On Tue, 3 Jan 2012 17:54:18 +0100, Henning Brauer <lists-open...@bsws.de> wrote:
Hello,

> * Patrick Lamaiziere <patf...@davenulle.org> [2012-01-03 17:45]:
> > I think there is an off-by-one error in Packet Filter port ranges,
> > for example with an exclude boundary range : port1 >< port2
>
> nope.
>
> > Ports and ranges of ports are specified using these
> > operators:
> >   :   (range including boundaries)
> >   ><  (range excluding boundaries)
> >
> > yes, that is from the manpage, of course.
>
> >< explicitly EXCLUDES the boundaries. now where is that off by one?

Please forget the off-by-one, I've found that 82:80 differs from 80:82 :)

> > PF or pfctl does not check that port1 <= port2 and if port1 > port2
> > the port range is not correct.
>
> pf does what you, the operator, tells it to do.
>
> > For example 82 >< 80 is not the same as 80 >< 82 (but should IMO).
>
> should? why?

Well, because for me 80:82 is (80, 81, 82) and 82:80 the same items, and so the same range. But you are right, the man page is explicit. I should re-read it more often.

So what is the meaning for PF of the range 82:80? If this is nonsense, an error from pfctl would be cool.

> port 82 >< 80 defines a range that can't match, and it doesn't. as in,
> all is good. when you mean 80 >< 82 you ought to write 80 >< 82 and
> not 82 >< 80.

Sure, but when using service names it's easy to make a mistake. In fact I've found this strange behavior while translating a Cisco ACL:

    permit tcp any any range ftp ftp-data

Translated to "port ftp:ftp-data", which if I understand well does not mean anything for PF.

Thanks, regards.
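An added example, not code from the thread or from pf itself: a small Python model of the pf.conf port operators as the thread describes them (':' includes both boundaries, '><' excludes them, bounds taken exactly as written), plus the kind of ruleset check the message wishes pfctl would do for reversed ranges. The service table is a constructed stand-in for /etc/services, and the function names are my own.

```python
import re

# Constructed stand-in for /etc/services (assumption: only the names this example needs)
SERVICES = {"ftp-data": 20, "ftp": 21, "http": 80}

def resolve(name):
    """Turn a port number or service name into an integer port."""
    return int(name) if name.isdigit() else SERVICES[name]

def parse_port_range(spec):
    """Parse 'a:b' or 'a><b' (pf.conf syntax) into (operator, low, high).
    Bounds are kept exactly as written; nothing is reordered."""
    m = re.fullmatch(r"\s*([\w-]+)\s*(:|><)\s*([\w-]+)\s*", spec)
    if not m:
        raise ValueError(f"unsupported port spec: {spec!r}")
    return m.group(2), resolve(m.group(1)), resolve(m.group(3))

def matches(spec, port):
    """':' includes both boundaries, '><' excludes them, as pf.conf(5) says."""
    op, a, b = parse_port_range(spec)
    return a <= port <= b if op == ":" else a < port < b

def matching_ports(spec):
    """Every TCP/UDP port the spec can ever match."""
    return {p for p in range(65536) if matches(spec, p)}

def lint_port_range(spec):
    """Warn about a range that can never match, which is what a reversed
    pair such as 82:80 or ftp:ftp-data produces. Returns None if fine."""
    op, a, b = parse_port_range(spec)
    if op == ":" and a > b:
        return f"{spec!r} matches nothing: {a} > {b}; did you mean {b}:{a}?"
    if op == "><" and b - a < 2:
        return f"{spec!r} matches nothing: '><' excludes both {a} and {b}"
    return None

if __name__ == "__main__":
    for spec in ("80:82", "82:80", "80><82", "82><80", "ftp:ftp-data", "ftp-data:ftp"):
        print(f"{spec:>14} -> {sorted(matching_ports(spec))} {lint_port_range(spec) or ''}")
```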