pf: certain recursive macros causing syntax error
Aham Brahmasmi
2018-04-11 22:33:33 UTC
Hello misc,

Recursive macros which include macros containing certain specific
characters cause syntax errors.

Steps
$ cat pftemp.conf
forwardslash = "100/10"
#forwardslashrecursive = $forwardslash
number = "100"
numberrecursive = $number
string = "keep"
#stringrecursive = $string
ip = "0.0.0.0"
iprecursive = $ip
interface = "em0"
interfacerecursive = $interface

pass in on $interfacerecursive proto tcp from $iprecursive \
$string state \
(max-src-conn $numberrecursive, max-src-conn-rate $forwardslash)

$ pfctl -nf pftemp.conf

The above pf.conf is validated successfully by pfctl. However, removing
the comments from the recursive versions of the forwardslash and string
macros causes syntax errors upon validation with pfctl.

Interestingly, not all macros containing number+character combinations
and strings get rejected by pfctl. In the above example, ip and
interface macros can be successfully used in a recursive macro.

Am I correct in drawing these conclusions? If yes, is there a listing
of these specific characters, which are allowed in recursive macros?

Regards,
ab
---------|---------|---------|---------|---------|---------|---------|--
Theo de Raadt
2018-04-12 03:57:49 UTC
Post by Aham Brahmasmi
> Hello misc,
> Recursive macros which include macros containing certain specific
> characters cause syntax errors.
> Steps
> $ cat pftemp.conf
> forwardslash = "100/10"
> #forwardslashrecursive = $forwardslash
> number = "100"
> numberrecursive = $number
> string = "keep"
> #stringrecursive = $string
> ip = "0.0.0.0"
> iprecursive = $ip
> interface = "em0"
> interfacerecursive = $interface
> pass in on $interfacerecursive proto tcp from $iprecursive \
> $string state \
> (max-src-conn $numberrecursive, max-src-conn-rate $forwardslash)
> $ pfctl -nf pftemp.conf
> The above pf.conf is validated successfully by pfctl. However, removing
> the comments from the recursive versions of the forwardslash and string
> macros causes syntax errors upon validation with pfctl.
You are failing to understand the problem. Let me try to explain it.

In such a grammar, who consumes the "" marks?

Imagine this was the shell. (I'm saying the shell, as one potential
grammar)

set forwardslash="100/10"
echo $forwardslash
"100/100"

No, what you get is
100/100

OK, if that is what happens, you would get

forwardslashrecursive = $forwardslash
converts to
forwardslashrecursive = 100/100

Which doesn't parse.

It is a question of who consumes the "". Is it early, or is it late?
There are grammars which have a "string object" which retains the "" until
very late. This isn't that grammar.

The domain-specific languages used in OpenBSD utilities don't work that
way, sorry.

We could change it 15 years after the fact, but any change we make
will break millions of configurations.

I should have done it differently back in 2001.
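The two expansion models Theo contrasts (quotes consumed when the value is read, versus a "string object" that keeps them until late) can be made concrete with a small simulator. The following Python is an added illustration written for this thread; it is not pfctl's parser and not code from anyone in the discussion. It assumes a simplified lexer in which `/`, `(`, `)`, `,` and `=` end a bare word and become one-character tokens, `"..."` yields a single token with the quotes removed, and `$name` splices the stored macro text back into the input so it is lexed again. The keyword list and the sample config are constructed for the example; the rule grammar itself is not modelled, only the lexing and the macro-definition rule that every value token must be a plain string.

```python
"""Toy model (constructed for this thread, not pfctl's parser) of why
`forwardslashrecursive = $forwardslash` fails: the lexer consumes the ""
when it reads a quoted value, the macro stores the bare text, and $name
splices that text back into the input, where it is lexed again."""

import re

# Keywords the sample rule needs; a real pf.conf has many more (assumption).
KEYWORDS = {"pass", "in", "on", "proto", "from", "state", "keep",
            "max-src-conn", "max-src-conn-rate"}
# Characters that end a bare word and become one-character tokens.
# Assumption: '/' behaves this way in pf (it separates the two numbers in "100/10").
SEPARATORS = set("/(),=")
WORD_RE = re.compile(r"[A-Za-z0-9_.:-]+")
MACRO_RE = re.compile(r"[A-Za-z0-9_]+")


class PfSyntaxError(Exception):
    pass


def lex(line, macros, late_quotes=False):
    """Tokenise one logical line, splicing $macro values into the stream.

    late_quotes=False models pf: quotes are consumed here, values are stored bare.
    late_quotes=True models a grammar with a string object that keeps the ""
    attached to the value, so a re-lexed macro is still one token."""
    tokens, i = [], 0
    while i < len(line):
        c = line[i]
        if c.isspace():
            i += 1
        elif c == "#":                          # comment to end of line
            break
        elif c == '"':
            end = line.find('"', i + 1)
            if end < 0:
                raise PfSyntaxError("unterminated string")
            text = line[i:end + 1] if late_quotes else line[i + 1:end]
            tokens.append(("STRING", text))
            i = end + 1
        elif c == "$":                          # macro reference
            m = MACRO_RE.match(line, i + 1)
            name = m.group() if m else ""
            if name not in macros:
                raise PfSyntaxError("macro '%s' not defined" % name)
            # Splice the stored value in and re-lex from the same position.
            line = line[:i] + macros[name] + line[m.end():]
        elif c in SEPARATORS:
            tokens.append((c, c))
            i += 1
        else:
            m = WORD_RE.match(line, i)
            if not m:
                raise PfSyntaxError("unexpected character '%s'" % c)
            word = m.group()
            tokens.append(("KEYWORD" if word in KEYWORDS else "STRING", word))
            i = m.end()
    return tokens


def process_line(line, macros, late_quotes=False):
    """Validate one logical line and record macro definitions."""
    try:
        tokens = lex(line, macros, late_quotes)
    except PfSyntaxError as e:
        return "syntax error: %s" % e
    if len(tokens) >= 2 and tokens[1] == ("=", "="):
        # Macro definition: NAME '=' value. Every value token must be a plain
        # STRING, which is exactly what a re-lexed '/' or 'keep' is not.
        if tokens[0][0] != "STRING" or len(tokens) < 3:
            return "syntax error: bad macro definition"
        bad = [t for t in tokens[2:] if t[0] != "STRING"]
        if bad:
            return "syntax error: '%s' cannot appear in a macro value" % bad[0][1]
        macros[tokens[0][1]] = " ".join(t[1] for t in tokens[2:])
    # Rule lines are only checked for lexing here; the rule grammar is not modelled.
    return "ok"


def check_config(text, late_quotes=False):
    """Return [(first_line_no, status)] per logical line, in the spirit of pfctl -nf."""
    macros, results, logical, start = {}, [], "", None
    for n, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = n
        if raw.rstrip().endswith("\\"):         # line continuation
            logical += raw.rstrip()[:-1] + " "
            continue
        results.append((start, process_line(logical + raw, macros, late_quotes)))
        logical, start = "", None
    return results


# Constructed sample: the thread's config with both commented lines enabled.
SAMPLE = """\
forwardslash = "100/10"
forwardslashrecursive = $forwardslash
number = "100"
numberrecursive = $number
string = "keep"
stringrecursive = $string
ip = "0.0.0.0"
iprecursive = $ip
interface = "em0"
interfacerecursive = $interface

pass in on $interfacerecursive proto tcp from $iprecursive \\
$string state \\
(max-src-conn $numberrecursive, max-src-conn-rate $forwardslash)
"""

if __name__ == "__main__":
    for mode in (False, True):
        print("late_quotes=%s" % mode)
        for n, status in check_config(SAMPLE, late_quotes=mode):
            print("  line %2d: %s" % (n, status))
```

Run as a script, the first pass reports a syntax error on line 2 (the spliced `100/10` lexes as `100`, `/`, `10`) and on line 6 (the spliced `keep` lexes as a keyword rather than a string), while `100`, `0.0.0.0` and `em0` survive re-lexing as single strings; the second pass, with the quotes retained until late, accepts every line. That difference is the whole of the "who consumes the quotes" question.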
Aham Brahmasmi
2018-04-12 21:10:25 UTC
> Sent: Thursday, April 12, 2018 at 5:57 AM
> Subject: Re: pf: certain recursive macros causing syntax error
> Post by Aham Brahmasmi
>> Hello misc,
>> Recursive macros which include macros containing certain specific
>> characters cause syntax errors.
>> Steps
>> $ cat pftemp.conf
>> forwardslash = "100/10"
>> #forwardslashrecursive = $forwardslash
>> number = "100"
>> numberrecursive = $number
>> string = "keep"
>> #stringrecursive = $string
>> ip = "0.0.0.0"
>> iprecursive = $ip
>> interface = "em0"
>> interfacerecursive = $interface
>> pass in on $interfacerecursive proto tcp from $iprecursive \
>> $string state \
>> (max-src-conn $numberrecursive, max-src-conn-rate $forwardslash)
>> $ pfctl -nf pftemp.conf
>> The above pf.conf is validated successfully by pfctl. However, removing
>> the comments from the recursive versions of the forwardslash and string
>> macros causes syntax errors upon validation with pfctl.
> You are failing to understand the problem. Let me try to explain it.
> In such a grammar, who consumes the "" marks?
> Imagine this was the shell. (I'm saying the shell, as one potential
> grammar)
> set forwardslash="100/10"
> echo $forwardslash
> "100/100"
> No, what you get is
> 100/100
> OK, if that is what happens, you would get
> forwardslashrecursive = $forwardslash
> converts to
> forwardslashrecursive = 100/100
> Which doesn't parse.
> It is a question of who consumes the "". Is it early, or is it late?
> There are grammars which have a "string object" which retains the "" until
> very late. This isn't that grammar.
Thank you Theo for your reply.

Your shell example along with the explanation helped me understand
the nature of the problem.

While mentally substituting the macros, I had assumed that the macro
value would be always substituted everywhere as is along with the "".
> The domain-specific languages used in OpenBSD utilities don't work that
> way, sorry.
> We could change it 15 years after the fact, but any change we make
> will break millions of configurations.
> I should have done it differently back in 2001.
Please, no sorry. If anything, I thank you and the entire OpenBSD team.

Regards,
ab
---------|---------|---------|---------|---------|---------|---------|--