From 032a1808c1abb70004703f57c2d1625a099beca3 Mon Sep 17 00:00:00 2001

From: Phil Sutter <psutter@redhat.com>

Date: Fri, 15 Mar 2019 12:59:19 +0100

Subject: [PATCH] src: bail out when exporting ruleset with unsupported output

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1646336

Upstream Status: nftables commit a340aa6ca6cd0

Conflicts:

* Dropped changes to import command which doesn't exist in RHEL7.

* Changes to parser_bison.y applied manually. Major conflicts due to

  missing commit 2fa54d8a49352 ("src: Add import command for low level

  json").

* Adjusted to missing commit 2fa54d8a49352 ("src: Add import command for

  low level json").

commit a340aa6ca6cd08ae173fbb95cd3e65807264df07

Author: Pablo Neira Ayuso <pablo@netfilter.org>

Date:   Thu Feb 15 17:22:16 2018 +0100

    src: bail out when exporting ruleset with unsupported output

    Display error message and propagate error to shell when running command

    with unsupported output:

     # nft export ruleset json

     Error: this output type is not supported

     export ruleset json

     ^^^^^^^^^^^^^^^^^^^^

     # echo $?

     1

    When displaying the output in json using the low-level VM

    representation, it shows:

     # nft export ruleset vm json

     ... low-level VM json output

     # echo $?

     0

    While at it, do the same with obsoleted XML output.

    Fixes: https://bugzilla.netfilter.org/show_bug.cgi?id=1224

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

---

 include/nftables.h | 2 ++

 src/evaluate.c     | 3 +++

 src/parser_bison.y | 4 ++--

 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/include/nftables.h b/include/nftables.h

index 01d72a8..0abbcaf 100644

--- a/include/nftables.h

+++ b/include/nftables.h

@@ -154,4 +154,6 @@ int nft_print(struct output_ctx *octx, const char *fmt, ...)

 int nft_gmp_print(struct output_ctx *octx, const char *fmt, ...)

 	__attribute__((format(printf, 2, 0)));

+#define __NFT_OUTPUT_NOTSUPP	UINT_MAX

+

 #endif /* NFTABLES_NFTABLES_H */

diff --git a/src/evaluate.c b/src/evaluate.c

index ab1347f..c8a98f1 100644

--- a/src/evaluate.c

+++ b/src/evaluate.c

@@ -3426,6 +3426,9 @@ static int cmd_evaluate_monitor(struct eval_ctx *ctx, struct cmd *cmd)

 static int cmd_evaluate_export(struct eval_ctx *ctx, struct cmd *cmd)

 {

+	if (cmd->export->format == __NFT_OUTPUT_NOTSUPP)

+		return cmd_error(ctx, "this output type is not supported");

+

 	return cache_update(ctx->nf_sock, ctx->cache, cmd->op, ctx->msgs,

 			    ctx->debug_mask & DEBUG_NETLINK, ctx->octx);

 }

diff --git a/src/parser_bison.y b/src/parser_bison.y

index f9878ba..e87669e 100644

--- a/src/parser_bison.y

+++ b/src/parser_bison.y

@@ -1204,8 +1204,8 @@ monitor_format		:	/* empty */	{ $$ = NFTNL_OUTPUT_DEFAULT; }

 			|	export_format

 			;

-export_format		: 	XML 		{ $$ = NFTNL_OUTPUT_XML; }

-			|	JSON		{ $$ = NFTNL_OUTPUT_JSON; }

+export_format		: 	XML 		{ $$ = __NFT_OUTPUT_NOTSUPP; }

+			|	JSON		{ $$ = __NFT_OUTPUT_NOTSUPP; }

 			;

 describe_cmd		:	primary_expr

-- 

1.8.3.1