On 16/01/2016 5:52 PM, Theo de Raadt wrote:
>> I've been using pf for years and really like it.  I accidentally discovered
>> some undesirable behavior from the rule parser that caused some rules to be
>> skipped.  This has happened to me twice and there was much hair pulling.
>>
>> The short version is rules starting with # but ending in \ get treated as a
>> multi-line comment instead of a single-line comment and it has the risk of
>> silently ignoring a wanted rule immediately below.  This does not match
>> the behavior I'd expect, for example a line starting with # is entirely
>> ignored in /bin/sh:
>>
>> # echo this is a comment \
>> echo this is not a comment \
>> or is it?
>>
>> # sh test.sh
>> this is not a comment or is it?
>>
>> But in pf.conf:

> pf is not sh.
> it isn't cpp either.
> nor is it m4.

>> I try to keep my firewall rules less than 80 chars in case I need to edit
>> them on a dumb terminal.  Sometimes I end up duplicating a continued line to
>> make changes to an alternate copy and comment out the original, but if the newly
>> commented out line ends in a backslash, my intended replacement is ignored.
>> I think pfctl should act like sh and ignore a line entirely if it begins with
>> a comment.  Thanks for your consideration.

> Unfortunately, it is too late to make such a change in the parser.
>
> That ship has sailed.


I can feel Joseph's pain, and had the same pain of ignorance myself.

The behaviour is expected and documented.

http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/pf.conf.5?query=pf%2econf&sec=5

The web manual interface indicates this documentation has been in place since OpenBSD 5.0:

    The current line can be extended over multiple lines using a
    backslash (‘\’). Comments can be put anywhere in the file using a
    hash mark (‘#’), and extend to the end of the current line. Care
    should be taken when commenting out multi-line text: the comment is
    effective until the end of the entire block.

and it has been explained at various times on this list: http://thread.gmane.org/gmane.os.openbsd.misc/224709/focus=224743


Sam T.
http://www.nomoa.com/bsd/
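As an added example (my own code, not the thread's, pfctl's or OpenBSD's): a small Python model of the two lexing orders the posts contrast, built from the pf.conf(5) wording quoted above, plus the lint check a pf user would want to run over a ruleset before loading it. The pf.conf fragment and every function name below are constructed for the example; the model also assumes that `#` never appears inside a quoted string, which real pfctl handles and this toy does not.

```python
# Added example (not from the thread, pfctl or OpenBSD): a model of the two
# lexing orders being contrasted, plus a lint check for the trap described.
# Function names and the pf.conf fragment below are my own constructions.

# Constructed pf.conf fragment: the first line of an old two-line rule was
# commented out and its replacement typed directly underneath it.
SAMPLE_PF_CONF = """\
table <web> { 10.0.0.10 10.0.0.11 }
# first line of the old rule, commented out; note the trailing backslash
#pass in on egress proto tcp from any to <web> \\
pass in on egress proto tcp from any to <web> port { 80 443 } \\
    flags S/SA keep state
block in quick on egress
"""

# Same fragment with the backslash removed from the commented-out line, which
# is the fix: the comment then stops at the end of its own physical line.
FIXED_PF_CONF = SAMPLE_PF_CONF.replace("<web> \\\n", "<web>\n", 1)


def _normalize(stmt):
    return " ".join(stmt.split())


def pfctl_style_statements(text):
    """Model of the order pf.conf(5) documents: a backslash-newline joins the
    next physical line before '#' is looked at, so a comment that ends in a
    backslash keeps going on the joined line. (Assumption: '#' inside quoted
    strings is not special-cased here.)"""
    joined = text.replace("\\\n", " ")          # continuation first ...
    statements = []
    for line in joined.split("\n"):
        code = line.split("#", 1)[0]            # ... comment to end of line second
        if code.strip():
            statements.append(_normalize(code))
    return statements


def sh_style_statements(text):
    """Model of the behaviour the poster expected from sh: a line whose first
    non-blank character is '#' is a comment to the end of that physical line
    only, so its trailing backslash continues nothing."""
    statements, buf = [], ""
    for line in text.split("\n"):
        stripped = line.strip()
        if stripped.startswith("#"):            # comment ends at this newline
            if buf.strip():
                statements.append(_normalize(buf))
            buf = ""
            continue
        if stripped.endswith("\\"):
            buf += stripped[:-1] + " "          # continuation of a real statement
            continue
        buf += stripped
        if buf.strip():
            statements.append(_normalize(buf))
        buf = ""
    return statements


def swallowed_rules(text):
    """Lint check: report every line that carries a '#' comment and ends in a
    backslash, together with the 1-based numbers of the following non-comment
    lines that pfctl will silently fold into that comment."""
    lines = text.split("\n")
    findings, i = [], 0
    while i < len(lines):
        line = lines[i]
        if "#" in line and line.rstrip().endswith("\\"):
            absorbed, j = [], i + 1
            while j < len(lines):
                if not lines[j].lstrip().startswith("#"):
                    absorbed.append(j + 1)
                if not lines[j].rstrip().endswith("\\"):
                    break
                j += 1
            if absorbed:
                findings.append((i + 1, absorbed))
            i = j + 1
        else:
            i += 1
    return findings


if __name__ == "__main__":
    print("pfctl-style:", pfctl_style_statements(SAMPLE_PF_CONF))
    print("sh-style:   ", sh_style_statements(SAMPLE_PF_CONF))
    print("swallowed:  ", swallowed_rules(SAMPLE_PF_CONF))
    print("after fix:  ", pfctl_style_statements(FIXED_PF_CONF))
```

Run on the constructed sample, the pfctl-style reading keeps only the `table` and `block` lines: the commented line's trailing backslash pulls the replacement `pass` rule (and its own continuation line) into the comment, exactly the silent loss described above. The sh-style reading keeps the `pass` rule. `swallowed_rules` names the offending comment line and the two lines it absorbs, and reports nothing once the backslash is dropped from the comment, at which point both readings agree.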
