
List:       openbsd-pf
Subject:    Re: pf ruleset parser re: tag and tagged
From:       "S. Donaldson" <donaldson () sedsystems ! ca>
Date:       2018-01-31 15:49:19
Message-ID: A844BF81-1BB0-46B5-9743-66A2360F2F84 () sedsystems ! ca

Well,

	I don't expect the parser to be able to fix rulesets but if it can help identify situations that may be an error.

	The situation I was describing was a human error in defining the tag (using tagged instead of tag). Which causes the tag to never be defined and thus the rules with 'tagged' for that value ... never execute.

	Seemed like a standard "parsing is that constant variable ever defined" scenario? Except as Kenneth G. pointed out if the defining tag directive appears in an anchor ... (I hinted at that by referencing authpf)...


Scott

> On Jan 31, 2018, at 9:42 AM, Sadegh Solati <solati.sadegh@gmail.com> wrote:
> 
> Actually I think the problem is not with the tag/tagged. It comes from the rule, that is, if it is a quick one or not. When the rule is not quick it won't be matched with the tagged one for updating the tag value. If it is quick it will never see the next rule which is going to check the new tag value. It will be very hard for the parser to fire an accurate alarm in these cases.
>
> On Jan 31, 2018 09:01, "S. Donaldson" <donaldson@sedsystems.ca> wrote:
>
> Hi,
>
> Ran into a user error situation that perhaps the pf ruleset parser could help with.
>
> I was working on rules and using tag/tagged and the rule that should have 'applied' a tag used 'tagged value' instead of 'tag value'. Thus the tag was never set and the subsequent 'pass .... tagged value' rule never fired.
>
> It seems that tag references are not dynamically defined [ unless perhaps they are used in authpf scenarios? ]. Would it make sense for the parser to issue a warning if a 'tagged value' reference appears but no defining 'tag value' is found in a ruleset?
> 
> Scott Donaldson
> Saskatoon, SK
> Canada
> 

Scott Donaldson
Manager of MIS Special Projects
SED Systems a division of Calian Ltd.
Saskatoon, SK
Canada

Office Phone: 306-933-1577
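
Added example, not part of the original message or of pfctl: a static check of the kind proposed in this thread, flagging `tagged X` tests that have no `tag X` anywhere in the same file. The function names and the sample ruleset are hypothetical; the check does not model rule order or `quick`, and it only adds a hint when an anchor (as with authpf) could set the tag at load time.

```python
import re

# `tag NAME` sets a tag; `tagged NAME` (or `! tagged NAME`) tests for it.
TAG_RE = re.compile(r'(?<![\w-])(tagged|tag)\s+("[^"]+"|[^\s"{}(),]+)')
ANCHOR_RE = re.compile(r'\banchor\b')

# Constructed sample ruleset reproducing the typo described in the thread.
SAMPLE = """\
# constructed sample ruleset
block in all
pass in on em0 proto tcp to port 22 tagged SSH_OK   # typo: should be 'tag SSH_OK'
pass in on em0 proto tcp to port 80 tag WEB
pass out on em1 tagged SSH_OK
pass out on em1 \\
    tagged WEB
"""


def logical_lines(text):
    """Yield (first_line_no, rule): comments dropped, '\\' continuations joined."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()  # assumption: no '#' inside quotes
        if start is None:
            start = no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf, start = "", None
    if buf.strip():
        yield start, buf


def lint_tags(text):
    """Return warnings for `tagged X` tests whose tag X is never set in this file."""
    defined, used, anchors = set(), {}, False
    for no, rule in logical_lines(text):
        anchors = anchors or bool(ANCHOR_RE.search(rule))
        for keyword, name in TAG_RE.findall(rule):
            name = name.strip('"')
            if keyword == "tag":
                defined.add(name)
            else:
                used.setdefault(name, no)  # remember the first reference only
    # A tag may legitimately be set by rules loaded into an anchor later.
    hint = " (may be set inside an anchor, e.g. authpf)" if anchors else ""
    return [f"line {no}: 'tagged {name}' but no rule sets 'tag {name}'{hint}"
            for name, no in sorted(used.items(), key=lambda kv: kv[1])
            if name not in defined]


if __name__ == "__main__":
    print("\n".join(lint_tags(SAMPLE)))
```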

