So, if I dump a table in JSON, all the rules for all the chains appear together, apparently ordered by chain. Each rule is a complex JSON object (I don't know what you mean by line in this context).

For example, the following configuration:

table ip filter {
        chain input {
                tcp dport 22 counter packets 0 bytes 0 accept
                tcp dport 443 counter packets 0 bytes 0 accept
                counter packets 0 bytes 0 drop
        }

        chain second_chain {
                udp dport 53 counter packets 0 bytes 0 accept
                udp dport 68 counter packets 0 bytes 0 accept
                counter packets 0 bytes 0 drop
        }
}

produces this json:

{
  "nftables": [
    { "metainfo": { "version": "0.9.8", "release_name": "E.D.S.", "json_schema_version": 1 } },
    { "table": { "family": "ip", "name": "filter", "handle": 14 } },
    { "chain": { "family": "ip", "table": "filter", "name": "input", "handle": 1 } },
    { "rule": {
        "family": "ip", "table": "filter", "chain": "input", "handle": 2,
        "expr": [
          { "match": { "op": "==", "left": { "payload": { "protocol": "tcp", "field": "dport" } }, "right": 22 } },
          { "counter": { "packets": 0, "bytes": 0 } },
          { "accept": null }
        ] } },
    { "rule": {
        "family": "ip", "table": "filter", "chain": "input", "handle": 3,
        "expr": [
          { "match": { "op": "==", "left": { "payload": { "protocol": "tcp", "field": "dport" } }, "right": 443 } },
          { "counter": { "packets": 0, "bytes": 0 } },
          { "accept": null }
        ] } },
    { "rule": {
        "family": "ip", "table": "filter", "chain": "input", "handle": 4,
        "expr": [
          { "counter": { "packets": 0, "bytes": 0 } },
          { "drop": null }
        ] } },
    { "chain": { "family": "ip", "table": "filter", "name": "second_chain", "handle": 5 } },
    { "rule": {
        "family": "ip", "table": "filter", "chain": "second_chain", "handle": 6,
        "expr": [
          { "match": { "op": "==", "left": { "payload": { "protocol": "udp", "field": "dport" } }, "right": 53 } },
          { "counter": { "packets": 0, "bytes": 0 } },
          { "accept": null }
        ] } },
    { "rule": {
        "family": "ip", "table": "filter", "chain": "second_chain", "handle": 7,
        "expr": [
          { "match": { "op": "==", "left": { "payload": { "protocol": "udp", "field": "dport" } }, "right": 68 } },
          { "counter": { "packets": 0, "bytes": 0 } },
          { "accept": null }
        ] } },
    { "rule": {
        "family": "ip", "table": "filter", "chain": "second_chain", "handle": 8,
        "expr": [
          { "counter": { "packets": 0, "bytes": 0 } },
          { "drop": null }
        ] } }
  ]
}

My question is: will the order of the rules when output in JSON always be in the correct order (like it is for non-JSON output)?

-----Original Message-----
From: Kamil Jońca <kjonca@xxxxx>
Sent: Wednesday, April 20, 2022 2:17 AM
To: netfilter@xxxxxxxxxxxxxxx
Subject: Re: nft JSON rule output order

"Atkins, Brian" <Brian.Atkins@xxxxxxxxxx> writes:

> Will the rules for a given chain always appear in the correct order when using JSON?
> I didn't see it explicitly stated, and the data structures used in JSON don't suggest a required ordering (as might be assumed if rules were an array within a chain).
>

If I understand correctly (please correct me if I am wrong)
Whole nftables config is dumped as json table where simple record in table
is "line" - this should prevent order.

KJ

--
http://stopstopnop.pl/stop_stopnop.pl_o_nas.html
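
The following is an added example, not part of the thread or of nftables itself: it rebuilds per-chain rule lists from the flat "nftables" array in the dump above and flags rules that sit after an unconditional verdict. It assumes array position is the evaluation order within a chain, which is exactly what the thread is asking about, and deliberately does not sort by "handle", since a handle identifies a rule rather than giving its position. All function names and the trimmed sample are constructed for illustration.

```python
# Constructed sample in the shape of the dump above (counters omitted, one rule dropped).
def _rule(chain, handle, *expr):
    return {"rule": {"family": "ip", "table": "filter", "chain": chain,
                     "handle": handle, "expr": list(expr)}}

def _dport(proto, port):
    return {"match": {"op": "==", "right": port,
                      "left": {"payload": {"protocol": proto, "field": "dport"}}}}

SAMPLE = {"nftables": [
    {"table": {"family": "ip", "name": "filter", "handle": 14}},
    {"chain": {"family": "ip", "table": "filter", "name": "input", "handle": 1}},
    _rule("input", 2, _dport("tcp", 22), {"accept": None}),
    _rule("input", 3, _dport("tcp", 443), {"accept": None}),
    _rule("input", 4, {"drop": None}),
    {"chain": {"family": "ip", "table": "filter", "name": "second_chain", "handle": 5}},
    _rule("second_chain", 6, _dport("udp", 53), {"accept": None}),
    _rule("second_chain", 8, {"drop": None}),
]}

VERDICTS = ("accept", "drop")  # only the verdicts that appear in the dump above

def rules_by_chain(dump):
    """Group rules per (family, table, chain), keeping their array position."""
    chains = {}
    for obj in dump["nftables"]:
        c, r = obj.get("chain"), obj.get("rule")
        if c:  # register the chain even if it turns out to have no rules
            chains.setdefault((c["family"], c["table"], c["name"]), [])
        if r:
            chains.setdefault((r["family"], r["table"], r["chain"]), []).append(r)
    return chains

def summarize(rule):
    """Render a rule as 'proto field op value -> verdict' (payload matches only)."""
    parts, verdict = [], None
    for e in rule["expr"]:
        if "match" in e:
            m, p = e["match"], e["match"]["left"]["payload"]
            parts.append(f'{p["protocol"]} {p["field"]} {m["op"]} {m["right"]}')
        verdict = next((v for v in VERDICTS if v in e), verdict)
    return f'{" ".join(parts) or "*"} -> {verdict}'

def shadowed(rules):
    """Handles of rules placed after an unconditional verdict, in array order."""
    for i, r in enumerate(rules):
        kinds = {k for e in r["expr"] for k in e}
        if "match" not in kinds and kinds & set(VERDICTS):
            return [x["handle"] for x in rules[i + 1:]]
    return []
```

To run it on a live ruleset, pass it `json.loads()` of the output of `nft -j list table ip filter`.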