
List:       openbsd-tech
Subject:    Re: Unbreak X:Y user/group spec in pf.conf
From:       Vadim Zhukov <persgray () gmail ! com>
Date:       2020-01-16 14:17:01
Message-ID: 0BFD7D17-3862-4D73-834E-0AD4EB90855A () gmail ! com

16 January 2020, 15:58:09 GMT+03:00, Klemens Nanni <kn@openbsd.org> writes:
> On Thu, Jan 16, 2020 at 01:16:27PM +0100, Alexandr Nedvedicky wrote:
> > sentence 'The syntax is similar to the one for ports' sets my
> expectations
> > I can define a range of users in the same way I define a range of
> ports.
> > Looks useful to me, though a bug in parse.y might be just a tip
> of iceberg
> > here.
> I *assume* Vadim tripped over this implication, but that's what I
> wanted
> to know.  That said, probably being biased here, "similar to the one
> for
> ports" does not read like "the same as ports" to me.

(2Theo: yes, I'm lazy, sorry :) )

I agree that the "X:Y" syntax for "user" could be confusing, and "X><Y" is simply ugly. I do not have a silver bullet here, though.

If you oppose the proposed change, I'll add "... except 'uid1:uid2' syntax, which could be mistakenly interpreted as 'uid:gid'" to pf.conf(5). Will that be okay?

Regarding better syntax... I see the following options:

a) 'uid1-uid2', using the same logic as in the proposed patch. Possibly port ranges can also be migrated.

b) '(uid1; uid2)' instead of 'uid1><uid2', '[uid1; uid2]' instead of 'uid1:uid2', and even '(uid1; uid2]' and '[uid1; uid2)'. Mathematicians might be happy.

c) 'uid1 till uid2'. A bit wordy, but PF-style.

> After convincing Sasha in the hackroom that the range syntax for
> user/group is rather misleading and not worth the effort, he in turn
> made a convincing point about how mapping user ranges with existing
> syntax might go wrong:
> 
> 	$  echo 'pass on lo proto tcp user { >= 1000 , <= 2000 }' | pfctl
> -vnf-
> 	pass on lo proto tcp all user >= 1000 flags S/SA
> 	pass on lo proto tcp all user <= 2000 flags S/SA
> 
> Note how --depending on other keywords-- the provided inclusive range
> might evaluate to rules that pass more than desired;  above example
> will
> pass all users since the [1000, 2000] is eventually used as [1000, inf]
> and [0, 2000] which together make for [0, inf], that is all users.
> 
> With proper ranges as for ports the ruleset would evaluate to what
> users
> actually wanted.  So ranges *can* already be covered but not in a sane
> and actually safe way.

The "expansion" feature could be used wrongly for other config clauses as well, especially when negation comes into play. I'm not sure if this should be changed at all... We may enforce that only one of the two syntaxes may be used:

user { foo, bar }
user { 1000 till 1999, >=10000 }

-- 
With best regards,
Vadim Zhukov


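To make the quoted expansion behaviour concrete, here is an added illustration that is not code from OpenBSD or from anyone in this thread. It models, in Python, the semantics visible in the quoted `pfctl -vnf-` output: every element of a braced `user { ... }` list becomes its own rule, and a packet is passed when any one of those expanded rules matches (a union), whereas a reader writing `{ >= 1000 , <= 2000 }` usually means the intersection. The sample rules are constructed for the demonstration; the set of unary operators is the one pf.conf(5) documents for `user`, and the expanded-rule text is simplified (no `all`/`flags S/SA` decoration). A ruleset reviewer can use the `overshoot` check to flag lists of comparisons that pass more UIDs than the range reading would.

```python
import re

# Constructed sample rule: the one quoted from the thread above.
SAMPLE_RULE = "pass on lo proto tcp user { >= 1000 , <= 2000 }"

# Constructed sample showing the same problem with negation.
NEGATED_RULE = "block proto tcp user { != 1000 , != 2000 }"

# Unary comparison operators pf.conf(5) accepts for "user".
OPS = {
    "=":  lambda uid, n: uid == n,
    "!=": lambda uid, n: uid != n,
    "<":  lambda uid, n: uid < n,
    "<=": lambda uid, n: uid <= n,
    ">":  lambda uid, n: uid > n,
    ">=": lambda uid, n: uid >= n,
}


def parse_user_list(rule):
    """Return the (operator, uid) pairs found inside 'user { ... }'.

    A bare number means equality, as in pf.conf.
    """
    m = re.search(r"user\s*\{([^}]*)\}", rule)
    if not m:
        raise ValueError("rule has no braced user list")
    pairs = []
    for item in m.group(1).split(","):
        mm = re.fullmatch(r"\s*(>=|<=|!=|>|<|=)?\s*(\d+)\s*", item)
        if not mm:
            raise ValueError(f"cannot parse user element: {item!r}")
        pairs.append((mm.group(1) or "=", int(mm.group(2))))
    return pairs


def expand(rule):
    """Mimic pfctl's list expansion: one standalone rule per list element."""
    head = rule[:rule.index("user")].rstrip()
    return [f"{head} user {op} {n}" for op, n in parse_user_list(rule)]


def matched_by_expansion(rule, uids):
    """UIDs the expanded ruleset acts on: any expanded rule matching suffices."""
    pairs = parse_user_list(rule)
    return {u for u in uids if any(OPS[op](u, n) for op, n in pairs)}


def matched_as_range(rule, uids):
    """UIDs the author most likely intended: every comparison must hold."""
    pairs = parse_user_list(rule)
    return {u for u in uids if all(OPS[op](u, n) for op, n in pairs)}


def overshoot(rule, uids):
    """UIDs the expansion matches beyond the range reading; non-empty is a review finding."""
    return matched_by_expansion(rule, uids) - matched_as_range(rule, uids)


if __name__ == "__main__":
    uids = range(0, 65536)
    for rule in (SAMPLE_RULE, NEGATED_RULE):
        print(rule)
        for r in expand(rule):
            print("   ", r)
        print("    intended:", len(matched_as_range(rule, uids)),
              "uids; actually matched:", len(matched_by_expansion(rule, uids)))
```

Running it shows the quoted case exactly: the range reading covers 1001 UIDs (1000 through 2000), while the two expanded rules together cover every UID. The negated list behaves the same way, since no single UID equals both 1000 and 2000, so `!= 1000` or `!= 2000` is true for all of them.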