pf ruleset parser re: tag and tagged


pf ruleset parser re: tag and tagged

S. Donaldson
Hi,

Ran into a user error situation that perhaps the pf ruleset parser could help with.

I was working on rules and using tag/tagged, and the rule that should have 'applied' a tag used 'tagged value' instead of 'tag value'. Thus the tag was never set and the subsequent 'pass .... tagged value' rule never fired.

It seems that tag references are not dynamically defined [ unless perhaps they are used in authpf scenarios? ]. Would it make sense for the parser to issue a warning if 'tagged value' references appear but no defining 'tag value' is found in a ruleset?


Scott Donaldson
Saskatoon, SK
Canada


Re: pf ruleset parser re: tag and tagged

Kenneth Gober
On Tue, Jan 30, 2018 at 3:20 PM, S. Donaldson <[hidden email]> wrote:
> It seems that tag references are not dynamically defined [ unless perhaps they are used in authpf scenarios? ]. Would it make sense for the parser to issue a warning if 'tagged value' references appear but no defining 'tag value' is found in a ruleset?

A warning would make sense.  Definitely not an error though, since the
'tag value' rule might be added later in an anchor.

I wonder how many people have gotten the bright idea of adding 'tagged
xyz' to comment out a rule without disturbing the rule numbering...

-ken

Re: pf ruleset parser re: tag and tagged

sadegh solati
In reply to this post by S. Donaldson
Actually I think the problem is not with tag/tagged. It comes from whether the rule is a quick one or not. When the rule is not quick it won't be matched with the tagged one for updating the tag value. If it is quick it will never see the next rule which is going to check the new tag value. It will be very hard for the parser to fire an accurate alarm in these cases.



Re: pf ruleset parser re: tag and tagged

S. Donaldson
Well,

I don't expect the parser to be able to fix rulesets, but it could help identify situations that may be an error.

The situation I was describing was a human error in defining the tag (using tagged instead of tag), which causes the tag to never be defined and thus the rules with 'tagged' for that value never execute.

Seemed like a standard "parsing: is that constant variable ever defined" scenario? Except, as Kenneth G. pointed out, if the defining tag directive appears in an anchor ... (I hinted at that by referencing authpf)...


Scott

On Jan 31, 2018, at 9:42 AM, Sadegh Solati <[hidden email]> wrote:

Actually I think the problem is not with tag/tagged. It comes from whether the rule is a quick one or not. When the rule is not quick it won't be matched with the tagged one for updating the tag value. If it is quick it will never see the next rule which is going to check the new tag value. It will be very hard for the parser to fire an accurate alarm in these cases.

Scott Donaldson
Manager of MIS Special Projects
SED Systems a division of Calian Ltd.
Saskatoon, SK
Canada

Office Phone: 306-933-1577
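A small lint of the kind the thread asks for, written here as an added example (it is not pf code, nor anything from the list): it collects every 'tag NAME' and 'tagged NAME' in a ruleset and reports references with no matching definition as a warning rather than an error, since the defining rule may be loaded later through an anchor. The sample ruleset is constructed and reproduces the tagged-for-tag typo described in the first post.

```python
import re

# Constructed sample ruleset (not from the thread): the rule that was
# meant to apply the tag says 'tagged WEB' instead of 'tag WEB', so the
# later 'pass ... tagged WEB' rule can never match.
SAMPLE_RULESET = """\
set skip on lo0
match in on em0 proto tcp to port 80 tagged WEB   # should be 'tag WEB'
pass in quick on em0 tagged WEB
pass out on em0 tag OUTBOUND
anchor "authpf/*"
"""

COMMENT_RE = re.compile(r"#.*")
ANCHOR_RE = re.compile(r"^\s*(?:anchor|load\s+anchor)\b")
TAG_RE = re.compile(r"\btag\s+(\S+)")        # 'tag NAME' applies a tag
TAGGED_RE = re.compile(r"\btagged\s+(\S+)")  # 'tagged NAME' tests for one


def lint_tags(ruleset):
    """Return (line, tag, message) for each 'tagged NAME' with no 'tag NAME'.

    Only a warning: as noted in the thread, the defining rule may live in
    an anchor loaded later, so a missing 'tag' is suspicious, not fatal.
    """
    defined, referenced, has_anchor = set(), {}, False
    for lineno, raw in enumerate(ruleset.splitlines(), 1):
        line = COMMENT_RE.sub("", raw)
        if ANCHOR_RE.match(line):
            has_anchor = True
        for m in TAG_RE.finditer(line):
            defined.add(m.group(1).strip('"'))
        for m in TAGGED_RE.finditer(line):
            referenced.setdefault(m.group(1).strip('"'), lineno)
    hint = " (a rule in an anchor may set it)" if has_anchor else ""
    return [
        (lineno, name,
         f"line {lineno}: 'tagged {name}' used but no 'tag {name}' rule found{hint}")
        for name, lineno in sorted(referenced.items(), key=lambda kv: kv[1])
        if name not in defined
    ]


if __name__ == "__main__":
    for _, _, msg in lint_tags(SAMPLE_RULESET):
        print("warning:", msg)
```

Running it against the sample flags 'tagged WEB' on line 2 and stays silent once that line is corrected to 'tag WEB'.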