Discussion:
nft json export interpretation
Alex Chapman
2014-08-27 14:06:37 UTC
Permalink
Hi,

I am working on getting the nftables ruleset into a human-readable JSON format and would like to understand how the output of the built-in JSON export functionality should be interpreted. Does it require a deep level of understanding of the application? Are there some reference points that could be followed? By that I mean how the output would relate to an IP address or port number, for example.

The other option would be to do this through text manipulation on the standard nft list output, but it makes sense to try and use the built-in export functionality if possible.

Any pointers would be greatly appreciated!

Thanks!
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to ***@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Arturo Borrero Gonzalez
2014-08-27 14:50:03 UTC
Permalink
Hi,
The JSON is a representation of the low-level 'pseudocode' of nftables
objects. By objects I mean tables, chains, sets, set_elems, rules,
expressions.

For example, the statement 'tcp dport 22' is translated by nft to
several expressions: payload, cmp:

[ payload load 1b @ network header + 9 => reg 1 ]
[ cmp eq reg 1 0x00000006 ]
[ payload load 2b @ transport header + 2 => reg 1 ]
[ cmp eq reg 1 0x00001600 ]

To translate this low level code back to a higher level statement, you
need to perform the same operations that nft does internally.

Same applies to the XML format, both generated by libnftnl.
--
Arturo Borrero González
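The four low-level expressions above can be folded back into the high-level statement by tracking what each payload load put into a register and decoding the immediate of the cmp that reads it. The following Python is an added example, not code from this thread or from nftables/libnftnl; the field table, the protocol-number names and the little-endian register layout (which is why port 22 prints as 0x00001600) are assumptions.

```python
import re
# Assumed field table (constructed for this example, not from the thread):
# (header base, byte offset, byte length) -> high-level field name.
PAYLOAD_FIELDS = {("network", 9, 1): "ip protocol",     # IPv4 protocol byte
                  ("transport", 0, 2): "sport",        # TCP/UDP source port
                  ("transport", 2, 2): "dport"}        # TCP/UDP destination port
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
PAYLOAD_RE = re.compile(
    r"\[ payload load (\d+)b @ (network|transport) header \+ (\d+) => reg (\d+) \]")
CMP_RE = re.compile(r"\[ cmp (eq|neq|lt|gt|lte|gte) reg (\d+) (0x[0-9a-fA-F]+) \]")

def decode_immediate(hexval, length):
    """Recover the field value from the immediate nft prints. Assumes a little-endian
    host: the loaded network-order bytes sit in the register's lowest-addressed
    bytes, so 0x00001600 with a 2-byte load is port 22."""
    raw = int(hexval, 16).to_bytes(4, "little")
    return int.from_bytes(raw[:length], "big")

def decode_rule(lines):
    """Fold nft's low-level payload/cmp expressions back into statements such
    as 'tcp dport 22'; raises on a cmp that reads a register nothing loaded."""
    regs, stmts, proto, proto_used = {}, [], None, False
    for line in (l.strip() for l in lines if l.strip()):
        if m := PAYLOAD_RE.match(line):
            length, base, off, reg = m.groups()
            key = (base, int(off), int(length))
            # Unknown fields fall back to nft's raw @base,bitoffset,bitlength form.
            name = PAYLOAD_FIELDS.get(key, f"@{base[0]}h,{int(off) * 8},{int(length) * 8}")
            regs[int(reg)] = (name, int(length))
        elif m := CMP_RE.match(line):
            op, reg, hexval = m.groups()
            if int(reg) not in regs:
                raise ValueError(f"cmp reads reg {reg} before any load: {line}")
            name, length = regs.pop(int(reg))
            value = decode_immediate(hexval, length)
            if name == "ip protocol":      # remembered, then folded into the port match
                proto = PROTO_NAMES.get(value, str(value))
                continue
            if name in ("sport", "dport"):
                name, proto_used = f"{proto or 'th'} {name}", proto is not None
            stmts.append(f"{name} {'' if op == 'eq' else op + ' '}{value}")
        else:
            raise ValueError(f"unrecognised expression: {line}")
    if proto and not proto_used:           # protocol match that no port match consumed
        stmts.insert(0, f"ip protocol {proto}")
    return stmts

# Constructed input: the four expressions quoted above for 'tcp dport 22'.
SAMPLE = """[ payload load 1b @ network header + 9 => reg 1 ]
[ cmp eq reg 1 0x00000006 ]
[ payload load 2b @ transport header + 2 => reg 1 ]
[ cmp eq reg 1 0x00001600 ]"""
print(decode_rule(SAMPLE.splitlines()))    # ['tcp dport 22']
```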
Alex Chapman
2014-08-28 10:30:05 UTC
Permalink
Thanks Arturo. That makes sense. I think for my use case it would be far easier to convert the nft high level output to json.
