Date: Tue, 20 Aug 2002 17:04:59 -0700
From: "Crist J. Clark" <crist.clark@attbi.com>
To: Luigi Rizzo <rizzo@icir.org>
Cc: ipfw@FreeBSD.ORG
Subject: Re: ambiguity of filter expressions (tcpdump and ipfw2)
Message-ID: <20020821000459.GB70203@blossom.cjclark.org>
In-Reply-To: <20020820054206.A45915@iguana.icir.org>
References: <20020820054206.A45915@iguana.icir.org>

On Tue, Aug 20, 2002 at 05:42:06AM -0700, Luigi Rizzo wrote:
[snip]
> I'd be inclined to leave things as they are, surely remark the issue
> in the manpage, and maybe make ipfw2 print out a "Warning" message
> about the use of a potentially unsafe match pattern, same as the
> compiler does when you use a "gets".
>
> Opinions anyone ?

The current behavior makes logical sense. If someone wants to get
complicated and do something like (I'll write in BPF rules since I'm
not up on ipfw2),

  icmp || (tcp && port 80)

Would the "applicability" checks kick in? Or only when there is a
negation? For mathematical consistency,

  !( icmp || (tcp && port 80))

Must give the same result as,

  !icmp && !(tcp && port 80)

And these "applicability" rules seem to break it.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org