From: Phil Sutter <phil@nwl.cc>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org, Florian Westphal <fw@strlen.de>
Subject: Re: libnftables extended API proposal
Date: Wed, 20 Dec 2017 13:32:25 +0100 [thread overview]
Message-ID: <20171220123225.GS32305@orbyte.nwl.cc> (raw)
In-Reply-To: <20171218230048.pwtnnezyxyhh4geu@salvia>
Hi Pablo,
On Tue, Dec 19, 2017 at 12:00:48AM +0100, Pablo Neira Ayuso wrote:
> On Sat, Dec 16, 2017 at 05:06:51PM +0100, Phil Sutter wrote:
> > On Sun, Dec 10, 2017 at 10:55:40PM +0100, Pablo Neira Ayuso wrote:
> > > On Thu, Dec 07, 2017 at 12:34:31PM +0100, Phil Sutter wrote:
> > > > On Thu, Dec 07, 2017 at 01:05:45AM +0100, Pablo Neira Ayuso wrote:
> > > > > On Tue, Dec 05, 2017 at 02:43:17PM +0100, Phil Sutter wrote:
> > > > [...]
> > > > > > After tweaking the parser a bit, I can use it now to parse just a
> > > > > > set_list_member_expr and use the struct expr it returns. This made it
> > > > > > possible to create the desired struct cmd in above function without
> > > > > > having to invoke the parser there.
> > > > > >
> > > > > > Exercising this refining consequently should allow to reach arbitrary
> > > > > > levels of granularity. For instance, one could stop at statement level,
> > > > > > i.e. statements are created using a string representation. Or one could
> > > > > > go down to expression level, and statements are created using one or two
> > > > > > expressions (depending on whether it is relational or not). Of course
> > > > > > this means the library will eventually become as complicated as the
> > > > > > parser itself, not necessarily a good thing.
> > > > >
> > > > > Yes, and we'll expose all internal representation details, that we
> > > > > will need to maintain forever if we don't want to break backward.
> > > >
> > > > Not necessarily. I had this in mind when declaring 'struct nft_table'
> > > > instead of reusing 'struct table'. :)
> > > >
> > > > The parser defines the grammar, the library would just follow it. So if
> > > > a given internal change complies with the old grammar, it should comply
> > > > with the library as well. Though this is quite theoretical, of course.
> > > >
> > > > Let's take relational expressions as simple example: In bison, we define
> > > > 'expr op rhs_expr'. An equivalent library function could be:
> > > >
> > > > | struct nft_expr *nft_relational_new(struct nft_expr *,
> > > > | enum rel_ops,
> > > > | struct nft_expr *);
> > >
> > > Then that means you would like to expose an API that allows you to
> > > build the abstract syntax tree.
> >
> > That was the idea I had when I thought about how to transition from
> > fully text-based simple API to an extended one which allows to work with
> > objects instead. We could start simple and refine further if
> > required/sensible. At the basic level, adding a new rule could be
> > something like:
> >
> > | myrule = nft_rule_create("tcp dport 22 accept");
> >
> > If required, one could implement rule building based on statements:
> >
> > | stmt1 = nft_stmt_create("tcp dport 22");
> > | stmt2 = nft_stmt_create("accept");
> > | myrule = nft_rule_create();
> > | nft_rule_add_stmt(myrule, stmt1);
> > | nft_rule_add_stmt(myrule, stmt2);
>
> This is mixing parsing and abstract syntax tree creation.
>
> If you want to expose the syntax tree, then I would the parsing layer
> entirely and expose the syntax tree, which is what the json
> representation for the high level library will be doing.
But that means having to provide a creating function for every
expression there is, no?
> To support new protocol, we will need a new library version too, when
> the abstraction to represent a payload is already well-defined, ie.
> [ base, offset, length ], which is pretty much everywhere the same,
> not only in nftables.
Sorry, I didn't get that. Are you talking about that JSON
representation?
> I wonder if firewalld could generate high level json representation
> instead, so it becomes a compiler/translator from its own
> representation to nftables abstract syntax tree. As I said, the json
> representation is mapping to the abstract syntax tree we have in nft.
> I'm refering to the high level json representation that doesn't exist
> yet, not the low level one for libnftnl.
Can you point me to some information about that high level JSON
representation? Seems I'm missing something here.
Thanks, Phil
next prev parent reply other threads:[~2017-12-20 12:32 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-16 19:10 [nft PATCH] libnftables: Fix for multiple context instances Phil Sutter
2017-11-20 12:37 ` Pablo Neira Ayuso
2017-11-20 12:54 ` Phil Sutter
2017-11-20 13:07 ` Pablo Neira Ayuso
2017-11-20 15:58 ` Phil Sutter
2017-11-20 16:53 ` Pablo Neira Ayuso
2017-11-22 17:49 ` Phil Sutter
2017-11-22 18:18 ` Pablo Neira Ayuso
[not found] ` <20171204100955.GA1822@salvia>
[not found] ` <20171204105324.GX32305@orbyte.nwl.cc>
[not found] ` <20171204110142.GA19776@salvia>
[not found] ` <20171204164327.GA32305@orbyte.nwl.cc>
[not found] ` <20171204184604.GA1556@salvia>
2017-12-05 13:43 ` libnftables extended API proposal (Was: Re: [nft PATCH] libnftables: Fix for multiple context instances) Phil Sutter
2017-12-07 0:05 ` Pablo Neira Ayuso
2017-12-07 11:34 ` Phil Sutter
2017-12-10 21:55 ` Pablo Neira Ayuso
2017-12-16 16:06 ` libnftables extended API proposal Phil Sutter
2017-12-18 23:00 ` Pablo Neira Ayuso
2017-12-20 12:32 ` Phil Sutter [this message]
2017-12-20 22:23 ` Pablo Neira Ayuso
2017-12-22 13:08 ` Phil Sutter
2017-12-22 13:49 ` Pablo Neira Ayuso
2017-12-22 15:30 ` Phil Sutter
2017-12-22 20:39 ` Pablo Neira Ayuso
2017-12-23 13:19 ` Phil Sutter
2017-12-28 19:21 ` Pablo Neira Ayuso
2017-12-29 14:58 ` Phil Sutter
2018-01-02 18:02 ` Pablo Neira Ayuso
2018-01-05 17:52 ` Phil Sutter
2018-01-09 23:31 ` Pablo Neira Ayuso
2018-01-10 4:46 ` mark diener
2018-01-10 10:39 ` Phil Sutter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171220123225.GS32305@orbyte.nwl.cc \
--to=phil@nwl.cc \
--cc=fw@strlen.de \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).