src: Reject 'export vm json' command

Since libnftnl recently dropped JSON output support, this form of JSON
export is not available anymore. Point at 'nft -j list ruleset' command
for a replacement in error message.

Since 'export' command is not useable anymore, remove it from
documentation. Instead point out that 'list ruleset' command serves well
for dumping and later restoring.

To not cause pointless inconvenience for users wishing to store their
ruleset in JSON format, make JSON parser fallback to CMD_ADD if no
recognized command property was found. This allows to feed the output of
'nft -j list ruleset' into 'nft -f' without any modification.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/doc/nft.txt b/doc/nft.txt
index 45af5bb9e7e5145d96507a8d8952dd39856f3abb..a4ab4a8e5ca0ae12b76059db8b773a923225aa70 100644 (file)
--- a/doc/nft.txt
+++ b/doc/nft.txt
@@ -9,7 +9,7 @@ nft - Administration tool of the nftables framework for packet filtering and cla
 SYNOPSIS
 --------
 [verse]
-*nft* [ *-nNscaeSupy* ] [ *-I* 'directory' ] [ *-f* 'filename' | *-i* | 'cmd' ...]
+*nft* [ *-nNscaeSupyj* ] [ *-I* 'directory' ] [ *-f* 'filename' | *-i* | 'cmd' ...]
 *nft* *-h*
 *nft* *-v*
 
@@ -74,6 +74,10 @@ For a full summary of options, run *nft --help*.
        When inserting items into the ruleset using *add*, *insert* or *replace* commands, print notifications
        just like *nft monitor*.
 
+*-j*::
+*--json*::
+       Format output in JSON. See libnftables-json(5) for a schema description.
+
 *-I*::
 *--includepath directory*::
        Add the directory 'directory' to the list of directories to be searched for included files. This
@@ -228,7 +232,6 @@ RULESET
 -------
 [verse]
 {list | flush} *ruleset* ['family']
-export [*ruleset*] 'format'
 
 The *ruleset* keyword is used to identify the whole set of tables, chains, etc.
 currently in place in kernel. The following *ruleset* commands exist:
@@ -241,15 +244,12 @@ all tables and whatever they contain, effectively leading to an empty ruleset -
 no packet filtering will happen anymore, so the kernel accepts any valid packet
 it receives.
 
-*export*:: Print the ruleset in machine readable format. The mandatory 'format'
-parameter may be either xml or json.
-
 It is possible to limit *list* and *flush* to a specific address family only.
 For a list of valid family names, see <<ADDRESS_FAMILIES>> above.
 
-Note that contrary to what one might assume, the output generated by *export* is
-not parseable by *nft -f*. Instead, the output of *list* command serves well for
-that purpose.
+By design, *list ruleset* command output may be used as input to *nft -f*.
+Effectively, this is the nft-equivalent of *iptables-save* and
+*iptables-restore*.
 
 TABLES
 ------
@@ -783,7 +783,7 @@ Netlink socket with 3.
 SEE ALSO
 --------
 [verse]
-iptables(8), ip6tables(8), arptables(8), ebtables(8), ip(8), tc(8)
+libnftables(3), libnftables-json(5), iptables(8), ip6tables(8), arptables(8), ebtables(8), ip(8), tc(8)
 
 There is an official wiki at: https://wiki.nftables.org
 

diff --git a/src/evaluate.c b/src/evaluate.c
index 329fd42dd0a896c8f0364ddb69ce1ae51780fd67..bd25d9ab56805f533d7e06c05ce0e321823deec5 100644 (file)
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -3803,6 +3803,9 @@ static int cmd_evaluate_export(struct eval_ctx *ctx, struct cmd *cmd)
        if (cmd->markup->format == __NFT_OUTPUT_NOTSUPP)
                return cmd_error(ctx, &cmd->location,
                                 "this output type is not supported");
+       else if (cmd->markup->format == NFTNL_OUTPUT_JSON)
+               return cmd_error(ctx, &cmd->location,
+                                "JSON export is no longer supported, use 'nft -j list ruleset' instead");
 
        return cache_update(ctx->nft, cmd->op, ctx->msgs);
 }

diff --git a/src/parser_json.c b/src/parser_json.c
index 412f5cf2d2bf4b4ae6f27516711868e1bf4b0fe4..6268ad5b7d748dcbe2a7ff80a6844bb5edcd8651 100644 (file)
--- a/src/parser_json.c
+++ b/src/parser_json.c
@@ -3301,8 +3301,8 @@ static struct cmd *json_parse_cmd(struct json_ctx *ctx, json_t *root)
 
                return parse_cb_table[i].cb(ctx, tmp, parse_cb_table[i].op);
        }
-       json_error(ctx, "Unknown command object.");
-       return NULL;
+       /* to accept 'list ruleset' output 1:1, try add command */
+       return json_parse_cmd_add(ctx, root, CMD_ADD);
 }
 
 static int json_verify_metainfo(struct json_ctx *ctx, json_t *root)