* [nft PATCH] doc: nft.8: Add BUGS section about command line parsing
@ 2019-12-11 16:10 Phil Sutter
From: Phil Sutter @ 2019-12-11 16:10 UTC
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

Illustrate potential pitfalls when entering nft commands on command
line and list possible counter-measures.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 doc/nft.txt | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/doc/nft.txt b/doc/nft.txt
index abb9260d3f2f6..d69c2283f52db 100644
--- a/doc/nft.txt
+++ b/doc/nft.txt
@@ -802,6 +802,32 @@ On success, nft exits with a status of 0. Unspecified errors cause it to exit
 with a status of 1, memory allocation errors with a status of 2, unable to open
 Netlink socket with 3.
 
+BUGS
+-----
+COMMAND LINE PARSING
+~~~~~~~~~~~~~~~~~~~~
+The syntax used in nftables is prone to cause problems when given on command
+line. For instance, *semi-colon* is used in all relevant shells to delimit
+commands.
+
+In some places, *quoted strings* are expected. If not escaped, the shell will
+silently eat them away.
+
+There is also an internal problem regarding *negative priority values* (e.g.,
+when defining base-chains or flowtables): The leading dash catches getopt's
+attention which in turn assumes user specified an unknown option flag. Getopt
+allows to ignore any option-like parameter after the first non-option, but
+that would prevent typical commands like *nft list ruleset -a*.
+
+There are multiple ways to mitigate these issues: Shells can be prevented from
+interpreting special characters by prefixing them with the escape character
+(typically *backslash*), getopt won't recognize options following a parameter
+consisting of *two dashes* alone (which in turn is ignored as well). Probably
+the easiest way to avoid even unforseen issues is to enclose the whole
+nftables syntax in *single quotes*. This turns the multiple non-option words
+on command line into a single argument which is passed to the parser just like
+before but the shell as well as getopt will leave it alone.
+
 SEE ALSO
 --------
 [verse]
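Review bot: the new BUGS section has a typo in its last paragraph, "unforseen" should be "unforeseen", and the section would be considerably more useful if it showed one concrete failing and working invocation, since each pitfall it names (semicolon, quoted strings, negative priority) is described abstractly. Placing something like `nft add chain ip filter input { type filter hook input priority -150; }`, which trips over both the shell's `;` and getopt's handling of `-150`, next to `nft add chain ip filter input '{ type filter hook input priority -150; }'` would make the closing single-quote advice immediately actionable. Two wording nits in the same hunk: "the shell will silently eat them away" reads better as "the shell will silently strip them", and "Getopt allows to ignore any option-like parameter after the first non-option" is clearer as "getopt can be told to stop option processing at the first non-option", which also makes the *nft list ruleset -a* counter-example easier to follow.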
-- 
2.24.0

