Thomas Haller <thaller@xxxxxxxxxx> wrote:
> What is the correct JSON syntax for printing a chain?

That's the problem, the chain has no user-visible name :-)

It's a shortcut syntax alias. Essentially, this:

meta l4proto { tcp, udp } th dport domain jump {
	ip6 saddr != $private_ip6 counter reject
	accept
}

is the same as

chain $RANDOM_NAME {
	ip6 saddr != $private_ip6 counter reject
	accept
}

meta l4proto { tcp, udp } th dport domain jump $RANDOM_NAME

Except that, if you remove the rule, then the $RANDOM_NAME chain is
deleted as well, and that $RANDOM_NAME is read-only after creation (you
cannot add or remove rules from it).

> For example, for test "tests/shell/testcases/nft-f/sample-ruleset" I
> get the following from `nft -j list ruleset`:
>
> [...]
> {
>   "rule": {
>     "family": "inet",
>     "table": "filter",
>     "chain": "home_input",
>     "handle": 91,
>     "expr": [
>       {
>         "match": {
>           "op": "==",
>           "left": {
>             "meta": {
>               "key": "l4proto"
>             }
>           },
>           "right": {
>             "set": [
>               "tcp",
>               "udp"
>             ]
>           }
>         }
>       },
>       {
>         "match": {
>           "op": "==",
>           "left": {
>             "payload": {
>               "protocol": "th",
>               "field": "dport"
>             }
>           },
>           "right": 53
>         }
>       },
>       "jump {\n\t\t\tip6 saddr != { fd00::/8, fe80::/64 } counter packets 0 bytes 0 reject with icmpv6 port-unreachable\n\t\t\taccept\n\t\t}"
>     ]
>   }
> },
> [...]
>
>
> In `man libnftables-json`, searching for "jump" only gives:
>
> { "jump": { "target": * STRING *}}
>
> Is there an example of how this JSON output should look?

We need to define a new syntax for this case.

I think it would be best to recurse, i.e. something like:

# i.e., make it clear that this is a jump ("left" :) and that the
# target is a complete, anonymous chain with 0 or more rules embedded
# within.

   },
   "jump" : {"chain" : { "rule" : { "family" : "inet", "table": "t", "chain": "c", "handle": 5, "expr": [{"match": {"op": "!=", "left": { "payload": { "protocol": "ip6", "field": "saddr"}}, "right": { "set": [{"prefix": {"addr": "fd00::", "len": 8}}, { ....