3 + Core 1.6.5 (latest stable)
100+ users, ~123 peers, ~100 ACL rules (we use the same aliases for multiple rules)
Debug logs show all rules built correctly, no errors
nft command works inside container (TEST_TABLE test passes)
strace shows zero netlink syscalls from the gateway process
Container has NET_ADMIN, SYS_ADMIN, host network
Ruleset size: ~300KB
Previous ENOBUFS errors in July 2025
Buffer tuning had no effect
Appreciate any help - we use this in production and it limits us severely. We have to find a solution ASAP or get back to wg.
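As an added diagnostic (not part of the issue above and not Defguard's own code), the script below turns the table check the reporter runs into something repeatable: it parses the JSON form of that command (`nft -j list table inet DEFGUARD-wg0`, the JSON layout being libnftables' standard output), lists the rules the kernel actually holds per chain, and reports which expected rules are missing. It assumes rules can be identified by an nft comment (whether Defguard sets comments on its rules is not confirmed by the report; without one the rule's handle is used instead). The sample dump, chain name and ACL identifiers are constructed.

```python
"""Summarise a ``nft -j list table inet <name>`` dump and flag missing rules.

Added example for the report above, not Defguard's code. The JSON shape is
libnftables' standard output; the table name DEFGUARD-wg0 is from the report,
everything else in SAMPLE_DUMP (chain, handles, comments) is constructed.
"""
import json
import sys

# Constructed sample of what ``nft -j list table inet DEFGUARD-wg0`` prints:
# one forward chain holding two rules, each tagged with an ACL comment.
SAMPLE_DUMP = json.dumps({
    "nftables": [
        {"metainfo": {"json_schema_version": 1}},
        {"table": {"family": "inet", "name": "DEFGUARD-wg0", "handle": 7}},
        {"chain": {"family": "inet", "table": "DEFGUARD-wg0", "name": "FORWARD",
                   "handle": 1, "type": "filter", "hook": "forward",
                   "prio": 0, "policy": "drop"}},
        {"rule": {"family": "inet", "table": "DEFGUARD-wg0", "chain": "FORWARD",
                  "handle": 3, "comment": "acl-1", "expr": [{"accept": None}]}},
        {"rule": {"family": "inet", "table": "DEFGUARD-wg0", "chain": "FORWARD",
                  "handle": 4, "comment": "acl-2", "expr": [{"drop": None}]}},
    ]
})


def summarize(dump: str, table: str) -> dict:
    """Return {chain_name: [rule identifiers]} for every chain of ``table``.

    A rule is identified by its nft comment when present (assumption: the
    gateway tags rules that way); otherwise by its kernel handle.
    """
    chains = {}
    for obj in json.loads(dump)["nftables"]:
        if "chain" in obj and obj["chain"]["table"] == table:
            chains.setdefault(obj["chain"]["name"], [])
        elif "rule" in obj and obj["rule"]["table"] == table:
            rule = obj["rule"]
            ident = rule.get("comment", f"handle-{rule['handle']}")
            chains.setdefault(rule["chain"], []).append(ident)
    return chains


def missing_rules(dump: str, table: str, expected: list) -> list:
    """Return the expected rule identifiers absent from the loaded ruleset."""
    loaded = {i for idents in summarize(dump, table).values() for i in idents}
    return sorted(set(expected) - loaded)


if __name__ == "__main__":
    # Usage:  docker exec root-gateway-1 nft -j list table inet DEFGUARD-wg0 \
    #           | python3 check_nft.py - acl-1 acl-2 acl-3
    # With no arguments the constructed sample is used instead.
    if len(sys.argv) > 1 and sys.argv[1] == "-":
        dump, expected = sys.stdin.read(), sys.argv[2:]
    else:
        dump, expected = SAMPLE_DUMP, ["acl-1", "acl-2", "acl-3"]
    for chain, idents in summarize(dump, "DEFGUARD-wg0").items():
        print(f"{chain}: {len(idents)} rule(s) loaded: {idents}")
    gone = missing_rules(dump, "DEFGUARD-wg0", expected)
    print("missing:", gone if gone else "none")
```

Running it after every ACL change gives a kernel-side count to set against the rule count the gateway's debug log claims to have built; a steady gap between the two, together with the absence of netlink syscalls under strace, points at the apply step rather than at rule construction.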