> Sent: Thursday, April 12, 2018 at 5:57 AM
> From: "Theo de Raadt" <dera...@openbsd.org>
> To: "Aham Brahmasmi" <aham.brahma...@gmx.com>
> Cc: misc@openbsd.org
> Subject: Re: pf: certain recursive macros causing syntax error
>
> Aham Brahmasmi <aham.brahma...@gmx.com> wrote:
> 
> > Hello misc,
> > 
> > Recursive macros which include macros containing certain specific
> > characters cause syntax errors.
> > 
> > Steps
> > $ cat pftemp.conf
> > forwardslash = "100/10"
> > #forwardslashrecursive = $forwardslash
> > number = "100"
> > numberrecursive = $number
> > string = "keep"
> > #stringrecursive = $string
> > ip = "0.0.0.0"
> > iprecursive = $ip
> > interface = "em0"
> > interfacerecursive = $interface
> > 
> > pass in on $interfacerecursive proto tcp from $iprecursive \
> >     $string state \
> >     (max-src-conn $numberrecursive, max-src-conn-rate $forwardslash)
> > 
> > $ pfctl -nf pftemp.conf
> > 
> > The above pf.conf is validated successfully by pfctl. However, removing
> > the comments from the recursive versions of forwardslash and string
> > macros causes syntax errors upon validation with pfctl.
> 
> You are failing to understand the problem.  Let me try to explain it.
> 
> In such a grammar, who consumes the "" marks?
>
> Imagine this was the shell.  (I'm saying the shell, as one potential
> grammar)
> 
> set forwardslash="100/10"
> echo $forwardslash
> "100/100"
> 
> No, what you get is
> 100/100
> 
> OK, if that is what happens, you would get
> 
> forwardslashrecursive = $forwardslash
> converts to
> forwardslashrecursive = 100/100
> 
> Which doesn't parse.
> 
> It is a question of who consumes the "".  Is it early, or is it late?
> There are grammars which have a "string object" which retains the "" until
> very late.  This isn't that grammar.


Thank you Theo for your reply.

Your shell example along with the explanation helped me understand
the nature of the problem.

While mentally substituting the macros, I had assumed that the macro
value would be always substituted everywhere as is along with the "".


> 
> The domain-specific languages used in OpenBSD utilities don't work that
> way, sorry.
> 
> We could change it 15 years after the fact, but any change we make
> will break millions of configurations.
> 
> I should have done it differently back in 2001.


Please, no sorry. If anything, I thank you and the entire OpenBSD team.

Regards,
ab
---------|---------|---------|---------|---------|---------|---------|--
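
Added example, not part of the original thread and not pfctl's code: a toy Python model of the early quote consumption described above, run over macro definitions from pftemp.conf with the comments removed. The token rules and the reserved-word list are assumptions made for illustration.

```python
import re
# Toy model, NOT pfctl's parser. Assumed rules: quotes are consumed when a
# macro is defined, and "$name" pastes the bare value back in to be re-lexed.
KEYWORDS = {"keep", "pass", "state"}  # constructed subset of reserved words
TOKEN = re.compile(r'\s*(?:"([^"]*)"|\$(\w+)|([/=(),])|([^\s/=(),"$]+))')

def lex(text, macros):
    """Yield (kind, value) tokens, expanding $macro references."""
    text, pos = text.rstrip(), 0
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise SyntaxError(f"bad input at {text[pos:]!r}")
        pos = m.end()
        quoted, ref, punct, word = m.groups()
        if quoted is not None:
            yield ("STRING", quoted)             # quotes dropped here, early
        elif ref is not None:
            if ref not in macros:
                raise SyntaxError(f"macro {ref} not defined")
            yield from lex(macros[ref], macros)  # re-lexed without quotes
        elif punct is not None:
            yield (punct, punct)
        else:
            kind = "NUMBER" if word.isdigit() else "STRING"
            yield (word.upper() if word in KEYWORDS else kind, word)

def define(line, macros):
    """Handle 'name = value'; the value must be STRING/NUMBER tokens only."""
    name, _, rhs = line.partition("=")
    tokens = list(lex(rhs, macros))
    if not tokens or any(k not in ("STRING", "NUMBER") for k, _ in tokens):
        raise SyntaxError(f"{name.strip()}: value is not a plain string")
    macros[name.strip()] = " ".join(v for _, v in tokens)
    return "ok"

def check(lines):
    """Return {macro name: 'ok' or 'syntax error'} for each definition."""
    macros, results = {}, {}
    for line in lines:
        name = line.partition("=")[0].strip()
        try:
            results[name] = define(line, macros)
        except SyntaxError:
            results[name] = "syntax error"
    return results
# Macro definitions from pftemp.conf in the thread, comment markers removed.
SAMPLE = ['forwardslash = "100/10"', 'forwardslashrecursive = $forwardslash',
          'string = "keep"', 'stringrecursive = $string', 'ip = "0.0.0.0"',
          'iprecursive = $ip', 'number = "100"', 'numberrecursive = $number']
```

In this model `check(SAMPLE)` rejects only the two definitions that were commented out in the thread: the expanded `100/10` splits into number, slash, number, and the expanded `keep` lexes as a reserved word rather than a string.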
