[Bug 218433] Ipfilter ippool table handling source code or man page being incorrect.

bugzilla-noreply at freebsd.org
Thu Apr 6 16:53:29 UTC 2017


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=218433

            Bug ID: 218433
           Summary: Ipfilter ippool table handling source code or man page
                    being incorrect.
           Product: Base System
           Version: 11.0-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: luzar722 at gmail.com

General to-do list
1. Determine whether the man page or the code is correct.
2. Verify that all arguments are parsed (and subsequently processed).
3. Verify that correct error messages are produced as appropriate.

Targeted to-do list
1. "man 5 ippool" talks about an evolving configuration syntax. The original
syntax was more verbose. Remove all the source code dealing with the original
verbose syntax and correct the ippool(5) manual content to match. Or, if in your
opinion the original verbose syntax is easier to comprehend, keep it and get
rid of the new syntax.

2. The "ippool -R -m table-name" command has an error causing a core dump. There
is no documentation about where to find the core dump. Is it the in-core table
contents being dumped or the running code that is dumped? Found the
/etc/ippool.core file, maybe that's the core dump file.

3. The command "ippool -a -m table-name x.x.x.x" used for adding a single node
entry to the table works, but the "ippool -l -m table-name" command does not
show the just-added IP address in the node list; it shows a ?(0)/32 node
instead. If you try to add the node again you get a message saying the node
already exists in the table. The same thing occurs even if the IP address is
suffixed with /32.

4. There is no documented way to dump the number of times a table IP address
has been matched. "man 8 ippool" lists the -d flag as a global option used for
debugging the configuration file processing. Issuing "ippool -l -d -m
table-name" displays all of the table's nodes with a hit count as a pair of
lines per node. This display needs to be condensed to a single line so it's
easier to parse through looking for the hits.

5. When the host system is shut down or rebooted, the ippool tables that were
running are not restarted and the hit count is lost.

6. The "man 5 ippool" manual is mis-named. It should be named ippool.conf.

7. The "man 5 ippool" manual gives this example: "table roll=all
type=hash name=servers size=5". What does "size=5" mean?

8. The "man 5 ippool" manual doesn't talk about the true syntax of the
/etc/ippool.conf file:
          pool ipf/tree (name test;) {
          1.121.136.228;
          1.186.172.218;
          1.34.169.204/32;
          101.109.155.81/16;
          104.121.89.129;
          };
        Notice the position of the left and right { }
        Notice the usage of :
        I'm thinking the ending }; is an error, should be just }

9. The maximum table size is not documented anywhere, nor whether it's possible
to increase it.

10. There is no documentation about the IP addresses being entered in sorted
order, or about ippool handling the placement of the entry in the in-core
table, allowing room for newly inserted entries while maintaining fast search
performance. You don't have to explain to people how this is accomplished, but
you should tell them that it's occurring automatically.
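For readers who want to see what the pool syntax quoted in item 8 and the sorted, prefix-aware lookup described in item 10 amount to in practice, here is a small added example (not code from the bug report or from ipfilter). It parses a constructed block in the "pool role/type (name X;) { entry; ... };" form shown above, normalises bare addresses to /32 hosts, stores the entries in sorted order, and does a longest-prefix lookup. The handling of a prefix such as 101.109.155.81/16 as the network 101.109.0.0/16 is an assumption about how ippool masks such entries; the pool header pattern and the field names are likewise assumptions for illustration.

```python
import ipaddress
import re

# Constructed sample in the pool syntax quoted in the bug report (not real data).
SAMPLE_CONF = """\
pool ipf/tree (name test;) {
    1.121.136.228;
    1.186.172.218;
    1.34.169.204/32;
    101.109.155.81/16;
    104.121.89.129;
};
"""

# Assumed shape of the header line: pool <role>/<type> (name <name>;) {
POOL_HEADER = re.compile(
    r"pool\s+(?P<role>\w+)/(?P<type>\w+)\s*\(\s*name\s+(?P<name>[\w.-]+)\s*;\s*\)\s*\{"
)


def parse_pool(text):
    """Parse one 'pool role/type (name X;) { entry; ... };' block.

    Returns (role, type, name, networks).  An entry without a prefix length
    is treated as a single host (/32), matching the report's observation that
    adding 'x.x.x.x' and 'x.x.x.x/32' refer to the same node.
    """
    m = POOL_HEADER.search(text)
    if not m:
        raise ValueError("no pool header found")
    body_start = m.end()
    body_end = text.find("}", body_start)
    if body_end < 0:
        raise ValueError("unterminated pool block")
    body = text[body_start:body_end]

    nets = []
    for raw in body.split(";"):
        entry = raw.strip()
        if not entry:
            continue
        # Assumption: host bits under the prefix are masked off, so
        # 101.109.155.81/16 becomes 101.109.0.0/16 (strict=False does that).
        nets.append(ipaddress.ip_network(entry, strict=False))

    # Keep the entries sorted by address so an ordered structure can be
    # searched quickly, which is what item 10 describes ippool doing in-core.
    nets.sort(key=lambda n: (int(n.network_address), n.prefixlen))
    return m["role"], m["type"], m["name"], nets


def lookup(nets, addr):
    """Return the most specific network in nets containing addr, or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for n in nets:
        if ip in n and (best is None or n.prefixlen > best.prefixlen):
            best = n
    return best


if __name__ == "__main__":
    role, ptype, name, nets = parse_pool(SAMPLE_CONF)
    print(f"pool {name}: role={role} type={ptype}")
    for n in nets:
        print("  ", n)
    print("101.109.1.1 ->", lookup(nets, "101.109.1.1"))
    print("8.8.8.8     ->", lookup(nets, "8.8.8.8"))
```

Running it lists the five entries in address order, with the bare hosts shown as /32 and the /16 entry shown as its network, and the lookup of 101.109.1.1 resolves to that /16 while an address outside every entry returns None.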

Possible enhancements.
1. Would like to see an option where table entries get posted internally with
some kind of auto-expire date/time that automatically removes the entry when
that timer elapses and the entry has no hits. If the entry gets a hit, the timer
resets and starts as of when the hit occurred. Maybe say 3 options: number of
minutes, number of hours, and number of days.

2. The usage of the "ippool -R -m table-name" command is to remove the named
table from running in core so it can be re-added en masse with updated content.
I can almost do the same thing using this command sequence:
ippool -f /etc/ippool.conf -u
this unloads all the entries but leaves the table name in place;
then this command reloads en masse:
ippool -f /etc/ippool.conf
Would like to see the -u unload option have an option to write a file containing
all the entries with their hit counts and auto-expire value.
