On Thu, Mar 07, 2024 at 05:44:22PM +0100, Florian Westphal wrote:
> Phil Sutter <phil@xxxxxx> wrote:
> > So IIUC, JSON parser will now collapse all new ruleset items into a tree
> > and use the existing nft_cmd_expand() to split things up again. This may
> > impose significant overhead depending on input data (bogus/OpenShift use
> > cases involving many chains maybe) on one hand, on the other might allow
> > for overhead elimination in other cases (e.g. long lists of 'add
> > element' commands for different sets in alternating fashion).
> >
> > We may want to do this for standard syntax as well if the benefits
> > outweigh the downsides. Thus generalize the JSON-specific helpers you
> > wrote for use within bison parser, too?
>
> It tries to do same as bison parser when using nft -f with a standard
> 'list ruleset' input.
>
> A 'batch file' with sequential 'add table x', 'add chain x c' etc.
> does separate 'add' requests. The json parser is supposed to follow
> this, i.e. 'ctx->in_ruleset' is only supposed to be set when this
> is a json listing, not when some input daemon is feeding independent
> add requests.
>
> > An alternative might be to reorder code in table_print_json_full(),
> > copying what nft_cmd_expand() does for CMD_OBJ_TABLE. AIUI, it should
> > solve the current issue of failing 'nft -j list ruleset | nft -j -f -'
> > for special cases.
>
> It's indeed possible to reorder things but I was not sure if there is
> a simple way to do this.

It seems there is! Taking nft_cmd_expand() as an example, all that's
missing for table_print_json_full() is to move (bare) chain listing
first and later list rules only instead of chain + rules. I have a patch
at hand and am currently tickling the testsuite to get things tested. It
should work though, because what nft_cmd_expand() does is proven to
work.

[...]
> If you prefer to resolve it by sorting the output (input) as needed
> please let me know.

I'm more confident with the reordering as it must work. Your approach is
interesting, but it may fail if e.g. input does not contain the table
(user knows it exists already). Though it may still be of value for
other purposes. Also my "reorder output" approach does not cover for
user-compiled input (although one may call PEBKAC there).

Thanks, Phil