From: Vadim Goncharov
To: freebsd-security@freebsd.org
Date: Fri, 22 Aug 2008 09:52:49 +0000 (UTC)
Organization: Nuclear Lightning @ Tomsk, TPU AVTF Hostel
Subject: Re: ipfw "bug" - recv any = not recv any
References: <488F2B57.7000706@wagsky.com>
Reply-To: vadim_nuclight@mail.ru

Hi Jeff Kletsky!
On Tue, 29 Jul 2008 07:38:15 -0700; Jeff Kletsky wrote about 'Re: ipfw "bug" - recv any = not recv any':

>> In practice, both "recv any" and "not recv any" appear to be "no-op"
>> phrases.
>>
> [...]
>> In my opinion, the following would be "ideal"
>>
>> 1) "recv any" -- matches packets that have been received by the host
>> through one of its interfaces
>> 2) "not recv any" -- does not match packets that have been received by
>> the host through one of its interfaces
>>
>> Unfortunately, implementing (1) would likely break a lot of people's
>> rule sets
>>
>> (2), however, I can't immediately see being used without expecting that
>> it would fail to match packets that were received by the current host,
>> so its implementation would be a bit "safer" for the community
>>
> Julian Elischer suggested:
>> how does "not recv *" (appropriately escaped for your shell) do?
> This does appear to "work as desired" -- suggesting documentation
> clarification rather than functionality change

The trouble is that 'recv any' is considered useless (yes, on input it will
always match, so why spend time on an additional check) and is optimised
away by the parser, effectively cut out: the kernel doesn't know anything
about "any". I don't know why this keyword still exists at all.

BTW, if you need to check for packets originating from the local host, why
don't you use "from me" as the most intuitive approach?

> My apologies for not posting to the ipfw list.

Yes, that would be better...

--
WBR, Vadim Goncharov. ICQ#166852181 mailto:vadim_nuclight@mail.ru
[Moderator of RU.ANTI-ECOLOGY][FreeBSD][http://antigreen.org][LJ:/nuclight]