[pkg-netfilter-team] Bug#949248: nftables: nft parsing from stdin fails but works from file

jaroslav at thinline.cz jaroslav at thinline.cz
Mon Feb 24 19:45:29 GMT 2020


> Package: nftables
> Version: 0.9.0-2
> Severity: normal
> 
> I want to parse rules from a script, but parsing them from a pipe fails 
> while parsing from a file works
> 
> nft -f nft.txt works
> cat nft.txt | nft -f - fails with a handful of syntax errors
> 
> I also noticed a difference when doing full debug output
> Reading from file shows the filename, the line number and the position 
> as well as the actual line and the used part of line
> Reading from stdin just shows /dev/stdin, the line number and the 
> position.
> So there seems to be different handling of reading the input
> 

I encountered this too some time ago - according to strace, nft is 
reading rules in 8kB long blocks (so everything works fine until your 
rules grow) but after the block is read, nft attempts to seek a few bytes 
back in the file. I guess it wants to do the next read from some kind of 
boundary. Anyway, seeking in a stream obviously fails with ESPIPE - 
Illegal seek (I guess nft doesn't check the return value here), another 8kB 
block is read but not from the file position nft wanted, resulting in a 
syntax error.

The nft man page says that reading from stdin is supported, but it also says 
that "nft export json" is a thing, so I just wrote this off as yet 
another error in the docs and worked around it by dumping my rules into 
a temporary file and reading them via -f . You may want to do the same 
thing.
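The failure mode described in the reply above (block reads, an lseek() back to a line boundary whose ESPIPE failure on a pipe is ignored, followed by a mis-positioned next read), as an added example that is not nft's code and not part of the original thread. It uses a 16-byte block instead of 8 kB and a constructed toy grammar ("rule" followed by digits) so the boundary case shows up on forty short lines; the "seeking" reader reproduces the hypothesised behaviour, and the "carry" reader is the usual stream-safe fix: keep the unterminated tail in the buffer and prepend it to the next read instead of seeking. Both readers are run on a regular file and on a pipe so the difference is visible.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Example code, not nft's. BLOCK is 16 bytes rather than 8 kB so a block
 * boundary lands inside a line on a small constructed input. */
#define BLOCK 16
#define NLINES 40

struct result { int ok; int bad; int seek_errors; };

/* Toy grammar: a valid line is "rule" followed by one or more digits. */
static int line_ok(const char *line)
{
    if (strncmp(line, "rule", 4) != 0 || line[4] == '\0')
        return 0;
    for (const char *p = line + 4; *p; p++)
        if (*p < '0' || *p > '9')
            return 0;
    return 1;
}

/* Reader 1: read a block, parse the complete lines in it, then lseek() back
 * over the trailing partial line so the next read starts on a boundary. The
 * lseek() failure is only counted, not handled: on a pipe it fails with
 * ESPIPE, the partial line is lost and the next block starts mid-line. */
static struct result parse_seeking(int fd)
{
    struct result r = {0, 0, 0};
    char buf[BLOCK + 1];
    ssize_t n;

    while ((n = read(fd, buf, BLOCK)) > 0) {
        buf[n] = '\0';
        char *nl = strrchr(buf, '\n');
        if (!nl) { r.bad++; continue; }      /* no line boundary in block */
        size_t consumed = (size_t)(nl - buf) + 1;
        for (char *p = buf; p < buf + consumed; ) {
            char *e = strchr(p, '\n');
            *e = '\0';
            if (line_ok(p)) r.ok++; else r.bad++;
            p = e + 1;
        }
        off_t back = (off_t)((size_t)n - consumed);
        if (back > 0 && lseek(fd, -back, SEEK_CUR) == (off_t)-1 && errno == ESPIPE)
            r.seek_errors++;                  /* tail silently dropped */
    }
    return r;
}

/* Reader 2: never seek; carry the unterminated tail forward and prepend it
 * to the next read, so files, pipes and sockets all behave the same. */
static struct result parse_carry(int fd)
{
    struct result r = {0, 0, 0};
    char buf[4 * BLOCK + 1];
    size_t have = 0;
    ssize_t n;

    for (;;) {
        size_t want = sizeof buf - 1 - have;
        if (want > BLOCK) want = BLOCK;
        if (want == 0) { r.bad++; have = 0; continue; }  /* overlong line */
        if ((n = read(fd, buf + have, want)) <= 0) break;
        have += (size_t)n;
        buf[have] = '\0';
        char *p = buf, *e;
        while ((e = strchr(p, '\n')) != NULL) {
            *e = '\0';
            if (line_ok(p)) r.ok++; else r.bad++;
            p = e + 1;
        }
        have = (size_t)(buf + have - p);
        memmove(buf, p, have);                /* keep the partial line */
    }
    if (have) {                               /* last line lacks a newline */
        buf[have] = '\0';
        if (line_ok(buf)) r.ok++; else r.bad++;
    }
    return r;
}

/* Feed NLINES constructed "rule<i>" lines to a reader from either a regular
 * file or a pipe, and return what it made of them. */
static struct result parse_input(struct result (*reader)(int), int use_pipe)
{
    int fd[2];
    if (use_pipe) {
        if (pipe(fd) != 0) { perror("pipe"); exit(1); }
    } else {
        char path[] = "/tmp/nft-example-XXXXXX";   /* assumed writable */
        fd[0] = fd[1] = mkstemp(path);
        if (fd[0] < 0) { perror("mkstemp"); exit(1); }
        unlink(path);
    }
    char line[32];
    for (int i = 0; i < NLINES; i++) {
        int len = snprintf(line, sizeof line, "rule%d\n", i);
        if (write(fd[1], line, (size_t)len) != len) { perror("write"); exit(1); }
    }
    if (use_pipe) close(fd[1]);               /* writer done: reader sees EOF */
    else lseek(fd[0], 0, SEEK_SET);           /* rewind the file */
    struct result r = reader(fd[0]);
    close(fd[0]);
    return r;
}

int main(void)
{
    const char *src[] = { "file", "pipe" };
    for (int p = 0; p < 2; p++) {
        struct result a = parse_input(parse_seeking, p);
        struct result b = parse_input(parse_carry, p);
        printf("%s: seeking ok=%d bad=%d seek_errors=%d | carry ok=%d bad=%d\n",
               src[p], a.ok, a.bad, a.seek_errors, b.ok, b.bad);
    }
    return 0;
}
```

On the file both readers accept all 40 lines. On the pipe the seeking reader loses the tail of every block that ends mid-line, so the head of the following line shows up as a fragment ("2", "le5", "10", "") that fails the grammar, exactly the pattern of scattered syntax errors the reporter saw; the carry reader is unaffected. The practical check when debugging such a report is the same one used in the reply: strace the reader and look for lseek() returning ESPIPE right after a read() on a non-seekable descriptor.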


