Re: Accurate ECN support in tcpdump/libpcap

[Denis Ovsienko <denis () ovsienko info>]

On Wed, 4 Mar 2026 10:46:52 +0100
Francois via tcpdump-workers <tcpdump-workers () lists tcpdump org> wrote:

> I dont like very much -cleared.
> Why not
> fin-set/fin-unset
> fin-on/fin-off
> fin-yes/fin-no
> fin-y/fin-n
> ?
> The last three are shorter.

> From this list "on" and "off" to me look better than the other
alternatives, but not better than "set" and "cleared".

Considering the user-visible part of the solution, it is desirable to
introduce filter expressions that are as difficult to misunderstand as
possible.  As far as it makes sense to me, "cleared" is the proper term
in bitwise arithmetics and it obviously means "set to 0", whereas
"unset" could be understood as "never set" or "undefined", that is,
"any value".

Considering the implementation details, in terms of the grammar the
string that defines a flag and its state reuses a generic ID, which
typically means a hostname:

[A-Za-z0-9]([-_.A-Za-z0-9]*[.A-Za-z0-9])?

This way the string cannot be, for example, "syn=0" or "!syn" or "syn-"
etc., but that's actually useful because these notations would create a
place for things to go wrong: add an extra space in the middle (as is
typically done in relations of arithmetic expressions) and it becomes
either a syntax error or an entirely different meaning ("tcp flag !
syn" == "not ((ip or ip6) and tcp and tcp flag syn)", as discussed
earlier).  Also reusing of the ID follows the existing code path through
gen_scode() and introduces very little new code.

-- 
    Denis Ovsienko
_______________________________________________
tcpdump-workers mailing list -- tcpdump-workers () lists tcpdump org
To unsubscribe send an email to tcpdump-workers-leave () lists tcpdump org
%(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s