Module Name: src Committed By: christos Date: Thu Mar 20 17:52:23 UTC 2025
Modified Files: src/usr.sbin/npf/npfctl: npf.conf.5 npf_parse.y npf_scan.l Log Message: PR/58116: Attaulah: Allow comments inside lists in npf.conf To generate a diff of this commit: cvs rdiff -u -r1.91 -r1.92 src/usr.sbin/npf/npfctl/npf.conf.5 cvs rdiff -u -r1.51 -r1.52 src/usr.sbin/npf/npfctl/npf_parse.y cvs rdiff -u -r1.32 -r1.33 src/usr.sbin/npf/npfctl/npf_scan.l Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/usr.sbin/npf/npfctl/npf.conf.5
diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.91 src/usr.sbin/npf/npfctl/npf.conf.5:1.92
--- src/usr.sbin/npf/npfctl/npf.conf.5:1.91 Sat May 30 10:16:56 2020
+++ src/usr.sbin/npf/npfctl/npf.conf.5 Thu Mar 20 13:52:23 2025
@@ -1,4 +1,4 @@
-.\" $NetBSD: npf.conf.5,v 1.91 2020/05/30 14:16:56 rmind Exp $
+.\" $NetBSD: npf.conf.5,v 1.92 2025/03/20 17:52:23 christos Exp $
 .\"
 .\" Copyright (c) 2009-2020 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -76,9 +76,14 @@ Variables are defined by assigning a val
 .Dl $var1 = 10.0.0.1
 .Pp
 A variable may also be defined as a set:
+.Bd -literal -offset indent
+$var2 = {
+ 10.0.0.1, # First host
+ 10.0.0.2, # Second host
+}
+.Ed
 .Pp
-.Dl $var2 = { 10.0.0.1, 10.0.0.2 }
-.Pp
+Newlines within curly braces are ignored, and trailing commas are optional.
 Common variable definitions are for IP addresses, networks, ports, and interfaces.
 .Ss Tables
@@ -531,6 +536,8 @@ The backslash
 .Pq Sq \e
 character at the end of a line marks a continuation line, i.e., the next line is considered an extension of the present line.
+Additionally, within curly braces of variable definitions, newlines are
+allowed without continuation characters.
 .Sh GRAMMAR
 The following is a non-formal BNF-like definition of the grammar.
 The definition is simplified and is intended to be human readable,
@@ -547,7 +554,7 @@ syntax = var-def | set-param | alg | ta
 var-name = "$" . string
 interface = interface-name | var-name
-var-def = var "=" ( var-value | "{" value *[ "," value ] "}" )
+var-def = var "=" ( var-value | "{" value *[ "," value ] [ "," ] "}" )
 # Parameter setting.
 set-param = "set" param-value
@@ -638,8 +645,15 @@ $int_if = { inet4(wm1) }
 table <blocklist> type ipset file "/etc/npf_blocklist"
 table <limited> type lpm
-$services_tcp = { http, https, smtp, domain, 6000, 9022 }
-$services_udp = { domain, ntp, 6000 }
+$services_tcp = {
+ http, # Web traffic
+ https, # Secure web traffic
+ smtp, # Email sending
+ domain, # DNS queries
+ 6000, # Custom service
+ 9022, # SSH forwarding
+}
+$services_udp = { domain, ntp, 6000, }
 $localnet = { 10.1.1.0/24 }
 alg "icmp"
Index: src/usr.sbin/npf/npfctl/npf_parse.y
diff -u src/usr.sbin/npf/npfctl/npf_parse.y:1.51 src/usr.sbin/npf/npfctl/npf_parse.y:1.52
--- src/usr.sbin/npf/npfctl/npf_parse.y:1.51 Sat May 30 10:16:56 2020
+++ src/usr.sbin/npf/npfctl/npf_parse.y Thu Mar 20 13:52:23 2025
@@ -135,6 +135,7 @@ yyerror(const char *fmt, ...)
 %token IPSET
 %token LPM
 %token MAP
+%token NEWLINE
 %token NO_PORTS
 %token MINUS
 %token NAME
@@ -158,7 +159,7 @@ yyerror(const char *fmt, ...)
 %token RETURNRST
 %token ROUNDROBIN
 %token RULESET
-%token SEPLINE
+%token SEMICOLON
 %token SET
 %token SLASH
 %token STATEFUL
@@ -193,7 +194,7 @@ yyerror(const char *fmt, ...)
 %type <var> filt_port filt_port_list port_range icmp_type_and_code
 %type <var> filt_addr addr_and_mask tcp_flags tcp_flags_and_mask
 %type <var> procs proc_call proc_param_list proc_param
-%type <var> element list_elems list value filt_addr_list
+%type <var> element list_elems list_trail list value filt_addr_list
 %type <var> opt_proto proto proto_elems
 %type <addrport> mapseg
 %type <filtopts> filt_opts all_or_filt_opts
@@ -220,7 +221,7 @@ input
 ;
 lines
- : lines SEPLINE line
+ : lines sepline line
 | line
 ;
@@ -242,6 +243,11 @@ alg
 }
 ;
+sepline
+ : NEWLINE
+ | SEMICOLON
+ ;
+
 param_val
 : number { $$ = $1; }
 | ON { $$ = true; }
@@ -272,18 +278,17 @@ value
 ;
 list
- : CURLY_OPEN list_elems CURLY_CLOSE
+ : CURLY_OPEN opt_nl list_elems CURLY_CLOSE
 {
- $$ = $2;
+ $$ = $3;
 }
 ;
 list_elems
- : list_elems COMMA element
+ : element list_trail
 {
- npfvar_add_elements($1, $3);
+ $$ = npfvar_add_elements($1, $2);
 }
- | element
 ;
 element
@@ -313,6 +318,24 @@ element
 | addr_and_mask { $$ = $1; }
 ;
+list_trail
+ : element_sep element list_trail
+ {
+ $$ = npfvar_add_elements($2, $3);
+ }
+ | opt_nl { $$ = NULL; }
+ | element_sep { $$ = NULL; }
+ ;
+
+element_sep
+ : opt_nl COMMA opt_nl
+ ;
+
+opt_nl
+ : opt_nl NEWLINE
+ |
+ ;
+
 /*
  * Table definition.
  */
@@ -430,7 +453,7 @@ rproc
 ;
 procs
- : procs SEPLINE proc_call
+ : procs sepline proc_call
 {
 $$ = npfvar_add_elements($1, $3);
 }
@@ -531,7 +554,7 @@ ruleset_block
 ;
 ruleset_def
- : ruleset_def SEPLINE rule_group
+ : ruleset_def sepline rule_group
 | rule_group
 ;
Index: src/usr.sbin/npf/npfctl/npf_scan.l
diff -u src/usr.sbin/npf/npfctl/npf_scan.l:1.32 src/usr.sbin/npf/npfctl/npf_scan.l:1.33
--- src/usr.sbin/npf/npfctl/npf_scan.l:1.32 Sat May 30 10:16:56 2020
+++ src/usr.sbin/npf/npfctl/npf_scan.l Thu Mar 20 13:52:23 2025
@@ -133,8 +133,8 @@ npt66 return NPT66;
 "-" return MINUS;
 procedure return PROCEDURE;
 \\\n yylineno++; yycolumn = 0;
-\n yylineno++; yycolumn = 0; return SEPLINE;
-; return SEPLINE;
+\n yylineno++; yycolumn = 0; return NEWLINE;
+; return SEMICOLON;
 name return NAME;
 group return GROUP;
 default return DEFAULT;
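Review bot: The rewritten `list_elems : element list_trail`, together with `list_trail : element_sep element list_trail` in the @@ -313 hunk, is right-recursive, so the generated parser now keeps every element of a set on its stack until the closing brace, whereas the old `list_elems : list_elems COMMA element` parsed a list of any length in constant stack depth. A very long address or port list could therefore fail with a parser stack overflow (a YYMAXDEPTH-style limit whose exact value depends on the yacc used to build npfctl) where it previously loaded fine. Keeping left recursion and moving the optional trailing separator into `list` preserves the new syntax without that growth, as sketched below; `list_trail` and its entry on the `%type <var>` line of the @@ -193 hunk would then go away. Separately, both the `opt_nl` and `element_sep` alternatives of `list_trail` set `$$ = NULL`, so the new `$$ = npfvar_add_elements($1, $2);` relies on npfvar_add_elements() accepting a NULL second argument — that function is not in this diff, so either confirm it or write `$$ = $2 ? npfvar_add_elements($1, $2) : $1;`. A short comment above the list rules stating that newlines are permitted around every comma and that a trailing comma is optional would also help, since the file otherwise introduces each grammar section with a comment.
```yacc
list
	: CURLY_OPEN opt_nl list_elems opt_sep CURLY_CLOSE
	{
		$$ = $3;
	}
	;

/* Left-recursive, as before: stack depth does not grow with list length. */
list_elems
	: list_elems element_sep element
	{
		$$ = npfvar_add_elements($1, $3);
	}
	| element
	;

/* Optional trailing separator before the closing brace: newlines only,
 * or a final comma with newlines allowed on either side of it. */
opt_sep
	: opt_nl
	| element_sep
	;

/* … unchanged: element_sep and opt_nl rules … */
```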