Most of the capabilities of wolfSentry can be configured, and dynamically
reconfigured, by supplying JSON documents to the library. To use this
capability, add the following to wolfSentry initialization in the application:

```
#include <wolfsentry/wolfsentry_json.h>
```

After initialization and installation of application-supplied callbacks (if any), call one of the APIs to load the config:

- `wolfsentry_config_json_oneshot()`
- `wolfsentry_config_json_oneshot_ex()`, with an additional `json_config` arg for fine control of JSON parsing (see `struct JSON_CONFIG` in `wolfsentry/centijson_sax.h`)
- streaming API:
  - `wolfsentry_config_json_init()` or `wolfsentry_config_json_init_ex()`
  - `wolfsentry_config_json_feed()`
  - `wolfsentry_config_json_fini()`

See `wolfsentry/wolfsentry_json.h` for details on arguments.

wolfSentry configuration uses standard JSON syntax as defined in RFC 8259, as restricted by RFC 7493, with certain additional requirements. In particular, certain sections in the JSON document are restricted in their sequence of appearance.

- `"wolfsentry-config-version"` shall appear first, and each event definition shall appear before any definitions for events, routes, or default policies that refer to it through `"aux-parent-event"`, `"parent-event"`, or `"default-event"` clauses.
- Within event definitions, the `"label"`, `"priority"`, and `"config"` elements shall appear before any other elements.

These sequence constraints are necessary to allow for high efficiency SAX-style (sequential-incremental) loading of the configuration.

All wildcard flags are implicitly set on routes, and are cleared for fields with
explicit assignments in the configuration. For example, if a route designates a
particular `"family"`, then `WOLFSENTRY_ROUTE_FLAG_SA_FAMILY_WILDCARD` will be
implicitly cleared. Thus, wildcard flags need not be explicitly set or
cleared in route definitions.

Note that certain element variants may be unavailable due to build settings:

- `address_family_name`: available if `defined(WOLFSENTRY_PROTOCOL_NAMES)`
- `route_protocol_name`: available if `!defined(WOLFSENTRY_NO_GETPROTOBY)`
- `address_port_name`: available if `!defined(WOLFSENTRY_NO_GETPROTOBY)`
- `json_value_clause`: available if `defined(WOLFSENTRY_HAVE_JSON_DOM)`

Caller-supplied event and action labels shall not begin with
`WOLFSENTRY_BUILTIN_LABEL_PREFIX` (by default `"%"`), as these are reserved for
built-ins.

`"config-update"` allows the default configuration to be updated. It is termed an
“update” because wolfSentry is initially configured by the `config` argument to
`wolfsentry_init()` (which can be passed in `NULL`, signifying built-in
defaults). Note that times (`wolfsentry_eventconfig.penaltybox_duration` and
`wolfsentry_eventconfig.route_idle_time_for_purge`) shall be passed to
`wolfsentry_init()` denominated in seconds, notwithstanding the
`wolfsentry_time_t` type of the members.

The `flags` argument to `wolfsentry_config_json_init()` and
`wolfsentry_config_json_oneshot()`, constructed by bitwise-or, changes the way
the JSON is processed, as follows:

- `WOLFSENTRY_CONFIG_LOAD_FLAG_NONE` -- Not a flag, but all-zeros, signifying default behavior: The wolfSentry core is locked, the current configuration is flushed, and the new configuration is loaded incrementally. Any error during load leaves wolfSentry in an undefined state that can be recovered with a subsequent flush and load that succeeds.
- `WOLFSENTRY_CONFIG_LOAD_FLAG_NO_FLUSH` -- Inhibit initial flush of configuration, to allow incremental load. Error during load leaves wolfSentry in an undefined state that can only be recovered with a subsequent flush and load that succeeds, unless `WOLFSENTRY_CONFIG_LOAD_FLAG_DRY_RUN` or `WOLFSENTRY_CONFIG_LOAD_FLAG_LOAD_THEN_COMMIT` was also supplied.
- `WOLFSENTRY_CONFIG_LOAD_FLAG_DRY_RUN` -- Load into a temporary configuration, and deallocate before return. Running configuration is unchanged.
- `WOLFSENTRY_CONFIG_LOAD_FLAG_LOAD_THEN_COMMIT` -- Load into a newly allocated configuration, and install it only if load completes successfully. On error, running configuration is unchanged. On success, the old configuration is deallocated.
- `WOLFSENTRY_CONFIG_LOAD_FLAG_NO_ROUTES_OR_EVENTS` -- Inhibit loading of `"routes"` and `"events"` sections in the supplied JSON.
- `WOLFSENTRY_CONFIG_LOAD_FLAG_FLUSH_ONLY_ROUTES` -- At beginning of load process, retain all current configuration except for routes, which are flushed. This is convenient in combination with `wolfsentry_route_table_dump_json_*()` for save/restore of dynamically added routes.
- `WOLFSENTRY_CONFIG_LOAD_FLAG_JSON_DOM_DUPKEY_ABORT` -- When processing user-defined JSON values, abort load on duplicate keys.
- `WOLFSENTRY_CONFIG_LOAD_FLAG_JSON_DOM_DUPKEY_USEFIRST` -- When processing user-defined JSON values, for any given key in an object use the first occurrence encountered.
- `WOLFSENTRY_CONFIG_LOAD_FLAG_JSON_DOM_DUPKEY_USELAST` -- When processing user-defined JSON values, for any given key in an object use the last occurrence encountered.
- `WOLFSENTRY_CONFIG_LOAD_FLAG_JSON_DOM_MAINTAINDICTORDER` -- When processing user-defined JSON values, store sequence information so that subsequent calls to `wolfsentry_kv_render_value()` or `json_dom_dump(..., JSON_DOM_DUMP_PREFERDICTORDER)` render objects in their supplied sequence, rather than lexically sorted.

Note that `WOLFSENTRY_CONFIG_LOAD_FLAG_JSON_DOM_*` flags are allowed only if
`WOLFSENTRY_HAVE_JSON_DOM` is defined in the build, as it is with default settings.

Below is a JSON “lint” pseudodocument demonstrating all available configuration
nodes, with value specifiers that refer to the ABNF definitions below. The
allowed values are as in the ABNF formal syntax later in this document.

```
{
    "wolfsentry-config-version" : 1,
    "config-update" : {
        "max-connection-count" : uint32,
        "penalty-box-duration" : duration,
        "route-idle-time-for-purge" : duration,
        "derog-thresh-for-penalty-boxing" : uint16,
        "derog-thresh-ignore-commendable" : boolean,
        "commendable-clears-derogatory" : boolean,
        "route-flags-to-add-on-insert" : route_flag_list,
        "route-flags-to-clear-on-insert" : route_flag_list,
        "action-res-filter-bits-set" : action_res_flag_list,
        "action-res-filter-bits-unset" : action_res_flag_list,
        "action-res-bits-to-add" : action_res_flag_list,
        "action-res-bits-to-clear" : action_res_flag_list,
        "max-purgeable-routes" : uint32,
        "max-purgeable-idle-time" : duration
    },
    "events" : [
        { "label" : label,
          "priority" : uint16,
          "config" : {
              "max-connection-count" : uint32,
              "penalty-box-duration" : duration,
              "route-idle-time-for-purge" : duration,
              "derog-thresh-for-penalty-boxing" : uint16,
              "derog-thresh-ignore-commendable" : boolean,
              "commendable-clears-derogatory" : boolean,
              "route-flags-to-add-on-insert" : route_flag_list,
              "route-flags-to-clear-on-insert" : route_flag_list,
              "action-res-filter-bits-set" : action_res_flag_list,
              "action-res-filter-bits-unset" : action_res_flag_list,
              "action-res-bits-to-add" : action_res_flag_list,
              "action-res-bits-to-clear" : action_res_flag_list
          },
          "aux-parent-event" : label,
          "post-actions" : action_list,
          "insert-actions" : action_list,
          "match-actions" : action_list,
          "update-actions" : action_list,
          "delete-actions" : action_list,
          "decision-actions" : action_list
        }
    ],
    "default-policies" : {
        "default-policy" : default_policy_value,
        "default-event" : label
    },
    "routes" : [
        {
            "parent-event" : label,
            "af-wild" : boolean,
            "raddr-wild" : boolean,
            "rport-wild" : boolean,
            "laddr-wild" : boolean,
            "lport-wild" : boolean,
            "riface-wild" : boolean,
            "liface-wild" : boolean,
            "tcplike-port-numbers" : boolean,
            "direction-in" : boolean,
            "direction-out" : boolean,
            "penalty-boxed" : boolean,
            "green-listed" : boolean,
            "dont-count-hits" : boolean,
            "dont-count-current-connections" : boolean,
            "port-reset" : boolean,
            "family" : address_family,
            "protocol" : route_protocol,
            "remote" : {
                "interface" : uint8,
                "address" : route_address,
                "prefix-bits" : uint16,
                "bitmask" : route_address,
                "port" : endpoint_port
            },
            "local" : {
                "interface" : uint8,
                "address" : route_address,
                "prefix-bits" : uint16,
                "bitmask" : route_address,
                "port" : endpoint_port
            }
        }
    ],
    "user-values" : {
        label : null,
        label : true,
        label : false,
        label : number_sint64,
        label : number_float,
        label : string,
        label : { "uint" : number_uint64 },
        label : { "sint" : number_sint64 },
        label : { "float" : number_float },
        label : { "string" : string_value },
        label : { "base64" : base64_value },
        label : { "json" : json_value }
    }
}
```

`wolfsentry-config-version` -- Shall appear first, with the value `1`.

`config-update` -- Sets default and global parameters. The default parameters apply to routes that have no parent event, or a parent event with no config of its own.

- `max-connection-count` -- If nonzero, the concurrent connection limit, beyond which additional connection requests are rejected.
- `penalty-box-duration` -- If nonzero, the duration that a route stays in penalty box status before automatic release.
- `derog-thresh-for-penalty-boxing` -- If nonzero, the threshold at which accumulated derogatory counts (from `WOLFSENTRY_ACTION_RES_DEROGATORY` incidents) automatically penalty boxes a route.
- `derog-thresh-ignore-commendable` -- If true, then counts from `WOLFSENTRY_ACTION_RES_COMMENDABLE` are not subtracted from the derogatory count when checking for automatic penalty boxing.
- `commendable-clears-derogatory` -- If true, then each count from `WOLFSENTRY_ACTION_RES_COMMENDABLE` zeroes the derogatory count.
- `max-purgeable-routes` -- Global limit on the number of ephemeral routes to allow in the route table, beyond which the least recently matched ephemeral route is forced out early. Not allowed in `config` clauses of events.
- `max-purgeable-idle-time` -- Global absolute maximum idle time for ephemeral routes, controlling purges of stale (expired) ephemeral routes with nonzero `wolfsentry_route_metadata_exports.connection_count`. Default is no limit. Not allowed in `config` clauses of events.
- `route-idle-time-for-purge` -- If nonzero, the time after the most recent dispatch match for a route to be garbage-collected. Useful primarily in `config` clauses of events (see `events` below).
- `route-flags-to-add-on-insert` -- List of route flags to set on new routes upon insertion. Useful primarily in `config` clauses of events (see `events` below).
- `route-flags-to-clear-on-insert` -- List of route flags to clear on new routes upon insertion. Useful primarily in `config` clauses of events (see `events` below).
- `action-res-filter-bits-set` -- List of `action_res` flags that must be set at lookup time (dispatch) for referring routes to match. Useful primarily in `config` clauses of events (see `events` below).
- `action-res-filter-bits-unset` -- List of `action_res` flags that must be clear at lookup time (dispatch) for referring routes to match. Useful primarily in `config` clauses of events (see `events` below).
- `action-res-bits-to-add` -- List of `action_res` flags to be set upon match.
- `action-res-bits-to-clear` -- List of `action_res` flags to be cleared upon match.

`events` -- The list of events with their respective definitions. This section can appear more than once, but any given event definition shall precede any definitions that refer to it.

Each event is composed of the following elements, all of which are optional except for `label`. `label`, `priority`, and `config` shall appear before the other elements.

- `label` -- The name by which the event is identified. See the definition of `label` in the ABNF grammar below for permissible values.
- `priority` -- The priority of routes that have this event as their `parent-event` (see `routes` below). Lower number means higher priority.
- `config` -- The configuration to associate with routes with this `parent-event`, as above for `config-update`.
- `aux-parent-event` -- An event reference for use by action handlers, e.g. built-in `"%track-peer-v1"` creates routes with `aux-parent-event` as the new route's `parent-event`.
- `post-actions` -- List of actions to take when this event is passed via `event_label` to a dispatch routine such as `wolfsentry_route_event_dispatch()`.
- `insert-actions` -- List of actions to take when a route is inserted with this event as `parent-event`.
- `match-actions` -- List of actions to take when a route is matched by a dispatch routine, and the route has this event as its `parent-event`.
- `update-actions` -- List of actions to take when a route has a status update, such as a change of penalty box status, and has this event as its `parent-event`.
- `delete-actions` -- List of actions to take when a route is deleted, and has this event as its `parent-event`.
- `decision-actions` -- List of actions to take when dispatch final decision (final value of `action_results`) is determined, and the matched route has this event as its `parent-event`.

`default-policies` -- The global fallthrough default policies for dispatch routines such as `wolfsentry_route_event_dispatch()`.

- `default-policy` -- A simple `action_result` flag to set by default, either accept, reject, or reset, the latter of which causes generation of TCP reset and ICMP unreachable reply packets where relevant.
- `default-event` -- An event to use when a dispatch routine is called with a null `event_label`.

`routes` -- The list of routes with their respective definitions. This section can appear more than once.

Each route is composed of the following elements, all of which are optional.

- `parent-event` -- The event whose attributes determine the dynamics of the route.
- `family` -- The address family to match. See `address_family` definition in the ABNF grammar below for permissible values.
- `protocol` -- The protocol to match. See `route_protocol` definition in the ABNF grammar below for permissible values.
- `remote` -- The attributes to match for the remote endpoint of the traffic.
  - `interface` -- Network interface ID, as an arbitrary integer chosen and used consistently by the caller or IP stack integration.
  - `address` -- The network address, in idiomatic form. IPv4, IPv6, and MAC addresses shall enumerate all octets. See `route_address` definition in the ABNF grammar below for permissible values.
  - `prefix-bits` -- The number of bits in the `address` that traffic must match (mutually exclusive with `bitmask`).
  - `bitmask` -- A bitmask to be applied to the traffic address before matching with the route `address` (mutually exclusive with `prefix-bits`).
  - `port` -- The port number that traffic must match.
- `local` -- The attributes to match for the local endpoint of the traffic. The same nodes are available as for `remote`.
- `direction-in` -- If true, match inbound traffic.
- `direction-out` -- If true, match outbound traffic.
- `penalty-boxed` -- If true, traffic matching the route is penalty boxed (rejected or reset).
- `green-listed` -- If true, traffic matching the route is accepted.
- `dont-count-hits` -- If true, inhibit statistical bookkeeping (no effect on dynamics).
- `dont-count-current-connections` -- If true, inhibit tracking of concurrent connections, so that `max-connection-count` has no effect on traffic matching this route.
- `port-reset` -- If true, set the `WOLFSENTRY_ACTION_RES_PORT_RESET` flag in the `action_results` when this route is matched, causing TCP reset or ICMP unreachable reply packet to be generated if IP stack integration is activated (e.g. `wolfsentry_install_lwip_filter_callbacks()`).

`user-values` -- One or more sections of fully user-defined data available to application code for any use. Each key is a label as defined in the ABNF grammar below. The value can be any of:

- `null`
- `true`
- `false`
- an integral number, implicitly a signed 64 bit integer
- a floating point number, as defined in the ABNF grammar below for `number_float`
- a quoted string allowing standard JSON escapes
- any of several explicitly typed constructs, with values as defined in the ABNF grammar below.
  - `{ "uint" : number_uint64 }`
  - `{ "sint" : number_sint64 }`
  - `{ "float" : number_float }`
  - `{ "string" : string_value }`
  - `{ "base64" : base64_value }`
  - `{ "json" : json_value }`

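
An added example, not part of wolfSentry or its documentation: a Python pre-check that walks a configuration in document order and reports violations of the sequence constraints, the reserved `%` event-label prefix, and the `prefix-bits`/`bitmask` exclusion described above. The function names and both sample documents are constructed for illustration; it assumes the top level is a JSON object and does not validate values against the ABNF grammar.

```python
import json

BUILTIN_PREFIX = "%"  # default WOLFSENTRY_BUILTIN_LABEL_PREFIX, per the text
EVENT_HEAD = ("label", "priority", "config")  # must lead each event definition

def _check_ref(key, label, defined, problems):
    if label not in defined:
        problems.append(f'"{key}" refers to "{label}" before any definition of it')

def _check_event(event, defined, problems):
    fields = dict(event)
    label = fields.get("label")
    if label is None:
        problems.append('event has no "label"')
        return
    if label.startswith(BUILTIN_PREFIX):
        problems.append(f'event label "{label}" uses the reserved built-in prefix')
    seen_other = False
    for key, _ in event:  # walk the elements in document order
        if key not in EVENT_HEAD:
            seen_other = True
        elif seen_other:
            problems.append(f'event "{label}": "{key}" appears after other elements')
    if "aux-parent-event" in fields:
        _check_ref("aux-parent-event", fields["aux-parent-event"], defined, problems)
    defined.add(label)  # assumption: a self-reference counts as a forward reference

def _check_route(route, defined, problems):
    fields = dict(route)
    if "parent-event" in fields:
        _check_ref("parent-event", fields["parent-event"], defined, problems)
    for side in ("remote", "local"):
        endpoint = dict(fields.get(side, []))
        if "prefix-bits" in endpoint and "bitmask" in endpoint:
            problems.append(f'route {side}: "prefix-bits" and "bitmask" both given')

def lint_config(text):
    """Return the ordering and label problems found in a wolfSentry JSON config."""
    # Objects become (key, value) pair lists in document order; repeats survive.
    top = json.loads(text, object_pairs_hook=list)
    problems, defined = [], set()
    if not top or top[0][0] != "wolfsentry-config-version":
        problems.append('"wolfsentry-config-version" is not the first element')
    for section, body in top:
        if section == "events":
            for event in body:
                _check_event(event, defined, problems)
        elif section == "default-policies" and "default-event" in dict(body):
            _check_ref("default-event", dict(body)["default-event"], defined, problems)
        elif section == "routes":
            for route in body:
                _check_route(route, defined, problems)
    return problems

# Constructed sample documents (not taken from the wolfSentry distribution).
GOOD = """{
  "wolfsentry-config-version": 1,
  "events": [{"label": "on-insert", "priority": 1},
    {"label": "on-connect", "priority": 2, "config": {"penalty-box-duration": "5m"},
     "aux-parent-event": "on-insert", "post-actions": ["%track-peer-v1"]}],
  "default-policies": {"default-policy": "reject", "default-event": "on-connect"},
  "routes": [{"parent-event": "on-connect", "direction-in": true, "family": "inet",
              "remote": {"address": "192.0.2.0", "prefix-bits": 24}}]
}"""
BAD = """{
  "events": [{"label": "%mine", "post-actions": ["%track-peer-v1"], "priority": 3,
              "aux-parent-event": "later"}, {"label": "later"}],
  "wolfsentry-config-version": 1,
  "routes": [{"parent-event": "missing", "remote":
              {"address": "192.0.2.1", "prefix-bits": 32, "bitmask": "255.255.255.255"}}]
}"""

if __name__ == "__main__":
    print(lint_config(GOOD) or "GOOD: ok", *lint_config(BAD), sep="\n")
```

A load with `WOLFSENTRY_CONFIG_LOAD_FLAG_DRY_RUN` remains the library's own validation of a document; this pre-check covers only the ordering and label rules listed in its lead-in.
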
Below is the formal ABNF definition of the configuration syntax and permitted values.
This definition uses ABNF syntax as prescribed in RFC 5234 and 7405, except:

- Whitespace is ignored, as provided in RFC 8259.
- a `-` operator is added, accepting a quoted literal string or a group of literal characters, to provide for omitted character(s) in the target text (here, trailing comma separators) by performing all notional matching operations of the containing group up to that point with the target text notionally extended with the argument to the operator.

The length limits used in the definition assume the default values in
`wolfsentry_settings.h`, 32 octets for labels (`WOLFSENTRY_MAX_LABEL_BYTES`), and
16384 octets for user-defined values (`WOLFSENTRY_KV_MAX_VALUE_BYTES`). These
values can be overridden at build time with user-supplied values.

```
"{"
    DQUOTE %s"wolfsentry-config-version" DQUOTE ":" uint32
    [ "," DQUOTE %s"config-update" DQUOTE ":" top_config_list "," ]
    *("," DQUOTE %s"events" DQUOTE ":" "["
        event *("," event)
    "]")
    [ "," DQUOTE %s"default-policies" DQUOTE ":" "{"
        default_policy_item *("," default_policy_item)
    "}" ]
    *("," DQUOTE %s"routes" DQUOTE ":" "["
        route *("," route)
    "]")
    *("," DQUOTE %s"user-values" DQUOTE ":" "{"
        user_item *("," user_item)
    "}")
"}"

event = "{" label_clause
    [ "," priority_clause ]
    [ "," event_config_clause ]
    [ "," aux_parent_event_clause ]
    *("," action_list_clause) "}"

default_policy_item =
    (DQUOTE %s"default-policy" DQUOTE ":" default_policy_value) /
    (DQUOTE %s"default-event" DQUOTE ":" label)

default_policy_value = (%s"accept" / %s"reject" / %s"reset")

label_clause = DQUOTE %s"label" DQUOTE ":" label
priority_clause = DQUOTE %s"priority" DQUOTE ":" uint16
event_config_clause = DQUOTE %s"config" DQUOTE ":" event_config_list
aux_parent_event_clause = DQUOTE %s"aux-parent-event" DQUOTE ":" label

action_list_clause = DQUOTE (%s"post-actions" / %s"insert-actions" / %s"match-actions"
    / %s"update-actions" / %s"delete-actions" / %s"decision-actions") DQUOTE
    ":" action_list

action_list = "[" label *("," label) "]"
event_config_list = "{" event_config_item *("," event_config_item) "}"
top_config_list = "{" top_config_item *("," top_config_item) "}"
top_config_item = event_config_item / max_purgeable_routes_clause / max_purgeable_idle_time_clause

event_config_item =
    (DQUOTE %s"max-connection-count" DQUOTE ":" uint32) /
    (DQUOTE %s"penalty-box-duration" DQUOTE ":" duration) /
    (DQUOTE %s"route-idle-time-for-purge" DQUOTE ":" duration) /
    (DQUOTE %s"derog-thresh-for-penalty-boxing" DQUOTE ":" uint16) /
    (DQUOTE %s"derog-thresh-ignore-commendable" DQUOTE ":" boolean) /
    (DQUOTE %s"commendable-clears-derogatory" DQUOTE ":" boolean) /
    (DQUOTE (%s"route-flags-to-add-on-insert" / %s"route-flags-to-clear-on-insert") DQUOTE ":" route_flag_list) /
    (DQUOTE (%s"action-res-filter-bits-set" / %s"action-res-filter-bits-unset" / %s"action-res-bits-to-add" / %s"action-res-bits-to-clear") DQUOTE ":" action_res_flag_list)

duration = number_sint64 / (DQUOTE number_sint64 [ %s"d" / %s"h" / %s"m" / %s"s" ] DQUOTE)
max_purgeable_routes_clause = DQUOTE %s"max-purgeable-routes" DQUOTE ":" uint32
max_purgeable_idle_time_clause = DQUOTE %s"max-purgeable-idle-time" DQUOTE ":" duration
route_flag_list = "[" route_flag *("," route_flag) "]"
action_res_flag_list = "[" action_res_flag *("," action_res_flag) "]"

route = "{"
    [ parent_event_clause "," ]
    *(route_flag_clause ",")
    [ family_clause ","
        [ route_protocol_clause "," ]
    ]
    [ route_remote_endpoint_clause "," ]
    [ route_local_endpoint_clause "," ]
    -","
"}"

parent_event_clause = DQUOTE %s"parent-event" DQUOTE ":" label
route_flag_clause = route_flag ":" boolean
family_clause = DQUOTE %s"family" DQUOTE ":" address_family
route_protocol_clause = DQUOTE %s"protocol" DQUOTE ":" route_protocol
route_remote_endpoint_clause = DQUOTE %s"remote" DQUOTE ":" route_endpoint
route_local_endpoint_clause = DQUOTE %s"local" DQUOTE ":" route_endpoint

route_endpoint = "{"
    [ route_interface_clause "," ]
    [ route_address_clause ","
        [ (route_address_prefix_bits_clause / route_address_bitmask_clause) "," ]
    ]
    [ route_port_clause "," ]
    -","
"}"

route_interface_clause = DQUOTE %s"interface" DQUOTE ":" uint8
route_address_clause = DQUOTE %s"address" DQUOTE ":" route_address
route_address_bitmask_clause = DQUOTE %s"bitmask" DQUOTE ":" route_address
route_address = DQUOTE (route_address_ipv4 / route_address_ipv6 / route_address_mac / route_address_user) DQUOTE
route_address_ipv4 = uint8 3*3("." uint8)
route_address_ipv6 = < IPv6address from RFC 5954 section 4.1 >
route_address_mac = 1*2HEXDIG ( 5*5(":" 1*2HEXDIG) / 7*7(":" 1*2HEXDIG) )
route_address_user = < an address in a form recognized by a parser
                       installed with `wolfsentry_addr_family_handler_install()`
                     >
address_family = uint16 / address_family_name
address_family_name = DQUOTE ( "inet" / "inet6" / "link" / < a value recognized by wolfsentry_addr_family_pton() > ) DQUOTE
route_address_prefix_bits_clause = DQUOTE %s"prefix-bits" DQUOTE ":" uint16
route_protocol = uint16 / route_protocol_name
route_protocol_name = DQUOTE < a value recognized by getprotobyname_r(), requiring address family inet or inet6 > DQUOTE
route_port_clause = DQUOTE %s"port" DQUOTE ":" endpoint_port
endpoint_port = uint16 / endpoint_port_name
endpoint_port_name = DQUOTE < a value recognized by getservbyname_r() for the previously designated protocol > DQUOTE

route_flag = DQUOTE (
    %s"af-wild" /
    %s"raddr-wild" /
    %s"rport-wild" /
    %s"laddr-wild" /
    %s"lport-wild" /
    %s"riface-wild" /
    %s"liface-wild" /
    %s"tcplike-port-numbers" /
    %s"direction-in" /
    %s"direction-out" /
    %s"penalty-boxed" /
    %s"green-listed" /
    %s"dont-count-hits" /
    %s"dont-count-current-connections" /
    %s"port-reset"
) DQUOTE

action_res_flag = DQUOTE (
    %s"none" /
    %s"accept" /
    %s"reject" /
    %s"connect" /
    %s"disconnect" /
    %s"derogatory" /
    %s"commendable" /
    %s"stop" /
    %s"deallocated" /
    %s"inserted" /
    %s"error" /
    %s"fallthrough" /
    %s"update" /
    %s"port-reset" /
    %s"sending" /
    %s"received" /
    %s"binding" /
    %s"listening" /
    %s"stopped-listening" /
    %s"connecting-out" /
    %s"closed" /
    %s"unreachable" /
    %s"sock-error" /
    %s"user+0" /
    %s"user+1" /
    %s"user+2" /
    %s"user+3" /
    %s"user+4" /
    %s"user+5" /
    %s"user+6" /
    %s"user+7"
) DQUOTE

user_item = label ":" ( null / true / false / number_sint64_decimal / number_float / string / strongly_typed_user_item )

strongly_typed_user_item =
    ( "{" DQUOTE %s"uint" DQUOTE ":" number_uint64 "}" ) /
    ( "{" DQUOTE %s"sint" DQUOTE ":" number_sint64 "}" ) /
    ( "{" DQUOTE %s"float" DQUOTE ":" number_float "}" ) /
    ( "{" DQUOTE %s"string" DQUOTE ":" string_value "}" ) /
    ( "{" DQUOTE %s"base64" DQUOTE ":" base64_value "}" ) /
    json_value_clause

json_value_clause = "{" DQUOTE %s"json" DQUOTE ":" json_value "}"
null = %s"null"
true = %s"true"
false = %s"false"
boolean = true / false

number_uint64 = < decimal number in the range 0...18446744073709551615 > /
    ( DQUOTE < hexadecimal number in the range 0x0...0xffffffffffffffff > DQUOTE ) /
    ( DQUOTE < octal number in the range 00...01777777777777777777777 > DQUOTE )

number_sint64_decimal = < decimal number in the range -9223372036854775808...9223372036854775807 >

number_sint64 = number_sint64_decimal /
    ( DQUOTE < hexadecimal number in the range -0x8000000000000000...0x7fffffffffffffff > DQUOTE ) /
    ( DQUOTE < octal number in the range -01000000000000000000000...0777777777777777777777 > DQUOTE )

number_float = < floating point value in a form and range recognized by the linked strtod() implementation >
string_value = DQUOTE < any RFC 8259 JSON-valid string that decodes to at most 16384 octets > DQUOTE
base64_value = DQUOTE < any valid RFC 4648 base64 encoding that decodes to at most 16384 octets > DQUOTE

json_value = < any valid, complete and balanced RFC 8259 JSON expression, with
               keys limited to WOLFSENTRY_MAX_LABEL_BYTES (default 32 bytes),
               overall input length limited to WOLFSENTRY_JSON_VALUE_MAX_BYTES
               if set (default unset), and overall depth limited to
               WOLFSENTRY_MAX_JSON_NESTING (default 16) including the 4 parent
               levels
             >

label = DQUOTE < any RFC 8259 JSON-valid string that decodes to at least 1 and at most 32 octets > DQUOTE
uint32 = < decimal integral number in the range 0...4294967295 >
uint16 = < decimal integral number in the range 0...65535 >
uint8 = < decimal integral number in the range 0...255 >
```