On Wed, Feb 06, 2019 at 10:20:35PM +0100, Klemens Nanni wrote:
> When using anchors, they ought to have a non-empty name or none at all.
> By accident, I discovered the following:
>       $ printf 'anchor ""\n' | pfctl -vnf-
>       pass all no state
> No errors and it parses in a potentially harmful way.  Other use cases
> behave badly as well:
>       $ printf 'anchor "" {\n}\n' | pfctl -vnf-
>       pfctl: anchorrule: unable to create ruleset: Permission denied
>       $ printf 'load anchor "" from "/dev/null"\n' | pfctl -vnf-
>       Loading anchor  from /dev/null
> None of them make sense, so I propose to error out on empty anchor names
> as early as possible.  Given that typos happen and folks generate their
> pf.conf automatically, such errors do not seem entirely out of scope.

    Makes sense to me, and the change also looks good to me.

Also it looks like tables are suffering from the same problem:

    puffy# echo "table <''> const { 10/8, 172.16/12, 192.168/16 }" |pfctl -nf - 
    puffy# echo $?
    puffy# echo "table <''> const { 10/8, 172.16/12, 192.168/16 }" |pfctl -f -
    stdin:1: cannot define table : Invalid argument
    pfctl: Syntax error in config file: pf rules not loaded

parse.y can also be taught to fail on an empty name for table, but it can be
fixed in yet another patch.

OK sashan@
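Since the thread notes that people generate pf.conf automatically, a pre-load lint that refuses empty anchor and table names before the file ever reaches pfctl is a cheap safety net. The following is an added example, a hypothetical stand-alone helper written for this discussion and not pfctl's own parse.y; it assumes the name forms shown above (`anchor "..."`, `load anchor "..." from ...`, `table <...>`) and that an empty quoted string or empty `<>` is what should be rejected.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical pre-load lint for generated pf.conf files (not pfctl code).
 * check_pf_line() returns 0 if the line is acceptable and -1 if it names an
 * anchor or table with an empty name, which pfctl -n currently lets through.
 */

/* Skip whitespace and return a pointer to the next non-blank character. */
static const char *skip_blank(const char *p)
{
    while (isspace((unsigned char)*p))
        p++;
    return p;
}

/* 1 if the word at p is exactly kw (so "anchors" does not match "anchor"). */
static int word_is(const char *p, const char *kw)
{
    size_t n = strlen(kw);
    return strncmp(p, kw, n) == 0 &&
        (p[n] == '\0' || isspace((unsigned char)p[n]));
}

/* Length of a quoted name; p points at the opening quote (" or '). */
static int quoted_name_len(const char *p, size_t *len)
{
    const char *end = strchr(p + 1, *p);
    if (end == NULL)
        return -1;              /* unterminated quote */
    *len = (size_t)(end - p - 1);
    return 0;
}

int check_pf_line(const char *line)
{
    const char *p = skip_blank(line);
    if (*p == '#' || *p == '\0')
        return 0;               /* comment or blank line */

    /* Walk the line word by word looking for the anchor/table keywords. */
    while (*p != '\0') {
        if (word_is(p, "anchor")) {
            const char *n = skip_blank(p + 6);
            if (*n == '"' || *n == '\'') {
                size_t len;
                if (quoted_name_len(n, &len) < 0 || len == 0)
                    return -1;  /* anchor "" or unterminated name */
            }
            /* a bare "anchor" with no name is the legitimate anonymous form */
        } else if (word_is(p, "table")) {
            const char *n = skip_blank(p + 5);
            if (*n != '<')
                return -1;      /* table must be followed by <name> */
            const char *end = strchr(n, '>');
            if (end == NULL)
                return -1;      /* unterminated <name> */
            n++;
            size_t len = (size_t)(end - n);
            /* strip one level of quotes so <''> and <""> count as empty */
            if (len >= 2 && (n[0] == '"' || n[0] == '\'') && n[len - 1] == n[0]) {
                n++;
                len -= 2;
            }
            if (len == 0)
                return -1;      /* table <> or table <''> */
        }
        while (*p != '\0' && !isspace((unsigned char)*p))
            p++;                /* advance to the next word */
        p = skip_blank(p);
    }
    return 0;
}

/* Stand-alone use: lint stdin, print offending lines, exit 1 if any found. */
int main(void)
{
    char buf[1024];
    int lineno = 0, bad = 0;
    while (fgets(buf, sizeof buf, stdin) != NULL) {
        lineno++;
        if (check_pf_line(buf) != 0) {
            fprintf(stderr, "stdin:%d: empty anchor or table name\n", lineno);
            bad = 1;
        }
    }
    return bad;
}
```

Run as `./pflint < pf.conf` before `pfctl -f`; the checker is deliberately line based and only inspects the two keywords, leaving everything else to pfctl's real parser.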
