From 213bb692b8907c2d458298ff2569c96ed71fb925 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Fri, 15 Mar 2019 13:08:45 +0100
Subject: [PATCH] src: Reject 'export vm json' command

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1646336
Upstream Status: nftables commit 8d51f169e0e83
Conflicts:
* Adjusted changes to missing commit a84f9329d2f6c
  ("src: use location to display error messages").
* Error message changed to not suggest 'nft -j' which doesn't exist in
  RHEL7.
* Man page changes applied manually, upstream converted to asciidoc in
  between.
* Include netlink.h from src/evaluate.c to make NFTNL_OUTPUT_JSON
  known. Upstream added this in unrelated commit 1524134b0bc01
  ("src: osf: load pf.os from expr_evaluate_osf()").

commit 8d51f169e0e832a41d2ed278be903c08bd4fa473
Author: Phil Sutter <phil@nwl.cc>
Date:   Mon Dec 17 16:29:56 2018 +0100

    src: Reject 'export vm json' command

    Since libnftnl recently dropped JSON output support, this form of JSON
    export is not available anymore. Point at 'nft -j list ruleset' command
    for a replacement in error message.

    Since the 'export' command is no longer usable, remove it from the
    documentation. Instead, point out that the 'list ruleset' command serves
    well for dumping a ruleset and later restoring it.

    To not cause pointless inconvenience for users wishing to store their
    ruleset in JSON format, make JSON parser fallback to CMD_ADD if no
    recognized command property was found. This allows to feed the output of
    'nft -j list ruleset' into 'nft -f' without any modification.

    Signed-off-by: Phil Sutter <phil@nwl.cc>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 doc/nft.xml    | 23 +++--------------------
 src/evaluate.c |  4 ++++
 2 files changed, 7 insertions(+), 20 deletions(-)

diff --git a/doc/nft.xml b/doc/nft.xml
index e6cfb78..a4a4c3f 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -514,11 +514,6 @@ filter input iif $int_ifs accept
 				<command>ruleset</command>
 				<arg choice="opt"><replaceable>family</replaceable></arg>
 			</cmdsynopsis>
-			<cmdsynopsis>
-				<arg choice="req">export</arg>
-				<arg choice="opt"><command>ruleset</command></arg>
-				<arg choice="req"><replaceable>format</replaceable></arg>
-			</cmdsynopsis>
 		</para>
 
 		<para>
@@ -548,17 +543,6 @@ filter input iif $int_ifs accept
 					</para>
 				</listitem>
 			</varlistentry>
-			<varlistentry>
-				<term><option>export</option></term>
-				<listitem>
-					<para>
-						Print the ruleset in machine readable format. The
-						mandatory <replaceable>format</replaceable> parameter
-						may be either <literal>xml</literal> or
-						<literal>json</literal>.
-					</para>
-				</listitem>
-			</varlistentry>
 		</variablelist>
 
 		<para>
@@ -568,10 +552,9 @@ filter input iif $int_ifs accept
 		</para>
 
 		<para>
-			Note that contrary to what one might assume, the output generated
-			by <command>export</command> is not parseable by
-			<command>nft -f</command>. Instead, the output of
-			<command>list</command> command serves well for that purpose.
+			By design, <command>list ruleset</command> command output may be used as
+			input to <command>nft -f</command>. Effectively, this is the nft-equivalent
+			of <command>iptables-save</command> and <command>iptables-restore</command>.
 		</para>
 	</refsect1>
 
diff --git a/src/evaluate.c b/src/evaluate.c
index c8a98f1..b6c70b8 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -24,6 +24,7 @@
 
 #include <expression.h>
 #include <statement.h>
+#include <netlink.h>
 #include <rule.h>
 #include <erec.h>
 #include <gmputil.h>
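Review bot: The new `#include <netlink.h>` is pulled in only so that NFTNL_OUTPUT_JSON resolves, per the backport note, yet that constant presumably comes from libnftnl's public header rather than from anything netlink.h itself declares. Including `<libnftnl/common.h>` directly would state the actual dependency and avoid tying evaluate.c to an unrelated internal header; this is what upstream ended up needing anyway, just for a different reason. If the project's convention is to reach libnftnl only through netlink.h, a one-line comment such as `/* for NFTNL_OUTPUT_JSON */` next to the include would make the intent clear to the next reader.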
@@ -3428,6 +3429,9 @@ static int cmd_evaluate_export(struct eval_ctx *ctx, struct cmd *cmd)
 {
 	if (cmd->export->format == __NFT_OUTPUT_NOTSUPP)
 		return cmd_error(ctx, "this output type is not supported");
+	else if (cmd->export->format == NFTNL_OUTPUT_JSON)
+		return cmd_error(ctx,
+				 "JSON export is not supported");
 
 	return cache_update(ctx->nf_sock, ctx->cache, cmd->op, ctx->msgs,
 			    ctx->debug_mask & DEBUG_NETLINK, ctx->octx);
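Review bot: The new `else if` follows an unconditional `return`, so the `else` is dead syntax; netfilter code in the kernel style drops it, and the message fits on one line: `if (cmd->export->format == NFTNL_OUTPUT_JSON)` / `return cmd_error(ctx, "JSON export is not supported");`. The rejection itself is the right call given libnftnl dropped JSON output, but unlike the upstream message this one names no alternative, and the same patch removes the man-page entry for `export`, so a user gets a dead end; since the doc hunk now advertises `list ruleset` as the dump/restore mechanism, something like `"JSON export is not supported, use 'list ruleset' instead"` would point them there. Note that only JSON is intercepted here; whether an `xml` format still reaches cache_update in this tree cannot be told from the hunk and is worth confirming. cmd_evaluate_export's body continues past the end of the hunk.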
-- 
1.8.3.1