Date:      Wed, 14 Jan 2004 23:05:38 +0100
From:      Pawel Malachowski <pawmal-posting@freebsd.lublin.pl>
To:        Luigi Rizzo <rizzo@icir.org>
Cc:        ipfw@freebsd.org
Subject:   Re: semantics of 'not-applicable' options in ipfw ?
Message-ID:  <20040114220538.GA72981@shellma.zin.lublin.pl>
In-Reply-To: <20040114082004.A43466@xorpc.icir.org>
References:  <20040114082004.A43466@xorpc.icir.org>

On Wed, Jan 14, 2004 at 08:20:04AM -0800, Luigi Rizzo wrote:

> As the subject says... what is people's opinion on the
> best semantics for 'not-applicable' options in ipfw rules ?
> 
> As an example, if i say (using ipfw2 syntax, for simplicity)
> 
> 	100 count src-port 100
> 	200 count not src-port 100
> 
> and i receive a fragment, or an ICMP packet (which does not have port
> information available), should it match rule 100, rule 200, none
> or both ? The current implementation in ipfw2 is to use binary
> logic, so the outcome of a 'not-applicable' option is FALSE,
> and its negation is TRUE (so in the above case rule 200 will succeed).

Ports are meaningful for TCP or UDP packets. If one uses src-port in a rule,
he assumes such a rule is for TCP or UDP packets.
That's why I think rule 200 shouldn't match an ICMP datagram. I also think
ambiguous rules should be forbidden. This will force users to work with
well-planned rules. ;)


-- 
Paweł Małachowski
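As an added illustration (not part of the thread and not ipfw source code), the following model evaluates the two `count` rules quoted above against a handful of constructed packets under both semantics discussed: the ipfw2 binary logic Luigi describes (a not-applicable option is FALSE, so `not` makes it TRUE) and the stricter reading Pawel argues for (a rule whose option does not apply to the packet never matches, negated or not). The packet representation, the mode names `binary`/`strict`, and the treatment of a non-first fragment as having no port information are assumptions of this model, not ipfw behaviour verified from the page.

```python
"""Model of how an ipfw-style rule treats an option that does not apply
to the packet (e.g. src-port on ICMP or on a non-first IP fragment).

Added example, not ipfw source. The packet fields, the rule tuple
format and the mode names are assumptions made for illustration:
  - 'binary' models the ipfw2 behaviour described in the thread: a
    not-applicable option evaluates FALSE, so its negation is TRUE.
  - 'strict' models the alternative proposed in the reply: a rule whose
    option does not apply to the packet never matches, 'not' or not.
"""
from typing import Optional

# Constructed sample packets. Only TCP/UDP carry port numbers; an ICMP
# packet or a non-first fragment has no transport header to read
# (assumption: ports are unavailable for any non-first fragment).
PACKETS = {
    "tcp sport 100": {"proto": "tcp", "src_port": 100, "frag": False},
    "tcp sport 2000": {"proto": "tcp", "src_port": 2000, "frag": False},
    "icmp echo": {"proto": "icmp", "frag": False},
    "udp fragment": {"proto": "udp", "frag": True},
}

# The two count rules from the thread as (number, negate, src_port).
RULES = [
    (100, False, 100),   # 100 count src-port 100
    (200, True, 100),    # 200 count not src-port 100
]

NA = None  # sentinel: the option does not apply to this packet


def src_port_applies(pkt) -> bool:
    """Ports exist only for TCP/UDP, and only in the first fragment."""
    return pkt["proto"] in ("tcp", "udp") and not pkt["frag"]


def eval_src_port(pkt, port) -> Optional[bool]:
    """Three-valued result: True/False when comparable, NA otherwise."""
    if not src_port_applies(pkt):
        return NA
    return pkt["src_port"] == port


def rule_matches(pkt, rule, mode: str) -> bool:
    """Apply one rule to one packet under the chosen semantics."""
    number, negate, port = rule
    result = eval_src_port(pkt, port)
    if result is NA:
        if mode == "binary":
            result = False        # ipfw2: not-applicable -> FALSE ...
        elif mode == "strict":
            return False          # proposal: never matches, negated or not
        else:
            raise ValueError(f"unknown mode {mode!r}")
    return (not result) if negate else result  # ... and 'not' flips it to TRUE


def matching_rules(pkt, mode: str):
    """Numbers of the rules the packet matches. Both rules are 'count'
    rules, which do not terminate the search, so every rule is tried."""
    return [r[0] for r in RULES if rule_matches(pkt, r, mode)]


def compare_semantics():
    """Return {packet name: {mode: [matching rule numbers]}}."""
    return {
        name: {mode: matching_rules(pkt, mode) for mode in ("binary", "strict")}
        for name, pkt in PACKETS.items()
    }


if __name__ == "__main__":
    for name, per_mode in compare_semantics().items():
        print(f"{name:15s} binary={per_mode['binary']}  strict={per_mode['strict']}")
```

Under `binary`, the ICMP packet and the fragment both land in rule 200 even though neither has a source port at all, which is exactly the case the question raises; under `strict`, they match neither rule, and a ruleset that needs to count them has to say so with a `proto` or `frag` option rather than relying on a negated port test.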
