Date: Wed, 14 Jan 2004 23:05:38 +0100
From: Pawel Malachowski <pawmal-posting@freebsd.lublin.pl>
To: Luigi Rizzo <rizzo@icir.org>
Cc: ipfw@freebsd.org
Subject: Re: semantics of 'not-applicable' options in ipfw ?
Message-ID: <20040114220538.GA72981@shellma.zin.lublin.pl>
In-Reply-To: <20040114082004.A43466@xorpc.icir.org>
References: <20040114082004.A43466@xorpc.icir.org>
On Wed, Jan 14, 2004 at 08:20:04AM -0800, Luigi Rizzo wrote:
> As the subject says... what is people's opinion on the
> best semantics for 'not-applicable' options in ipfw rules ?
>
> As an example, if i say (using ipfw2 syntax, for simplicity)
>
>     100 count src-port 100
>     200 count not src-port 100
>
> and i receive a fragment, or an ICMP packet (which does not have port
> information available), should it match rule 100, rule 200, none
> or both ? The current implementation in ipfw2 is to use binary
> logic, so the outcome of a 'not-applicable' option is FALSE,
> and its negation is TRUE (so in the above case rule 200 will succeed).

Ports are meaningful for TCP or UDP packets. If one uses src-port in a
rule, he assumes such a rule is for TCP or UDP packets. That's why I
think rule 200 shouldn't match an ICMP datagram.

I also think ambiguous rules should be forbidden. This will force users
to work with well planned rules. ;)

-- 
Paweł Małachowski
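As an added illustration (not part of the thread), a small Python model of the two readings discussed for rules 100 and 200: the binary logic Luigi describes, where a not-applicable option is FALSE and its negation TRUE, and the stricter reading Pawel argues for, where a port option on a packet without port information never matches. The `Packet` fields and the `"binary"`/`"strict"` labels are modelling assumptions of this example, not ipfw code.

```python
"""Toy model of how 'src-port' / 'not src-port' behave on packets that
carry no port information (ICMP, non-first fragments)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    proto: str                     # "tcp", "udp" or "icmp" (constructed sample data)
    src_port: Optional[int] = None  # None when no L4 port is available
    fragment: bool = False         # non-first fragment: L4 header not present


def port_applicable(pkt: Packet) -> bool:
    """A port option only makes sense for TCP/UDP with a visible header."""
    return pkt.proto in ("tcp", "udp") and not pkt.fragment and pkt.src_port is not None


def match_src_port(pkt: Packet, port: int, negate: bool, semantics: str) -> bool:
    """Evaluate 'src-port <port>' (negate=False) or 'not src-port <port>'.

    semantics == "binary": not-applicable evaluates FALSE, so the negated
                           form is TRUE (the ipfw2 behaviour quoted above).
    semantics == "strict": not-applicable never matches, negated or not
                           (the reading argued for in the reply).
    """
    if not port_applicable(pkt):
        return negate if semantics == "binary" else False
    hit = pkt.src_port == port
    return (not hit) if negate else hit


# Rule number, port, negated?  Mirrors the two 'count' rules in the thread.
RULES = [(100, 100, False), (200, 100, True)]


def matching_rules(pkt: Packet, semantics: str) -> list:
    """Return the numbers of the rules the packet would be counted by."""
    return [num for num, port, neg in RULES if match_src_port(pkt, port, neg, semantics)]


if __name__ == "__main__":
    samples = [Packet("tcp", 100), Packet("tcp", 53), Packet("icmp"),
               Packet("tcp", fragment=True)]
    for p in samples:
        print(p, "binary:", matching_rules(p, "binary"),
              "strict:", matching_rules(p, "strict"))
```

Running it shows that only the ICMP packet and the fragment differ between the two readings: binary logic counts them under rule 200, the strict reading counts them under neither rule.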