From: Phil Sutter <phil@nwl.cc>
To: Florian Westphal <fw@strlen.de>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH nft 2/5] parser_json: move list_add into json_parse_cmd
Date: Thu, 7 Mar 2024 15:31:59 +0100 [thread overview]
Message-ID: <ZenP32bq9xtJglJQ@orbyte.nwl.cc> (raw)
In-Reply-To: <20240307122640.29507-3-fw@strlen.de>
Hi Florian,
On Thu, Mar 07, 2024 at 01:26:32PM +0100, Florian Westphal wrote:
> The existing parser cannot handle certain inputs. Example:
>
> "map": {
>   "family": "ip",
>   "name": "testmap",
>   "table": "test",
>   "type": "ipv4_addr",
>   "handle": 2,
>   "map": "verdict",
>   "elem": [ [ "*", {
>     "jump": {
>       "target": "testchain"
>       [..]
> },
> {
>   "chain": {
>     "family": "ip",
>     "table": "test",
>     "name": "testchain",
>     ...
>
> Problem is that the json input parser does cmd_add at the earliest opportunity.
>
> For a simple input file defining a table, set, set element and chain, we get
> the following transaction:
> * add table
> * add set
> * add setelem
> * add chain
>
> This is rejected by the kernel, because the set element references a chain
> that does (not yet) exist.
>
> Normal input parser only allocates a CMD_ADD request for the table.
>
> Rest of the transactional commands are created much later, via nft_cmd_expand(),
> which walks "struct table" and then creates the needed CMD_ADD for the objects
> owned by that table.
JSON parser simply does not support nested syntax, like, for instance:
| table test {
|   map testmap {
|     type ipv4_addr : verdict
|     elements = {
|       "*" : jump testchain
|     }
|   }
|   chain testchain {
|   }
| }
Your example above is equivalent to the following in standard syntax:
| add table t
| add map t m { type ipv4_addr : verdict; elements = { 10.0.0.1 : jump mychain }; }
| add chain t mychain
It is rejected by nft as well:
| /tmp/input.nft:2:54-61: Error: Could not process rule: No such file or directory
| add map t m { type ipv4_addr : verdict; elements = { 10.0.0.1 : jump mychain }; }
| ^^^^^^^^
(Note the wrong marker position, an unrelated bug it seems.)
If I swap the 'add map' and 'add chain' commands in input, it is
accepted.
Cheers, Phil
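To make the ordering problem from the patch description concrete, here is an added Python example (not code from nft or from anyone in this thread) that replays both transaction orders against a constructed ruleset modelled on the quoted JSON and reports the first jump target that is referenced before its chain exists; the expand-style ordering is a simplified rank sort, not the real nft_cmd_expand() walk over struct table.

```python
import json

# Constructed ruleset modelled on the JSON quoted in the thread (not the
# actual test file from the patch): the verdict map element jumps to a
# chain that is defined only later in the input.
RULESET = json.loads("""
{"nftables": [
  {"table": {"family": "ip", "name": "test"}},
  {"map": {"family": "ip", "table": "test", "name": "testmap",
           "type": "ipv4_addr", "map": "verdict",
           "elem": [["*", {"jump": {"target": "testchain"}}]]}},
  {"chain": {"family": "ip", "table": "test", "name": "testchain"}}
]}
""")


def naive_transaction(ruleset):
    """Old parser behaviour: one 'add' per object in input order, with
    set/map elements queued right after their container."""
    cmds = []
    for obj in ruleset["nftables"]:
        kind, spec = next(iter(obj.items()))
        cmds.append(("add", kind, spec))
        for elem in spec.get("elem", []):
            cmds.append(("add", "element", {"set": spec["name"], "elem": elem}))
    return cmds


def expanded_transaction(ruleset):
    """Simplified nft_cmd_expand()-style order: table, chains, sets/maps,
    then elements last, so every jump target exists before it is used."""
    rank = {"table": 0, "chain": 1, "set": 2, "map": 2}
    return sorted(naive_transaction(ruleset), key=lambda c: rank.get(c[1], 3))


def first_dangling_target(cmds):
    """Replay the transaction the way the kernel validates it: return the
    first jump/goto target not yet known when referenced, else None."""
    chains = set()
    for _, kind, spec in cmds:
        if kind == "chain":
            chains.add(spec["name"])
        elif kind == "element" and isinstance(spec["elem"], list):
            verdict = spec["elem"][1]
            target = verdict.get("jump", verdict.get("goto", {})).get("target")
            if target is not None and target not in chains:
                return target
    return None
```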
Thread overview: 11+ messages
2024-03-07 12:26 [PATCH nft 0/5] parser_json: fix up transaction ordering Florian Westphal
2024-03-07 12:26 ` [PATCH nft 1/5] parser_json: move some code around Florian Westphal
2024-03-07 12:26 ` [PATCH nft 2/5] parser_json: move list_add into json_parse_cmd Florian Westphal
2024-03-07 14:31 ` Phil Sutter [this message]
2024-03-07 15:10 ` Florian Westphal
2024-03-07 15:52 ` Phil Sutter
2024-03-07 16:44 ` Florian Westphal
2024-03-07 17:58 ` Phil Sutter
2024-03-07 12:26 ` [PATCH nft 3/5] parser_json: add and use CMD_ERR helpers Florian Westphal
2024-03-07 12:26 ` [PATCH nft 4/5] parser_json: defer command allocation to nft_cmd_expand Florian Westphal
2024-03-07 12:26 ` [PATCH nft 5/5] tests: shell: add more json-nft dumps Florian Westphal