Hi Arturo,

On Tue, Dec 31, 2013 at 07:40:02PM +0100, Arturo Borrero Gonzalez wrote:
> This patch adds the following operation:
>
> :~# nft list ruleset [xml|json]
>
> With this, you can backup your current ruleset in 3 formats:
> * nft standard/default
> * xml
> * json

This feature is nice. I'd prefer if we use the following syntax:

nft export <xml|json>

So you can implement:

nft import <xml|json> filename

with the new nft_*_parse_file() function that you posted.

> The XML/JSON output is provided raw by libnftables, thus without format.
> In case of XML, you can give format with the `xmllint' tool from libxml2-tools:
> :~# nft list ruleset xml | xmllint --format -
> In case of JSON, you can use `json_pp' from the perl standard package:
> :~# nft list ruleset json | json_pp
>
> Exporting your ruleset gives the possibility of a later import. In default
> nft format, the workflow is as follows:
>
> :~# nft list ruleset > ruleset.nft
> :~# nft -f ruleset.nft
>
> In XML/JSON format, the import operation is currently under development.
>
> About this implementation:
>
> By now, `struct netlink_ctx' can't handle a complete ruleset, so the ruleset
> listing operation is done as follows.
>
> if XML/JSON:
> * Obtain the ruleset from the kernel, 4 queries (one per object type),
>   using NFPROTO_UNSPEC. Note that this requires sets to be fetched with
>   NFPROTO_UNSPEC. This is an incoming kernel patch.
> * Call libnftables's nft_ruleset_fprintf() directly.
>
> if default nft format:
> * Obtain tables from kernel, using NFPROTO_UNSPEC (one netlink query).
> * Iterate these obtained tables calling recursively do_command_list(). This is
>   done by filling a temporal netlink_ctx, and using it as an index.
> * Proceed normally as when listing one single table (several netlink queries).
>
> I would prefer to have just one path to print the ruleset, but I can't avoid
> modifying netlink_ctx, and it seems a major change to me.

This patch looks relatively small and non-intrusive to the nft internal
structure; I think this is the way to go.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
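The export/import workflow quoted above (`nft list ruleset > ruleset.nft`, then `nft -f ruleset.nft`) is what an operator needs to take a known-good snapshot of the firewall before touching it and to get back to that state if a new ruleset fails to load. The script below is an added example for this thread, not code from Arturo's patch or from the nft project: it only relies on the two commands shown in the mail, and the `NFT` variable (an assumption, defaulting to the `nft` binary) exists so the flow can be exercised against a stub without a live kernel.

```shell
#!/bin/sh
# Added example (not part of the original mail): snapshot the live ruleset in
# nft's native format before a change and roll back to it if the change does
# not load. Uses only `nft list ruleset` and `nft -f <file>` as shown in the
# thread. NFT is an assumed variable so the functions can be tested with a stub.
NFT="${NFT:-nft}"

# Save the current ruleset to the file given as $1.
# Refuses an empty snapshot: restoring an empty file later would silently
# leave the host with no firewall rules at all.
snapshot_ruleset() {
    out="$1"
    "$NFT" list ruleset > "$out" || return 1
    if [ ! -s "$out" ]; then
        echo "snapshot $out is empty, refusing to use it as a backup" >&2
        return 1
    fi
    return 0
}

# Load the new ruleset file $1. If nft rejects it, reload the snapshot $2 so
# the previous rules are back in place. Returns 0 only when the new file loaded.
apply_with_rollback() {
    new="$1"
    backup="$2"
    if "$NFT" -f "$new"; then
        return 0
    fi
    echo "loading $new failed, restoring $backup" >&2
    "$NFT" -f "$backup" || echo "restoring $backup failed as well" >&2
    return 1
}

# Typical use (run as root on a host with nft):
#   snapshot_ruleset /var/backups/ruleset.nft && \
#       apply_with_rollback /etc/nftables/new-ruleset.nft /var/backups/ruleset.nft
```

The rollback step is only as good as the snapshot it reloads, which is why `snapshot_ruleset` refuses to continue when `nft list ruleset` produced nothing; the same check is worth keeping once the XML/JSON import path lands, since a raw export from libnftables can just as easily be empty.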