* Patrick Lamaiziere <patf...@davenulle.org> [2012-01-03 17:45]:
> I think there is an off-by-one error in Packet Filter port ranges, for
> example with an exclude boundary range : port1 >< port2

nope.

    Ports and ranges of ports are specified using these operators:
    :  (range including boundaries)
    >< (range excluding boundaries)

yes, that is from the manpage, of course. >< explicitly EXCLUDES the boundaries. now where is that off by one?

> PF or pfctl does not check that port1 <= port2 and if port1 > port2 the
> port range is not correct.

pf does what you, the operator, tell it to do.

> For example 82 >< 80 is not the same as 80 >< 82 (but should IMO).

should? why? port 82 >< 80 defines a range that can't match, and it doesn't. as in, all is good. when you mean 80 >< 82 you ought to write 80 >< 82 and not 82 >< 80.

> Then, port 81 is not filtered out.

correct, that is exactly what you told pf to do and it does.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
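Since pfctl accepts an inverted range such as `82 >< 80` and simply builds a rule that never matches, a ruleset author may want to catch that before loading the file. The following is an added example, not code from the thread or from PF: a small lint pass (hypothetical `lint_port_ranges`) that applies the `:` (inclusive) and `><` (exclusive) semantics quoted above to a constructed pf.conf fragment and reports ranges that can match no port.

```python
import re

# Constructed sample pf.conf fragment for demonstration (not from the thread).
SAMPLE_PF_CONF = """\
pass in proto tcp from any to any port 80:82
pass in proto tcp from any to any port 80 >< 82
block in proto tcp from any to any port 82 >< 80
pass in proto tcp from any to any port 443
"""

# Matches "port <low> : <high>" and "port <low> >< <high>" in a rule line.
PORT_RANGE_RE = re.compile(r"\bport\s+(\d+)\s*(:|><)\s*(\d+)")


def ports_in_range(low, high, op):
    """Return the set of ports a PF range operator matches, per pf.conf(5):
    ':' includes both boundaries, '><' excludes both.  An inverted or empty
    range yields an empty set, which is exactly what pf does with it."""
    if op == ":":
        return set(range(low, high + 1))      # empty when low > high
    if op == "><":
        return set(range(low + 1, high))      # empty when low + 1 >= high
    raise ValueError(f"unknown port operator {op!r}")


def lint_port_ranges(conf):
    """Return (line_no, low, op, high) for every port range in `conf`
    that can never match a port.  pfctl does not warn about these."""
    findings = []
    for line_no, line in enumerate(conf.splitlines(), 1):
        m = PORT_RANGE_RE.search(line)
        if not m:
            continue
        low, op, high = int(m.group(1)), m.group(2), int(m.group(3))
        if not ports_in_range(low, high, op):
            findings.append((line_no, low, op, high))
    return findings


if __name__ == "__main__":
    for line_no, low, op, high in lint_port_ranges(SAMPLE_PF_CONF):
        print(f"line {line_no}: 'port {low} {op} {high}' matches no port")
```

Run against the sample above it flags only line 3, the `82 >< 80` rule that leaves port 81 unfiltered.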