From b5fd560fa6b1aa1e112273d9f04281b58eb06dae Mon Sep 17 00:00:00 2001
|
|
From: Phil Sutter <phil@nwl.cc>
|
|
Date: Mon, 17 Dec 2018 16:29:56 +0100
|
|
Subject: [PATCH] src: Reject 'export vm json' command
|
|
|
|
Since libnftnl recently dropped JSON output support, this form of JSON
|
|
export is not available anymore. Point at 'nft -j list ruleset' command
|
|
for a replacement in error message.
|
|
|
|
Since 'export' command is not useable anymore, remove it from
|
|
documentation. Instead point out that 'list ruleset' command serves well
|
|
for dumping and later restoring.
|
|
|
|
To not cause pointless inconvenience for users wishing to store their
|
|
ruleset in JSON format, make JSON parser fallback to CMD_ADD if no
|
|
recognized command property was found. This allows feeding the output of
|
|
'nft -j list ruleset' into 'nft -f' without any modification.
|
|
|
|
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
(cherry picked from commit 8d51f169e0e832a41d2ed278be903c08bd4fa473)
|
|
|
|
Conflicts:
|
|
-> Documentation changes applied manually due to missing conversion to
|
|
asciidoc.
|
|
-> Dropped references to libnftables-json man page from documentation.
|
|
(This file has not been backported and doing so is non-trivial due to
|
|
asciidoc conversion.)
|
|
-> Include libnftnl/common.h in src/evaluate.c to make symbol
|
|
NFTNL_OUTPUT_JSON known.
|
|
|
|
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
|
---
|
|
doc/nft.xml | 34 +++++++++++++---------------------
|
|
src/evaluate.c | 5 +++++
|
|
src/parser_json.c | 4 ++--
|
|
3 files changed, 20 insertions(+), 23 deletions(-)
|
|
|
|
diff --git a/doc/nft.xml b/doc/nft.xml
|
|
index 512724ed8f9a7..1a97d7a169776 100644
|
|
--- a/doc/nft.xml
|
|
+++ b/doc/nft.xml
|
|
@@ -46,7 +46,7 @@ vi:ts=4 sw=4
|
|
<cmdsynopsis>
|
|
<command>nft</command>
|
|
<group>
|
|
- <arg><option> -nNscae </option></arg>
|
|
+ <arg><option> -nNscaej </option></arg>
|
|
</group>
|
|
<arg> -I
|
|
<replaceable>directory</replaceable>
|
|
@@ -155,6 +155,14 @@ vi:ts=4 sw=4
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
+ <varlistentry>
|
|
+ <term><option>-j, --json</option></term>
|
|
+ <listitem>
|
|
+ <para>
|
|
+ Format output in JSON.
|
|
+ </para>
|
|
+ </listitem>
|
|
+ </varlistentry>
|
|
<varlistentry>
|
|
<term><option>-I, --includepath <replaceable>directory</replaceable></option></term>
|
|
<listitem>
|
|
@@ -480,11 +488,6 @@ filter input iif $int_ifs accept
|
|
<command>ruleset</command>
|
|
<arg choice="opt"><replaceable>family</replaceable></arg>
|
|
</cmdsynopsis>
|
|
- <cmdsynopsis>
|
|
- <arg choice="plain">export</arg>
|
|
- <arg choice="opt"><command>ruleset</command></arg>
|
|
- <arg choice="plain"><replaceable>format</replaceable></arg>
|
|
- </cmdsynopsis>
|
|
</para>
|
|
|
|
<para>
|
|
@@ -514,17 +517,6 @@ filter input iif $int_ifs accept
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
- <varlistentry>
|
|
- <term><option>export</option></term>
|
|
- <listitem>
|
|
- <para>
|
|
- Print the ruleset in machine readable format. The
|
|
- mandatory <replaceable>format</replaceable> parameter
|
|
- may be either <literal>xml</literal> or
|
|
- <literal>json</literal>.
|
|
- </para>
|
|
- </listitem>
|
|
- </varlistentry>
|
|
</variablelist>
|
|
|
|
<para>
|
|
@@ -534,10 +526,10 @@ filter input iif $int_ifs accept
|
|
</para>
|
|
|
|
<para>
|
|
- Note that contrary to what one might assume, the output generated
|
|
- by <command>export</command> is not parseable by
|
|
- <command>nft -f</command>. Instead, the output of
|
|
- <command>list</command> command serves well for that purpose.
|
|
+ By design, <command>list ruleset</command> command output may be
|
|
+ used as input to <command>nft -f</command>.
|
|
+ Effectively, this is the nft-equivalent of <command>iptables-save</command> and
|
|
+ <command>iptables-restore</command>.
|
|
</para>
|
|
</refsect1>
|
|
|
|
diff --git a/src/evaluate.c b/src/evaluate.c
|
|
index 809920748c0a9..4656c7566db39 100644
|
|
--- a/src/evaluate.c
|
|
+++ b/src/evaluate.c
|
|
@@ -31,6 +31,8 @@
|
|
#include <utils.h>
|
|
#include <xt.h>
|
|
|
|
+#include <libnftnl/common.h>
|
|
+
|
|
static int expr_evaluate(struct eval_ctx *ctx, struct expr **expr);
|
|
|
|
static const char * const byteorder_names[] = {
|
|
@@ -3526,6 +3528,9 @@ static int cmd_evaluate_export(struct eval_ctx *ctx, struct cmd *cmd)
|
|
if (cmd->markup->format == __NFT_OUTPUT_NOTSUPP)
|
|
return cmd_error(ctx, &cmd->location,
|
|
"this output type is not supported");
|
|
+ else if (cmd->markup->format == NFTNL_OUTPUT_JSON)
|
|
+ return cmd_error(ctx, &cmd->location,
|
|
+ "JSON export is no longer supported, use 'nft -j list ruleset' instead");
|
|
|
|
return cache_update(ctx->nft, cmd->op, ctx->msgs);
|
|
}
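Review bot: The new branch is written as `else if` after an unconditional `return`, so the `else` is dead syntax; a plain `if (cmd->markup->format == NFTNL_OUTPUT_JSON)` keeps the guard-clause shape the preceding NOTSUPP check already uses. The remaining formats still fall through to cache_update unchanged, which is what the commit message describes. cmd_evaluate_export's body starts before this hunk.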
|
|
diff --git a/src/parser_json.c b/src/parser_json.c
|
|
index 817415c15fb89..1e3688b2dc1cd 100644
|
|
--- a/src/parser_json.c
|
|
+++ b/src/parser_json.c
|
|
@@ -3018,8 +3018,8 @@ static struct cmd *json_parse_cmd(struct json_ctx *ctx, json_t *root)
|
|
|
|
return parse_cb_table[i].cb(ctx, tmp, parse_cb_table[i].op);
|
|
}
|
|
- json_error(ctx, "Unknown command object.");
|
|
- return NULL;
|
|
+ /* to accept 'list ruleset' output 1:1, try add command */
|
|
+ return json_parse_cmd_add(ctx, root, CMD_ADD);
|
|
}
|
|
|
|
static int __json_parse(struct json_ctx *ctx, json_t *root)
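Review bot: The fallback at the end of json_parse_cmd drops the former "Unknown command object." diagnostic, so an object whose only key is a misspelled command name is no longer reported as an unknown command but handed to json_parse_cmd_add as if it were a bare table/chain/rule object, and whatever error that path reports (not visible in this hunk) will point the user at the wrong cause. The one-line comment should at least state the contract, e.g. `/* no known command key: treat the object as an implicit 'add', since 'nft -j list ruleset' emits bare objects */`, and if json_parse_cmd_add emits a generic unknown-object error it would help to mention the implicit add there too. json_parse_cmd's body starts before this hunk.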
|
|
--
|
|
2.21.0
|
|
|