| From 213bb692b8907c2d458298ff2569c96ed71fb925 Mon Sep 17 00:00:00 2001 |
| From: Phil Sutter <psutter@redhat.com> |
| Date: Fri, 15 Mar 2019 13:08:45 +0100 |
| Subject: [PATCH] src: Reject 'export vm json' command |
| |
| Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1646336 |
| Upstream Status: nftables commit 8d51f169e0e83 |
| Conflicts: |
| * Adjusted changes to missing commit a84f9329d2f6c |
| ("src: use location to display error messages"). |
| * Error message changed to not suggest 'nft -j' which doesn't exist in |
| RHEL7. |
| * Man page changes applied manually, upstream converted to asciidoc in |
| between. |
| * Include netlink.h from src/evaluate.c to make NFTNL_OUTPUT_JSON |
| known. Upstream added this in unrelated commit 1524134b0bc01 |
| ("src: osf: load pf.os from expr_evaluate_osf()"). |
| |
| commit 8d51f169e0e832a41d2ed278be903c08bd4fa473 |
| Author: Phil Sutter <phil@nwl.cc> |
| Date: Mon Dec 17 16:29:56 2018 +0100 |
| |
| src: Reject 'export vm json' command |
| |
| Since libnftnl recently dropped JSON output support, this form of JSON |
| export is not available anymore. Point at 'nft -j list ruleset' command |
| for a replacement in error message. |
| |
| Since the 'export' command is not usable anymore, remove it from |
| documentation. Instead point out that 'list ruleset' command serves well |
| for dumping and later restoring. |
| |
| To not cause pointless inconvenience for users wishing to store their |
| ruleset in JSON format, make JSON parser fallback to CMD_ADD if no |
| recognized command property was found. This allows to feed the output of |
| 'nft -j list ruleset' into 'nft -f' without any modification. |
| |
| Signed-off-by: Phil Sutter <phil@nwl.cc> |
| Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> |
| |
| doc/nft.xml | 23 +++-------------------- |
| src/evaluate.c | 4 ++++ |
| 2 files changed, 7 insertions(+), 20 deletions(-) |
| |
| diff --git a/doc/nft.xml b/doc/nft.xml |
| index e6cfb78..a4a4c3f 100644 |
| |
| |
| @@ -514,11 +514,6 @@ filter input iif $int_ifs accept |
| <command>ruleset</command> |
| <arg choice="opt"><replaceable>family</replaceable></arg> |
| </cmdsynopsis> |
| - <cmdsynopsis> |
| - <arg choice="req">export</arg> |
| - <arg choice="opt"><command>ruleset</command></arg> |
| - <arg choice="req"><replaceable>format</replaceable></arg> |
| - </cmdsynopsis> |
| </para> |
| |
| <para> |
| @@ -548,17 +543,6 @@ filter input iif $int_ifs accept |
| </para> |
| </listitem> |
| </varlistentry> |
| - <varlistentry> |
| - <term><option>export</option></term> |
| - <listitem> |
| - <para> |
| - Print the ruleset in machine readable format. The |
| - mandatory <replaceable>format</replaceable> parameter |
| - may be either <literal>xml</literal> or |
| - <literal>json</literal>. |
| - </para> |
| - </listitem> |
| - </varlistentry> |
| </variablelist> |
| |
| <para> |
| @@ -568,10 +552,9 @@ filter input iif $int_ifs accept |
| </para> |
| |
| <para> |
| - Note that contrary to what one might assume, the output generated |
| - by <command>export</command> is not parseable by |
| - <command>nft -f</command>. Instead, the output of |
| - <command>list</command> command serves well for that purpose. |
| + By design, <command>list ruleset</command> command output may be used as |
| + input to <command>nft -f</command>. Effectively, this is the nft-equivalent |
| + of <command>iptables-save</command> and <command>iptables-restore</command>. |
| </para> |
| </refsect1> |
| |
| diff --git a/src/evaluate.c b/src/evaluate.c |
| index c8a98f1..b6c70b8 100644 |
| |
| |
| @@ -24,6 +24,7 @@ |
| |
| #include <expression.h> |
| #include <statement.h> |
| +#include <netlink.h> |
| #include <rule.h> |
| #include <erec.h> |
| #include <gmputil.h> |
| @@ -3428,6 +3429,9 @@ static int cmd_evaluate_export(struct eval_ctx *ctx, struct cmd *cmd) |
| { |
| if (cmd->export->format == __NFT_OUTPUT_NOTSUPP) |
| return cmd_error(ctx, "this output type is not supported"); |
| + else if (cmd->export->format == NFTNL_OUTPUT_JSON) |
| + return cmd_error(ctx, |
| + "JSON export is not supported"); |
| |
| return cache_update(ctx->nf_sock, ctx->cache, cmd->op, ctx->msgs, |
| ctx->debug_mask & DEBUG_NETLINK, ctx->octx); |
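Review bot: The new rejection on the `NFTNL_OUTPUT_JSON` branch tells the user what was removed but not what replaces it, while the doc hunk in this same patch establishes `list ruleset` as the intended dump/restore path; since the RHEL7 message deliberately drops the `nft -j` pointer, it should still name the supported alternative, e.g. `return cmd_error(ctx, "JSON export is not supported, use 'list ruleset' instead");`. Note also that the `else` is dead after the preceding `return` — two independent `if` statements read more clearly and match the early-return style of the existing `__NFT_OUTPUT_NOTSUPP` check. After this check the remaining formats still fall through to `cache_update()` and, presumably, the libnftnl export path, so whether the XML format is still backed by libnftnl in this tree cannot be confirmed from the hunk. The closing brace of `cmd_evaluate_export` lies outside the hunk.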
| -- |
| 1.8.3.1 |
| |