|
 |
ad45ff |
From 213bb692b8907c2d458298ff2569c96ed71fb925 Mon Sep 17 00:00:00 2001
|
|
|
ad45ff |
From: Phil Sutter <psutter@redhat.com>
|
|
|
ad45ff |
Date: Fri, 15 Mar 2019 13:08:45 +0100
|
|
|
ad45ff |
Subject: [PATCH] src: Reject 'export vm json' command
|
|
|
ad45ff |
|
|
|
ad45ff |
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1646336
|
|
|
ad45ff |
Upstream Status: nftables commit 8d51f169e0e83
|
|
|
ad45ff |
Conflicts:
|
|
|
ad45ff |
* Adjusted changes to missing commit a84f9329d2f6c
|
|
|
ad45ff |
("src: use location to display error messages").
|
|
|
ad45ff |
* Error message changed to not suggest 'nft -j' which doesn't exist in
|
|
|
ad45ff |
RHEL7.
|
|
|
ad45ff |
* Man page changes applied manually, upstream converted to asciidoc in
|
|
|
ad45ff |
between.
|
|
|
ad45ff |
* Include netlink.h from src/evaluate.c to make NFTNL_OUTPUT_JSON
|
|
|
ad45ff |
known. Upstream added this in unrelated commit 1524134b0bc01
|
|
|
ad45ff |
("src: osf: load pf.os from expr_evaluate_osf()").
|
|
|
ad45ff |
|
|
|
ad45ff |
commit 8d51f169e0e832a41d2ed278be903c08bd4fa473
|
|
|
ad45ff |
Author: Phil Sutter <phil@nwl.cc>
|
|
|
ad45ff |
Date: Mon Dec 17 16:29:56 2018 +0100
|
|
|
ad45ff |
|
|
|
ad45ff |
src: Reject 'export vm json' command
|
|
|
ad45ff |
|
|
|
ad45ff |
Since libnftnl recently dropped JSON output support, this form of JSON
|
|
|
ad45ff |
export is not available anymore. Point at 'nft -j list ruleset' command
|
|
|
ad45ff |
for a replacement in error message.
|
|
|
ad45ff |
|
|
|
ad45ff |
Since 'export' command is not useable anymore, remove it from
|
|
|
ad45ff |
documentation. Instead point out that 'list ruleset' command serves well
|
|
|
ad45ff |
for dumping and later restoring.
|
|
|
ad45ff |
|
|
|
ad45ff |
To not cause pointless inconvenience for users wishing to store their
|
|
|
ad45ff |
ruleset in JSON format, make JSON parser fallback to CMD_ADD if no
|
|
|
ad45ff |
recognized command property was found. This allows to feed the output of
|
|
|
ad45ff |
'nft -j list ruleset' into 'nft -f' without any modification.
|
|
|
ad45ff |
|
|
|
ad45ff |
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
ad45ff |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
ad45ff |
---
|
|
|
ad45ff |
doc/nft.xml | 23 +++--------------------
|
|
|
ad45ff |
src/evaluate.c | 4 ++++
|
|
|
ad45ff |
2 files changed, 7 insertions(+), 20 deletions(-)
|
|
|
ad45ff |
|
|
|
ad45ff |
diff --git a/doc/nft.xml b/doc/nft.xml
|
|
|
ad45ff |
index e6cfb78..a4a4c3f 100644
|
|
|
ad45ff |
--- a/doc/nft.xml
|
|
|
ad45ff |
+++ b/doc/nft.xml
|
|
|
ad45ff |
@@ -514,11 +514,6 @@ filter input iif $int_ifs accept
|
|
|
ad45ff |
<command>ruleset</command>
|
|
|
ad45ff |
<arg choice="opt"><replaceable>family</replaceable></arg>
|
|
|
ad45ff |
</cmdsynopsis>
|
|
|
ad45ff |
- <cmdsynopsis>
|
|
|
ad45ff |
- <arg choice="req">export</arg>
|
|
|
ad45ff |
- <arg choice="opt"><command>ruleset</command></arg>
|
|
|
ad45ff |
- <arg choice="req"><replaceable>format</replaceable></arg>
|
|
|
ad45ff |
- </cmdsynopsis>
|
|
|
ad45ff |
</para>
|
|
|
ad45ff |
|
|
|
ad45ff |
<para>
|
|
|
ad45ff |
@@ -548,17 +543,6 @@ filter input iif $int_ifs accept
|
|
|
ad45ff |
</para>
|
|
|
ad45ff |
</listitem>
|
|
|
ad45ff |
</varlistentry>
|
|
|
ad45ff |
- <varlistentry>
|
|
|
ad45ff |
- <term><option>export</option></term>
|
|
|
ad45ff |
- <listitem>
|
|
|
ad45ff |
- <para>
|
|
|
ad45ff |
- Print the ruleset in machine readable format. The
|
|
|
ad45ff |
- mandatory <replaceable>format</replaceable> parameter
|
|
|
ad45ff |
- may be either <literal>xml</literal> or
|
|
|
ad45ff |
- <literal>json</literal>.
|
|
|
ad45ff |
- </para>
|
|
|
ad45ff |
- </listitem>
|
|
|
ad45ff |
- </varlistentry>
|
|
|
ad45ff |
</variablelist>
|
|
|
ad45ff |
|
|
|
ad45ff |
<para>
|
|
|
ad45ff |
@@ -568,10 +552,9 @@ filter input iif $int_ifs accept
|
|
|
ad45ff |
</para>
|
|
|
ad45ff |
|
|
|
ad45ff |
<para>
|
|
|
ad45ff |
- Note that contrary to what one might assume, the output generated
|
|
|
ad45ff |
- by <command>export</command> is not parseable by
|
|
|
ad45ff |
- <command>nft -f</command>. Instead, the output of
|
|
|
ad45ff |
- <command>list</command> command serves well for that purpose.
|
|
|
ad45ff |
+ By design, <command>list ruleset</command> command output may be used as
|
|
|
ad45ff |
+ input to <command>nft -f</command>. Effectively, this is the nft-equivalent
|
|
|
ad45ff |
+ of <command>iptables-save</command> and <command>iptables-restore</command>.
|
|
|
ad45ff |
</para>
|
|
|
ad45ff |
</refsect1>
|
|
|
ad45ff |
|
|
|
ad45ff |
diff --git a/src/evaluate.c b/src/evaluate.c
|
|
|
ad45ff |
index c8a98f1..b6c70b8 100644
|
|
|
ad45ff |
--- a/src/evaluate.c
|
|
|
ad45ff |
+++ b/src/evaluate.c
|
|
|
ad45ff |
@@ -24,6 +24,7 @@
|
|
|
ad45ff |
|
|
|
ad45ff |
#include <expression.h>
|
|
|
ad45ff |
#include <statement.h>
|
|
|
ad45ff |
+#include <netlink.h>
|
|
|
ad45ff |
#include <rule.h>
|
|
|
ad45ff |
#include <erec.h>
|
|
|
ad45ff |
#include <gmputil.h>
|
|
|
ad45ff |
@@ -3428,6 +3429,9 @@ static int cmd_evaluate_export(struct eval_ctx *ctx, struct cmd *cmd)
|
|
|
ad45ff |
{
|
|
|
ad45ff |
if (cmd->export->format == __NFT_OUTPUT_NOTSUPP)
|
|
|
ad45ff |
return cmd_error(ctx, "this output type is not supported");
|
|
|
ad45ff |
+ else if (cmd->export->format == NFTNL_OUTPUT_JSON)
|
|
|
ad45ff |
+ return cmd_error(ctx,
|
|
|
ad45ff |
+ "JSON export is not supported");
|
|
|
ad45ff |
|
|
|
ad45ff |
return cache_update(ctx->nf_sock, ctx->cache, cmd->op, ctx->msgs,
|
|
|
ad45ff |
ctx->debug_mask & DEBUG_NETLINK, ctx->octx);
|
|
|
ad45ff |
--
|
|
|
ad45ff |
1.8.3.1
|
|
|
ad45ff |
|