[pkg-netfilter-team] Bug#932877: parser rejects blank/comment lines in literal sets/maps

[Trent W. Buck]

Package: nftables
Version: 0.9.1-2
Severity: minor

The nftables file parser allows newlines in literal sets and maps.
It allows comments in them -- but it doesn't allow comments on their own line.
I think this is a mistake, and the parser should be changed to allow them.

A simple example ruleset is below.

    # cat tmp.nft
    table inet x {
        # comments are allowed here
        chain y {
            # comments are allowed here
            icmpv6 type {
                1,                  # comments are allowed here
                2,
            } accept

            icmpv6 type {
                1,
                # comments AREN'T allowed here
                2,
            } accept
        }
    }
    list ruleset

    root at not-omega:~# nft --file tmp.nft
    tmp.nft:12:43-43: Error: syntax error, unexpected newline, expecting comma or '}'
                # comments AREN'T allowed here
                                              ^
    tmp.nft:13:14-14: Error: syntax error, unexpected comma
                2,
                 ^
    tmp.nft:14:11-16: Error: syntax error, unexpected accept, expecting newline or semicolon
            } accept
              ^^^^^^

PS: it also doesn't allow blank lines, e.g.

    add table x
    add chain x y
    add rule x y ip saddr {
        1,

        2,
    } accept



-- System Information:
Debian Release: 10.0
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'proposed-updates'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled