Date:      Wed, 14 Jan 2004 23:05:38 +0100
From:      Pawel Malachowski <>
To:        Luigi Rizzo <>
Subject:   Re: semantics of 'not-applicable' options in ipfw ?

On Wed, Jan 14, 2004 at 08:20:04AM -0800, Luigi Rizzo wrote:

> As the subject says... what is people's opinion on the
> best semantics for 'not-applicable' options in ipfw rules?
> As an example, if I say (using ipfw2 syntax, for simplicity)
> 	100 count src-port 100
> 	200 count not src-port 100
> and I receive a fragment, or an ICMP packet (which does not have port
> information available), should it match rule 100, rule 200, none
> or both? The current implementation in ipfw2 is to use binary
> logic, so the outcome of a 'not-applicable' option is FALSE,
> and its negation is TRUE (so in the above case rule 200 will succeed).

Ports are meaningful for TCP or UDP packets. If one uses src-port in a rule,
he assumes such a rule is for TCP or UDP packets.
That's why I think rule 200 shouldn't match an ICMP datagram. I also think
ambiguous rules should be forbidden. This will force users to work with
well planned rules. ;)

Paweł Małachowski
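The two semantics discussed in this thread, as an added illustration that is not part of the original messages or of ipfw itself: a small evaluator for the two example rules in which a port option on a packet without port information yields a third, "not applicable" result. Under "binary" semantics (ipfw2 behaviour as Luigi describes it) the negated rule 200 matches an ICMP packet; under "strict" semantics (the behaviour Pawel argues for) neither rule does. The `Packet` class, rule table and semantics names are constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed packet model: ICMP packets and fragments carry no port.
@dataclass
class Packet:
    proto: str
    src_port: Optional[int] = None

def src_port_opt(pkt: Packet, port: int) -> Optional[bool]:
    """Return True/False, or None when the option is not applicable."""
    if pkt.src_port is None:
        return None
    return pkt.src_port == port

OPTIONS = {"src-port": src_port_opt}

def eval_option(pkt: Packet, opt, negate: bool, semantics: str) -> bool:
    """Evaluate one (possibly negated) option under a chosen semantics.

    'binary': a not-applicable option is FALSE, so 'not' makes it TRUE.
    'strict': a not-applicable option never matches, negated or not.
    """
    name, arg = opt
    result = OPTIONS[name](pkt, arg)
    if result is None:
        return negate if semantics == "binary" else False
    return (not result) if negate else result

# The two rules from the thread: (number, negated?, option).
RULES = [
    (100, False, ("src-port", 100)),  # 100 count src-port 100
    (200, True,  ("src-port", 100)),  # 200 count not src-port 100
]

def matching_rules(pkt: Packet, semantics: str) -> list:
    """Rule numbers whose option matches the packet under the semantics."""
    return [num for num, neg, opt in RULES
            if eval_option(pkt, opt, neg, semantics)]

if __name__ == "__main__":
    icmp = Packet("icmp")
    for sem in ("binary", "strict"):
        print(sem, "ICMP matches:", matching_rules(icmp, sem))
```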
