nftables/SOURCES/0031-src-Reject-export-vm-json-command.patch

2020-04-07 09:15:19 +00:00
From b5fd560fa6b1aa1e112273d9f04281b58eb06dae Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Mon, 17 Dec 2018 16:29:56 +0100
Subject: [PATCH] src: Reject 'export vm json' command
Since libnftnl recently dropped JSON output support, this form of JSON
export is not available anymore. Point at 'nft -j list ruleset' command
for a replacement in error message.

Since 'export' command is not usable anymore, remove it from
documentation. Instead point out that 'list ruleset' command serves well
for dumping and later restoring.

To not cause pointless inconvenience for users wishing to store their
ruleset in JSON format, make JSON parser fall back to CMD_ADD if no
recognized command property was found. This allows feeding the output of
'nft -j list ruleset' into 'nft -f' without any modification.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 8d51f169e0e832a41d2ed278be903c08bd4fa473)
Conflicts:
-> Documentation changes applied manually due to missing conversion to
asciidoc.
-> Dropped references to libnftables-json man page from documentation.
(This file has not been backported and doing so is non-trivial due to
asciidoc conversion.)
-> Include libnftnl/common.h in src/evaluate.c to make symbol
NFTNL_OUTPUT_JSON known.
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
doc/nft.xml | 34 +++++++++++++---------------------
src/evaluate.c | 5 +++++
src/parser_json.c | 4 ++--
3 files changed, 20 insertions(+), 23 deletions(-)
diff --git a/doc/nft.xml b/doc/nft.xml
index 512724ed8f9a7..1a97d7a169776 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -46,7 +46,7 @@ vi:ts=4 sw=4
<cmdsynopsis>
<command>nft</command>
<group>
- <arg><option> -nNscae </option></arg>
+ <arg><option> -nNscaej </option></arg>
</group>
<arg> -I
<replaceable>directory</replaceable>
@@ -155,6 +155,14 @@ vi:ts=4 sw=4
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>-j, --json</option></term>
+ <listitem>
+ <para>
+ Format output in JSON.
+ </para>
+ </listitem>
+ </varlistentry>
<varlistentry>
<term><option>-I, --includepath <replaceable>directory</replaceable></option></term>
<listitem>
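Review bot: "Format output in JSON." is too terse for the option that replaces the removed `export json` command; since the new error message in src/evaluate.c sends users to `nft -j list ruleset`, the man page entry is where they will look next and it should say that this JSON is the supported machine-readable dump and is accepted back by `nft -f`. Suggest something like `Format output in JSON. The JSON produced by 'list ruleset' can be fed back to 'nft -f'.`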
@@ -480,11 +488,6 @@ filter input iif $int_ifs accept
<command>ruleset</command>
<arg choice="opt"><replaceable>family</replaceable></arg>
</cmdsynopsis>
- <cmdsynopsis>
- <arg choice="plain">export</arg>
- <arg choice="opt"><command>ruleset</command></arg>
- <arg choice="plain"><replaceable>format</replaceable></arg>
- </cmdsynopsis>
</para>
<para>
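Review bot: removing the `export` synopsis from the man page while the command is still accepted by the parser (the `cmd_evaluate_export` hunk in src/evaluate.c below still handles it) leaves an undocumented command that, per that hunk, can only produce an error for the formats it checks. If no format remains functional after this change, the grammar entry is dead code and a follow-up should drop it; if one does, it needs to stay documented here.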
@@ -514,17 +517,6 @@ filter input iif $int_ifs accept
</para>
</listitem>
</varlistentry>
- <varlistentry>
- <term><option>export</option></term>
- <listitem>
- <para>
- Print the ruleset in machine readable format. The
- mandatory <replaceable>format</replaceable> parameter
- may be either <literal>xml</literal> or
- <literal>json</literal>.
- </para>
- </listitem>
- </varlistentry>
</variablelist>
<para>
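Review bot: deleting the `export` entry outright leaves nothing for users who grep the man page for the command their scripts call; keep a one-line deprecation note stating that `export` now fails with an error and that `nft -j list ruleset` is the replacement, so the migration path is visible in the documentation and not only in the runtime error text.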
@@ -534,10 +526,10 @@ filter input iif $int_ifs accept
</para>
<para>
- Note that contrary to what one might assume, the output generated
- by <command>export</command> is not parseable by
- <command>nft -f</command>. Instead, the output of
- <command>list</command> command serves well for that purpose.
+ By design, <command>list ruleset</command> command output may be
+ used as input to <command>nft -f</command>.
+ Effectively, this is the nft-equivalent of <command>iptables-save</command> and
+ <command>iptables-restore</command>.
</para>
</refsect1>
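Review bot: the new paragraph overstates the `iptables-save`/`iptables-restore` analogy in one respect: nothing in `list ruleset` output or in `nft -f` flushes first, and the parser_json.c hunk in this patch maps every command-less JSON object to CMD_ADD, so replaying a dump onto a live ruleset adds duplicate objects rather than restoring the saved state. Suggest adding a sentence that a dump meant for restoration should be prefixed with `flush ruleset` (or applied to an empty ruleset), and mention that the JSON form via `-j` is covered by the same statement, since the text only names the native syntax.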
diff --git a/src/evaluate.c b/src/evaluate.c
index 809920748c0a9..4656c7566db39 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -31,6 +31,8 @@
#include <utils.h>
#include <xt.h>
+#include <libnftnl/common.h>
+
static int expr_evaluate(struct eval_ctx *ctx, struct expr **expr);
static const char * const byteorder_names[] = {
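Review bot: style point on the include placement: `<libnftnl/common.h>` is a library header but is appended after the project-local `<utils.h>` and `<xt.h>` includes; move it up to sit with the other library headers in this block so the ordering stays consistent. The backport note above explains why the include is needed at all (to make `NFTNL_OUTPUT_JSON` visible), which is fine to carry as a comment next to it for the next rebase.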
@@ -3526,6 +3528,9 @@ static int cmd_evaluate_export(struct eval_ctx *ctx, struct cmd *cmd)
if (cmd->markup->format == __NFT_OUTPUT_NOTSUPP)
return cmd_error(ctx, &cmd->location,
"this output type is not supported");
+ else if (cmd->markup->format == NFTNL_OUTPUT_JSON)
+ return cmd_error(ctx, &cmd->location,
+ "JSON export is no longer supported, use 'nft -j list ruleset' instead");
return cache_update(ctx->nft, cmd->op, ctx->msgs);
}
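Review bot: rejecting JSON here, after parsing has already built `cmd->markup` for a format that can never succeed, means the check runs in evaluation rather than where the format keyword is recognised; consider rejecting `json` at parse time, or folding it into the `__NFT_OUTPUT_NOTSUPP` branch while keeping the more helpful message. Also worth confirming that the `else if` ordering does not hide the JSON-specific hint: if the parser already maps `json` to `__NFT_OUTPUT_NOTSUPP` in some path, users get the generic "this output type is not supported" instead of the pointer to `nft -j list ruleset`.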
diff --git a/src/parser_json.c b/src/parser_json.c
index 817415c15fb89..1e3688b2dc1cd 100644
--- a/src/parser_json.c
+++ b/src/parser_json.c
@@ -3018,8 +3018,8 @@ static struct cmd *json_parse_cmd(struct json_ctx *ctx, json_t *root)
return parse_cb_table[i].cb(ctx, tmp, parse_cb_table[i].op);
}
- json_error(ctx, "Unknown command object.");
- return NULL;
+ /* to accept 'list ruleset' output 1:1, try add command */
+ return json_parse_cmd_add(ctx, root, CMD_ADD);
}
static int __json_parse(struct json_ctx *ctx, json_t *root)
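Review bot: the fallback turns any JSON object whose key is not in `parse_cb_table` into an add attempt, so a mistyped command key (say `"delte"` for `"delete"`) no longer yields "Unknown command object." but is handed to `json_parse_cmd_add`, which will complain about an unknown object type, a misleading diagnostic for what is really a command typo. Suggest restricting the fallback to keys that name a known object type (the ones `json_parse_cmd_add` itself accepts) and keeping the original error for everything else, e.g. `if (!is_known_object_key(root)) { json_error(ctx, "Unknown command object."); return NULL; }` before the `return json_parse_cmd_add(ctx, root, CMD_ADD);`.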
--
2.21.0