Date:      Wed, 21 Aug 2002 17:20:56 -0700 (PDT)
From:      Archie Cobbs <archie@dellroad.org>
To:        Luigi Rizzo <rizzo@icir.org>
Cc:        ipfw@FreeBSD.ORG
Subject:   Re: ambiguity of filter expressions (tcpdump and ipfw2)
Message-ID:  <200208220020.g7M0Kue08368@arch20m.dellroad.org>
In-Reply-To: <20020820054206.A45915@iguana.icir.org> "from Luigi Rizzo at Aug 20, 2002 05:42:06 am"

Luigi Rizzo writes:
> when you specify a match pattern that is not applicable to the
> packet being processed (e.g. "src-port 80" on an ICMP packet),
> the match will simply fail and the packet will not be selected.
> 
> However, when you put in a "not" operator (as in "not src-port 80")
> there are really two ways to implement the operation:
> 
>  1. the basic match fails, so its negation will succeed.  
>     This is the way tcpdump operates (try a "tcpdump not port 80"
>     and see how it matches all sorts of non-tcp traffic), and also
>     ipfw2 does the same thing for consistency with tcpdump
>     (that is the official excuse -- in reality, I did not think of
>     the issue in the first place, maybe the same happened to
>     the tcpdump/libpcap authors).
> 
>  2. The match operator is "not applicable" so both the
>     direct form and the negation will fail.
> 
> Now, using the first approach in a firewall might be somewhat dangerous,
> in the sense that, yes, the rule does exactly what you write, but
> that might not be what you really want. E.g. consider
> 
>         ipfw add allow not src-port 80

I think this problem is really caused by the 'optimization' of pcap(3)
that allows you to say "dst port 80" when what you really mean is
"udp dst port 80 or tcp dst port 80".

If we got rid of that 'optimization' then your issue would become
less of a problem, i.e., "allow not tcp dst port 80" pretty clearly is
going to allow ICMP, etc.

-Archie

__________________________________________________________________________
Archie Cobbs     *     Packet Design     *     http://www.packetdesign.com
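The two negation semantics Luigi describes, and Archie's point that spelling out the protocol removes the ambiguity, can be made concrete with a small filter evaluator. The code below is an added illustration, not code from ipfw, tcpdump or libpcap; the packet records, the predicate names (`proto`, `src_port`, `both`) and the three-valued `Result` type are constructed for this example only. It evaluates `allow not src-port 80` and `allow not tcp src-port 80` over a handful of sample packets under both approaches.

```python
"""Two evaluation semantics for negated packet-filter predicates.

Added example (not ipfw/tcpdump code). Models the two alternatives from
the thread:
  1. two-valued: a predicate that does not apply to the packet just fails,
     so its negation succeeds (tcpdump/libpcap and ipfw2 behaviour);
  2. three-valued: a non-applicable predicate is "not applicable", and
     both it and its negation fail to select the packet.
Packets and the tiny rule language are constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, List, Optional


class Result(Enum):
    MATCH = "match"
    NOMATCH = "nomatch"
    NA = "not-applicable"   # predicate does not apply to this packet


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src_port: Optional[int] = None   # None for protocols without ports
    dst_port: Optional[int] = None


Pred = Callable[[Packet], Result]


def proto(name: str) -> Pred:
    """Predicate 'tcp', 'udp', ...: always applicable."""
    return lambda p: Result.MATCH if p.proto == name else Result.NOMATCH


def src_port(port: int) -> Pred:
    """Predicate 'src-port <port>': not applicable to port-less protocols."""
    def pred(p: Packet) -> Result:
        if p.src_port is None:
            return Result.NA
        return Result.MATCH if p.src_port == port else Result.NOMATCH
    return pred


def both(a: Pred, b: Pred) -> Pred:
    """AND of two predicates: a definite NOMATCH dominates, then NA, then MATCH."""
    def pred(p: Packet) -> Result:
        ra, rb = a(p), b(p)
        if Result.NOMATCH in (ra, rb):
            return Result.NOMATCH
        if Result.NA in (ra, rb):
            return Result.NA
        return Result.MATCH
    return pred


def negate_two_valued(pred: Pred) -> Pred:
    """Approach 1: anything that is not a MATCH becomes a MATCH under 'not'."""
    return lambda p: Result.NOMATCH if pred(p) is Result.MATCH else Result.MATCH


def negate_three_valued(pred: Pred) -> Pred:
    """Approach 2: 'not applicable' stays not applicable under 'not'."""
    def neg(p: Packet) -> Result:
        r = pred(p)
        if r is Result.NA:
            return Result.NA
        return Result.NOMATCH if r is Result.MATCH else Result.MATCH
    return neg


def rule_allows(pred: Pred, p: Packet) -> bool:
    """A rule fires only on an unambiguous MATCH; NA and NOMATCH do not fire."""
    return pred(p) is Result.MATCH


# Constructed sample traffic: two TCP flows, one UDP flow, one ICMP packet.
PACKETS = [
    Packet("tcp", src_port=80, dst_port=51000),
    Packet("tcp", src_port=22, dst_port=51001),
    Packet("udp", src_port=53, dst_port=51002),
    Packet("icmp"),
]


def allowed_protocols(negate: Callable[[Pred], Pred], body: Pred) -> List[str]:
    """Protocols of the sample packets selected by 'allow not <body>'."""
    rule = negate(body)
    return [p.proto for p in PACKETS if rule_allows(rule, p)]


if __name__ == "__main__":
    for label, neg in (("two-valued", negate_two_valued),
                       ("three-valued", negate_three_valued)):
        print(f"{label:12} allow not src-port 80     ->",
              allowed_protocols(neg, src_port(80)))
        print(f"{label:12} allow not tcp src-port 80 ->",
              allowed_protocols(neg, both(proto("tcp"), src_port(80))))
```

Under the two-valued semantics `allow not src-port 80` passes the ICMP packet, which is the surprise Luigi warns about; the three-valued variant drops it. Once the protocol is explicit (`not tcp src-port 80`), the `tcp` test fails definitely for ICMP and both semantics agree that the packet is allowed, which is why Archie argues the implicit-protocol shorthand is the real source of the ambiguity.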

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200208220020.g7M0Kue08368>