
Re: PF BNF typo?



On Thu, Jun 02, 2005 at 05:50:05PM +0200, Magne Andreassen wrote:
> e.g.
>         ...   proto proto www   ...
> 
> is allowed according to the BNF.

Yes, that's simply a mistake in the BNF description, I'll remove the
spurious "proto" from the anchor line.

> And while I am at it...
> ..in the filteropt rule, there is probably missing a logical or
> between '"tagged" string' and "queue" :
> 
>             [ ! ] "tagged" string       
>             "queue" ( string | "(" string [ [ "," ] string ] ")" )

Yes, missing | at the end of that first line, I'll add it.

> exactly what kind of characters are allowed in a "string" as referred
> to in the BNF?
> reading the source for parse.y ( pfctl ) it seems that alphanumeric
> strings -or- strings corresponding to ispunct() and not containing 
> any of the characters "(){}<>!=/#," should be legal strings...
> I tried to figure out what ispunct() does, but could not understand
> exactly what the man page was trying to say...
> 
> As far as I can figure out, there are two types of user-defined 
> strings in PF. literal strings enclosed in double quotes, and 
> identifiers as used in e.g. a macro definition (later referred 
> to with a preceding $ ).

Anything starting with a double quote is parsed as a string until a
closing double quote is found. Hence, such strings may contain any
character, except a double quote (no escaping or such is possible).

Without enclosing in double quotes, a string may only contain some set
of valid characters, basically alpha-numerical characters and
underscores.

I won't give you a definition of what should be legal, because then I'd
have to fix the parser for each violation you find. Instead, here's a
script that tries all possible characters and lists the ASCII codes of
the valid ones:

  $ jot -w "%o" 255 1 255 | while read o; do
  > printf "pass all tag \\$o keep state\n" | pfctl -nf - 2>/dev/null &&
  > printf "%d " 0$o; done
  48 49 50 51 52 53 54 55 56 57 58 65 66 67 68 69 70 71 72 73 74 75 76 77
  78 79 80 81 82 83 84 85 86 87 88 89 90 95 97 98 99 100 101 102 103 104
  105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122

Notably, blanks (ASCII 32) are not legal, hence any string that's
supposed to contain a blank must be quoted.

Possibly, CLOCALE or such might even influence the set.

I don't bother relying on a list, I use only alpha-numerics and
sometimes underscores in the middle, nothing else. Less hassle, less
breakage.

If you want to be safe, start strings with a letter, continue with
letters, digits or underscores. Just like most people would for user-
and hostnames, even if some other things might sometimes be legal.

> of course you also have the keywords defined in the bnf such as "block", 
> "global" and so on, but are *all* these counted reserved? (I know "block" 
> is, but not sure about "global")

If you truly think you need to call an anchor or table "global" or "block"
(or any of the syntax's keywords), you'll have to try and see if they work.
I don't know. :)

HTH,
Daniel
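
Added example, not part of the original message: a shell helper that applies the quoting advice above when a script generates PF rules from untrusted values, so a value cannot close the string early and append rule text. `pf_string` is a hypothetical name, and refusing non-printable bytes is an extra conservative assumption of this example.

```sh
#!/bin/sh
# Added example: emit a value as a PF string token in generated pf.conf text.
# pf_string is a hypothetical helper name, not part of pfctl.
LC_ALL=C; export LC_ALL   # keep [A-Za-z] and [:print:] ASCII-only in any locale

# Prints the token to place in a rule. Returns 1 if the value cannot be
# represented safely.
pf_string() {
    s=$1
    case $s in
        '')             return 1 ;;  # nothing to emit
        *'"'*)          return 1 ;;  # no escaping exists inside "..."
        *[![:print:]]*) return 1 ;;  # assumption: refuse control/8-bit bytes
    esac
    case $s in
        [A-Za-z]*)
            case $s in
                *[!A-Za-z0-9_]*) printf '"%s"\n' "$s" ;;  # blank etc.: quote
                *)               printf '%s\n' "$s" ;;    # safe bare form
            esac ;;
        *) printf '"%s"\n' "$s" ;;   # does not start with a letter: quote
    esac
}

# Constructed sample values, as a rule generator might receive them.
for v in web_1 'my tag' 9lives 'x" keep state'; do
    if t=$(pf_string "$v"); then
        printf 'pass all tag %s keep state\n' "$t"
    else
        printf 'rejected: %s\n' "$v" >&2
    fi
done
```

Keyword collisions (the "block"/"global" question above) are not handled here; each generated line can still be checked with `pfctl -nf -` as in the message.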