[nft PATCH v2] nft: Reject 'export vm json' command

Since libnftnl recently dropped JSON output support, this form of JSON
export is not available anymore. Point at the 'nft -j list ruleset' command
as a replacement in the error message.

Since the 'export' command is not usable anymore, remove it from the
documentation. Instead point out that the 'list ruleset' command serves well
for dumping and later restoring.

To not cause pointless inconvenience for users wishing to store their
ruleset in JSON format, make the JSON parser fall back to CMD_ADD if no
recognized command property is found. This allows feeding the output of
'nft -j list ruleset' into 'nft -f' without any modification.

Signed-off-by: Phil Sutter <phil@xxxxxx>
---
Changes since v1:
- Drop export command from man page.
- Implement fallback in JSON parser.
---
 doc/nft.txt       | 18 +++++++++---------
 src/evaluate.c    |  3 +++
 src/parser_json.c |  4 ++--
 3 files changed, 14 insertions(+), 11 deletions(-)

diff --git a/doc/nft.txt b/doc/nft.txt
index 45af5bb9e7e51..a4ab4a8e5ca0a 100644
--- a/doc/nft.txt
+++ b/doc/nft.txt
@@ -9,7 +9,7 @@ nft - Administration tool of the nftables framework for packet filtering and cla
 SYNOPSIS
 --------
 [verse]
-*nft* [ *-nNscaeSupy* ] [ *-I* 'directory' ] [ *-f* 'filename' | *-i* | 'cmd' ...]
+*nft* [ *-nNscaeSupyj* ] [ *-I* 'directory' ] [ *-f* 'filename' | *-i* | 'cmd' ...]
 *nft* *-h*
 *nft* *-v*
 
@@ -74,6 +74,10 @@ For a full summary of options, run *nft --help*.
 	When inserting items into the ruleset using *add*, *insert* or *replace* commands, print notifications
 	just like *nft monitor*.
 
+*-j*::
+*--json*::
+	Format output in JSON. See libnftables-json(5) for a schema description.
+
 *-I*::
 *--includepath directory*::
 	Add the directory 'directory' to the list of directories to be searched for included files. This
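Review bot: the new *-j*/*--json* entry describes output only, but the commit message relies on 'nft -f' reading 'nft -j list ruleset' output back; say in this entry whether -j is also what selects the JSON parser for 'nft -f' input, since a reader of this paragraph cannot tell how a JSON dump is meant to be restored.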
@@ -228,7 +232,6 @@ RULESET
 -------
 [verse]
 {list | flush} *ruleset* ['family']
-export [*ruleset*] 'format'
 
 The *ruleset* keyword is used to identify the whole set of tables, chains, etc.
 currently in place in kernel. The following *ruleset* commands exist:
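Review bot: dropping 'export' from the RULESET synopsis while the evaluate.c hunk in this same patch keeps cmd_evaluate_export (and the parser rule feeding it) leaves a command that is still accepted on the command line but documented nowhere; either state here that 'export' is deprecated and always fails, or remove the command from the grammar in the same series so the man page and the parser agree.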
@@ -241,15 +244,12 @@ all tables and whatever they contain, effectively leading to an empty ruleset -
 no packet filtering will happen anymore, so the kernel accepts any valid packet
 it receives.
 
-*export*:: Print the ruleset in machine readable format. The mandatory 'format'
-parameter may be either xml or json.
-
 It is possible to limit *list* and *flush* to a specific address family only.
 For a list of valid family names, see <<ADDRESS_FAMILIES>> above.
 
-Note that contrary to what one might assume, the output generated by *export* is
-not parseable by *nft -f*. Instead, the output of *list* command serves well for
-that purpose.
+By design, *list ruleset* command output may be used as input to *nft -f*.
+Effectively, this is the nft-equivalent of *iptables-save* and
+*iptables-restore*.
 
 TABLES
 ------
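Review bot: the replacement paragraph only says that plain *list ruleset* output round-trips through *nft -f*, yet the stated aim of this patch is that 'nft -j list ruleset' output does too; add a sentence that the JSON form is accepted by *nft -f* as well, otherwise the man page still gives no hint that JSON dumps can be restored. Minor: "By design, *list ruleset* command output may be used" reads better as "By design, the output of *list ruleset* may be used".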
@@ -783,7 +783,7 @@ Netlink socket with 3.
 SEE ALSO
 --------
 [verse]
-iptables(8), ip6tables(8), arptables(8), ebtables(8), ip(8), tc(8)
+libnftables(3), libnftables-json(5), iptables(8), ip6tables(8), arptables(8), ebtables(8), ip(8), tc(8)
 
 There is an official wiki at: https://wiki.nftables.org
 
diff --git a/src/evaluate.c b/src/evaluate.c
index c0edf8f6e7702..fc0eabd0adad0 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -3804,6 +3804,9 @@ static int cmd_evaluate_export(struct eval_ctx *ctx, struct cmd *cmd)
 	if (cmd->markup->format == __NFT_OUTPUT_NOTSUPP)
 		return cmd_error(ctx, &cmd->location,
 				 "this output type is not supported");
+	else if (cmd->markup->format == NFTNL_OUTPUT_JSON)
+		return cmd_error(ctx, &cmd->location,
+				 "JSON export is no longer supported, use 'nft -j list ruleset' instead");
 
 	return cache_update(ctx->nft, cmd->op, ctx->msgs);
 }
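Review bot: if xml (the __NFT_OUTPUT_NOTSUPP case) and json are the only formats 'export' accepts, as the man page text removed in this patch implies, the trailing `return cache_update(ctx->nft, cmd->op, ctx->msgs);` is now unreachable and cmd_evaluate_export can never succeed; rather than leave a dead success path, drop the export command entirely (parser rule, cmd struct, this function) or explain in the commit message why it is kept. Style: the `else` after `return cmd_error(...)` is redundant, a plain `if` keeps the two checks parallel.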
diff --git a/src/parser_json.c b/src/parser_json.c
index 1c4aedee4657d..ab3000c09162e 100644
--- a/src/parser_json.c
+++ b/src/parser_json.c
@@ -3301,8 +3301,8 @@ static struct cmd *json_parse_cmd(struct json_ctx *ctx, json_t *root)
 
 		return parse_cb_table[i].cb(ctx, tmp, parse_cb_table[i].op);
 	}
-	json_error(ctx, "Unknown command object.");
-	return NULL;
+	/* to accept 'list ruleset' output 1:1, try add command */
+	return json_parse_cmd_add(ctx, root, CMD_ADD);
 }
 
 static int json_verify_metainfo(struct json_ctx *ctx, json_t *root)
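Review bot: the fallback removes the only diagnostic for a misspelled command keyword: an object such as {"delte": {...}} is no longer rejected with "Unknown command object." but handed to json_parse_cmd_add, and whatever error that path reports will not point at the real mistake. Consider taking the fallback only when the object's property is one of the object types json_parse_cmd_add handles (table, chain, rule, ...) and keeping the json_error() otherwise; 'list ruleset' output is still accepted 1:1, since it only ever contains such bare objects.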
-- 
2.19.0
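The dispatch-with-fallback described in the commit message, modelled in Python as an added example (this is not nftables code and does not use libnftables). The command keywords, the object types and the sample ruleset are constructed here, shaped after the nft JSON schema; the exact lists nft accepts are assumptions. `strict=True` is a tighter variant that only falls back to add when the bare property is a known object type, so a typo in a command keyword is still reported.

```python
"""Model of nft's JSON command dispatch with the CMD_ADD fallback."""
import json

# Command keywords the dispatcher recognises (assumed list, modelled on the
# nft JSON input schema; 'export' is deliberately absent).
COMMANDS = ("add", "replace", "create", "insert", "delete", "list",
            "reset", "flush", "rename")

# Object types the add path knows how to create (assumed subset).
OBJECT_TYPES = ("table", "chain", "rule", "set", "map", "element")

# Constructed sample in the shape of 'nft -j list ruleset' output: every
# entry is a bare object without a command wrapper. Handles and values are
# made up for the example.
LIST_RULESET_OUTPUT = json.dumps({"nftables": [
    {"metainfo": {"version": "0.9.0", "release_name": "Fearless Fosdick",
                  "json_schema_version": 1}},
    {"table": {"family": "ip", "name": "filter", "handle": 1}},
    {"chain": {"family": "ip", "table": "filter", "name": "input",
               "handle": 1, "type": "filter", "hook": "input",
               "prio": 0, "policy": "accept"}},
    {"rule": {"family": "ip", "table": "filter", "chain": "input",
              "handle": 2,
              "expr": [{"match": {"left": {"payload": {"protocol": "tcp",
                                                       "field": "dport"}},
                                  "op": "==", "right": 22}},
                       {"accept": None}]}},
]})


class JsonError(ValueError):
    """Stands in for json_error() in the real parser."""


def parse_cmd(obj, strict=False):
    """Return (command, object_type, object) for one ruleset entry.

    Mirrors the patched json_parse_cmd: look for a known command property,
    otherwise treat the bare object as 'add <object>'. With strict=True the
    fallback is only taken for a property naming a known object type, so a
    misspelled command keyword is still rejected.
    """
    for cmd in COMMANDS:
        if cmd in obj:
            (otype, body), = obj[cmd].items()
            return cmd, otype, body
    # No recognised command property: fall back to CMD_ADD.
    (key, value), = obj.items()
    if strict and key not in OBJECT_TYPES:
        raise JsonError("Unknown command object: %r" % key)
    return "add", key, value


def parse_ruleset(text, strict=False):
    """Parse a whole JSON ruleset, skipping the metainfo entry."""
    root = json.loads(text)
    cmds = []
    for entry in root["nftables"]:
        if "metainfo" in entry:
            continue  # verified separately in the real parser
        cmds.append(parse_cmd(entry, strict))
    return cmds


def rejects(obj, strict=False):
    """True if parse_cmd raises JsonError for obj."""
    try:
        parse_cmd(obj, strict)
    except JsonError:
        return True
    return False


if __name__ == "__main__":
    for cmd, otype, body in parse_ruleset(LIST_RULESET_OUTPUT):
        print(cmd, otype, body.get("name", body.get("handle")))
    typo = {"delte": {"table": {"family": "ip", "name": "filter"}}}
    print("lenient:", parse_cmd(typo)[:2], "strict rejects:",
          rejects(typo, strict=True))
```

Feeding the constructed dump through `parse_ruleset` yields three add commands (table, chain, rule), which is the 1:1 round-trip the patch aims for; the `typo` case shows the cost of the unconditional fallback, since `{"delte": ...}` silently becomes an add of an object type called "delte" unless `strict` is set.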