FreeBSD Bugzilla – Attachment 182231 Details for Bug 218433
Ipfilter ippool table handling source code or man page being incorrect.
Description: text file listing problems
ippool.testing.results (text/plain), 6.64 KB, created by Ernie Luzar on 2017-05-01 19:04:58 UTC
>Put ippool through detailed testing.
>Your patch to ippool did correct the
>ippool -R -m table_name
>core dump problem.
>
>But there are many other things that were not addressed.
>
>*************
>Problem #1.
>"man 5 ippool" says only ip addresses can be used as table content.
>Now it's not worded like that but this meaning is implied.
>Nowhere does it say fqdn can be used.
>
>So reading "man 8 ippool" we see the "option" -R as in
>ippool -l [-dvR] [-m <name>] [-t <type>]
>Which is defined as "-R Do not resolve IP addresses to hostnames."
>
>This just doesn't make sense. I cannot find any situation where any output
>to the terminal defaults to showing the hostnames. So why have this option
>at all? I would think this option can be removed from "man 8 ippool"
>altogether.
>*****************
>
>Problem #2.
> ippool -R [-dnvR] [-m <name>] [-o <role>] [-t <type>]
> -R Remove an existing pool from within the kernel.
>
>Issuing "ippool -R -m table-name" results in the help syntax
>being shown. Issuing "ippool -R -m table-name -t tree" does remove the
>named table.
>
>A table name has to be unique across all table types.
>So requiring the -t flag in identifying the table wanted to remove is
>unneeded. The ippool source needs to be changed to remove this requirement.
>The "man 8 ippool" should show this as the syntax.
> ippool -R [-dnv] [-m <name>]
>*********************
>
>Problem #3.
> ippool -l [-dvR] [-m <name>] [-t <type>]
>
>Issuing "ippool -l" lists the contents of all the in-core tables.
>Issuing "ippool -l -m table-name" lists the contents of just the named table.
>Issuing "ippool -l -t tree" lists the contents of all the in-core tables.
>It looks like the [-t <type>] is not being used and logically makes no sense.
>The "man 8 ippool" should show this as the syntax.
> ippool -l [-dv] [-m <name>]
>
>Issuing the following command outputs a report containing the number
>of matches for each ip address in the named table.
>ippool -l -d -m test
>poollist: opts = 0x2
>Name: test Role: ipf References: 2 Hits: 0
> Nodes Starting at 0xca312d00
> Address: 1.161.177.165/32
> Hits 0 Bytes 0 Name Ref 2
> Address: 1.171.138.231/32
> Hits 0 Bytes 0 Name Ref 2
> Address: 110.200.28.224/32
> Hits 0 Bytes 0 Name Ref 2
> Address: 110.200.29.248/32
> Hits 0 Bytes 0 Name Ref 2
> Address: 162.243.114.84/32
>
>The -d flag is defined as
>" -d Toggle debugging of processing the configuration file."
>I don't see any debug info being generated here. What I do see is a valuable
>report. This should not be happening under the pretence of debugging.
>This report should have its own flag, like -h, and the report should be changed
>to a single line containing the table ip address node plus number of hits.
>*********************
>
>Problem #4.
> ippool -F [-dv] [-o <role>] [-t <type>]
> -F Flush loaded pools from the kernel.
>
>Why is [-dv] missing the n option which means
> -n This flag (no-change) prevents ippool from actually making any
> ioctl calls or doing anything which would alter the currently
> running kernel.
>
>Reading this I take it to mean that issuing "ippool -F -o or -t" is saying
>to flush ALL tables matching the -o or -t value. This doesn't make sense.
>The -F option in the ippool source needs to be changed removing any logic for
>the -o & -t option processing and add -m logic to select the named table only.
>The -n option logic also needs to be added.
>
>The "man 8 ippool" should show this as the syntax.
> ippool -F [-dvn] [-m <name>]
>and the " -F Flush loaded pools from the kernel." changed to
>" -F Flush loaded pool content from the kernel, leaving only empty pool name."
>***************************
>
>Problem #5.
> ippool -A [-dnvR] [-m <name>] [-o <role>] [-S <seed>] [-t <type>]
> -A Add a new (empty) pool to the kernel.
>
>Issuing "ippool -A -m test2 -o ipf -t tree" results in
>ippool: illegal option -- A
>
>The -A option in the ippool source needs to be corrected. The -o and -t options
>are required.
>*******************
>
>Problem #6.
> ippool -a [-dnvR] [-m <name>] [-o <role>] [-t <type>] [-T ttl] -i
> <ipaddr>[/<netmask>]
> -a Add a new data node to an existing pool in the kernel.
>
>The -o & -t options are not needed to identify the target table to
>add the node to.
>Issuing "ippool -a -m test 99.58.98.79" gives no errors, but issuing
>"ippool -l -m test" afterwards lists the content showing it containing
>?(0)?/32; which is incorrect.
>This needs detailed inspection of the ippool source to correct this.
>
>The "man 8 ippool" should show this as the syntax.
> ippool -a [-dnv] [-m <name>] [-T ttl] -i <ipaddr>[/<netmask>]
>*************************
>
>Problem #7.
> ippool -r [-dnvR] [-m <name>] [-o <role>] [-t <type>] -i <ipaddr>[/<netmask>]
> -r Remove an existing data node from a pool in the kernel.
>
>The -o & -t options are not needed to identify the target table to
>remove the node from.
>Issuing "ippool -r -m test 99.58.98.79" gives no errors, but issuing
>"ippool -l -m test" afterwards lists the content showing the ?(0)?/32
>is no longer there.
>This needs detailed inspection of the ippool source to correct this.
>
>The "man 8 ippool" should show this as the syntax.
> ippool -r [-dnv] [-m <name>] -i <ipaddr>[/<netmask>]
>********************
>
>Problem #8.
>During the boot process these messages are issued
>
>IP Filter: v5.1.2 initialized. Default = pass all, Logging = enabled
>Enabling ipfilter.
>132:194:ioctl(add/insert rule) cannot find source lookup pool
>Installing NAT rules.
>0 entries flushed from NAT table
>0 entries flushed from NAT list
>
>In my ipfilter rule set I have this rule:
>block in quick from pool/probing_ips to any
>
>Rebooting (i.e. the reboot, halt or shutdown commands, or the power-off button)
>causes the table hit count to be lost and no table content to be reloaded
>into core. This really is a major problem.
>
>Have to add some kind of way to tell ipfilter to auto dump the in-core table
>with its hit count information and auto restore that dumped information into
>core when the system is booted.
>
>Maybe adding an option flag to rc.conf ipfilter_flags="" statement defaulting
>to internally issuing "ippool -f /etc/ippool.conf" command or playing with
>the rc.d scripts is needed here.
>
>Whatever solution gets employed to solve this problem needs to be
>documented in "man 5 ippool"
>*********************
>
>Problem #9.
>"man 5 ippool" needs to specify the usage of { } and ; in the ippool.conf file
>content as shown here:
>
>pool ipf/tree (name test;) {
>1.161.177.165;
>1.171.138.231;
>110.200.28.224;
>110.200.29.248;
>162.243.114.84;
>162.243.225.157;
>88.211.91.195;
>88.226.134.147;
>99.58.98.78;
>99.98.160.77;
>};
>*************
>
>Some of these problems are listed in the pr comments already.
>
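An added helper, not part of the attachment and not ippool's own code, that turns the `ippool -l -d -m test` listing quoted under Problem #3 into the one-line-per-node hit report the reporter asks for, and flags nodes like the `?(0)?/32` entry from Problem #6 whose address does not parse as an IP prefix. The sample output is constructed: the first two nodes come from the listing above, the non-zero hit count and the malformed node are made up.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional
# Constructed sample of "ippool -l -d -m test": the first two nodes are the ones
# quoted above; the non-zero hits and the ?(0)?/32 node are made up (Problem #6).
SAMPLE_OUTPUT = """\
poollist: opts = 0x2
Name: test Role: ipf References: 2 Hits: 0
 Nodes Starting at 0xca312d00
 Address: 1.161.177.165/32
 Hits 0 Bytes 0 Name Ref 2
 Address: 1.171.138.231/32
 Hits 3 Bytes 180 Name Ref 2
 Address: ?(0)?/32
 Hits 0 Bytes 0 Name Ref 2
"""
class Node(NamedTuple):
    address: str
    hits: int
    nbytes: int
    valid: bool  # False when the address is not a parsable IP prefix

HEADER_RE = re.compile(r"^Name:\s+(\S+)\s+Role:\s+\S+\s+References:\s+\d+\s+Hits:\s+\d+")
ADDR_RE = re.compile(r"^\s*Address:\s+(\S+)")
HITS_RE = re.compile(r"^\s*Hits\s+(\d+)\s+Bytes\s+(\d+)")
def parse_poollist(text: str):
    """Return (pool name, [Node, ...]) parsed from ippool -l -d -m <name> output."""
    name: Optional[str] = None
    nodes: List[Node] = []
    pending: Optional[str] = None  # address line waiting for its Hits line
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            name = m.group(1)
        elif m := ADDR_RE.match(line):
            pending = m.group(1)
        elif (m := HITS_RE.match(line)) and pending is not None:
            try:
                ipaddress.ip_network(pending, strict=False)
                valid = True
            except ValueError:
                valid = False
            nodes.append(Node(pending, int(m.group(1)), int(m.group(2)), valid))
            pending = None
    return name, nodes

def hit_report(text: str) -> List[str]:
    """One line per node, '<pool> <address> <hits>', flagging unparsable nodes."""
    name, nodes = parse_poollist(text)
    return [f"{name} {n.address} {n.hits}{'' if n.valid else ' MALFORMED'}" for n in nodes]
```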