Re: [nft PATCH] src: Quote user-defined names


On Wed, Jan 16, 2019 at 08:19:00PM +0100, Pablo Neira Ayuso wrote:
> Hi Phil,
> 
> On Wed, Jan 16, 2019 at 07:46:13PM +0100, Phil Sutter wrote:
> > Nftables claims to allow arbitrary names for ruleset elements (tables,
> > chains, objects) but suffers from the known problem of lex/yacc trying
> > to interpret those as keywords. As a workaround, users may quote their
> > names. Sadly this wasn't supported in most cases and this patch lifts
> > this restriction.
> > 
> > In order to not print rulesets which are not accepted anymore by the
> > 'nft -f' command, unconditionally quote all names on output.
> > 
> > Note that the same problem existed for interface names. I've tested for
> > those to work in both netdev family chains and flowtable definitions,
> > though automatic testing is troublesome since they must exist (and I'm
> > not sure if test scripts should call iproute2 to add an interface with a
> > crafted name).
> 
> This is what we are supporting natively, probably not well documented:
> 
> commit 57ecffc9d1e551ecc0546806ca9c008e93c2ecf3
> Author: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> Date:   Tue Aug 16 23:22:51 2016 +0200
> 
>     scanner: allow strings starting by underscores and dots
> 
>     POSIX.1-2008 (which is simultaneously IEEE Std 1003.1-2008) says:
>     "The set of characters from which portable filenames are constructed.
> 
>     A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
>     a b c d e f g h i j k l m n o p q r s t u v w x y z
>     0 1 2 3 4 5 6 7 8 9 . _ -"
> 
> I think we can just document this or you need this sort of
> flexibility. We can also allow for keywords to be used as names, which
> is what is left behind...
> 
> We can of course decide to go for quotes as you propose, this was so
> far the only exception since all other user-defined values from rules
> are always assumed to be enclosed in quotes.

My point is that users don't necessarily know what names are forbidden
(i.e., keywords) and which are not. Suggesting to prefix names by
underscore "just in case" or "if you get a weird error message" is not
the best option in my opinion. That said, my solution of "quote names
unless you know what you're doing" is not much better to be fair. :)

I really don't know what the best way to handle this is, given that we
can't work around this quirk in lex/yacc without turning it all into a
mess. The problem I'm facing is simply that users file tickets because
they are not aware of the problem and hence think that nft not accepting
certain names is simply a bug one should fix.

Cheers, Phil
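To illustrate the keyword collision discussed above and the unconditional quoting on output that the patch proposes, here is an added Python sketch; it is not nft's scanner and not part of this thread. The keyword set is a constructed sample, and the rule that anything inside double quotes is a STRING token is an assumption about how a lex-style scanner behaves.

```python
import re

# Constructed sample of nft keywords that users plausibly pick as table or
# chain names; the real scanner's keyword list is much longer (assumption).
KEYWORDS = {"add", "table", "chain", "ip", "counter", "limit",
            "accept", "drop", "tcp"}

# A word is either a double-quoted string or a run of non-blank characters.
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(line):
    """Classify each word the way a lex-style scanner would: a bare word
    matching a keyword becomes KEYWORD, anything inside double quotes
    becomes STRING, and any other bare word becomes NAME."""
    tokens = []
    for quoted, bare in TOKEN_RE.findall(line):
        if bare == "":                       # the quoted alternative matched
            tokens.append(("STRING", quoted))
        elif bare in KEYWORDS:
            tokens.append(("KEYWORD", bare))
        else:
            tokens.append(("NAME", bare))
    return tokens


def needs_quoting(name):
    """True when an unquoted name would be eaten as a keyword."""
    return name in KEYWORDS


def quote_name(name):
    """Unconditionally quote a user-defined name for output, so that the
    printed ruleset is re-read as STRING tokens regardless of keywords."""
    if '"' in name:
        # Escaping inside quoted strings is not modelled here (assumption).
        raise ValueError("double quote inside name not handled")
    return '"%s"' % name


def emit_add_chain(family, table, chain):
    """Print an 'add chain' command with both names quoted."""
    return "add chain %s %s %s" % (family, quote_name(table), quote_name(chain))


if __name__ == "__main__":
    print(tokenize("add chain ip mytable counter"))   # chain name lost to KEYWORD
    print(tokenize(emit_add_chain("ip", "mytable", "counter")))
```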


