16 January 2020, 15:58:09 GMT+03:00, Klemens Nanni <k...@openbsd.org> writes:
>On Thu, Jan 16, 2020 at 01:16:27PM +0100, Alexandr Nedvedicky wrote:
>>     sentence 'The syntax is similar to the one for ports' sets my expectations
>>     that I can define a range of users in the same way I define a range of ports.
>>     Looks useful to me, though a bug in parse.y might be just the tip of the
>>     iceberg here.
>I *assume* Vadim tripped over this implication, but that's what I wanted
>to know.  That said, probably being biased here, "similar to the one for
>ports" does not read like "the same as ports" to me.

(2Theo: yes, I'm lazy, sorry :) )

I agree that the "X:Y" syntax for "user" could be confusing, and "X><Y" is simply 
ugly. I do not have a silver bullet here, though.

If you oppose the proposed change, I'll add "... except the 'uid1:uid2' syntax, 
which could be mistakenly interpreted as 'uid:gid'" to pf.conf(5). Will that be 
okay?

Regarding better syntax... I see the following options:

a) 'uid1-uid2', using the same logic as in the proposed patch. Possibly, port 
ranges can also be migrated. 

b) '(uid1; uid2)' instead of 'uid1><uid2', '[uid1; uid2]' instead of 
'uid1:uid2', and even '(uid1; uid2]' and '[uid1; uid2)'. Mathematicians might 
be happy.

c) 'uid1 till uid2'. A bit wordy, but PF-style.

>After convincing Sasha in the hackroom that the range syntax for
>user/group is rather misleading and not worth the effort, he in turn
>made a convincing point about how mapping user ranges with existing
>syntax might go wrong:
>
>       $  echo 'pass on lo proto tcp user { >= 1000 , <= 2000 }' | pfctl -vnf-
>       pass on lo proto tcp all user >= 1000 flags S/SA
>       pass on lo proto tcp all user <= 2000 flags S/SA
>
>Note how --depending on other keywords-- the provided inclusive range
>might evaluate to rules that pass more than desired;  the above example will
>pass all users since [1000, 2000] is eventually used as [1000, inf]
>and [0, 2000], which together make for [0, inf], that is, all users.
>
>With proper ranges as for ports the ruleset would evaluate to what users
>actually wanted.  So ranges *can* already be covered, but not in a sane
>and actually safe way.

The "expansion" feature could be used wrongly for other config clauses as well, 
especially when negation comes into play. I'm not sure if this should be changed 
at all... We may force that only one of the two syntaxes may be used:

user { foo, bar }
user { 1000 till 1999, >=10000 }

-- 
With best regards,
Vadim Zhukov

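To make the failure mode in the thread concrete, here is a small model of pf's brace-list expansion applied to the `user` option. This is an added example, not code from the thread, from pfctl(8) or from the proposed patch: it imitates how `user { a, b }` becomes one rule per element and how a set of pass rules admits a packet if any one of them matches, and it compares that with reading a port-style `uid1:uid2` / `uid1><uid2` as a single predicate (an assumption about how the discussed range syntax would behave, not a description of shipped pf). It also shows the negation case Vadim mentions: `user { != 0, != 1 }` expands into two rules that together pass everyone, root included.

```python
"""Toy model of pf list expansion vs. a true range for `user`.

Added example (not from the original thread, pfctl or the proposed patch).
Assumptions, marked where they appear:
  - `user { a, b }` expands into one rule per element (as pfctl -vnf- shows);
  - with only pass rules, a packet passes if *any* expanded rule matches;
  - `a:b`, `a><b`, `a<>b` are read as a single predicate, i.e. the port-style
    range semantics the thread is asking for, not what shipped pf does for users.
"""
import re
from typing import Callable, List

UidPredicate = Callable[[int], bool]

# Single-element comparison operators accepted by pf.conf(5).
_CMP = {
    "=":  lambda n: (lambda uid: uid == n),
    "!=": lambda n: (lambda uid: uid != n),
    "<":  lambda n: (lambda uid: uid < n),
    "<=": lambda n: (lambda uid: uid <= n),
    ">":  lambda n: (lambda uid: uid > n),
    ">=": lambda n: (lambda uid: uid >= n),
}

# Port-style range operators, modelled as ONE predicate (assumption, see above).
_RANGE = {
    ":":  lambda a, b: (lambda uid: a <= uid <= b),       # inclusive range
    "><": lambda a, b: (lambda uid: a < uid < b),         # exclusive range
    "<>": lambda a, b: (lambda uid: uid < a or uid > b),  # outside the range
}


def parse_element(elem: str) -> UidPredicate:
    """Turn one list element ('>= 1000', '1000:2000', '5') into a predicate."""
    elem = elem.strip()
    m = re.fullmatch(r"(\d+)\s*(><|<>|:)\s*(\d+)", elem)
    if m:
        return _RANGE[m.group(2)](int(m.group(1)), int(m.group(3)))
    m = re.fullmatch(r"(!=|<=|>=|=|<|>)?\s*(\d+)", elem)
    if not m:
        raise ValueError(f"unsupported user element: {elem!r}")
    return _CMP[m.group(1) or "="](int(m.group(2)))


def expand(spec: str) -> List[UidPredicate]:
    """Mimic pfctl list expansion: `{ a, b }` becomes one independent rule per element."""
    spec = spec.strip()
    if spec.startswith("{") and spec.endswith("}"):
        return [parse_element(e) for e in spec[1:-1].split(",") if e.strip()]
    return [parse_element(spec)]


def passes(spec: str, uid: int) -> bool:
    """With pass rules only, the packet passes if any expanded rule matches."""
    return any(rule(uid) for rule in expand(spec))


def allowed_uids(spec: str, universe=range(0, 65536)) -> set:
    """Which uids (constructed toy universe 0..65535) get through a given spec."""
    return {uid for uid in universe if passes(spec, uid)}


if __name__ == "__main__":
    for spec in ("{ >= 1000, <= 2000 }",   # the thread's example: passes everyone
                 "1000:2000",              # port-style range as one predicate
                 "{ 1000:1999, >= 10000 }",  # mixed list, as Vadim suggests
                 "{ != 0, != 1 }"):        # negation pitfall: root passes
        a = allowed_uids(spec)
        print(f"{spec:26} -> {len(a):5d} uids pass, root passes: {0 in a}")
```

Running it shows the brace list `{ >= 1000, <= 2000 }` admitting the whole universe while the single-predicate range admits exactly uids 1000 through 2000; the negated list likewise lets uid 0 through because `!= 1` matches it even though `!= 0` does not.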