| Message ID | 20180214183244.16184-1-pablo@netfilter.org |
|---|---|
| State | Not Applicable |
| Delegated to: | Pablo Neira |
| Headers | show |
| Series | [nft] parser_bison: restore nft {import,export} ruleset | expand |
Hi Pablo, On Thu, Feb 15, 2018 at 12:02 AM, Pablo Neira Ayuso <pablo@netfilter.org> wrote: > Restore original syntax for the yet experimental VM low-level json > representation. > > Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1224 > Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> > --- > I asked for this change to make room for the high-level json > representation, but we can use -j options for this instead. Given there > are more users for the json representation that I expected, I'm fixing > it myself by restoring the former behaviour. Why would one use "nft export" without "nft import". if someone exports rules in json then they can't use those rules given the fact that "nft import" was not available earlier. Am i missing something? Thanks!! > src/parser_bison.y | 6 ++---- > 1 file changed, 2 insertions(+), 4 deletions(-) > > diff --git a/src/parser_bison.y b/src/parser_bison.y > index 578bfdc10429..4cfc54cfd7b2 100644 > --- a/src/parser_bison.y > +++ b/src/parser_bison.y > @@ -1186,7 +1186,7 @@ rename_cmd : CHAIN chain_spec identifier > } > ; > > -import_cmd : RULESET markup_format > +import_cmd : RULESET markup_format > { > struct handle h = { .family = NFPROTO_UNSPEC }; > struct markup *markup = markup_alloc($2); > @@ -1198,7 +1198,6 @@ import_cmd : RULESET markup_format > struct markup *markup = markup_alloc($1); > $$ = cmd_alloc(CMD_IMPORT, CMD_OBJ_MARKUP, &h, &@$, markup); > } > - | JSON { $$ = NULL; } > ; > > export_cmd : RULESET markup_format > @@ -1213,7 +1212,6 @@ export_cmd : RULESET markup_format > struct markup *markup = markup_alloc($1); > $$ = cmd_alloc(CMD_EXPORT, CMD_OBJ_MARKUP, &h, &@$, markup); > } > - | JSON { $$ = NULL; } > ; > > monitor_cmd : monitor_event monitor_object monitor_format > @@ -1241,10 +1239,10 @@ monitor_object : /* empty */ { $$ = CMD_MONITOR_OBJ_ANY; } > > monitor_format : /* empty */ { $$ = NFTNL_OUTPUT_DEFAULT; } > | markup_format > - | JSON { $$ = NFTNL_OUTPUT_JSON; } > ; > > markup_format : XML { $$ = NFTNL_OUTPUT_XML; } > + | JSON { $$ = NFTNL_OUTPUT_JSON; } > | VM JSON { $$ = NFTNL_OUTPUT_JSON; } > ; > > -- > 2.11.0 > -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Thu, Feb 15, 2018 at 12:34:31AM +0530, Shyam Saini wrote: > Hi Pablo, > > On Thu, Feb 15, 2018 at 12:02 AM, Pablo Neira Ayuso <pablo@netfilter.org> wrote: > > Restore original syntax for the yet experimental VM low-level json > > representation. > > > > Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1224 > > Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> > > --- > > I asked for this change to make room for the high-level json > > representation, but we can use -j options for this instead. Given there > > are more users for the json representation that I expected, I'm fixing > > it myself by restoring the former behaviour. > > Why would one use "nft export" without "nft import". > if someone exports rules in json then they can't use those rules > given the fact that "nft import" was not available earlier. > > Am i missing something? With this patch nft import and nft export works as expected, ie. nft export ruleset json > file.json nft import ruleset json < file.json I'm just restoring 'nft export ruleset json' with this patch, it seems there are more users of this than I expected, so let's restore this before 0.8.3 is released, that's my proposal. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Wed, Feb 14, 2018 at 08:16:52PM +0100, Pablo Neira Ayuso wrote: > On Thu, Feb 15, 2018 at 12:34:31AM +0530, Shyam Saini wrote: > > Hi Pablo, > > > > On Thu, Feb 15, 2018 at 12:02 AM, Pablo Neira Ayuso <pablo@netfilter.org> wrote: > > > Restore original syntax for the yet experimental VM low-level json > > > representation. > > > > > > Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1224 > > > Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> > > > --- > > > I asked for this change to make room for the high-level json > > > representation, but we can use -j options for this instead. Given there > > > are more users for the json representation that I expected, I'm fixing > > > it myself by restoring the former behaviour. > > > > Why would one use "nft export" without "nft import". > > if someone exports rules in json then they can't use those rules > > given the fact that "nft import" was not available earlier. > > > > Am i missing something? > > With this patch nft import and nft export works as expected, ie. > > nft export ruleset json > file.json > nft import ruleset json < file.json > > I'm just restoring 'nft export ruleset json' with this patch, it seems > there are more users of this than I expected, so let's restore this > before 0.8.3 is released, that's my proposal. Oh, probably you got confused because the patch title refers to nft import when it should only refer to nft export ruleset json? -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
> On Wed, Feb 14, 2018 at 08:16:52PM +0100, Pablo Neira Ayuso wrote: >> On Thu, Feb 15, 2018 at 12:34:31AM +0530, Shyam Saini wrote: >> > Hi Pablo, >> > >> > On Thu, Feb 15, 2018 at 12:02 AM, Pablo Neira Ayuso <pablo@netfilter.org> wrote: >> > > Restore original syntax for the yet experimental VM low-level json >> > > representation. >> > > >> > > Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1224 >> > > Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> >> > > --- >> > > I asked for this change to make room for the high-level json >> > > representation, but we can use -j options for this instead. Given there >> > > are more users for the json representation that I expected, I'm fixing >> > > it myself by restoring the former behaviour. >> > >> > Why would one use "nft export" without "nft import". >> > if someone exports rules in json then they can't use those rules >> > given the fact that "nft import" was not available earlier. >> > >> > Am i missing something? >> >> With this patch nft import and nft export works as expected, ie. >> >> nft export ruleset json > file.json >> nft import ruleset json < file.json >> >> I'm just restoring 'nft export ruleset json' with this patch, it seems >> there are more users of this than I expected, so let's restore this >> before 0.8.3 is released, that's my proposal. > > Oh, probably you got confused because the patch title refers to nft > import when it should only refer to nft export ruleset json? No, I mean in some previous mail Phil mentioned that it could break user's script. I was thinking why one would use "nft export json" alone. Earlier we didn't have nft import command. So lets say if some user do "nft export json >file.json" then the rules in file.json are of no use without "nft import json" because we had no way to import or use them again. Sorry, I missed previous mail and couldn't follow up. Thanks! -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Hi Shyam, On Thu, Feb 15, 2018 at 01:25:04AM +0530, Shyam Saini wrote: > > On Wed, Feb 14, 2018 at 08:16:52PM +0100, Pablo Neira Ayuso wrote: > >> On Thu, Feb 15, 2018 at 12:34:31AM +0530, Shyam Saini wrote: > >> > Hi Pablo, > >> > > >> > On Thu, Feb 15, 2018 at 12:02 AM, Pablo Neira Ayuso <pablo@netfilter.org> wrote: > >> > > Restore original syntax for the yet experimental VM low-level json > >> > > representation. > >> > > > >> > > Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1224 > >> > > Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> > >> > > --- > >> > > I asked for this change to make room for the high-level json > >> > > representation, but we can use -j options for this instead. Given there > >> > > are more users for the json representation that I expected, I'm fixing > >> > > it myself by restoring the former behaviour. > >> > > >> > Why would one use "nft export" without "nft import". > >> > if someone exports rules in json then they can't use those rules > >> > given the fact that "nft import" was not available earlier. > >> > > >> > Am i missing something? > >> > >> With this patch nft import and nft export works as expected, ie. > >> > >> nft export ruleset json > file.json > >> nft import ruleset json < file.json > >> > >> I'm just restoring 'nft export ruleset json' with this patch, it seems > >> there are more users of this than I expected, so let's restore this > >> before 0.8.3 is released, that's my proposal. > > > > Oh, probably you got confused because the patch title refers to nft > > import when it should only refer to nft export ruleset json? > > No, I mean in some previous mail Phil mentioned that it could break user's > script. > I was thinking why one would use "nft export json" alone. > Earlier we didn't have nft import command. > > So lets say if some user do "nft export json >file.json" then the > rules in file.json > are of no use without "nft import json" because we had no way to > import or use them again. > > Sorry, I missed previous mail and couldn't follow up. My point was that 'nft export json' might be in use for other things than restoring nftables rule set later on, e.g. to verify current system state against a known one. The problem I saw was not so much that 'nft export json' stopped working but that it returned 0 and hence did not allow for such scripts to detect a failure in execution. So this might lead to red lights turning on because a system may seem like it lost all previously installed nftables rules. Yes, this case is pretty much constructed, but if something's possible, there's always at least one guy on the internet doing it. :) Cheers, Phil -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/src/parser_bison.y b/src/parser_bison.y index 578bfdc10429..4cfc54cfd7b2 100644 --- a/src/parser_bison.y +++ b/src/parser_bison.y @@ -1186,7 +1186,7 @@ rename_cmd : CHAIN chain_spec identifier } ; -import_cmd : RULESET markup_format +import_cmd : RULESET markup_format { struct handle h = { .family = NFPROTO_UNSPEC }; struct markup *markup = markup_alloc($2); @@ -1198,7 +1198,6 @@ import_cmd : RULESET markup_format struct markup *markup = markup_alloc($1); $$ = cmd_alloc(CMD_IMPORT, CMD_OBJ_MARKUP, &h, &@$, markup); } - | JSON { $$ = NULL; } ; export_cmd : RULESET markup_format @@ -1213,7 +1212,6 @@ export_cmd : RULESET markup_format struct markup *markup = markup_alloc($1); $$ = cmd_alloc(CMD_EXPORT, CMD_OBJ_MARKUP, &h, &@$, markup); } - | JSON { $$ = NULL; } ; monitor_cmd : monitor_event monitor_object monitor_format @@ -1241,10 +1239,10 @@ monitor_object : /* empty */ { $$ = CMD_MONITOR_OBJ_ANY; } monitor_format : /* empty */ { $$ = NFTNL_OUTPUT_DEFAULT; } | markup_format - | JSON { $$ = NFTNL_OUTPUT_JSON; } ; markup_format : XML { $$ = NFTNL_OUTPUT_XML; } + | JSON { $$ = NFTNL_OUTPUT_JSON; } | VM JSON { $$ = NFTNL_OUTPUT_JSON; } ;
Restore original syntax for the yet experimental VM low-level json representation. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1224 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- I asked for this change to make room for the high-level json representation, but we can use -j options for this instead. Given there are more users for the json representation that I expected, I'm fixing it myself by restoring the former behaviour. src/parser_bison.y | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-)