Date:      Tue, 20 Aug 2002 23:53:18 -0700
From:      Luigi Rizzo <rizzo@icir.org>
To:        cjclark@alum.mit.edu
Cc:        ipfw@FreeBSD.ORG
Subject:   Re: ambiguity of filter expressions (tcpdump and ipfw2)
Message-ID:  <20020820235317.B54133@iguana.icir.org>
In-Reply-To: <20020821064119.GA72013@blossom.cjclark.org>; from crist.clark@attbi.com on Tue, Aug 20, 2002 at 11:41:19PM -0700
References:  <20020820054206.A45915@iguana.icir.org> <20020821000459.GB70203@blossom.cjclark.org> <20020820222540.A53549@iguana.icir.org> <20020821064119.GA72013@blossom.cjclark.org>

On Tue, Aug 20, 2002 at 11:41:19PM -0700, Crist J. Clark wrote:
...
> > There is not a lot of mathematical consistency even now -- if a
> > field has a limited range, one would expect things like
> > 
> > 	port 0-79 or port 81-65535
> > 	not port 80
> > 
> > to be the same thing, but they aren't...
> 
> Dunno if it is just me, but those don't look like the same
> thing even at a glance. 'port' implies a matching packet must also be
> TCP or UDP. I guess I automatically add the "implied conditions,"

but you see, it is all around the "implied conditions" that
are added behind the scenes.

Limiting just to tcp for simplicity:

You write "port 80" and you mean "tcp and port 80" (and this is
really what the match engine does). Then when you write "not port
80" it is not obvious whether the negation should go before or after
the added tcp check -- both rewrites, "tcp and (not port 80)" or
"not (tcp and port 80)"  make sense.

But the bottom line is that both agree to stick with the current
behaviour. However I just wanted to point out that it can lead
to unexpected leaks.

	cheers
	luigi
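The two readings of "not port 80" that Luigi contrasts can be made concrete with a toy match engine. The following is an added illustration, not code from the message, from ipfw or from tcpdump: a small Python evaluator over constructed packets in which "port N" carries the implied "tcp" check, exactly as the thread describes, and the two rewrites of the negation, "tcp and (not port 80)" versus "not (tcp and port 80)", are evaluated side by side with the explicit range form "port 0-79 or port 81-65535". The packet fields, labels and function names are assumptions made for the example; the point it shows is that the outer-negation reading admits every non-TCP packet, which is the leak the message warns about.

```python
from dataclasses import dataclass
from typing import Callable, List

# Hypothetical minimal packet model (not the ipfw or tcpdump representation).
@dataclass(frozen=True)
class Packet:
    label: str
    proto: str       # "tcp", "udp", "icmp"
    dport: int = 0   # meaningless for protocols without ports

Predicate = Callable[[Packet], bool]

# Constructed sample traffic; labels exist only for readable output.
SAMPLE = [
    Packet("tcp/80", "tcp", 80),
    Packet("tcp/22", "tcp", 22),
    Packet("udp/53", "udp", 53),
    Packet("icmp", "icmp"),
]

def port_range(lo: int, hi: int) -> Predicate:
    """'port LO-HI' as the engine evaluates it: the implied 'tcp' check is ANDed in.
    (Limited to TCP, following the simplification made in the message.)"""
    return lambda p: p.proto == "tcp" and lo <= p.dport <= hi

def port(n: int) -> Predicate:
    """'port N' == 'tcp and port N'."""
    return port_range(n, n)

def not_outside(n: int) -> Predicate:
    """Rewrite 1 of 'not port N': not (tcp and port N).
    The negation wraps the implied protocol check as well."""
    inner = port(n)
    return lambda p: not inner(p)

def not_inside(n: int) -> Predicate:
    """Rewrite 2 of 'not port N': tcp and (not port N).
    The implied protocol check stays outside the negation."""
    return lambda p: p.proto == "tcp" and not (p.dport == n)

def complement_by_ranges(n: int) -> Predicate:
    """The explicit form 'port 0-(N-1) or port (N+1)-65535'."""
    lo, hi = port_range(0, n - 1), port_range(n + 1, 65535)
    return lambda p: lo(p) or hi(p)

def matches(pred: Predicate, packets: List[Packet] = SAMPLE) -> List[str]:
    """Labels of the packets a filter expression matches, in input order."""
    return [p.label for p in packets if pred(p)]

def leak(n: int, packets: List[Packet] = SAMPLE) -> List[str]:
    """Packets admitted by the outer-negation rewrite of 'not port N'
    that the explicit range form does not admit: the unexpected leak."""
    wanted = set(matches(complement_by_ranges(n), packets))
    return [lbl for lbl in matches(not_outside(n), packets) if lbl not in wanted]

if __name__ == "__main__":
    forms = [
        ("port 80", port(80)),
        ("port 0-79 or port 81-65535", complement_by_ranges(80)),
        ("tcp and (not port 80)", not_inside(80)),
        ("not (tcp and port 80)", not_outside(80)),
    ]
    for name, pred in forms:
        print(f"{name:28s} -> {matches(pred)}")
    print("leaked by outer negation   ->", leak(80))
```

Running the block prints the match list for each form; the range form and the inner-negation rewrite agree on just the TCP/22 packet, while the outer-negation rewrite also passes the UDP and ICMP packets. When auditing a ruleset, `leak()` is the check worth keeping: it enumerates exactly the traffic that a negated port clause lets through beyond what the explicit ranges would.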
