From: Phil Sutter <phil@nwl.cc>
To: Florian Westphal <fw@strlen.de>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH nft 2/5] parser_json: move list_add into json_parse_cmd
Date: Thu, 7 Mar 2024 15:31:59 +0100
Message-ID: <ZenP32bq9xtJglJQ@orbyte.nwl.cc>
In-Reply-To: <20240307122640.29507-3-fw@strlen.de>

Hi Florian,

On Thu, Mar 07, 2024 at 01:26:32PM +0100, Florian Westphal wrote:
> The existing parser cannot handle certain inputs.  Example:
> 
>   "map": {
>    "family": "ip",
>    "name": "testmap",
>    "table": "test",
>    "type": "ipv4_addr",
>    "handle": 2,
>    "map": "verdict",
>    "elem": [ [ "*", {
>         "jump": {
>            "target": "testchain"
> [..]
>     },
>     {
>       "chain": {
>         "family": "ip",
>         "table": "test",
>         "name": "testchain",
>         ...
> 
> Problem is that the json input parser does cmd_add at the earliest opportunity.
> 
> For a simple input file defining a table, set, set element and chain, we get
> the following transaction:
>  * add table
>  * add set
>  * add setelem
>  * add chain
> 
> This is rejected by the kernel, because the set element references a chain
> that does (not yet) exist.
> 
> Normal input parser only allocates a CMD_ADD request for the table.
> 
> Rest of the transactional commands are created much later, via nft_cmd_expand(),
> which walks "struct table" and then creates the needed CMD_ADD for the objects
> owned by that table.

JSON parser simply does not support nested syntax, like, for instance:

| table test {
| 	map testmap {
| 		type ipv4_addr : verdict
| 		elements = {
| 			"*" : jump testchain
| 		}
| 	}
| 	chain testchain {
| 	}
| }

Your example above is equivalent to the following in standard syntax:

| add table t
| add map t m { type ipv4_addr : verdict; elements = { 10.0.0.1 : jump mychain }; }
| add chain t mychain

It is rejected by nft as well:

| /tmp/input.nft:2:54-61: Error: Could not process rule: No such file or directory
| add map t m { type ipv4_addr : verdict; elements = { 10.0.0.1 : jump mychain }; }
|                                                      ^^^^^^^^

(Note the wrong marker position, an unrelated bug it seems.)

If I swap the 'add map' and 'add chain' commands in input, it is
accepted.

Cheers, Phil
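As an added illustration of the ordering problem discussed in this thread (not code from the thread or from nft itself): a small Python checker that takes a json-nft ruleset in the shape Florian quoted, reorders the commands so that tables precede chains and chains precede maps and their elements (the effect nft_cmd_expand() achieves in the standard parser), and flags verdict elements that jump to a chain the ruleset never defines. The KIND_RANK table, the `order_and_check` and `verdict_targets` names and the SAMPLE ruleset are constructed for this example.

```python
import json

# Kernel-side rule the thread describes: within one transaction an object may
# only reference objects created earlier, so a map element carrying a
# "jump testchain" verdict must come after "add chain testchain".
# Constructed ranking for demonstration, not nft's own ordering code.
KIND_RANK = {"metainfo": 0, "table": 1, "chain": 2, "set": 3, "map": 3,
             "element": 4, "rule": 5}

def verdict_targets(elem):
    """Yield chain names referenced by jump/goto verdicts in a map's "elem" list."""
    for entry in elem:
        # Map elements are [key, value] pairs; a verdict value is a dict.
        if isinstance(entry, list) and len(entry) == 2 and isinstance(entry[1], dict):
            for verdict in ("jump", "goto"):
                target = entry[1].get(verdict, {}).get("target")
                if target:
                    yield target

def order_and_check(ruleset):
    """Return (reordered command list, list of (map, missing chain) pairs).
    Python's sort is stable, so input order is kept within one kind."""
    cmds = ruleset["nftables"]
    ordered = sorted(cmds, key=lambda c: KIND_RANK.get(next(iter(c)), 99))
    chains = {(c["chain"]["table"], c["chain"]["name"]) for c in cmds if "chain" in c}
    missing = []
    for c in cmds:
        if "map" in c:
            m = c["map"]
            for target in verdict_targets(m.get("elem", [])):
                if (m["table"], target) not in chains:
                    missing.append((m["name"], target))
    return ordered, missing

# Constructed input in the shape of the thread's example: the map and its
# verdict element appear before the chain they jump to.
SAMPLE = json.loads('''{"nftables": [
  {"table": {"family": "ip", "name": "test"}},
  {"map": {"family": "ip", "table": "test", "name": "testmap",
           "type": "ipv4_addr", "map": "verdict",
           "elem": [["*", {"jump": {"target": "testchain"}}]]}},
  {"chain": {"family": "ip", "table": "test", "name": "testchain"}}
]}''')

def kinds(cmds):
    """Object kind of each command, in order (for inspecting the result)."""
    return [next(iter(c)) for c in cmds]

if __name__ == "__main__":
    ordered, missing = order_and_check(SAMPLE)
    print(kinds(ordered), missing)
```

With the sample above the reordered list becomes table, chain, map, which is the order the kernel accepts; dropping the chain definition makes the checker report the dangling "testchain" target instead.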
