kern/182819: pfctl interprets "# .... \" as multi-line comment

Adam McDougall mcdouga9 at egr.msu.edu
Tue Oct 8 01:10:00 UTC 2013 

>Number:         182819
>Category:       kern
>Synopsis:       pfctl interprets "# .... \" as multi-line comment
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Oct 08 01:10:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator:     Adam McDougall
>Release:        9.1-STABLE
>Organization:
>Environment:
FreeBSD hostname 9.1-STABLE FreeBSD 9.1-STABLE #0 r247358: Tue Feb 26 19:02:48 EST 2013     root at build9:/usr/obj/proto/src9/src/sys/AMD64-9  amd64
>Description:
Twice I've been burned by pfctl ignoring a line in pf.conf because it was preceded by a comment that happened to end in a backslash:

# pass in on blah blah blah doesn't matter this is a comment \
pass in on blah blah doesn't matter because this is treated as part of the comment

I try to keep my firewall rules less than 80 chars in case I need to edit them on a dumb terminal.  Sometimes I end up duplicating a line to make changes to an alternate copy and comment out the original, but if the commented out line ends in a backslash, my intended replacement is ignored.  It becomes really confusing why my firewall rule is ignored yet no errors from pfctl -f.  Eventually I figure it out.  But in my opinion, a system that treats lines starting with # as a comment ought to unconditionally treat them as a single line comment, and not "except if it ends in a \".  I don't know if this happens in any other pf implementation, or if it is intentional, but it is troublesome.  I think it would be better to parse and potentially accept lines following comments.  If they are faulty, pfctl will throw an error.  If they are valid, they should be honored.
>How-To-Repeat:
# pass in on blah blah blah doesn't matter this is a comment \
pass in on blah blah doesn't matter because this is treated as part of the comment

pfctl -f yourfilename, it will ignore the second line
>Fix:
When a # is encountered in pf.conf, unconditionally ignore the rest of the line.  Might be a problem with the order things are parsed?

>Release-Note:
>Audit-Trail:
>Unformatted:

More information about the freebsd-bugs mailing list