On Sat, Jan 04, 2025 at 04:40:50PM GMT, William Rusnack wrote:
> Synopsis: iked.conf(5) needs clearer documentation about which configuration
> payload options are supported when receiving configurations and their system
> effects.
> Description:
> The documentation of configuration payloads in iked.conf(5) has two
> issues:
>
> 1. Missing Implementation Details for Receiving Configuration:
> - ikev2_pld_cp() only processes INTERNAL_IP4_ADDRESS and
> INTERNAL_IP4_DNS
> - However, ikev2_add_cp() shows code exists to send many more
> options:
> * INTERNAL_IP4_NETMASK
> * INTERNAL_IP4_NBNS (NetBIOS/WINS)
> * INTERNAL_IP4_DHCP
> * INTERNAL_IP4_SERVER
> - This creates an asymmetric implementation where iked can send
> configurations it cannot process when received
>
> 2. Man Page Documentation Issues:
> - No distinction made between sendable and receivable configurations
> - System effects of supported configurations not documented
> - No details about address configuration using host routes
> - No description of DNS configuration via routing socket
> - No mention of cleanup behavior
>
> 3. Real-world Impact:
> - Users waste time configuring options that won't work
> - Admins may not understand the network configuration effects
> - Interoperability problems when peers send configurations that iked
> ignores
> - Log messages show iked receives but ignores valid configuration
> data from peers
> Fix:
> Update man page to:
> 1. Split and clarify config vs request directives:
> - Document which features only work when sending
> - Document receive limitations
> 2. Document system effects of supported configurations:
> - Explain host route address configuration
> - Detail DNS configuration via routing socket
> - Describe automatic cleanup behavior
Thanks for the patch. Out of pure interest: Are you using chatgpt to generate those reports? I think most people with privileges to commit fixes generally understand the risks and benefits of updating a man page. > > Index: iked.conf.5 > =================================================================== > RCS file: /cvs/src/sbin/iked/iked.conf.5,v > diff -u -p -u -r1.98 iked.conf.5 > --- iked.conf.5 13 Jul 2024 12:58:51 -0000 1.98 > +++ iked.conf.5 4 Jan 2025 21:31:18 -0000 > @@ -683,9 +683,9 @@ Use RSA public key authentication with S > .Pp > The default is to allow any signature authentication. > .Pp > + > .It Cm config Ar option address > -.It Cm request Ar option address > -Request or serve one or more optional configuration payloads (CP). > +Configure one or more configuration payloads (CP) to be sent to peers. > The configuration > .Ar option > can be one of the following with the expected address format: 
> @@ -716,6 +716,44 @@ included. > .It Ic access-server Ar address > The address of an internal remote access server. > .El > +.Pp > +.It Cm request Ar option address > +Request one or more configuration payloads (CP) from peers. > +Currently only the following options are supported when receiving > configuration: > +.Pp > +.Bl -tag -width Ds -compact -offset indent > +.It Ic address Ar address > +Request an IPv4 or IPv6 address on the internal network. > +Only the first received address will be used. > +When applied to an interface, addresses are configured as host routes > +(/32 for IPv4, /128 for IPv6) since netmasks are not negotiated > +in the IKEv2 configuration payload. > +.It Ic name-server Ar address > +Request the DNS server address (IPv4 or IPv6). > +Only the first received DNS server will be used. > +DNS configuration is applied system-wide via routing socket proposals > +which update the system resolver configuration. > +.El > +.Pp > +Other configuration requests may be sent but their values will be ignored if > received. > +Received configurations can be applied to an interface using the > +.Ic iface > +directive. > +When applied, the following changes occur: > +.Bl -dash -offset indent -compact > +.It > +Interface is configured with received address as a host route > +.It > +Routes are added for negotiated subnets using the virtual IP as gateway > +.It > +A direct route to the peer is established > +.It > +DNS configuration is applied via routing socket > +.El > +.Pp > +All configuration changes are automatically cleaned up when the SA is > terminated. > +The cleanup process removes configured addresses, routes, and DNS settings, > +restoring the original network configuration. > .Pp > .It Ic iface Ar interface > Enable automatic network configuration as initiator. >
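Review bot: in the first hunk (@@ -683), the empty `+` line inserted after `.Pp` should be dropped: mdoc source should not contain blank lines (mandoc warns about a blank line in fill mode), and the `.Pp` already supplies the paragraph break. With `.It Cm request Ar option address` removed from this item, the paragraph that follows ("The configuration .Ar option can be one of the following with the expected address format:") now documents the option list for `config` only; since `request` takes the same option names, a sentence under `request` pointing back to this list would avoid a second copy of it.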
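Review bot: as posted, the second hunk (@@ -716) will not apply: the continuation lines `configuration:`, `received.` and `terminated.` lack the leading `+`, which means the mail client has line-wrapped the diff; please resend with wrapping disabled or as an attachment. Content-wise, the new `address` and `name-server` entries say IPv4 or IPv6 is accepted, while the report above states that ikev2_pld_cp() only processes INTERNAL_IP4_ADDRESS and INTERNAL_IP4_DNS; one of the two is wrong, so check the parser and make the man page match it. The behavioural statements ("Only the first received address will be used", "Routes are added for negotiated subnets using the virtual IP as gateway", "DNS configuration is applied system-wide via routing socket proposals") are claims about what iked does rather than documentation conventions, and each should be confirmed against the code before it lands in the man page.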