semantics of 'not-applicable' options in ipfw ?
Pawel Malachowski
pawmal-posting at freebsd.lublin.pl
Wed Jan 14 13:54:20 PST 2004
On Wed, Jan 14, 2004 at 08:20:04AM -0800, Luigi Rizzo wrote:
> As the subject says... what is people's opinion on the
> best semantics for 'not-applicable' options in ipfw rules ?
>
> As an example, if I say (using ipfw2 syntax, for simplicity)
>
> 100 count src-port 100
> 200 count not src-port 100
>
> and I receive a fragment, or an ICMP packet (which does not have port
> information available), should it match rule 100, rule 200, none
> or both ? The current implementation in ipfw2 is to use binary
> logic, so the outcome of a 'not-applicable' option is FALSE,
> and its negation is TRUE (so in the above case rule 200 will succeed).
Ports are meaningful for TCP or UDP packets. If one uses src-port in a rule,
he assumes such a rule is for TCP or UDP packets.
That's why I think rule 200 shouldn't match an ICMP datagram. I also think
ambiguous rules should be forbidden. This will force users to work with
well-planned rules. ;)
--
Paweł Małachowski
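The two semantics discussed in this thread can be compared side by side with a small simulation. The code below is an added illustration, not part of the mailing-list exchange or of ipfw itself: it models a packet as having a source port or none (ICMP, or a non-first fragment), and evaluates the two example rules both under the binary logic Luigi describes for ipfw2 ("not-applicable" is FALSE, so its negation is TRUE) and under the stricter reading Pawel argues for (a port option never matches a packet without port information, negated or not). All packet values are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed packet model for the example: src_port is None when the packet
# carries no port information (an ICMP datagram, or a non-first IP fragment).
@dataclass
class Packet:
    proto: str
    src_port: Optional[int] = None

# A minimal model of an ipfw2 'count [not] src-port N' rule.
@dataclass
class Rule:
    number: int
    negate: bool
    port: int

def match_binary(rule: Rule, pkt: Packet) -> bool:
    """Semantics described in the thread for ipfw2: a not-applicable option
    evaluates FALSE, and 'not' simply inverts whatever the option returned."""
    applicable = pkt.src_port is not None
    result = applicable and pkt.src_port == rule.port
    return (not result) if rule.negate else result

def match_strict(rule: Rule, pkt: Packet) -> bool:
    """Alternative semantics argued for in the reply: a port option never
    matches a packet that has no port information, whether or not it is
    negated, so such packets fall through to later rules."""
    if pkt.src_port is None:
        return False
    result = pkt.src_port == rule.port
    return (not result) if rule.negate else result

# The two rules from the thread: 100 count src-port 100 / 200 count not src-port 100
RULES: List[Rule] = [Rule(100, negate=False, port=100), Rule(200, negate=True, port=100)]

def matching_rules(pkt: Packet, matcher: Callable[[Rule, Packet], bool]) -> List[int]:
    """Return the numbers of the rules that match under the given semantics."""
    return [r.number for r in RULES if matcher(r, pkt)]

if __name__ == "__main__":
    samples = [
        Packet("tcp", src_port=100),
        Packet("udp", src_port=22),
        Packet("icmp"),          # no port information
        Packet("fragment"),      # non-first fragment, no transport header
    ]
    for pkt in samples:
        print(f"{pkt.proto:9} binary={matching_rules(pkt, match_binary)} "
              f"strict={matching_rules(pkt, match_strict)}")
```

The difference shows up only for the packets without port information: under binary logic rule 200 counts an ICMP packet or a fragment, while under the strict reading neither rule does. Anyone auditing a rule set that uses negated options should know which of the two behaviours the running firewall implements, since it decides whether `not src-port` silently admits traffic that carries no ports at all.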