Bug 182819 - pfctl(8) interprets "# .... \" as multi-line comment
Summary: pfctl(8) interprets "# .... \" as multi-line comment
Status: Open
Alias: None
Product: Documentation
Classification: Unclassified
Component: Manual Pages (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: freebsd-pf (Nobody)
URL: https://github.com/freebsd/freebsd-sr...
Keywords: needs-patch
Depends on:
Blocks:
 
Reported: 2013-10-08 02:10 UTC by Adam McDougall
Modified: 2024-03-25 12:16 UTC (History)
2 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Adam McDougall 2013-10-08 02:10:00 UTC 
Twice I've been burned by pfctl ignoring a line in pf.conf because it
was preceded by a comment that happened to end in a backslash:

# pass in on blah blah blah doesn't matter this is a comment \
pass in on blah blah doesn't matter because this is treated as part of the comment

I try to keep my firewall rules less than 80 chars in case I need to edit
them on a dumb terminal.  Sometimes I end up duplicating a line to make
changes to an alternate copy and comment out the original, but if the
commented out line ends in a backslash, my intended replacement is ignored.
It becomes really confusing why my firewall rule is ignored yet no errors
from pfctl -f.  Eventually I figure it out.  But in my opinion, a system
that treats lines starting with # as a comment ought to unconditionally
treat them as a single line comment, and not "except if it ends in a \".
I don't know if this happens in any other pf implementation, or if it is
intentional, but it is troublesome.  I think it would be better to parse
and potentially accept lines following comments.  If they are faulty,
pfctl will throw an error.  If they are valid, they should be honored.

Fix: 

When a # is encountered in pf.conf, unconditionally ignore the rest of
the line.  Might be a problem with the order things are parsed?
How-To-Repeat: # pass in on blah blah blah doesn't matter this is a comment \
pass in on blah blah doesn't matter because this is treated as part of the comment

pfctl -f yourfilename, it will ignore the second line
Comment 1 Mark Linimon freebsd_committer freebsd_triage 2014-04-16 01:40:48 UTC 
Responsible Changed
From-To: freebsd-bugs->freebsd-pf

assign.
Comment 2 Adam McDougall 2016-01-16 15:48:39 UTC 
I checked upstream and OpenBSD has the same behavior.  It is intentional and unlikely to change since the parser used is shared with a number of other utilities.  The behavior in this regard is described better in more recent versions of the OpenBSD manpage, for example this commit is one of several:

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/share/man/man5/pf.conf.5#rev1.495

I'll change the metadata on this ticket to suggest it is a Doc issue.
Comment 3 Thanos 2018-05-17 10:38:10 UTC 
MARKED AS SPAM
Comment 4 priyanka 2023-09-16 07:37:23 UTC 
MARKED AS SPAM
Comment 5 Emma Brown 2023-09-20 03:23:34 UTC 
MARKED AS SPAM
Comment 6 Graham Perrin 2023-09-23 18:50:28 UTC 
Sorry for the lack of activity. 

(In reply to Adam McDougall from comment #2)

> http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/share/man/man5/pf.conf.5#rev1.495

Unfortunately, no longer available. 

Re: <https://man.freebsd.org/cgi/man.cgi?query=pfctl&sektion=8&manpath=FreeBSD+15.0-CURRENT> please, can someone suggest improvements?

This might be a candidate for a simple pull request; <https://github.com/freebsd/freebsd-src/blob/main/CONTRIBUTING.md>.
Comment 7 sakshi 2023-09-29 08:15:17 UTC 
MARKED AS SPAM
Comment 8 Maru Kari 2024-03-25 03:46:33 UTC 
MARKED AS SPAM