On Sat, Jan 04, 2025 at 04:40:50PM GMT, William Rusnack wrote:
> Synopsis: iked.conf(5) needs clearer documentation about which configuration 
> payload options are supported when receiving configurations and their system 
> effects.
> Description:
>       The documentation of configuration payloads in iked.conf(5) has two 
> issues:
> 
>       1. Missing Implementation Details for Receiving Configuration:
>          - ikev2_pld_cp() only processes INTERNAL_IP4_ADDRESS and 
> INTERNAL_IP4_DNS
>          - However, ikev2_add_cp() shows code exists to send many more 
> options:
>            * INTERNAL_IP4_NETMASK
>            * INTERNAL_IP4_NBNS (NetBIOS/WINS)
>            * INTERNAL_IP4_DHCP
>            * INTERNAL_IP4_SERVER
>          - This creates an asymmetric implementation where iked can send 
> configurations it cannot process when received
> 
>       2. Man Page Documentation Issues:
>          - No distinction made between sendable and receivable configurations
>          - System effects of supported configurations not documented
>          - No details about address configuration using host routes
>          - No description of DNS configuration via routing socket
>          - No mention of cleanup behavior
> 
>       3. Real-world Impact:
>          - Users waste time configuring options that won't work
>          - Admins may not understand the network configuration effects
>          - Interoperability problems when peers send configurations that iked 
> ignores
>          - Log messages show iked receives but ignores valid configuration 
> data from peers
> Fix:
>       Update man page to:
>       1. Split and clarify config vs request directives:
>          - Document which features only work when sending
>          - Document receive limitations
>       2. Document system effects of supported configurations:
>          - Explain host route address configuration
>          - Detail DNS configuration via routing socket
>          - Describe automatic cleanup behavior

Thanks for the patch.

Out of pure interest: Are you using chatgpt to generate those reports?

I think most people with privileges to commit fixes generally understand
the risks and benefits of updating a man page.

> 
> Index: iked.conf.5
> ===================================================================
> RCS file: /cvs/src/sbin/iked/iked.conf.5,v
> diff -u -p -u -r1.98 iked.conf.5
> --- iked.conf.5       13 Jul 2024 12:58:51 -0000      1.98
> +++ iked.conf.5       4 Jan 2025 21:31:18 -0000
> @@ -683,9 +683,9 @@ Use RSA public key authentication with S
>  .Pp
>  The default is to allow any signature authentication.
>  .Pp
> +
>  .It Cm config Ar option address
> -.It Cm request Ar option address
> -Request or serve one or more optional configuration payloads (CP).
> +Configure one or more configuration payloads (CP) to be sent to peers.
>  The configuration
>  .Ar option
>  can be one of the following with the expected address format:
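Review bot: the bare `+` line directly after `.Pp` adds an empty source line to the mdoc file, which the surrounding text never does (macros follow `.Pp` immediately everywhere else in the context); drop it so `.It Cm config Ar option address` follows `.Pp` directly. Consider also keeping the original verb in the new description, e.g. `Serve one or more configuration payloads (CP) to peers.`, since `Configure` reads ambiguously right after a directive that is itself named `config` and loses the request/serve pairing the old combined entry expressed.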
> @@ -716,6 +716,44 @@ included.
>  .It Ic access-server Ar address
>  The address of an internal remote access server.
>  .El
> +.Pp
> +.It Cm request Ar option address  
> +Request one or more configuration payloads (CP) from peers.
> +Currently only the following options are supported when receiving 
> configuration:
> +.Pp
> +.Bl -tag -width Ds -compact -offset indent
> +.It Ic address Ar address
> +Request an IPv4 or IPv6 address on the internal network.
> +Only the first received address will be used.
> +When applied to an interface, addresses are configured as host routes
> +(/32 for IPv4, /128 for IPv6) since netmasks are not negotiated
> +in the IKEv2 configuration payload.
> +.It Ic name-server Ar address  
> +Request the DNS server address (IPv4 or IPv6).
> +Only the first received DNS server will be used.
> +DNS configuration is applied system-wide via routing socket proposals
> +which update the system resolver configuration.
> +.El
> +.Pp
> +Other configuration requests may be sent but their values will be ignored if 
> received.
> +Received configurations can be applied to an interface using the
> +.Ic iface
> +directive.
> +When applied, the following changes occur:
> +.Bl -dash -offset indent -compact
> +.It
> +Interface is configured with received address as a host route
> +.It
> +Routes are added for negotiated subnets using the virtual IP as gateway
> +.It
> +A direct route to the peer is established
> +.It
> +DNS configuration is applied via routing socket
> +.El
> +.Pp
> +All configuration changes are automatically cleaned up when the SA is 
> terminated.
> +The cleanup process removes configured addresses, routes, and DNS settings,
> +restoring the original network configuration.
>  .Pp
>  .It Ic iface Ar interface
>  Enable automatic network configuration as initiator.
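Review bot: the new text contradicts the report it accompanies. The description states that ikev2_pld_cp() only processes INTERNAL_IP4_ADDRESS and INTERNAL_IP4_DNS, yet the added `address` and `name-server` entries say an "IPv4 or IPv6" address and DNS server are used when received; either the IPv6 variants are handled on receipt and the report should say so, or the wording should be limited to what is actually processed. Two mechanical points as well: `.It Cm request Ar option address` and `.It Ic name-server Ar address` carry trailing whitespace, and three added lines (`Currently only the following options are supported when receiving`, `Other configuration requests may be sent but their values will be ignored if`, `All configuration changes are automatically cleaned up when the SA is`) have been wrapped by the mail client so their continuations lack the leading `+`; the header claims 44 new lines and the patch will not apply as quoted, so please resend it unwrapped or as an attachment.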
> 

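The receive-side behaviour the report describes (of everything a peer puts in a configuration payload, only the first address and the first DNS server are acted on, and the rest is ignored) is easier to reason about with a concrete parser in hand. The following C program is an added illustration, not code from iked or from the patch: it decodes a CP payload body using the RFC 7296 attribute type numbers, applies that first-wins policy, counts ignored attributes, and rejects truncated attributes rather than reading past the buffer. The payload bytes are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* CFG types and attribute types from RFC 7296, section 3.15 */
#define CFG_REPLY            2
#define INTERNAL_IP4_ADDRESS 1
#define INTERNAL_IP4_NETMASK 2
#define INTERNAL_IP4_DNS     3
#define INTERNAL_IP4_NBNS    4

struct cp_result {
	int	cfg_type;
	int	have_addr;	/* set once the first INTERNAL_IP4_ADDRESS is taken */
	uint8_t	addr[4];
	int	have_dns;	/* set once the first INTERNAL_IP4_DNS is taken */
	uint8_t	dns[4];
	int	ignored;	/* attributes received but not acted on */
};

/*
 * Parse the body of a CP payload: CFG Type, three reserved bytes, then
 * TLV attributes (R bit + 15-bit type, 16-bit length, value).  Returns 0
 * on success and -1 when an attribute header or value runs past the end
 * of the buffer or an IPv4 attribute has an impossible length.
 */
int
cp_parse(const uint8_t *buf, size_t len, struct cp_result *res)
{
	size_t off = 4;

	memset(res, 0, sizeof(*res));
	if (len < 4)
		return (-1);
	res->cfg_type = buf[0];

	while (off < len) {
		uint16_t type, alen;
		uint8_t *dst;
		int *have;

		if (len - off < 4)
			return (-1);		/* truncated attribute header */
		type = (uint16_t)(((buf[off] & 0x7f) << 8) | buf[off + 1]);
		alen = (uint16_t)((buf[off + 2] << 8) | buf[off + 3]);
		off += 4;
		if (alen > len - off)
			return (-1);		/* value overruns the payload */

		switch (type) {
		case INTERNAL_IP4_ADDRESS:
		case INTERNAL_IP4_DNS:
			if (alen != 0 && alen != 4)
				return (-1);
			if (type == INTERNAL_IP4_ADDRESS) {
				have = &res->have_addr;
				dst = res->addr;
			} else {
				have = &res->have_dns;
				dst = res->dns;
			}
			/* a zero-length value is a request, not an assignment */
			if (alen == 4 && !*have) {
				memcpy(dst, buf + off, 4);
				*have = 1;
			} else if (alen == 4)
				res->ignored++;	/* only the first one is used */
			break;
		default:
			res->ignored++;		/* netmask, NBNS, DHCP, ... */
			break;
		}
		off += alen;
	}
	return (0);
}

/* Constructed CFG_REPLY: two addresses, a netmask, a DNS and a WINS server */
static const uint8_t sample_cp[] = {
	CFG_REPLY, 0, 0, 0,
	0x00, INTERNAL_IP4_ADDRESS, 0x00, 0x04, 10, 0, 0, 5,
	0x00, INTERNAL_IP4_NETMASK, 0x00, 0x04, 255, 255, 255, 0,
	0x00, INTERNAL_IP4_ADDRESS, 0x00, 0x04, 10, 0, 0, 6,
	0x00, INTERNAL_IP4_DNS,     0x00, 0x04, 10, 0, 0, 1,
	0x00, INTERNAL_IP4_NBNS,    0x00, 0x04, 10, 0, 0, 2,
};

/* Parse the full sample; expected: 10.0.0.5, DNS 10.0.0.1, 3 ignored */
int
parse_sample(struct cp_result *res)
{
	return (cp_parse(sample_cp, sizeof(sample_cp), res));
}

/* Same bytes with the last one cut off: the NBNS value no longer fits */
int
parse_truncated_sample(struct cp_result *res)
{
	return (cp_parse(sample_cp, sizeof(sample_cp) - 1, res));
}

int
main(void)
{
	struct cp_result r;

	if (parse_sample(&r) != 0)
		return (1);
	printf("address %u.%u.%u.%u dns %u.%u.%u.%u ignored %d\n",
	    r.addr[0], r.addr[1], r.addr[2], r.addr[3],
	    r.dns[0], r.dns[1], r.dns[2], r.dns[3], r.ignored);
	printf("truncated payload rejected: %s\n",
	    parse_truncated_sample(&r) == -1 ? "yes" : "no");
	return (0);
}
```

The length checks are the part worth copying: every attribute header and value is bounded against the payload length before it is read, so a peer that advertises a value longer than what it actually sent gets an error instead of a read beyond the buffer.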