From: Archie Cobbs
Subject: Re: ambiguity of filter expressions (tcpdump and ipfw2)
In-Reply-To: <20020820054206.A45915@iguana.icir.org> "from Luigi Rizzo at Aug 20, 2002 05:42:06 am"
To: Luigi Rizzo
Cc: ipfw@FreeBSD.ORG
Date: Wed, 21 Aug 2002 17:20:56 -0700 (PDT)
Message-Id: <200208220020.g7M0Kue08368@arch20m.dellroad.org>

Luigi Rizzo writes:
> when you specify a match pattern that is not applicable to the
> packet being processed (e.g. "src-port 80" on an ICMP packet),
> the match will simply fail and the packet will not be selected.
>
> However, when you put in a "not" operator (as in "not src-port 80")
> there are really two ways to implement the operation:
>
> 1. the basic match fails, so its negation will succeed.
> This is the way tcpdump operates (try a "tcpdump not port 80"
> and see how it matches all sorts of non-tcp traffic), and also
> ipfw2 does the same thing for consistency with tcpdump
> (that is the official excuse -- in reality, I did not think of
> the issue in the first place, maybe the same happened to
> the tcpdump/libpcap authors).
>
> 2. The match operator is "not applicable" so both the
> direct form and the negation will fail.
>
> Now, using the first approach in a firewall might be somewhat dangerous,
> in the sense that, yes, the rule does exactly what you write, but
> that might not be what you really want. E.g. consider
>
> ipfw add allow not src-port 80

I think this problem is really caused by the 'optimization' of pcap(3)
that allows you to say "dst port 80" when what you really mean is
"udp dst port 80 or tcp dst port 80". If we got rid of that
'optimization' then your issue would become less of a problem, i.e.,
"allow not tcp dst port 80" pretty clearly is going to allow ICMP, etc.

-Archie

__________________________________________________________________________
Archie Cobbs * Packet Design * http://www.packetdesign.com
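The two negation semantics discussed in this thread, modelled as an added example (not code from ipfw, tcpdump or either poster); the packets, the three-valued match helper and the explicit "tcp src-port" form Archie prefers are all constructed here for illustration:

```python
# Constructed sample packets: a TCP packet from port 80, a UDP packet from
# port 53, and an ICMP echo request that has no port fields at all.
PACKETS = [
    {"proto": "tcp", "src_port": 80, "dst_port": 4321},
    {"proto": "udp", "src_port": 53, "dst_port": 5000},
    {"proto": "icmp", "type": 8},
]


def src_port_match(pkt, port):
    """Protocol-agnostic 'src-port <port>' as in the thread.
    Returns True/False for TCP/UDP, None when the test is not applicable."""
    if "src_port" not in pkt:
        return None
    return pkt["src_port"] == port


def negate_tcpdump(result):
    """Semantics 1 (tcpdump, and ipfw2 at the time of the thread):
    a failed *or* inapplicable match negates to a successful match."""
    return not bool(result)


def negate_strict(result):
    """Semantics 2: an inapplicable match stays inapplicable,
    so both 'src-port 80' and 'not src-port 80' fail on ICMP."""
    if result is None:
        return False
    return not result


def tcp_src_port_match(pkt, port):
    """Archie's alternative: require the protocol in the rule
    ('tcp src-port <port>'), which makes the match a plain boolean
    and leaves nothing ambiguous to negate."""
    return pkt["proto"] == "tcp" and pkt.get("src_port") == port


def evaluate_all(port=80):
    """Which packets 'allow not src-port <port>' would let through
    under each semantics, in PACKETS order."""
    return {
        "tcpdump": [negate_tcpdump(src_port_match(p, port)) for p in PACKETS],
        "strict": [negate_strict(src_port_match(p, port)) for p in PACKETS],
        "explicit_tcp": [not tcp_src_port_match(p, port) for p in PACKETS],
    }


if __name__ == "__main__":
    for name, allowed in evaluate_all().items():
        print(f"{name:13s} {allowed}")
```

Under the tcpdump semantics and the explicit-protocol form the ICMP packet is allowed, under the strict semantics it is not; only the explicit form makes that outcome visible in the rule text itself.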