Date: Thu, 06 Apr 2017 16:53:29 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 218433] Ipfilter ippool table handling source code or man page being incorrect.
Message-ID: <bug-218433-8@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=218433

Bug ID: 218433
Summary: Ipfilter ippool table handling source code or man page being incorrect.
Product: Base System
Version: 11.0-RELEASE
Hardware: Any
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: kern
Assignee: freebsd-bugs@FreeBSD.org
Reporter: luzar722@gmail.com

General to-do list

1. Determine whether the man page or the code is correct.

2. Verify that all arguments are parsed (and subsequently processed).

3. Verify that correct error messages are produced as appropriate.

Targeted to-do list

1. Man 5 ippool talks about an evolving configuration syntax. The original syntax was more verbose. Remove all the source code dealing with the original verbose syntax and correct the ippool(5) manual content to match. Or, if in your opinion the original verbose syntax is easier to comprehend, keep it and get rid of the new syntax.

2. The "ippool -R -m table-name" command has an error causing core to dump. There is no documentation about where to find the core dump. Is it the in-core table contents being dumped or the running code that is dumped? Found an /etc/ippool.core file, maybe that's the core dump file.

3. The command "ippool -a -m table-name x.x.x.x" used for adding a single node entry to the table works, but the "ippool -l -m table-name" command does not show the just-added IP address in the node list; it shows a ?(0)/32 node instead. If you try to add the node again you get a message saying the node exists in the table already. The same thing occurs even if the IP address is suffixed with /32.

4. There is no documented way to dump the number of times a table IP address has been matched. The "man 8 ippool" lists the -d flag as a global option used for debugging the configuration file processing. Issuing "ippool -l -d -m table-name" displays all of the table's nodes with a hit count as a pair of 2 lines per node. This display needs to be condensed to a single line so it's easier to parse through looking for the hits.

5. When the host system is shut down or rebooted, the ippool tables that were running are not restarted and the hit count is lost.

6. The "man 5 ippool" manual is mis-named. It should be named ippool.config.

7. The "man 5 ippool" manual gives this example: "table role=all type=hash name=servers size=5". What does "size=5" mean?

8. The "man 5 ippool" manual doesn't talk about the true syntax of the /etc/ippool.conf file:

    pool ipf/tree (name test;) {
        1.121.136.228;
        1.186.172.218;
        1.34.169.204/32;
        101.109.155.81/16;
        104.121.89.129;
    };

Notice the position of the left and right { }. Notice the usage of : . I'm thinking the ending "};" is an error and should be just "}".

9. The maximum table size is not documented anywhere, nor whether it's possible to increase it.

10. There is no documentation about the IP addresses being entered in a sorted order, or about ippool handling the placement of the entry in the in-core table, allowing room for newly inserted entries while maintaining fast search performance. You don't have to explain to people how this is accomplished, but you should tell them that it's occurring automatically.

Possible enhancements

1. Would like to see an option so that table entries get posted internally with some kind of auto-expire date/time that automatically removes the entry when that timer elapses and the entry has no hits. If the entry gets a hit, the timer resets and restarts as of when the hit occurred. Maybe say 3 options: number of minutes, number of hours, and number of days.

2. The usage of the "ippool -R -m table-name" command is to remove the named table from running in core so it can be re-added en masse with updated content. I can almost do the same thing using this command sequence:

    ippool -f /etc/ippool.conf -u

This unloads all the entries but leaves the table name in place. Then this command reloads en masse:

    ippool -f /etc/ippool.conf

Would like to see the -u unload option have an option to write a file containing all the entries with their hit counts and auto-expire value.

-- 
You are receiving this mail because:
You are the assignee for the bug.
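As an added illustration, not part of the report or of ippool itself, here is a small Python parser for the pool block format quoted in item 8. The header shape ("pool <role>/<type> (name <name>;) {") and the reduction of prefixes with host bits set to their network address are assumptions drawn from that single example; the report does not say how ippool treats such entries.

```python
import ipaddress
import re

# Constructed sample: the /etc/ippool.conf block quoted in item 8 of the report.
SAMPLE_CONF = """
pool ipf/tree (name test;) {
    1.121.136.228;
    1.186.172.218;
    1.34.169.204/32;
    101.109.155.81/16;
    104.121.89.129;
};
"""

# Header shape is an assumption taken from that one quoted example:
#   pool <role>/<type> (name <name>;) {
HEADER_RE = re.compile(r"pool\s+(\w+)/(\w+)\s*\(\s*name\s+([\w.-]+)\s*;\s*\)\s*\{")

def parse_pools(text):
    """Return a list of dicts {role, type, name, entries} for each pool block.
    Bare addresses are normalized to /32; a prefix with host bits set
    (101.109.155.81/16 above) is reduced to its network address (assumption)."""
    pools = []
    pos = 0
    while True:
        m = HEADER_RE.search(text, pos)
        if not m:
            return pools
        close = text.find("}", m.end())
        if close < 0:
            raise ValueError("unterminated pool block %r" % m.group(3))
        entries = []
        for raw in text[m.end():close].split(";"):
            raw = raw.strip()
            if raw:  # the split leaves an empty tail after the last ';'
                entries.append(str(ipaddress.ip_network(raw, strict=False)))
        pools.append({"role": m.group(1), "type": m.group(2),
                      "name": m.group(3), "entries": entries})
        pos = close + 1  # a trailing ';' after '}' is skipped by the next search

def duplicates(pool):
    """Entries occurring more than once after normalization, first-repeat order."""
    seen, dups = set(), []
    for e in pool["entries"]:
        if e in seen and e not in dups:
            dups.append(e)
        seen.add(e)
    return dups
```

Because entries are normalized before comparison, "10.0.0.1" and "10.0.0.1/32" are reported as the same node, which matches the "node exists in the table already" behaviour described in item 3.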