From: Phil Sutter <phil@nwl.cc>
To: Florian Westphal <fw@strlen.de>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH nft 2/5] parser_json: move list_add into json_parse_cmd
Date: Thu, 7 Mar 2024 16:52:53 +0100 [thread overview]
Message-ID: <Zeni1X75HHJYpu_l@orbyte.nwl.cc> (raw)
In-Reply-To: <20240307151005.GM4420@breakpoint.cc>
On Thu, Mar 07, 2024 at 04:10:05PM +0100, Florian Westphal wrote:
> Phil Sutter <phil@nwl.cc> wrote:
> > > Problem is that the json input parser does cmd_add at the earliest opportunity.
> > >
> > > For a simple input file defining a table, set, set element and chain, we get
> > > following transaction:
> > > * add table
> > > * add set
> > > * add setelem
> > > * add chain
> > >
> > > This is rejected by the kernel, because the set element references a chain
> > > that does (not yet) exist.
> > >
> > > Normal input parser only allocates a CMD_ADD request for the table.
> > >
> > > Rest of the transactional commands are created much later, via nft_cmd_expand(),
> > > which walks "struct table" and then creates the needed CMD_ADD for the objects
> > > owned by that table.
> >
> > JSON parser simply does not support nested syntax, like, for instance:
>
> You mean, WONTFIX? Fine with me.
Not quite, I see the problem you're trying to solve in patch 5. Sorting
elements in the JSON "nftables" array properly for later insertion may
become a non-trivial task given how maps and rules may refer to chains.
So IIUC, JSON parser will now collapse all new ruleset items into a tree
and use the existing nft_cmd_expand() to split things up again. This may
impose significant overhead depending on input data (bogus/OpenShift use
cases involving many chains maybe) on one hand, on the other might allow
for overhead elimination in other cases (e.g. long lists of 'add
element' commands for different sets in alternating fashion).
We may want to do this for standard syntax as well if the benefits
outweigh the downsides. Thus generalize the JSON-specific helpers you
wrote for use within bison parser, too?
An alternative might be to reorder code in table_print_json_full(),
copying what nft_cmd_expand() does for CMD_OBJ_TABLE. AIUI, it should
solve the current issue of failing 'nft -j list ruleset | nft -j -f -'
for special cases.
Cheers, Phil
next prev parent reply other threads:[~2024-03-07 15:52 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-07 12:26 [PATCH nft 0/5] parser_json: fix up transaction ordering Florian Westphal
2024-03-07 12:26 ` [PATCH nft 1/5] parser_json: move some code around Florian Westphal
2024-03-07 12:26 ` [PATCH nft 2/5] parser_json: move list_add into json_parse_cmd Florian Westphal
2024-03-07 14:31 ` Phil Sutter
2024-03-07 15:10 ` Florian Westphal
2024-03-07 15:52 ` Phil Sutter [this message]
2024-03-07 16:44 ` Florian Westphal
2024-03-07 17:58 ` Phil Sutter
2024-03-07 12:26 ` [PATCH nft 3/5] parser_json: add and use CMD_ERR helpers Florian Westphal
2024-03-07 12:26 ` [PATCH nft 4/5] parser_json: defer command allocation to nft_cmd_expand Florian Westphal
2024-03-07 12:26 ` [PATCH nft 5/5] tests: shell: add more json-nft dumps Florian Westphal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Zeni1X75HHJYpu_l@orbyte.nwl.cc \
--to=phil@nwl.cc \
--cc=fw@strlen.de \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).