ipfw "bug" - recv any = not recv any

Vadim Goncharov vadim_nuclight at mail.ru
Fri Aug 22 10:20:56 UTC 2008


Hi Jeff Kletsky! 

On Tue, 29 Jul 2008 07:38:15 -0700; Jeff Kletsky wrote about 'Re: ipfw "bug" - recv any = not recv any':

>> In practice, both "recv any" and "not recv any" appear to be "no-op" 
>> phrases.
>> 
> [...]
>> In my opinion, the following would be "ideal"
>> 
>> 1) "recv any" -- matches packets that have been received by the host 
>> through one of its interfaces
>> 2) "not recv any" -- does not match packets that have been received by 
>> the host through one of its interfaces
>> 
>> Unfortunately, implementing (1) would likely break a lot of people's 
>> rule sets
>> 
>> (2), however, I can't immediately see being used without expecting that 
>> it would fail to match packets that were received by the current host, 
>> so its implementation would be a bit "safer" for the community
>> 
> Julian Elischer suggested:
>> how does "not recv *" (appropriately escaped for your shell) do?
> This does appear to "work as desired" -- suggesting documentation
> clarification rather than functionality change

The trouble is that 'recv any' is considered useless (yes, on input it will
always match, so why spend time on an additional check) and is optimised away by
the parser, effectively cut out - the kernel doesn't know anything about "any".
I don't know why this keyword still exists at all.

BTW, if you need to check for packets originating from the local host, why don't
you use "from me" as the most intuitive approach?

> My apologies for not posting to the ipfw list.

Yes, that would be better...

-- 
WBR, Vadim Goncharov. ICQ#166852181       mailto:vadim_nuclight at mail.ru
[Moderator of RU.ANTI-ECOLOGY][FreeBSD][http://antigreen.org][LJ:/nuclight]
