just tested this. how nice. makes the configuration file infinitely more 
readable without having to hassle over extra whitespace (which is not 
meaningful).

just for the record, it seems, in lists, the parser treats newline as a space 

so you can have something like this, which is confusing to me but it might be 
readable to somebody else:

pass    in on $DMZ_if                   \
                inet proto {
                                        tcp udp
                                        }       \
                to port $keep_tcp_out


> On 05 Sep 2015, at 18:48, Benny Lofgren <bl-li...@lofgren.biz> wrote:
> 
> On 2015-09-04 14:30, Joseph A Borg wrote:
>> I have something like this in pf.conf:
>> 
>> services                     = "{
>>                                 ssh,                            \
>>                                 http, https, 8000, 8080, 8088,  \
>>                                 smtp, pop3, pop3s, imap, imaps, \
>>                                 submission, 465,                \
>>                                 domain, ntp                     \
>>                              }"
>> 
>> if there’s white space after the back slash the parser barfs by not creating 
>> the macro and then raising an error when it’s first used.
>> 
>> I would assume this to be an inconvenience for the user as it’s not always 
>> possible to check whitespace after the backslash
> 
> 
> Everyone who commented so far seems to have missed the obvious - you
> don't NEED to escape the newline in this case. The parser handles this
> case just fine without them:
> 
> paddan:/etc# cat /tmp/tstpf.conf
> services = "{
>                ssh,
>                http, https, 8000, 8080, 8088,
>                smtp, pop3, pop3s, imap, imaps,
>                submission, 465,
>                domain, ntp
>        }"
> 
> block in proto tcp from any to any port $services
> 
> paddan:/etc# pfctl -f /tmp/tstpf.conf
> paddan:/etc# pfctl -s rules
> block drop in proto tcp from any to any port = 22
> block drop in proto tcp from any to any port = 80
> block drop in proto tcp from any to any port = 443
> block drop in proto tcp from any to any port = 8000
> block drop in proto tcp from any to any port = 8080
> block drop in proto tcp from any to any port = 8088
> block drop in proto tcp from any to any port = 25
> block drop in proto tcp from any to any port = 110
> block drop in proto tcp from any to any port = 995
> block drop in proto tcp from any to any port = 143
> block drop in proto tcp from any to any port = 993
> block drop in proto tcp from any to any port = 587
> block drop in proto tcp from any to any port = 465
> block drop in proto tcp from any to any port = 53
> block drop in proto tcp from any to any port = 123
> paddan:/etc# _
> 
> 
> Regards,
> /Benny
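
Added example, not part of the original thread: a shell lint for the failure described in the quoted question, where a line-continuation backslash is followed by invisible trailing whitespace. The function names and the sample file are constructed for illustration and are not part of pfctl.

```shell
#!/bin/sh
# Added example: find and repair "backslash + trailing whitespace" in a
# pf.conf-style file. All function names here are hypothetical helpers.

# Print file:line for every line where blanks (or a CR) follow a final
# backslash. Returns 1 if any such line exists, 0 otherwise.
pf_lint_continuations() {
    awk '
        /\\[ \t\r]+$/ {
            printf "%s:%d: whitespace after line-continuation backslash\n", FILENAME, FNR
            bad = 1
        }
        END { exit bad }
    ' "$1"
}

# Write a cleaned copy to stdout: whitespace after a final backslash is
# removed; every other line is passed through unchanged.
pf_fix_continuations() {
    sed 's/\\[[:space:]]\{1,\}$/\\/' "$1"
}

# Constructed sample input: line 1 is a clean continuation, line 2 has two
# spaces after the backslash, line 3 has a tab after it, line 4 closes the macro.
pf_write_sample() {
    {
        printf 'services = "{ \\\n'
        printf '    ssh, http, https, \\  \n'
        printf '    domain, ntp \\\t\n'
        printf '}"\n'
    } > "$1"
}

# Demo: lint the constructed sample and report the offending lines.
tmp=$(mktemp) && pf_write_sample "$tmp"
pf_lint_continuations "$tmp" || echo "clean copy: pf_fix_continuations $tmp"
rm -f "$tmp"
```

Once the file is clean, `pfctl -nf <file>` parses the ruleset without loading it.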
