* [PATCH nft v2] json: add set statement list support
@ 2022-09-01 10:31 Fernando Fernandez Mancera
2022-09-01 12:46 ` Pablo Neira Ayuso
2022-09-03 14:06 ` Pablo Neira Ayuso
0 siblings, 2 replies; 4+ messages in thread
From: Fernando Fernandez Mancera @ 2022-09-01 10:31 UTC (permalink / raw)
To: netfilter-devel; +Cc: Fernando Fernandez Mancera
When listing a set with statements with JSON support, the statements were
ignored.
Output example:
{
"set": {
"op": "add",
"elem": {
"payload": {
"protocol": "ip",
"field": "saddr"
}
},
"stmt": [
{
"limit": {
"rate": 10,
"burst": 5,
"per": "second"
}
},
{
"counter": {
"packets": 0,
"bytes": 0
}
}
],
"set": "@my_ssh_meter"
}
}
Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1495
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
---
v2: extend testcases
---
src/json.c | 19 +++++++++++-
src/parser_json.c | 29 ++++++++++++++++++-
.../shell/testcases/json/0001set_statements_0 | 9 ++++++
.../json/dumps/0001set_statements_0.nft | 12 ++++++++
4 files changed, 67 insertions(+), 2 deletions(-)
create mode 100755 tests/shell/testcases/json/0001set_statements_0
create mode 100644 tests/shell/testcases/json/dumps/0001set_statements_0.nft
diff --git a/src/json.c b/src/json.c
index a525fd1b..55959eea 100644
--- a/src/json.c
+++ b/src/json.c
@@ -1439,11 +1439,28 @@ json_t *counter_stmt_json(const struct stmt *stmt, struct output_ctx *octx)
"bytes", stmt->counter.bytes);
}
+static json_t *set_stmt_list_json(const struct list_head *stmt_list,
+ struct output_ctx *octx)
+{
+ json_t *root, *tmp;
+ struct stmt *i;
+
+ root = json_array();
+
+ list_for_each_entry(i, stmt_list, list) {
+ tmp = stmt_print_json(i, octx);
+ json_array_append_new(root, tmp);
+ }
+
+ return root;
+}
+
json_t *set_stmt_json(const struct stmt *stmt, struct output_ctx *octx)
{
- return json_pack("{s:{s:s, s:o, s:s+}}", "set",
+ return json_pack("{s:{s:s, s:o, s:o, s:s+}}", "set",
"op", set_stmt_op_names[stmt->set.op],
"elem", expr_print_json(stmt->set.key, octx),
+ "stmt", set_stmt_list_json(&stmt->set.stmt_list, octx),
"set", "@", stmt->set.set->set->handle.set.name);
}
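Review bot: set_stmt_list_json() is always attached, so a set statement without statements now lists as `"stmt": []` where it previously had no "stmt" key at all, and anything that compares listing output against its input (tests/py does exactly this) will flag a mismatch. Suggest emitting the key only when the list is non-empty, e.g. build the inner object with json_pack() as before and then `if (!list_empty(&stmt->set.stmt_list)) json_object_set_new(root, "stmt", set_stmt_list_json(&stmt->set.stmt_list, octx));`. Related: the commit message's example prints a counter with "packets"/"bytes", but the statements in this list are templates applied to each set element, not live objects, so the printer should respect the stateless output mode (octx) rather than emitting run-time state that has no meaning here.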
diff --git a/src/parser_json.c b/src/parser_json.c
index 9e93927a..a8dbb890 100644
--- a/src/parser_json.c
+++ b/src/parser_json.c
@@ -2227,13 +2227,36 @@ static struct stmt *json_parse_reject_stmt(struct json_ctx *ctx,
return stmt;
}
+static void json_parse_set_stmt_list(struct json_ctx *ctx,
+ struct list_head *stmt_list,
+ json_t *stmt_json)
+{
+ struct list_head *head;
+ struct stmt *tmp;
+ json_t *value;
+ size_t index;
+
+ if (!stmt_json)
+ return;
+
+ if (!json_is_array(stmt_json))
+ json_error(ctx, "Unexpected object type in stmt");
+
+ head = stmt_list;
+ json_array_foreach(stmt_json, index, value) {
+ tmp = json_parse_stmt(ctx, value);
+ list_add(&tmp->list, head);
+ head = &tmp->list;
+ }
+}
+
static struct stmt *json_parse_set_stmt(struct json_ctx *ctx,
const char *key, json_t *value)
{
const char *opstr, *set;
struct expr *expr, *expr2;
+ json_t *elem, *stmt_json;
struct stmt *stmt;
- json_t *elem;
int op;
if (json_unpack_err(ctx, value, "{s:s, s:o, s:s}",
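Review bot: json_parse_set_stmt_list() carries on after an error and can dereference NULL. When `stmt_json` is not an array the code calls json_error() but does not return; json_array_foreach() happens to iterate zero times on a non-array, so the malformed "stmt" is silently accepted rather than rejected. Worse, json_parse_stmt() returns NULL for a statement it cannot parse, and `list_add(&tmp->list, head)` then dereferences it. Suggest giving the helper an int return, returning -1 right after the json_error(), and checking every element: `tmp = json_parse_stmt(ctx, value); if (!tmp) return -1; list_add_tail(&tmp->list, stmt_list);`. list_add_tail() also removes the hand-rolled `head` cursor, which is just an open-coded tail insertion.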
@@ -2268,6 +2291,10 @@ static struct stmt *json_parse_set_stmt(struct json_ctx *ctx,
stmt->set.op = op;
stmt->set.key = expr;
stmt->set.set = expr2;
+
+ if (!json_unpack(value, "{s:o}", "stmt", &stmt_json))
+ json_parse_set_stmt_list(ctx, &stmt->set.stmt_list, stmt_json);
+
return stmt;
}
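Review bot: treating "stmt" as optional is right for compatibility with rulesets written before this change, but since json_parse_set_stmt_list() has no way to report failure, a set statement whose "stmt" member is malformed is still returned as valid from here. If the helper is changed to return an error, this site should propagate it and release the statement, e.g. `if (json_parse_set_stmt_list(ctx, &stmt->set.stmt_list, stmt_json) < 0) { stmt_free(stmt); return NULL; }`. This also assumes `stmt->set.stmt_list` was initialised by the allocator that produced `stmt`, which is outside the hunk and worth confirming, since list_add() on an uninitialised list head is undefined.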
diff --git a/tests/shell/testcases/json/0001set_statements_0 b/tests/shell/testcases/json/0001set_statements_0
new file mode 100755
index 00000000..1c72d35b
--- /dev/null
+++ b/tests/shell/testcases/json/0001set_statements_0
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+set -e
+
+$NFT flush ruleset
+
+RULESET='{"nftables": [{"metainfo": {"version": "1.0.5", "release_name": "Lester Gooch #4", "json_schema_version": 1}}, {"table": {"family": "ip", "name": "testt", "handle": 3}}, {"set": {"family": "ip", "name": "ssh_meter", "table": "testt", "type": "ipv4_addr", "handle": 2, "size": 65535}}, {"chain": {"family": "ip", "table": "testt", "name": "testc", "handle": 1, "type": "filter", "hook": "input", "prio": 0, "policy": "accept"}}, {"rule": {"family": "ip", "table": "testt", "chain": "testc", "handle": 3, "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}}, "right": 22}}, {"match": {"op": "in", "left": {"ct": {"key": "state"}}, "right": "new"}}, {"set": {"op": "add", "elem": {"payload": {"protocol": "ip", "field": "saddr"}}, "stmt": [{"limit": {"rate": 10, "burst": 5, "per": "second"}}], "set": "@ssh_meter"}}, {"accept": null}]}}]}'
+
+$NFT -j -f - <<< $RULESET
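Review bot: the test covers only the parser direction. It loads a ruleset whose set statement carries a single limit under "stmt", and the shell test framework then compares the textual dump, so the json.c half of the patch (set_stmt_json() emitting "stmt" on listing) is never exercised, and neither is a counter statement even though the commit message shows one. Suggest adding a check on the JSON listing, e.g. `$NFT -j list ruleset | grep -q '"stmt"'` or a comparison of the `-j` output against the input with the metainfo object stripped, and a second statement in the list. Minor: `<<< $RULESET` works because bash does not word-split a here-string, but `<<< "$RULESET"` is the conventional quoting and avoids the question.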
diff --git a/tests/shell/testcases/json/dumps/0001set_statements_0.nft b/tests/shell/testcases/json/dumps/0001set_statements_0.nft
new file mode 100644
index 00000000..ee4a8670
--- /dev/null
+++ b/tests/shell/testcases/json/dumps/0001set_statements_0.nft
@@ -0,0 +1,12 @@
+table ip testt {
+ set ssh_meter {
+ type ipv4_addr
+ size 65535
+ flags dynamic
+ }
+
+ chain testc {
+ type filter hook input priority filter; policy accept;
+ tcp dport 22 ct state new add @ssh_meter { ip saddr limit rate 10/second } accept
+ }
+}
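Review bot: two details of the expected dump are implied rather than stated by the input, and a reader of the fixture cannot tell whether they are intended. The set is printed with `flags dynamic` although the JSON set object in the test script has no "flags" member, and the rule prints `limit rate 10/second` without the `burst 5` given in the input (5 packets is the default burst, so the printer omits it). Both are fine, but adding `"flags": ["dynamic"]` to the set object in the script would make the fixture self-explanatory instead of relying on the flag being supplied for it.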
--
2.30.2
* Re: [PATCH nft v2] json: add set statement list support
2022-09-01 10:31 [PATCH nft v2] json: add set statement list support Fernando Fernandez Mancera
@ 2022-09-01 12:46 ` Pablo Neira Ayuso
2022-09-03 14:06 ` Pablo Neira Ayuso
1 sibling, 0 replies; 4+ messages in thread
From: Pablo Neira Ayuso @ 2022-09-01 12:46 UTC (permalink / raw)
To: Fernando Fernandez Mancera; +Cc: netfilter-devel
On Thu, Sep 01, 2022 at 12:31:43PM +0200, Fernando Fernandez Mancera wrote:
> When listing a set with statements with JSON support, the statements were
> ignored.
>
> Output example:
>
> {
> "set": {
> "op": "add",
> "elem": {
> "payload": {
> "protocol": "ip",
> "field": "saddr"
> }
> },
> "stmt": [
> {
> "limit": {
> "rate": 10,
> "burst": 5,
> "per": "second"
> }
> },
> {
> "counter": {
> "packets": 0,
> "bytes": 0
> }
> }
> ],
> "set": "@my_ssh_meter"
> }
> }
Applied, thanks
* Re: [PATCH nft v2] json: add set statement list support
2022-09-01 10:31 [PATCH nft v2] json: add set statement list support Fernando Fernandez Mancera
2022-09-01 12:46 ` Pablo Neira Ayuso
@ 2022-09-03 14:06 ` Pablo Neira Ayuso
2022-09-04 11:22 ` Fernando F. Mancera
1 sibling, 1 reply; 4+ messages in thread
From: Pablo Neira Ayuso @ 2022-09-03 14:06 UTC (permalink / raw)
To: Fernando Fernandez Mancera; +Cc: netfilter-devel
On Thu, Sep 01, 2022 at 12:31:43PM +0200, Fernando Fernandez Mancera wrote:
> When listing a set with statements with JSON support, the statements were
> ignored.
>
> Output example:
>
> {
> "set": {
> "op": "add",
> "elem": {
> "payload": {
> "protocol": "ip",
> "field": "saddr"
> }
> },
> "stmt": [
> {
> "limit": {
> "rate": 10,
> "burst": 5,
> "per": "second"
> }
> },
> {
> "counter": {
> "packets": 0,
> "bytes": 0
> }
> }
> ],
> "set": "@my_ssh_meter"
> }
> }
ip/sets.t: WARNING: line 53: '{"nftables": [{"add": {"rule": {"table": "test-ip4", "chain": "input", "family": "ip", "expr": [{"set": {"set": "@set5", "elem": {"concat": [{"payload": {"field": "saddr", "protocol": "ip"}}, {"payload": {"field": "daddr", "protocol": "ip"}}]}, "op": "add"}}]}}}]}': '[{"set": {"elem": {"concat": [{"payload": {"field": "saddr", "protocol": "ip"}}, {"payload": {"field": "daddr", "protocol": "ip"}}]}, "op": "add", "set": "@set5"}}]' mismatches '[{"set": {"elem": {"concat": [{"payload": {"field": "saddr", "protocol": "ip"}}, {"payload": {"field": "daddr", "protocol": "ip"}}]}, "op": "add", "set": "@set5", "stmt": []}}]'
tests/py in nftables reports this warning.
I think it should be possible not to print "stmt" if it is empty.
Please follow up with an incremental patch to address this.
Thanks.
* Re: [PATCH nft v2] json: add set statement list support
2022-09-03 14:06 ` Pablo Neira Ayuso
@ 2022-09-04 11:22 ` Fernando F. Mancera
0 siblings, 0 replies; 4+ messages in thread
From: Fernando F. Mancera @ 2022-09-04 11:22 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
On 9/3/22 16:06, Pablo Neira Ayuso wrote:
> On Thu, Sep 01, 2022 at 12:31:43PM +0200, Fernando Fernandez Mancera wrote:
>> When listing a set with statements with JSON support, the statements were
>> ignored.
>>
>> Output example:
>>
>> {
>> "set": {
>> "op": "add",
>> "elem": {
>> "payload": {
>> "protocol": "ip",
>> "field": "saddr"
>> }
>> },
>> "stmt": [
>> {
>> "limit": {
>> "rate": 10,
>> "burst": 5,
>> "per": "second"
>> }
>> },
>> {
>> "counter": {
>> "packets": 0,
>> "bytes": 0
>> }
>> }
>> ],
>> "set": "@my_ssh_meter"
>> }
>> }
>
> ip/sets.t: WARNING: line 53: '{"nftables": [{"add": {"rule": {"table": "test-ip4", "chain": "input", "family": "ip", "expr": [{"set": {"set": "@set5", "elem": {"concat": [{"payload": {"field": "saddr", "protocol": "ip"}}, {"payload": {"field": "daddr", "protocol": "ip"}}]}, "op": "add"}}]}}}]}': '[{"set": {"elem": {"concat": [{"payload": {"field": "saddr", "protocol": "ip"}}, {"payload": {"field": "daddr", "protocol": "ip"}}]}, "op": "add", "set": "@set5"}}]' mismatches '[{"set": {"elem": {"concat": [{"payload": {"field": "saddr", "protocol": "ip"}}, {"payload": {"field": "daddr", "protocol": "ip"}}]}, "op": "add", "set": "@set5", "stmt": []}}]'
>
> tests/py in nftables reports this warning.
>
> I think it should be possible not to print "stmt" if it is empty.
Ugh, I missed it. Yes, it is possible. In addition, I noticed when
generating the JSON output the statements in the list should be
stateless. I will send a patch for both problems.
Thank you,
Fernando.
>
> Please follow up with an incremental patch to address this.
>
> Thanks.
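The mismatch Pablo reports above (a set statement listed with `"stmt": []` where the input had no "stmt" key) and the stateless point in Fernando's reply are both things that any tool consuming `nft -j list ruleset` has to cope with, since the two shapes come from different nft versions. The following Python is an added example written for this page, not code from nftables or from the thread: it normalises a rule's "expr" array so that an absent and an empty "stmt" list compare equal and so that run-time counter state is discarded before comparison. The sample arrays are constructed from the shapes quoted in this thread; the `{"counter": null}` form is how nft renders a counter in stateless output, and treating only the counter as stateful is an assumption of this example, not a rule of the JSON format.

```python
"""Normalise nft JSON rule expressions for comparison.

Added example: handles the absent-vs-empty "stmt" list on set statements
and strips run-time counter state so that two listings of the same rule
compare equal regardless of which nft produced them.
"""
import copy
import json

# Constructed sample input (not taken from the nft test suite): the two
# shapes of the same rule expression that tests/py flagged as mismatching,
# plus a set statement carrying a limit and a stateful counter like the one
# in the commit message. Each is what `nft -j list ruleset` puts in "expr".
BEFORE_PATCH = json.loads(
    '[{"set": {"elem": {"concat": [{"payload": {"field": "saddr", "protocol": "ip"}},'
    ' {"payload": {"field": "daddr", "protocol": "ip"}}]}, "op": "add", "set": "@set5"}}]'
)
AFTER_PATCH = json.loads(
    '[{"set": {"elem": {"concat": [{"payload": {"field": "saddr", "protocol": "ip"}},'
    ' {"payload": {"field": "daddr", "protocol": "ip"}}]}, "op": "add", "set": "@set5",'
    ' "stmt": []}}]'
)
METER_RULE = json.loads(
    '[{"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}},'
    ' "right": 22}},'
    ' {"set": {"op": "add", "elem": {"payload": {"protocol": "ip", "field": "saddr"}},'
    ' "stmt": [{"limit": {"rate": 10, "burst": 5, "per": "second"}},'
    ' {"counter": {"packets": 1234, "bytes": 56789}}], "set": "@my_ssh_meter"}},'
    ' {"accept": null}]'
)


def set_stmts(expr):
    """Yield (set name, statement list) for every set statement in a rule's
    "expr" array. A missing "stmt" key and an empty list are both reported
    as [] so callers need not care which nft version produced the output."""
    for item in expr:
        if isinstance(item, dict) and "set" in item:
            body = item["set"]
            yield body["set"], list(body.get("stmt") or [])


def stateless(stmt):
    """Return a copy of one statement with run-time state removed.

    Assumption of this example: only the counter statement carries state
    worth stripping here; nft's stateless listing prints it as
    {"counter": null}. Any other statement is returned unchanged."""
    if isinstance(stmt, dict) and "counter" in stmt:
        return {"counter": None}
    return copy.deepcopy(stmt)


def normalize_expr(expr):
    """Canonical form of a rule's "expr" array for comparisons: empty "stmt"
    lists on set statements are dropped (so absent == []) and the remaining
    statements are made stateless. The input is not modified."""
    out = []
    for item in copy.deepcopy(expr):
        if isinstance(item, dict) and "set" in item:
            body = item["set"]
            stmts = [stateless(s) for s in body.get("stmt") or []]
            if stmts:
                body["stmt"] = stmts
            else:
                body.pop("stmt", None)
        out.append(item)
    return out


def same_rule(a, b):
    """True when two "expr" arrays describe the same rule modulo counter
    state and the empty-"stmt" representation. Key order does not matter
    because parsed objects, not serialised text, are compared."""
    return normalize_expr(a) == normalize_expr(b)


if __name__ == "__main__":
    # The pair from the tests/py warning compares equal once normalised.
    print(same_rule(BEFORE_PATCH, AFTER_PATCH))
    # Statement lists with state stripped, per set.
    for name, stmts in set_stmts(METER_RULE):
        print(name, json.dumps([stateless(s) for s in stmts]))
```

A tool that diffs a deployed ruleset against a stored one should compare `normalize_expr()` output rather than the raw arrays; otherwise an nft upgrade that starts (or stops) emitting an empty "stmt" list shows up as a spurious change on every rule that feeds a dynamic set.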