Date:      Tue, 20 Aug 2002 23:41:19 -0700
From:      "Crist J. Clark" <crist.clark@attbi.com>
To:        Luigi Rizzo <rizzo@icir.org>
Cc:        ipfw@FreeBSD.ORG
Subject:   Re: ambiguity of filter expressions (tcpdump and ipfw2)
Message-ID:  <20020821064119.GA72013@blossom.cjclark.org>
In-Reply-To: <20020820222540.A53549@iguana.icir.org>
References:  <20020820054206.A45915@iguana.icir.org> <20020821000459.GB70203@blossom.cjclark.org> <20020820222540.A53549@iguana.icir.org>

On Tue, Aug 20, 2002 at 10:25:40PM -0700, Luigi Rizzo wrote:
> On Tue, Aug 20, 2002 at 05:04:59PM -0700, Crist J. Clark wrote:
> ...
> > The current behavior makes logical sense. If someone wants to get
> > complicated and do something like (I'll write in BPF rules since I'm
> > not up on ipfw2),
> > 
> >   icmp || (tcp && port 80)
> > 
> > Would the "applicability" checks kick in? Or only when there is a
> > negation? For mathematical consistency,
> 
> The problem is that "non-applicable" tests should fail both ways,
> whereas now (both in libpcap and ipfw2) the implementor has to
> choose which one fails and which one succeeds (we both chose
> the direct form to fail and the negated form to succeed).
> 
> There is not a lot of mathematical consistency even now -- if a
> field has a limited range, one would expect things like
> 
> 	port 0-79 or port 81-65535
> 	not port 80
> 
> to be the same thing, but they aren't...

Dunno if it is just me, but those don't look like the same
thing even at a glance. 'port' implies a matching packet must also be
TCP or UDP. I guess I automatically add the "implied conditions,"

    port 0-79 or port 81-65535
 == ((tcp || udp) && port 0-79) or ((tcp || udp) && port 81-65535)
 == (tcp || udp) && (port 0-79 || 81-65535)

    not port 80
 == !((tcp || udp) && port 80)
 == !(tcp || udp) || !(port 80)

Which _are_ clearly different.

Anyway, I stick with the current behavior. If you want to say all TCP
excluding port 80/tcp, then just say so,

  tcp && ! port 80

If you want _everything_ except 80/udp or 80/tcp,

  ! port 80

They are not the same thing, and they shouldn't be.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
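
The three filters from the message above, evaluated with the implied (tcp || udp) condition written out. This is an added example, not part of the original e-mail and not libpcap or ipfw2 code. The names Packet, port_in, ranges, not_port_80, tcp_not_80 and disagreements are hypothetical, the packets are constructed, and each packet carries a single port field as a simplification.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp", "icmp", ...
    port: Optional[int] = None  # simplification: one port field per packet

def port_in(pkt, lo, hi):
    # 'port lo-hi' carries the implied condition (tcp || udp); on any other
    # protocol the test is not applicable and the direct form fails.
    return (pkt.proto in ("tcp", "udp") and pkt.port is not None
            and lo <= pkt.port <= hi)

def ranges(pkt):        # port 0-79 or port 81-65535
    return port_in(pkt, 0, 79) or port_in(pkt, 81, 65535)

def not_port_80(pkt):   # ! port 80  ==  !(tcp || udp) || !(port 80)
    return not port_in(pkt, 80, 80)

def tcp_not_80(pkt):    # tcp && ! port 80
    return pkt.proto == "tcp" and not port_in(pkt, 80, 80)

# Constructed sample packets, not taken from the thread.
SAMPLES = [Packet("tcp", 80), Packet("tcp", 443), Packet("udp", 80),
           Packet("udp", 53), Packet("icmp")]

def disagreements(f, g, packets=SAMPLES):
    """Packets on which filters f and g give different verdicts."""
    return [p for p in packets if f(p) != g(p)]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p.proto:4} {str(p.port):>5}  ranges={ranges(p)!s:5} "
              f"not80={not_port_80(p)!s:5} tcp_not80={tcp_not_80(p)!s:5}")
    print("ranges vs '! port 80':", disagreements(ranges, not_port_80))
    print("'! port 80' vs 'tcp && ! port 80':",
          disagreements(not_port_80, tcp_not_80))
```

On these samples the range form and "! port 80" differ only on the ICMP packet, while "! port 80" and "tcp && ! port 80" differ on both the ICMP packet and the UDP packet on port 53.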
