On 18/03/2022 15:21, Francisco Albani wrote:
Hi!
Hi Francisco,
I was translating some nft cli bash scripts to python and tried to apply what I learned in https://man.archlinux.org/man/extra/nftables/libnftables-json.5.en , but I could not make it work. I made a repo with the minimal example that shows the difference: https://github.com/franalbani/nftableson
I also have an issue with the netdev/device part.

I believe it would be better if you described the issue directly in the message rather than linking to a git repository. Let me describe the netdev/device part:
Calling nft_run_cmd_from_buffer with JSON as input, for the command "add chain netdev table_name chain_name {type filter hook filter device existing_device priority 0 ; policy drop ;}", returns the following error: "internal:0:0-0: Error: Could not process rule: No such file or directory". The same command, given as non-JSON input works.
I do not fully understand yet what json_parse_cmd_add_chain is doing with the "dev" part of the object, I'm only 30 minutes into reading.
I believe this is a bug (in v0.9.3), either in the documentation, or in the nftables code.
There is also the issue of the device of netdev chains not being shown when requesting a JSON output (can be tested with "nft -j list ruleset" when a netdev chain exists). Since the JSON output is loosely documented, I don't know whether we can call this a bug. Either way, it's quite annoying for me because I'd like to rely on the device to select chains to delete when scripting firewalling. I believe the JSON output should show the device(s) for netdev chains.
If the issue is coming from json_parse_cmd_add_chain, and looking at the diff between v0.9.3 and v1.0.2, I believe this isn't fixed in v1.0.2 since nothing related to the "dev" parameter was changed.
I'll try to investigate further until a maintainer takes a look at this (they'd be far more efficient than me, as I know nothing about nftables internals).
-- Léo
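An added example (not code from the thread or from the nftables project) of the two scripting steps discussed above: building the JSON "add chain" object for a netdev base chain the way libnftables-json(5) lays it out, and selecting chains by device from a `nft -j list ruleset` document without silently treating a missing "dev" key as "no device". The hook is "ingress", since that is what netdev chains attach to; the helper names, the table/chain/device names and the sample ruleset document are all constructed for this example.

```python
"""Helpers for scripting netdev chains through the libnftables JSON API.

Added example, not code from the mailing-list thread. Object layouts follow
libnftables-json(5). The sample ruleset below is constructed, not captured
from a real system.
"""
import json


def build_add_chain_cmd(table, chain, device, priority=0, policy="drop"):
    """Return the JSON command object for adding a netdev base chain."""
    return {
        "nftables": [
            {"add": {"chain": {
                "family": "netdev",
                "table": table,
                "name": chain,
                "type": "filter",
                "hook": "ingress",   # netdev chains hook at ingress
                "dev": device,
                "prio": priority,
                "policy": policy,
            }}}
        ]
    }


def netdev_chains(ruleset):
    """Yield (chain_obj, device_or_None) for every netdev chain in a
    `nft -j list ruleset` style document. device is None when the listing
    carries no "dev" key; scripts must treat that as 'unknown', not 'no device'."""
    for item in ruleset.get("nftables", []):
        chain = item.get("chain")
        if chain and chain.get("family") == "netdev":
            yield chain, chain.get("dev")


def select_chains_by_device(ruleset, device):
    """Return (matching, unknown): chains bound to `device`, and netdev
    chains whose device the listing did not expose."""
    matching, unknown = [], []
    for chain, dev in netdev_chains(ruleset):
        if dev is None:
            unknown.append(chain)
        elif dev == device:
            matching.append(chain)
    return matching, unknown


def build_delete_chain_cmd(chains):
    """Return one JSON command deleting the given chain objects."""
    return {"nftables": [
        {"delete": {"chain": {"family": c["family"],
                              "table": c["table"],
                              "name": c["name"]}}}
        for c in chains
    ]}


# Constructed sample of a `nft -j list ruleset` document: one chain exposes
# its device, the other does not (the behaviour described in the thread).
SAMPLE_RULESET = json.loads("""
{"nftables": [
  {"metainfo": {"version": "0.9.3", "release_name": "Topsy", "json_schema_version": 1}},
  {"table": {"family": "netdev", "name": "fw", "handle": 1}},
  {"chain": {"family": "netdev", "table": "fw", "name": "in_eth0", "handle": 2,
             "type": "filter", "hook": "ingress", "dev": "eth0", "prio": 0, "policy": "drop"}},
  {"chain": {"family": "netdev", "table": "fw", "name": "in_unknown", "handle": 3,
             "type": "filter", "hook": "ingress", "prio": 0, "policy": "accept"}}
]}
""")


if __name__ == "__main__":
    print(json.dumps(build_add_chain_cmd("fw", "in_eth0", "eth0")))
    matching, unknown = select_chains_by_device(SAMPLE_RULESET, "eth0")
    print("delete:", json.dumps(build_delete_chain_cmd(matching)))
    for c in unknown:
        # Refuse to guess: a chain without "dev" in the listing may or may
        # not be bound to eth0, so it is reported rather than deleted.
        print("device not exposed for chain", c["name"])
```

On a host with the nftables Python bindings, the command objects are submitted with `nftables.Nftables().json_cmd(cmd)`, which returns a `(rc, output, error)` triple; the listing document passed to `select_chains_by_device` is the `output` of a `{"list": {"ruleset": null}}` command. Keeping the "unknown" list separate is the point: a delete-by-device script that ignores chains without a "dev" key will quietly leave chains behind on versions where the JSON listing omits the device.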