pf: certain recursive macros causing syntax error
Aham Brahmasmi
2018-04-11 22:33:33 UTC
Hello misc,

Recursive macros which include macros containing certain specific
characters cause syntax errors.

Steps
$ cat pftemp.conf
forwardslash = "100/10"
#forwardslashrecursive = $forwardslash
number = "100"
numberrecursive = $number
string = "keep"
#stringrecursive = $string
ip = "0.0.0.0"
iprecursive = $ip
interface = "em0"
interfacerecursive = $interface

pass in on $interfacerecursive proto tcp from $iprecursive \
$string state \
(max-src-conn $numberrecursive, max-src-conn-rate $forwardslash)

$ pfctl -nf pftemp.conf

The above pf.conf is validated successfully by pfctl. However, removing
the comments from the recursive versions of the forwardslash and string
macros causes syntax errors upon validation with pfctl.

Interestingly, not all macros containing number+character combinations
and strings get rejected by pfctl. In the above example, ip and
interface macros can be successfully used in a recursive macro.

Am I correct in drawing these conclusions? If yes, is there a listing
of these specific characters, which are allowed in recursive macros?

Regards,
ab
Theo de Raadt
2018-04-12 03:57:49 UTC
Aham Brahmasmi <***@gmx.com> wrote:

> Hello misc,
>
> Recursive macros which include macros containing certain specific
> characters cause syntax errors.
>
> Steps
> $ cat pftemp.conf
> forwardslash = "100/10"
> #forwardslashrecursive = $forwardslash
> number = "100"
> numberrecursive = $number
> string = "keep"
> #stringrecursive = $string
> ip = "0.0.0.0"
> iprecursive = $ip
> interface = "em0"
> interfacerecursive = $interface
>
> pass in on $interfacerecursive proto tcp from $iprecursive \
> $string state \
> (max-src-conn $numberrecursive, max-src-conn-rate $forwardslash)
>
> $ pfctl -nf pftemp.conf
>
> The above pf.conf is validated successfully by pfctl. However, removing
> the comments from the recursive versions of the forwardslash and string
> macros causes syntax errors upon validation with pfctl.

You are failing to understand the problem. Let me try to explain it.

In such a grammar, who consumes the "" marks?

Imagine this was the shell. (I'm saying the shell, as one potential
grammar.)

set forwardslash="100/10"
echo $forwardslash
"100/100"

No, what you get is
100/100

OK, if that is what happens, you would get

forwardslashrecursive = $forwardslash
converts to
forwardslashrecursive = 100/100

Which doesn't parse.

It is a question of who consumes the "". Is it early, or is it late?
There are grammars which have a "string object" that retains the "" until
very late. This isn't that grammar.

The domain-specific languages used in OpenBSD utilities don't work that
way, sorry.

We could change it 15 years after the fact, but any change we make
will break millions of configurations.

I should have done it differently back in 2001.
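Theo's point can be made concrete with a toy lexer. The following is an added example, not code from this thread and not OpenBSD's pfctl: the keyword list and the separator set are simplified assumptions standing in for the real grammar, and the macro table is a plain dictionary. What it models is the ordering he describes: the "" are consumed when a macro is defined, so a macro that is expanded inside another macro's definition is re-lexed as bare text, where `100/10` splits into three tokens and `keep` becomes a keyword rather than a string.

```python
"""Toy model of early quote consumption in a pf.conf-style macro grammar.
Added example; the keyword and separator sets are assumptions, not pf's."""
import re

# Assumption: a small subset of words the grammar treats as keywords.
KEYWORDS = {"pass", "in", "on", "proto", "tcp", "from", "to", "keep", "state"}
# Assumption: characters a bare word may not contain; each is its own token.
SEPARATORS = set("(){}<>!=/#,")
MACRO_REF = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")


def tokenize(text, macros):
    """Lex one line into (kind, value) tokens.

    A quoted run becomes one STRING token with the quotes consumed.  A $name
    reference is replaced by the macro's stored (already unquoted) value and
    the line is lexed again from that point: that re-lexing is the surprise.
    """
    tokens, i = [], 0
    while i < len(text):
        c = text[i]
        if c.isspace():
            i += 1
        elif c == "#":                          # comment to end of line
            break
        elif c in "\"'":
            end = text.find(c, i + 1)
            if end < 0:
                raise SyntaxError("unterminated string")
            tokens.append(("STRING", text[i + 1:end]))
            i = end + 1
        elif c == "$":
            m = MACRO_REF.match(text, i)
            if not m:
                raise SyntaxError("bad macro reference")
            if m.group(1) not in macros:
                raise SyntaxError(f"macro '{m.group(1)}' not defined")
            # Splice in the bare value and leave i unchanged so it is re-lexed.
            text = text[:i] + macros[m.group(1)] + text[m.end():]
        elif c in SEPARATORS:
            tokens.append(("CHAR", c))
            i += 1
        else:
            j = i
            while (j < len(text) and not text[j].isspace()
                   and text[j] not in SEPARATORS and text[j] not in "\"'$"):
                j += 1
            word = text[i:j]
            kind = ("KEYWORD" if word in KEYWORDS
                    else "NUMBER" if word.isdigit() else "STRING")
            tokens.append((kind, word))
            i = j
    return tokens


def define_macro(line, macros):
    """Handle `name = value ...`, storing the value with quotes consumed.

    The right-hand side may only be STRING and NUMBER tokens.  A bare '/'
    or a keyword such as 'keep' is rejected, which pfctl reports as a
    syntax error.
    """
    name, _, rhs = line.partition("=")
    name = name.strip()
    if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", name):
        raise SyntaxError(f"bad macro name {name!r}")
    toks = tokenize(rhs, macros)
    if not toks:
        raise SyntaxError(f"{name}: empty value")
    bad = [t for t in toks if t[0] not in ("STRING", "NUMBER")]
    if bad:
        raise SyntaxError(f"{name}: unexpected {bad} after expanding {rhs.strip()!r}")
    macros[name] = " ".join(value for _, value in toks)


def check_definitions(lines):
    """Process definitions in order; map each name to None (ok) or an error."""
    macros, results = {}, {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name = line.split("=", 1)[0].strip()
        try:
            define_macro(line, macros)
            results[name] = None
        except SyntaxError as exc:
            results[name] = str(exc)
    return results, macros


# Constructed input: the thread's pftemp.conf with both commented-out
# recursive definitions enabled, so that every case is exercised.
SAMPLE = """\
forwardslash = "100/10"
forwardslashrecursive = $forwardslash
number = "100"
numberrecursive = $number
string = "keep"
stringrecursive = $string
ip = "0.0.0.0"
iprecursive = $ip
interface = "em0"
interfacerecursive = $interface
""".splitlines()

if __name__ == "__main__":
    results, macros = check_definitions(SAMPLE)
    for name, err in results.items():
        print(f"{name:24} {'ok' if err is None else 'syntax error: ' + err}")
    print(tokenize("$string state", macros))   # bare keyword is fine in a rule
```

Running it accepts number, ip and interface recursively and rejects forwardslashrecursive and stringrecursive, matching the report; the last line shows why `$string` still works inside the rule, where the grammar wants the bare keyword `keep` rather than a string.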
Aham Brahmasmi
2018-04-12 21:10:25 UTC
> Sent: Thursday, April 12, 2018 at 5:57 AM
> From: "Theo de Raadt" <***@openbsd.org>
> To: "Aham Brahmasmi" <***@gmx.com>
> Cc: ***@openbsd.org
> Subject: Re: pf: certain recursive macros causing syntax error
>
> Aham Brahmasmi <***@gmx.com> wrote:
>
> > Hello misc,
> >
> > Recursive macros which include macros containing certain specific
> > characters cause syntax errors.
> >
> > Steps
> > $ cat pftemp.conf
> > forwardslash = "100/10"
> > #forwardslashrecursive = $forwardslash
> > number = "100"
> > numberrecursive = $number
> > string = "keep"
> > #stringrecursive = $string
> > ip = "0.0.0.0"
> > iprecursive = $ip
> > interface = "em0"
> > interfacerecursive = $interface
> >
> > pass in on $interfacerecursive proto tcp from $iprecursive \
> > $string state \
> > (max-src-conn $numberrecursive, max-src-conn-rate $forwardslash)
> >
> > $ pfctl -nf pftemp.conf
> >
> > The above pf.conf is validated successfully by pfctl. However, removing
> > the comments from the recursive versions of the forwardslash and string
> > macros causes syntax errors upon validation with pfctl.
>
> You are failing to understand the problem. Let me try to explain it.
>
> In such a grammar, who consumes the "" marks?
>
> Imagine this was the shell. (I'm saying the shell, as one potential
> grammar.)
>
> set forwardslash="100/10"
> echo $forwardslash
> "100/100"
>
> No, what you get is
> 100/100
>
> OK, if that is what happens, you would get
>
> forwardslashrecursive = $forwardslash
> converts to
> forwardslashrecursive = 100/100
>
> Which doesn't parse.
>
> It is a question of who consumes the "". Is it early, or is it late?
> There are grammars which have a "string object" that retains the "" until
> very late. This isn't that grammar.


Thank you Theo for your reply.

Your shell example along with the explanation helped me understand
the nature of the problem.

While mentally substituting the macros, I had assumed that the macro
value would always be substituted everywhere as is, along with the "".


>
> The domain-specific languages used in OpenBSD utilities don't work that
> way, sorry.
>
> We could change it 15 years after the fact, but any change we make
> will break millions of configurations.
>
> I should have done it differently back in 2001.


Please, no sorry. If anything, I thank you and the entire OpenBSD team.

Regards,
ab