From: Eric Garver <firstname.lastname@example.org>
To: Pablo Neira Ayuso <email@example.com>, Phil Sutter <firstname.lastname@example.org>, "Jose M. Guisado Gomez" <email@example.com>, firstname.lastname@example.org
Subject: Re: [PATCH nft v2 1/1] src: enable output with "nft --echo --json" and nftables syntax
Date: Fri, 31 Jul 2020 16:14:26 -0400
Message-ID: <20200731201426.qzmtdh5mdaoyqk53@egarver>
In-Reply-To: <20200731183633.eyobtrbgrmsgv7b7@egarver>

On Fri, Jul 31, 2020 at 02:36:33PM -0400, Eric Garver wrote:
> On Fri, Jul 31, 2020 at 07:19:06PM +0200, Pablo Neira Ayuso wrote:
> > On Fri, Jul 31, 2020 at 10:17:42AM -0400, Eric Garver wrote:
> > > On Fri, Jul 31, 2020 at 03:48:28PM +0200, Phil Sutter wrote:
> > > > On Fri, Jul 31, 2020 at 02:58:25PM +0200, Pablo Neira Ayuso wrote:
> > > > > On Fri, Jul 31, 2020 at 02:33:42PM +0200, Phil Sutter wrote:
> > [...]
> > > > I'm assuming scripts will work directly with the Python data structures
> > > > that are later passed to libnftables as JSON. If they want to change a
> > > > rule, e.g. add a statement, it is no use if other statements disappear
> > > > or new ones are added by the commit->retrieve action.
> > > >
> > > > Maybe Eric can shed some light on how Firewalld uses echo mode and
> > > > whether my concerns are relevant or not.
> > >
> > > How it stands today is exactly as you described above. firewalld relies
> > > on the output (--echo) being in the same order as the input. At the
> > > time, and I think still today, this was the _only_ way to reliably get
> > > the rule handles. It's mostly due to the fact that input != output.
> > >
> > > In the past we discussed allowing a user defined cookie/handle. This
> > > would allow applications to perform in a write only manner. They would
> > > not need to parse back the JSON since they already know the
> > > cookie/handle. IMO, this would be ideal for firewalld's use case.
> >
> > The question is: Is this patch breaking anything in firewalld?
> > I tried v2 and v3. Neither break firewalld.

I rescind this statement - user error on my part. Both versions break
firewalld. It looks like the reply is in a different order than the input.
So firewalld doesn't know where to find the rule handles. I'm trying to come
up with a minimal reproducer.
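The message above describes firewalld recovering rule handles by position from the echoed JSON, and the breakage that follows when the reply comes back in a different order than the input. The Python below is an added example, not code from firewalld or nftables: it constructs a libnftables-style command list and a stand-in for the `nft --echo --json` reply (the `fake_echo` helper, the handle values 7 and 8, and the `fw` table and `input` chain names are assumptions), then shows a positional handle lookup that verifies each input/echo pairing so that a reordered reply is detected instead of silently yielding wrong handles, and an order-independent lookup that matches echoed rules to submitted rules by content.

```python
import copy
import json

# Constructed sample input: the commands an application such as firewalld
# would hand to libnftables. Two rules, distinguishable by their dport match.
INPUT_CMDS = {"nftables": [
    {"add": {"rule": {"family": "inet", "table": "fw", "chain": "input",
                      "expr": [{"match": {"op": "==",
                                          "left": {"payload": {"protocol": "tcp", "field": "dport"}},
                                          "right": 22}},
                               {"accept": None}]}}},
    {"add": {"rule": {"family": "inet", "table": "fw", "chain": "input",
                      "expr": [{"match": {"op": "==",
                                          "left": {"payload": {"protocol": "tcp", "field": "dport"}},
                                          "right": 80}},
                               {"accept": None}]}}},
]}


def fake_echo(cmds, handles, order=None):
    """Construct what an echo reply for CMDS looks like: a metainfo object
    followed by the submitted commands with kernel-assigned handles added
    (HANDLES is an assumed sequence). ORDER optionally permutes the echoed
    commands to imitate the reordering reported in the thread."""
    out = [{"metainfo": {"version": "0.9.6", "release_name": "(constructed)",
                         "json_schema_version": 1}}]
    echoed = []
    for cmd, h in zip(cmds["nftables"], handles):
        c = copy.deepcopy(cmd)
        c["add"]["rule"]["handle"] = h
        echoed.append(c)
    if order is not None:
        echoed = [echoed[i] for i in order]
    return {"nftables": out + echoed}


def _rules(obj):
    """Return the 'add rule' command objects, skipping metainfo and others."""
    return [c for c in obj["nftables"] if "add" in c and "rule" in c["add"]]


def _without_handle(cmd):
    """Copy of CMD with the kernel-assigned handle removed, for comparison."""
    c = copy.deepcopy(cmd)
    c["add"]["rule"].pop("handle", None)
    return c


def handles_by_position(input_cmds, echo_out):
    """The positional scheme: the i-th echoed rule carries the handle of the
    i-th submitted rule. Each pairing is verified, so a reordered reply is
    reported as an error instead of producing wrong handles."""
    submitted = _rules(input_cmds)
    echoed = _rules(echo_out)
    if len(submitted) != len(echoed):
        raise ValueError("echo returned %d rules for %d submitted"
                         % (len(echoed), len(submitted)))
    handles = []
    for i, (s, e) in enumerate(zip(submitted, echoed)):
        if _without_handle(e) != s:
            raise ValueError("echo output position %d does not match input" % i)
        handles.append(e["add"]["rule"]["handle"])
    return handles


def handles_by_content(input_cmds, echo_out):
    """Order-independent lookup: match echoed rules to submitted rules by
    their serialised content. This is ambiguous when identical rules are
    submitted in one transaction, so it raises rather than guess."""
    def key(c):
        return json.dumps(_without_handle(c), sort_keys=True)
    submitted = _rules(input_cmds)
    if len({key(c) for c in submitted}) != len(submitted):
        raise ValueError("duplicate rules cannot be matched by content")
    echoed = {key(c): c["add"]["rule"]["handle"] for c in _rules(echo_out)}
    return [echoed[key(c)] for c in submitted]


if __name__ == "__main__":
    in_order = fake_echo(INPUT_CMDS, [7, 8])
    print("in order, by position:", handles_by_position(INPUT_CMDS, in_order))
    swapped = fake_echo(INPUT_CMDS, [7, 8], order=[1, 0])
    try:
        handles_by_position(INPUT_CMDS, swapped)
    except ValueError as err:
        print("swapped, by position:", err)
    print("swapped, by content:", handles_by_content(INPUT_CMDS, swapped))
```

The positional check is the cheap safeguard an application relying on echo order can add today; the content-based lookup works regardless of reply order but cannot disambiguate identical rules, which is exactly the gap a user-defined cookie/handle, as discussed earlier in the thread, would close.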