semantics of 'not-applicable' options in ipfw ?

Luigi Rizzo rizzo at icir.org
Wed Jan 14 08:20:10 PST 2004


As the subject says... what is people's opinion on the
best semantics for 'not-applicable' options in ipfw rules?

As an example, if I say (using ipfw2 syntax, for simplicity)

	100 count src-port 100
	200 count not src-port 100

and I receive a fragment, or an ICMP packet (which does not have port
information available), should it match rule 100, rule 200, none,
or both? The current implementation in ipfw2 is to use binary
logic, so the outcome of a 'not-applicable' option is FALSE,
and its negation is TRUE (so in the above case rule 200 will succeed).

Do other firewalls use ternary logic, where a not-applicable
option and its negation will both fail?

(please do not complain about the example and the fact that you could
insert a "{ proto tcp or proto udp }" block to make the
behaviour less ambiguous; my point is just to clarify and
specify what the actual behaviour is).

	cheers
	luigi
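To make the two semantics concrete, here is a small model of the two-rule example above, written as an added illustration for this post (it is not ipfw code and does not reflect the kernel's actual implementation). It evaluates rules 100 and 200 against a TCP packet, an ICMP packet and a non-first fragment under both the binary semantics described for ipfw2 (not-applicable option is FALSE, so its negation is TRUE) and the ternary alternative (the option and its negation both fail). The Packet class, the rule tuples and the sample packets are constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    """Constructed packet model: only the fields the example needs."""
    proto: str                      # "tcp", "udp" or "icmp"
    src_port: Optional[int] = None  # None when the header carries no port
    frag_offset: int = 0            # non-zero for a non-first fragment


def src_port_available(pkt: Packet) -> bool:
    """Port information exists only for TCP/UDP and only in the first fragment."""
    return pkt.proto in ("tcp", "udp") and pkt.frag_offset == 0


def eval_src_port_binary(pkt: Packet, port: int, negated: bool) -> bool:
    """Binary semantics (as described for ipfw2): a not-applicable option
    evaluates to FALSE, and 'not' simply inverts that, giving TRUE."""
    if not src_port_available(pkt):
        result = False
    else:
        result = pkt.src_port == port
    return (not result) if negated else result


def eval_src_port_ternary(pkt: Packet, port: int, negated: bool) -> bool:
    """Ternary semantics: a not-applicable option fails whether or not it is
    negated, so neither rule 100 nor rule 200 can match an ICMP packet."""
    if not src_port_available(pkt):
        return False
    result = pkt.src_port == port
    return (not result) if negated else result


# The two 'count' rules from the post: (rule number, src-port value, negated?)
RULES: List[Tuple[int, int, bool]] = [
    (100, 100, False),   # 100 count src-port 100
    (200, 100, True),    # 200 count not src-port 100
]


def matching_rules(pkt: Packet, semantics: str) -> List[int]:
    """Return the rule numbers whose src-port option matches pkt.
    'count' rules do not terminate the search, so both may be reported."""
    evaluate = eval_src_port_binary if semantics == "binary" else eval_src_port_ternary
    return [num for num, port, neg in RULES if evaluate(pkt, port, neg)]


# Constructed sample packets.
TCP_FROM_100 = Packet("tcp", src_port=100)
TCP_FROM_80 = Packet("tcp", src_port=80)
ICMP_ECHO = Packet("icmp")
TCP_FRAGMENT = Packet("tcp", src_port=None, frag_offset=8)


if __name__ == "__main__":
    for name, pkt in [("tcp src 100", TCP_FROM_100), ("tcp src 80", TCP_FROM_80),
                      ("icmp", ICMP_ECHO), ("tcp non-first fragment", TCP_FRAGMENT)]:
        print(f"{name:24s} binary={matching_rules(pkt, 'binary')} "
              f"ternary={matching_rules(pkt, 'ternary')}")
```

Running it shows the difference the post is asking about: for the ICMP packet and the fragment, binary semantics report rule 200 as matching, while ternary semantics report no match at all. For TCP packets with a real port the two semantics agree, which is why the question only arises for packets where the option cannot be evaluated.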

