On Tue, Dec 25, 2018 at 10:19:35AM -0700, Theo de Raadt wrote:
> I have always disliked the reliance on include, because errors detected
> during parse are poorly handled.  Garbage format in the file will adjust
> the global scope and the parser is clueless to cope well.
Can you elaborate on this?

        $ cat a.in
        pass
        # invalid inside anchors
        set optimization aggressive
        # error
        garbage

With `include', errors in included files are detected after the line is
finished and *all* errors are reported with their correct line numbers:

        $ cat include.conf
        anchor a {
                include a.in
        }
        block

        $ pfctl -vnf include.conf
        a.in:3: syntax error
        a.in:5: syntax error
        include.conf:3: syntax error

While with `load anchor' it parses everything, prints the offending
line with an off-by-one but stops after the first error, which means
I need to reparse again to find the other:

        $ cat load.conf
        anchor a
        load anchor a from a.in
        block

        $ pfctl -vnf load.conf
        anchor "a" all
        block drop all

        Loading anchor a from a.in
        set optimization aggressive
        a.in:4: syntax error
        pfctl: load anchors

Personally, I prefer the terse format of the former. We can still
improve error messages to distinguish between invalid syntax like
setting global options inside anchors and actual syntax errors, etc.

> An implicit load directive of a specifically formatted file can be made
> far more robust.
How is the file specifically formatted? Or would you prefer more
specific formats for different types of load/include directives?
