[PATCH] expr: allow export of notrack expr

[PATCH] expr: allow export of notrack expr

[Ivan Babrou]

Currently it's impossible to export notrack expr as json,
as it lacks snprintf member and triggers segmentation fault.

There are no parameters to notrack, so there's nothing
to do, but it should be an explicit function that does nothing.

Signed-off-by: Ivan Babrou <ivan@cloudflare.com>
---
 src/expr_ops.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/expr_ops.c b/src/expr_ops.c
index 3538dd6..a2e1dd3 100644
--- a/src/expr_ops.c
+++ b/src/expr_ops.c
@@ -42,8 +42,16 @@ extern struct expr_ops expr_ops_tunnel;
 extern struct expr_ops expr_ops_osf;
 extern struct expr_ops expr_ops_xfrm;

+static int
+nftnl_expr_notrack_snprintf(char *buf, size_t len, uint32_t type,
+   uint32_t flags, const struct nftnl_expr *e)
+{
+ return -1;
+}
+
 static struct expr_ops expr_ops_notrack = {
  .name = "notrack",
+ .snprintf = nftnl_expr_notrack_snprintf,
 };

 static struct expr_ops *expr_ops[] = {
--
2.22.0

Re: [PATCH] expr: allow export of notrack expr

[Florian Westphal]

Ivan Babrou <ivan@cloudflare.com> wrote:
> Currently it's impossible to export notrack expr as json,
> as it lacks snprintf member and triggers segmentation fault.

Hmm, works for me:

table ip raw {
        chain prerouting {
                type filter hook prerouting priority -300; policy accept;
                udp dport 53 notrack
}

gets exported as:

nft -j list ruleset
{"nftables": [{"metainfo": {"version": "0.9.1", "release_name": "Headless Horseman", "json_schema_version": 1}}, {"table": {"family": "ip", "name": "raw", "handle": 1}}, {"chain": {"family": "ip", "table": "raw", "name": "prerouting", "handle": 1, "type": "filter", "hook": "prerouting", "prio": -300, "policy": "accept"}}, {"rule": {"family": "ip", "table": "raw", "chain": "prerouting", "handle": 3, "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "udp", "field": "dport"}}, "right": 53}}, {"notrack": null}]}}]}

Re: [PATCH] expr: allow export of notrack expr

[Ivan Babrou]

You're right, it does indeed work in master. I've seen the issue on
Debian with libnftnl-1.0.7 and assumed it carried over to the latest
version by glancing over the code without actually trying it.

Sorry about that.

On Fri, Aug 2, 2019 at 2:35 AM Florian Westphal <fw@strlen.de> wrote:
>
> Ivan Babrou <ivan@cloudflare.com> wrote:
> > Currently it's impossible to export notrack expr as json,
> > as it lacks snprintf member and triggers segmentation fault.
>
> Hmm, works for me:
>
> table ip raw {
>         chain prerouting {
>                 type filter hook prerouting priority -300; policy accept;
>                 udp dport 53 notrack
> }
>
> gets exported as:
>
> nft -j list ruleset
> {"nftables": [{"metainfo": {"version": "0.9.1", "release_name": "Headless Horseman", "json_schema_version": 1}}, {"table": {"family": "ip", "name": "raw", "handle": 1}}, {"chain": {"family": "ip", "table": "raw", "name": "prerouting", "handle": 1, "type": "filter", "hook": "prerouting", "prio": -300, "policy": "accept"}}, {"rule": {"family": "ip", "table": "raw", "chain": "prerouting", "handle": 3, "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "udp", "field": "dport"}}, "right": 53}}, {"notrack": null}]}}]}