From 5b2f626cb8770f485c20ae4f815763deac89a632 Mon Sep 17 00:00:00 2001 From: Phil Sutter Date: Wed, 14 Aug 2024 16:20:37 +0200 Subject: [PATCH] xt: Rewrite unsupported compat expression dumping JIRA: https://issues.redhat.com/browse/RHEL-5806 Upstream Status: nftables commit 79195a8cc9e9d9cf2d17165bf07ac4cc9d55539f Conflicts: * One chunk manually applied, upstream moved stmt_print_json() in commit e66f3187d891a ("json: add table map statement support"). commit 79195a8cc9e9d9cf2d17165bf07ac4cc9d55539f Author: Phil Sutter Date: Thu Nov 24 14:17:17 2022 +0100 xt: Rewrite unsupported compat expression dumping Choose a format which provides more information and is easily parseable. Then teach parsers about it and make it explicitly reject the ruleset giving a meaningful explanation. Also update the man pages with some more details. Signed-off-by: Phil Sutter Signed-off-by: Phil Sutter --- doc/libnftables-json.adoc | 18 +++++++++++++++--- doc/statements.txt | 17 +++++++++++++++++ include/json.h | 2 ++ include/parser.h | 1 + src/json.c | 19 +++++++++++++------ src/parser_bison.y | 18 ++++++++++++++++++ src/parser_json.c | 5 +++++ src/scanner.l | 3 +++ src/statement.c | 1 + src/xt.c | 8 +++++++- 10 files changed, 82 insertions(+), 10 deletions(-) diff --git a/doc/libnftables-json.adoc b/doc/libnftables-json.adoc index 9cc17ff..284ffab 100644 --- a/doc/libnftables-json.adoc +++ b/doc/libnftables-json.adoc @@ -1059,10 +1059,22 @@ Assign connection tracking expectation. === XT [verse] -*{ "xt": null }* +____ +*{ "xt": { + "type":* 'TYPENAME'*, + "name":* 'STRING' +*}}* + +'TYPENAME' := *match* | *target* | *watcher* +____ + +This represents an xt statement from xtables compat interface. It is a +fallback if translation is not available or not complete. + +Seeing this means the ruleset (or parts of it) were created by *iptables-nft* +and one should use that to manage it. -This represents an xt statement from xtables compat interface. Sadly, at this -point, it is not possible to provide any further information about its content. +*BEWARE:* nftables won't restore these statements. == EXPRESSIONS Expressions are the building blocks of (most) statements. In their most basic diff --git a/doc/statements.txt b/doc/statements.txt index 6aaf806..a00bd5d 100644 --- a/doc/statements.txt +++ b/doc/statements.txt @@ -778,3 +778,20 @@ ____ # jump to different chains depending on layer 4 protocol type: nft add rule ip filter input ip protocol vmap { tcp : jump tcp-chain, udp : jump udp-chain , icmp : jump icmp-chain } ------------------------ + +XT STATEMENT +~~~~~~~~~~~~ +This represents an xt statement from xtables compat interface. It is a +fallback if translation is not available or not complete. + +[verse] +____ +*xt* 'TYPE' 'NAME' + +'TYPE' := *match* | *target* | *watcher* +____ + +Seeing this means the ruleset (or parts of it) were created by *iptables-nft* +and one should use that to manage it. + +*BEWARE:* nftables won't restore these statements. diff --git a/include/json.h b/include/json.h index b0d78eb..f691678 100644 --- a/include/json.h +++ b/include/json.h @@ -92,6 +92,7 @@ json_t *connlimit_stmt_json(const struct stmt *stmt, struct output_ctx *octx); json_t *tproxy_stmt_json(const struct stmt *stmt, struct output_ctx *octx); json_t *synproxy_stmt_json(const struct stmt *stmt, struct output_ctx *octx); json_t *optstrip_stmt_json(const struct stmt *stmt, struct output_ctx *octx); +json_t *xt_stmt_json(const struct stmt *stmt, struct output_ctx *octx); int do_command_list_json(struct netlink_ctx *ctx, struct cmd *cmd); @@ -194,6 +195,7 @@ STMT_PRINT_STUB(connlimit) STMT_PRINT_STUB(tproxy) STMT_PRINT_STUB(synproxy) STMT_PRINT_STUB(optstrip) +STMT_PRINT_STUB(xt) #undef STMT_PRINT_STUB #undef EXPR_PRINT_STUB diff --git a/include/parser.h b/include/parser.h index 5e5ad28..bd61b8f 100644 --- a/include/parser.h +++ b/include/parser.h @@ -50,6 +50,7 @@ enum startcond_type { PARSER_SC_TCP, PARSER_SC_TYPE, PARSER_SC_VLAN, + PARSER_SC_XT, PARSER_SC_CMD_EXPORT, PARSER_SC_CMD_IMPORT, PARSER_SC_CMD_LIST, diff --git a/src/json.c b/src/json.c index a525fd1..622fe08 100644 --- a/src/json.c +++ b/src/json.c @@ -173,12 +173,6 @@ static json_t *stmt_print_json(const struct stmt *stmt, struct output_ctx *octx) char buf[1024]; FILE *fp; - /* XXX: Can't be supported at this point: - * xt_stmt_xlate() ignores output_fp. - */ - if (stmt->ops->type == STMT_XT) - return json_pack("{s:n}", "xt"); - if (stmt->ops->json) return stmt->ops->json(stmt, octx); @@ -1584,6 +1578,19 @@ json_t *optstrip_stmt_json(const struct stmt *stmt, struct output_ctx *octx) expr_print_json(stmt->optstrip.expr, octx)); } +json_t *xt_stmt_json(const struct stmt *stmt, struct output_ctx *octx) +{ + static const char *xt_typename[NFT_XT_MAX] = { + [NFT_XT_MATCH] = "match", + [NFT_XT_TARGET] = "target", + [NFT_XT_WATCHER] = "watcher", + }; + + return json_pack("{s:{s:s, s:s}}", "xt", + "type", xt_typename[stmt->xt.type], + "name", stmt->xt.name); +} + static json_t *table_print_json_full(struct netlink_ctx *ctx, struct table *table) { diff --git a/src/parser_bison.y b/src/parser_bison.y index b882f3b..a9d16f8 100644 --- a/src/parser_bison.y +++ b/src/parser_bison.y @@ -615,6 +615,8 @@ int nft_lex(void *, void *, void *); %token IN "in" %token OUT "out" +%token XT "xt" + %type limit_rate_pkts %type limit_rate_bytes @@ -889,6 +891,9 @@ int nft_lex(void *, void *, void *); %type optstrip_stmt %destructor { stmt_free($$); } optstrip_stmt +%type xt_stmt +%destructor { stmt_free($$); } xt_stmt + %type boolean_expr %destructor { expr_free($$); } boolean_expr %type boolean_keys @@ -981,6 +986,7 @@ close_scope_udplite : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_UDPL close_scope_log : { scanner_pop_start_cond(nft->scanner, PARSER_SC_STMT_LOG); } close_scope_synproxy : { scanner_pop_start_cond(nft->scanner, PARSER_SC_STMT_SYNPROXY); } +close_scope_xt : { scanner_pop_start_cond(nft->scanner, PARSER_SC_XT); } common_block : INCLUDE QUOTED_STRING stmt_separator { @@ -2861,6 +2867,18 @@ stmt : verdict_stmt | synproxy_stmt close_scope_synproxy | chain_stmt | optstrip_stmt + | xt_stmt close_scope_xt + ; + +xt_stmt : XT STRING STRING + { + $$ = NULL; + xfree($2); + xfree($3); + erec_queue(error(&@$, "unsupported xtables compat expression, use iptables-nft with this ruleset"), + state->msgs); + YYERROR; + } ; chain_stmt_type : JUMP { $$ = NFT_JUMP; } diff --git a/src/parser_json.c b/src/parser_json.c index fb40100..1699a44 100644 --- a/src/parser_json.c +++ b/src/parser_json.c @@ -2716,6 +2716,11 @@ static struct stmt *json_parse_stmt(struct json_ctx *ctx, json_t *root) return verdict_stmt_alloc(int_loc, expr); } + if (!strcmp(type, "xt")) { + json_error(ctx, "unsupported xtables compat expression, use iptables-nft with this ruleset"); + return NULL; + } + for (i = 0; i < array_size(stmt_parser_tbl); i++) { if (!strcmp(type, stmt_parser_tbl[i].key)) return stmt_parser_tbl[i].cb(ctx, stmt_parser_tbl[i].key, tmp); diff --git a/src/scanner.l b/src/scanner.l index ed7256b..64d21df 100644 --- a/src/scanner.l +++ b/src/scanner.l @@ -215,6 +215,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr}) %s SCANSTATE_TCP %s SCANSTATE_TYPE %s SCANSTATE_VLAN +%s SCANSTATE_XT %s SCANSTATE_CMD_EXPORT %s SCANSTATE_CMD_IMPORT %s SCANSTATE_CMD_LIST @@ -803,6 +804,8 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr}) "secmark" { scanner_push_start_cond(yyscanner, SCANSTATE_SECMARK); return SECMARK; } +"xt" { scanner_push_start_cond(yyscanner, SCANSTATE_XT); return XT; } + {addrstring} { yylval->string = xstrdup(yytext); return STRING; diff --git a/src/statement.c b/src/statement.c index 30caf9c..0448c85 100644 --- a/src/statement.c +++ b/src/statement.c @@ -997,6 +997,7 @@ static const struct stmt_ops xt_stmt_ops = { .name = "xt", .print = xt_stmt_print, .destroy = xt_stmt_destroy, + .json = xt_stmt_json, }; struct stmt *xt_stmt_alloc(const struct location *loc) diff --git a/src/xt.c b/src/xt.c index 300416a..12b52aa 100644 --- a/src/xt.c +++ b/src/xt.c @@ -115,7 +115,13 @@ void xt_stmt_xlate(const struct stmt *stmt, struct output_ctx *octx) xt_xlate_free(xl); xfree(entry); #else - nft_print(octx, "# xt_%s", stmt->xt.name); + static const char *typename[NFT_XT_MAX] = { + [NFT_XT_MATCH] = "match", + [NFT_XT_TARGET] = "target", + [NFT_XT_WATCHER] = "watcher", + }; + + nft_print(octx, "xt %s %s", typename[stmt->xt.type], stmt->xt.name); #endif } -- 2.45.0