-rw-r--r-- | doc/nft.txt | 18 | ||||
-rw-r--r-- | src/evaluate.c | 3 | ||||
-rw-r--r-- | src/parser_json.c | 4 |
3 files changed, 14 insertions, 11 deletions
diff --git a/doc/nft.txt b/doc/nft.txt
index 45af5bb9..a4ab4a8e 100644
--- a/doc/nft.txt
+++ b/doc/nft.txt
@@ -9,7 +9,7 @@ nft - Administration tool of the nftables framework for packet filtering and cla
 SYNOPSIS
 --------
 [verse]
-*nft* [ *-nNscaeSupy* ] [ *-I* 'directory' ] [ *-f* 'filename' | *-i* | 'cmd' ...]
+*nft* [ *-nNscaeSupyj* ] [ *-I* 'directory' ] [ *-f* 'filename' | *-i* | 'cmd' ...]
 *nft* *-h*
 *nft* *-v*
@@ -74,6 +74,10 @@ For a full summary of options, run *nft --help*.
 When inserting items into the ruleset using *add*, *insert* or *replace* commands, print notifications just like *nft monitor*.
+*-j*::
+*--json*::
+ Format output in JSON. See libnftables-json(5) for a schema description.
+
 *-I*::
 *--includepath directory*::
 Add the directory 'directory' to the list of directories to be searched for included files. This
@@ -228,7 +232,6 @@ RULESET
 -------
 [verse]
 {list | flush} *ruleset* ['family']
-export [*ruleset*] 'format'
 The *ruleset* keyword is used to identify the whole set of tables, chains, etc. currently in place in kernel. The following *ruleset* commands exist:
@@ -241,15 +244,12 @@ all tables and whatever they contain, effectively leading to an empty ruleset - no packet filtering will happen anymore, so the kernel accepts any valid packet it receives.
-*export*:: Print the ruleset in machine readable format. The mandatory 'format'
-parameter may be either xml or json.
-
 It is possible to limit *list* and *flush* to a specific address family only. For a list of valid family names, see <<ADDRESS_FAMILIES>> above.
-Note that contrary to what one might assume, the output generated by *export* is
-not parseable by *nft -f*. Instead, the output of *list* command serves well for
-that purpose.
+By design, *list ruleset* command output may be used as input to *nft -f*.
+Effectively, this is the nft-equivalent of *iptables-save* and
+*iptables-restore*.
 TABLES
 ------
@@ -783,7 +783,7 @@ Netlink socket with 3.
 SEE ALSO
 --------
 [verse]
-iptables(8), ip6tables(8), arptables(8), ebtables(8), ip(8), tc(8)
+libnftables(3), libnftables-json(5), iptables(8), ip6tables(8), arptables(8), ebtables(8), ip(8), tc(8)
 There is an official wiki at: https://wiki.nftables.org
diff --git a/src/evaluate.c b/src/evaluate.c
index 329fd42d..bd25d9ab 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -3803,6 +3803,9 @@ static int cmd_evaluate_export(struct eval_ctx *ctx, struct cmd *cmd)
 if (cmd->markup->format == __NFT_OUTPUT_NOTSUPP)
 return cmd_error(ctx, &cmd->location,
 "this output type is not supported");
+ else if (cmd->markup->format == NFTNL_OUTPUT_JSON)
+ return cmd_error(ctx, &cmd->location,
+ "JSON export is no longer supported, use 'nft -j list ruleset' instead");
 
 return cache_update(ctx->nft, cmd->op, ctx->msgs);
 }
diff --git a/src/parser_json.c b/src/parser_json.c
index 412f5cf2..6268ad5b 100644
--- a/src/parser_json.c
+++ b/src/parser_json.c
@@ -3301,8 +3301,8 @@ static struct cmd *json_parse_cmd(struct json_ctx *ctx, json_t *root)
 return parse_cb_table[i].cb(ctx, tmp, parse_cb_table[i].op);
 }
 
- json_error(ctx, "Unknown command object.");
- return NULL;
+ /* to accept 'list ruleset' output 1:1, try add command */
+ return json_parse_cmd_add(ctx, root, CMD_ADD);
 }
 
 static int json_verify_metainfo(struct json_ctx *ctx, json_t *root)
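Review bot: In the evaluate.c hunk the added `else if` follows an `if` whose body is a `return`, so the `else` is redundant and the two rejections read better as independent guards, matching the existing `__NFT_OUTPUT_NOTSUPP` check directly above it: `if (cmd->markup->format == NFTNL_OUTPUT_JSON)` / `return cmd_error(ctx, &cmd->location, "JSON export is no longer supported, use 'nft -j list ruleset' instead");`. Consider also a one-line comment above the new guard stating that the JSON format is still parsed by the grammar and is deliberately refused here, e.g. `/* 'export json' still parses; refuse it at evaluation so the user is pointed at -j. */`, since the parse side is not visible in this diff.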
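Review bot: In the parser_json.c hunk, replacing the `json_error(ctx, "Unknown command object.")` rejection with a fall-through to `json_parse_cmd_add(ctx, root, CMD_ADD)` makes every object that matches none of the `parse_cb_table` keys an implicit add, so the diagnostic a user gets for a mistyped command key now depends entirely on how `json_parse_cmd_add` handles unknown object keys, which is outside this hunk; it is worth confirming that it fails with an error rather than silently skipping the object, because a silently dropped "delete" or "flush" leaves stale rules in place. The new comment should state that contract, e.g. `/* No command key matched: parse the object as a bare 'add' so 'list ruleset' output is accepted 1:1. Relies on json_parse_cmd_add() rejecting unknown object types. */`. The loop over `parse_cb_table` that precedes this return begins outside the hunk.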