Date:      Wed, 14 Jan 2004 08:20:04 -0800
From:      Luigi Rizzo <rizzo@icir.org>
To:        ipfw@freebsd.org
Subject:   semantics of 'not-applicable' options in ipfw ?
Message-ID:  <20040114082004.A43466@xorpc.icir.org>

As the subject says... what is people's opinion on the
best semantics for 'not-applicable' options in ipfw rules ?

As an example, if I say (using ipfw2 syntax, for simplicity)

	100 count src-port 100
	200 count not src-port 100

and I receive a fragment, or an ICMP packet (which does not have port
information available), should it match rule 100, rule 200, none
or both ? The current implementation in ipfw2 is to use binary
logic, so the outcome of a 'not-applicable' option is FALSE,
and its negation is TRUE (so in the above case rule 200 will succeed).

Do other firewalls use ternary logic where not-applicable
options and their negation will both fail ?

(please do not complain about the example and the fact you could
insert a "{ proto tcp or proto udp }" block to make the
behaviour less ambiguous; my point is just to clarify and
specify what the actual behaviour is).

	cheers
	luigi
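
The two semantics discussed in the message, simulated as an added example that is not part of the post and not ipfw's own code. It models a rule as a conjunction of options, where each option yields a three-valued result (match, no match, or not applicable), and evaluates the post's rules 100 and 200 plus a hypothetical rule 300 that carries the "{ proto tcp or proto udp }" guard the author mentions. The Packet fields, the constructed sample packets and the option helpers are assumptions of this toy model, not ipfw internals.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed packet model (not ipfw's mbuf/ip_fw_args): src_port is None where
# no port information exists, and a non-first fragment carries no transport header.
@dataclass
class Packet:
    proto: str                  # "tcp", "udp", "icmp"
    src_port: Optional[int]
    fragment: bool = False

# Three-valued outcome of evaluating one option against one packet.
MATCH, NOMATCH, NA = "match", "nomatch", "n/a"

def opt_src_port(port: int) -> Callable[[Packet], str]:
    """'src-port N': not applicable to fragments or port-less protocols."""
    def check(pkt: Packet) -> str:
        if pkt.fragment or pkt.src_port is None:
            return NA
        return MATCH if pkt.src_port == port else NOMATCH
    return check

def opt_proto(*protos: str) -> Callable[[Packet], str]:
    """'proto X' or '{ proto a or proto b }': always applicable (IP header is present)."""
    def check(pkt: Packet) -> str:
        return MATCH if pkt.proto in protos else NOMATCH
    return check

@dataclass
class Rule:
    number: int
    options: list   # [(negated: bool, check: Callable[[Packet], str]), ...]

def rule_matches_binary(rule: Rule, pkt: Packet) -> bool:
    """Binary logic as the post describes ipfw2: NA folds to False, then 'not' inverts it."""
    for negated, check in rule.options:
        val = check(pkt) == MATCH
        if negated:
            val = not val
        if not val:
            return False
    return True

def rule_matches_ternary(rule: Rule, pkt: Packet) -> bool:
    """Ternary logic: a not-applicable option fails the rule, negated or not."""
    for negated, check in rule.options:
        r = check(pkt)
        if r == NA:
            return False
        val = r == MATCH
        if negated:
            val = not val
        if not val:
            return False
    return True

def matching_rules(rules: list, pkt: Packet, semantics: str) -> list:
    """Return the numbers of the rules a packet would hit under the given semantics."""
    ev = {"binary": rule_matches_binary, "ternary": rule_matches_ternary}[semantics]
    return [r.number for r in rules if ev(r, pkt)]

# Rules 100 and 200 from the post; 300 is the guarded variant the author alludes to.
RULES = [
    Rule(100, [(False, opt_src_port(100))]),
    Rule(200, [(True, opt_src_port(100))]),
    Rule(300, [(False, opt_proto("tcp", "udp")), (True, opt_src_port(100))]),
]

# Constructed sample packets.
PACKETS = {
    "tcp_sport100": Packet("tcp", 100),
    "tcp_sport22": Packet("tcp", 22),
    "icmp": Packet("icmp", None),
    "udp_frag": Packet("udp", None, fragment=True),
}

if __name__ == "__main__":
    for name, pkt in PACKETS.items():
        for sem in ("binary", "ternary"):
            print(f"{name:13s} {sem:8s} -> {matching_rules(RULES, pkt, sem)}")
```

In this model the ICMP packet hits rule 200 under binary logic and nothing under ternary logic, which is exactly the divergence the post asks about. The proto guard on rule 300 keeps ICMP out under both semantics, but a UDP non-first fragment still has a protocol number, so under binary logic rule 300 matches it just as rule 200 does; that is a property of this toy evaluator, not a statement about what ipfw does with fragments.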



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?20040114082004.A43466>