From: Phil Sutter <phil@nwl.cc>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: "Jose M. Guisado Gomez" <guigom@riseup.net>,
netfilter-devel@vger.kernel.org, Eric Garver <erig@erig.me>
Subject: Re: [PATCH nft v2 1/1] src: enable output with "nft --echo --json" and nftables syntax
Date: Mon, 3 Aug 2020 14:52:10 +0200 [thread overview]
Message-ID: <20200803125210.GR13697@orbyte.nwl.cc> (raw)
In-Reply-To: <20200801192730.GA5485@salvia>
Hi Pablo,
On Sat, Aug 01, 2020 at 09:27:30PM +0200, Pablo Neira Ayuso wrote:
> On Sat, Aug 01, 2020 at 02:02:13AM +0200, Phil Sutter wrote:
> > On Fri, Jul 31, 2020 at 07:30:28PM +0200, Pablo Neira Ayuso wrote:
> > > On Fri, Jul 31, 2020 at 03:48:28PM +0200, Phil Sutter wrote:
> > > > On Fri, Jul 31, 2020 at 02:58:25PM +0200, Pablo Neira Ayuso wrote:
> > > > > On Fri, Jul 31, 2020 at 02:33:42PM +0200, Phil Sutter wrote:
> > > [...]
> > > > The less predictable echo output behaves, the harder it is to write code
> > > > that makes use of it.
> > >
> > > What is it making the output less predictible? The kernel should
> > > return an input that is equal to the output plus the handle. Other
> > > than that, it's a bug.
> >
> > In tests/py, I see 330 lines explicitly stating the expected output as
> > it differs from the input ('grep "ok;" */*.t | wc -l'). Can we fix those
> > bugs first before we assume what the kernel returns is identical to user
> > input?
>
> Semantically speaking those lines are equivalent, it's just that input
> and the output representation differ in some scenarios because the
> decompilation routine differ in the way it builds the expressions.
Obviously, yes, but irrelevant for this discussion. A script won't be
able to identify two different looking rules as identical because of
semantics.
> BTW, why do you qualify this as a bug?
I was just picking up your argument: Above, you wrote "Other than that,
it's a bug". I assume that in "return an input that is equal to the
output plus the handle", equal really means equal and not equivalent.
> > Say a script manages a rule (in JSON-equivalent) of:
> >
> > | ip protocol tcp tcp dport '{ 22 - 23, 24 - 25}'
> >
> > Both matches are elements in an array resembling the rule's "expr"
> > attribute. Nftables drops the first match, so if the script wants to
> > edit the ports in RHS of the second match, it won't find it anymore.
> > Also, the two port ranges are combined into a single one, so removing
> > one of the two ranges turns into a non-trivial problem.
> >
> > Right now a script may apply its ruleset snippet and retrieve the
> > handles by:
> >
> > | rc, ruleset, err = nftables.json_cmd(ruleset)
> >
> > If the returned ruleset is not identical (apart from added attributes),
> > scripts will likely resort to a fire-n-forget type of usage pattern.
>
> You mean, the user in that JSON script is comparing the input and
> output strings to find the rule handle?
I am assuming that a script that uses echo mode wants to update the
input ruleset (snippet) with handles for later reference to the added
rules. Other than copying output to input completely, it will have to
iterate through output and extract the handle properties, identifying
it's own rules based on current index. More or less what libnftables is
doing when updating JSON input with handles.
> If so, we should explore a better way to do this, eg. expose some user
> defined identifier in JSON that userspace sets on when sending the
> batch to identify the object coming back from the kernel.
Eric suggested to accept a "cookie" property with arbitrary value to
stay in place at least for echo output. He even suggested to accept this
as an alternative to the handle for rule referencing. The latter would
need kernel support, though.
> > > This is also saving quite a bit of code and streamlining this further:
> > >
> > > 4 files changed, 49 insertions(+), 153 deletions(-)
> >
> > Proudly presenting reduced code size by dropping functionality is
> > cheating. Assume nobody needs the JSON interface, easily drop 5k LoC.
>
> The existing approach ignores the kernel echo netlink message almost
> entirely, it only takes the handle.
I know, I wrote the code.
> We need an unified way to deal with --json --echo, whether the input
> is native nft or json syntax.
We don't need, but seems we want. We have JSON output and JSON echo for
a while now and code for both is distinct. I fail to see why this was OK
but is no longer. From my perspective, Jose simply failed to see that
JSON output code should be used for JSON echo if input is not JSON.
I could come up with a patch implementing that if all this is merely
about the missing feature.
> If the problem is described in the question I made above, how will
> users passing native nft syntax and requesing json output will
> identify the rule? They cannot make string matching comparison in that
> case since there is no input JSON representation.
That is not a sensible use-case. For once, I would assume native syntax
to be used by humans, so if this is combined with JSON output, the goal
is translation. If input really comes from a script, it is likely not
retaining the input for later reuse but will take whatever it receives
back.
Cheers, Phil
next prev parent reply other threads:[~2020-08-03 12:52 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-30 19:53 [PATCH nft] src: enable output with "nft --echo --json" and nftables syntax Jose M. Guisado Gomez
2020-07-31 0:00 ` [PATCH nft v2 0/1] " Jose M. Guisado Gomez
2020-07-31 0:00 ` [PATCH nft v2 1/1] " Jose M. Guisado Gomez
2020-07-31 9:22 ` Pablo Neira Ayuso
2020-07-31 10:49 ` [PATCH nft v3] " Jose M. Guisado Gomez
2020-08-04 10:38 ` [PATCH nft v4] src: enable json echo output when reading native syntax Jose M. Guisado Gomez
2020-08-04 11:05 ` Pablo Neira Ayuso
2020-08-04 12:13 ` Jose M. Guisado
2020-08-04 12:15 ` Pablo Neira Ayuso
2020-08-04 12:37 ` Phil Sutter
2020-08-04 13:05 ` Jose M. Guisado
2020-08-04 13:14 ` Phil Sutter
2020-08-04 13:44 ` Jose M. Guisado
2020-08-04 14:04 ` Pablo Neira Ayuso
2020-08-04 14:17 ` Pablo Neira Ayuso
2020-08-04 14:20 ` Phil Sutter
2020-08-04 15:47 ` Jose M. Guisado
2020-08-04 19:10 ` Pablo Neira Ayuso
2020-08-05 9:31 ` Phil Sutter
2020-08-05 9:45 ` Pablo Neira Ayuso
2020-08-06 7:28 ` Phil Sutter
2020-08-04 12:57 ` Eric Garver
2020-07-31 12:33 ` [PATCH nft v2 1/1] src: enable output with "nft --echo --json" and nftables syntax Phil Sutter
2020-07-31 12:58 ` Pablo Neira Ayuso
2020-07-31 13:48 ` Phil Sutter
2020-07-31 14:17 ` Eric Garver
2020-07-31 17:19 ` Pablo Neira Ayuso
2020-07-31 18:36 ` Eric Garver
2020-07-31 20:14 ` Eric Garver
2020-07-31 17:30 ` Pablo Neira Ayuso
2020-08-01 0:02 ` Phil Sutter
2020-08-01 19:27 ` Pablo Neira Ayuso
2020-08-03 12:52 ` Phil Sutter [this message]
2020-08-04 10:20 ` Jose M. Guisado
2020-08-04 10:32 ` Phil Sutter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200803125210.GR13697@orbyte.nwl.cc \
--to=phil@nwl.cc \
--cc=erig@erig.me \
--cc=guigom@riseup.net \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.