From 931737a1719824d7945433177e61a6c47530ed69 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Tue, 6 Dec 2022 22:59:55 +0100 Subject: scanner: munch full comment lines Munch lines full comment lines, regular expression matches lines that start by space or tab, then # follows, finally anything including one single line break. Call reset_pos() to ensure error reporting location is not puzzled. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1196 Signed-off-by: Pablo Neira Ayuso --- src/scanner.l | 4 +++ tests/shell/testcases/comments/comments_0 | 42 ++++++++++++++++++++++ .../shell/testcases/comments/dumps/comments_0.nft | 12 +++++++ 3 files changed, 58 insertions(+) create mode 100755 tests/shell/testcases/comments/comments_0 create mode 100644 tests/shell/testcases/comments/dumps/comments_0.nft diff --git a/src/scanner.l b/src/scanner.l index 1371cd04..e72a427a 100644 --- a/src/scanner.l +++ b/src/scanner.l @@ -124,6 +124,7 @@ string ({letter}|[_.])({letter}|{digit}|[/\-_\.])* quotedstring \"[^"]*\" asteriskstring ({string}\*|{string}\\\*|\\\*|{string}\\\*{string}) comment #.*$ +comment_line ^[ \t]*#.*\n slash \/ timestring ([0-9]+d)?([0-9]+h)?([0-9]+m)?([0-9]+s)?([0-9]+ms)? @@ -858,6 +859,9 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr}) {tab}+ {space}+ {comment} +{comment_line} { + reset_pos(yyget_extra(yyscanner), yylloc); + } <> { update_pos(yyget_extra(yyscanner), yylloc, 1); diff --git a/tests/shell/testcases/comments/comments_0 b/tests/shell/testcases/comments/comments_0 new file mode 100755 index 00000000..b272ad67 --- /dev/null +++ b/tests/shell/testcases/comments/comments_0 
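Review bot: The `{comment_line}` action in the second scanner.l hunk (@@ -858) calls reset_pos() and returns no token, with no comment explaining why. The reason is not obvious from the rule alone: the pattern added in the first hunk ends in `\n`, so the line break is consumed inside this match instead of being scanned separately. I would add a comment above the call such as `/* whole-line comment: the trailing \n is consumed by the pattern, so fix up the location here; no newline token is returned */`. reset_pos() is defined outside the hunk, so whether it also advances the line counter cannot be confirmed from here, and that matters because error locations are how an operator finds the offending line in a firewall ruleset. The rules section this action sits in starts and ends outside the hunk.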
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+RULESET="table inet x { # comment
+ # comment 1
+ # comment 2
+ set y { # comment here
+ type ipv4_addr # comment
+ elements = {
+ # 1.1.1.1
+ 2.2.2.2, # comment
+ # more comments
+ 3.3.3.3, # comment
+ }
+ # comment
+ }
+
+ # comments are allowed here
+ chain y {
+ # comments are allowed here
+ icmpv6 type {
+ 1, # comments are allowed here
+ 2,
+ } accept
+
+ icmp type {
+ 1,
+ # comments also allowed here
+ 2,
+ } accept
+
+ tcp dport {
+ # normal FTP
+ 21,
+ # patched FTP
+ 2121
+ } counter accept
+ }
+}
+"
+
+$NFT -f - <<< "$RULESET"
+
diff --git a/tests/shell/testcases/comments/dumps/comments_0.nft b/tests/shell/testcases/comments/dumps/comments_0.nft
new file mode 100644
index 00000000..82ae510b
--- /dev/null
+++ b/tests/shell/testcases/comments/dumps/comments_0.nft
@@ -0,0 +1,12 @@
+table inet x {
+ set y {
+ type ipv4_addr
+ elements = { 2.2.2.2, 3.3.3.3 }
+ }
+
+ chain y {
+ icmpv6 type { destination-unreachable, packet-too-big } accept
+ icmp type { 1, 2 } accept
+ tcp dport { 21, 2121 } counter packets 0 bytes 0 accept
+ }
+}
--
cgit v1.2.3
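Review bot: The new comments_0 testcase only exercises the accepting path, so the reset_pos() call that the commit message justifies by error-location accuracy is never checked. A companion case would cover it: feed a ruleset with a deliberate syntax error placed after several full-line comments and assert the line number in the reported error. The here-string `$NFT -f - <<< "$RULESET"` always ends the input with a newline, so a comment-only last line with no trailing newline is not covered either. The `comment_line` pattern requires `\n`, so that input presumably falls through to the older `{comment}` rule. Loading such a ruleset from a file written without a final newline would pin that behaviour down.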