Re: Is ipfilter firewall with ippool working?

2017-04-06 Thread Cy Schubert
In message <58e656c6.8000...@gmail.com>, Ernie Luzar writes:
> Cy Schubert wrote:
> > In message <58e50379.6090...@gmail.com>, Ernie Luzar writes:
> >> I have been an ipfilter user since FreeBSD 3.0 without any complaints. 
> >> Now I'm trying to get ippool to function. I have been able to add a 
> >> pool, but now I want to refresh its contents. From what I read in "man 
> >> 8 ippool", I have to remove the pool from core and then re-add it with 
> >> the complete new content. When I issue this command to remove the named 
> >> ippool from core, I get a message saying "Segmentation fault (core 
> >> dumped)" and the system continues as normal.
> >>
> >> ippool -R -m unsolicited
> >>
> >> I know that in 2016 ipfilter was forked and updated to be FreeBSD 
> >> friendly. Thinking maybe something in the kernel code was changed that 
> >> now is causing this problem. I'm running release 11.0.
> >>
> >> Is there anyone out there who has ipfilter/ippool working?
> > 
> > Hi,
> > 
> > I use ipfilter (and have for a couple of decades on Solaris and FreeBSD). 
> > We haven't forked it but we are fixing bugs and pushing them upstream.
> > 
> > Looking at the ippool source, this is another case of the source or man 
> > page being incorrect. Looking at earlier versions of the source and man 
> > pages, it appears to have been broken for almost forever. This is not the 
> > first command line parsing issue or man page discrepancy in ipfilter.
> > 
> > Can you please file a PR and assign it to me? The todos will be to:
> > 
> > 1. Determine whether the man page or the code is correct.
> > 2. Verify that all arguments are parsed (and subsequently processed).
> > 3. Verify that correct error messages are produced as appropriate.
> > 
> > For now you can issue ippool -R -m unsolicited POOL_TYPE, where pool type 
> > is documented in the man page with -t (though that will also need to be 
> > verified). The ippool parser thinks the pool type is a positional argument 
> > not an option.
> > 
> > I'd like to verify Darren Reed's (original author's) intention before 
> > blindly "fixing" anything.
> > 
> > 
> 
> Thank you for taking on this project to fix ippool. I have stumbled 
> across many items that don't work as documented or the documentation 
> doesn't provide enough information about the required syntax.

The parser is definitely broken. I discovered another broken parser last 
year.

> 
> Yes I can submit a pr. I will add to your to-do list pointing out things 
> that need addressing.
> 
> I have already tried "ippool -R -m unsolicited -t tree" and it gives 
> error ilegal option --t

That is because -t isn't parsed (via getopt()). Just put in the table name 
but without the "-t" characters.

> 
> The usage of this command is to remove the named pool from running in 
> core so it can be re-added in mass with updated content.
> 
> I can almost do the same thing using this command sequence
> ippool -f /etc/ippool.conf -u
> this unloads all the entries but leaves the pool name in place
> then this command reloads in mass
> ippool -f /etc/ippool.conf
> 
> Can you suggest some other way to get ippool -R command working?

Attached is a patch. Except for basic functionality, I haven't tested it 
but it should get you going for now. I'll add this to my list of things to 
completely fix. There are other parser issues in ippool. I'm going out of 
town in a couple of days. I'll work on a more comprehensive patch when I 
get back in 12 days.

The patch has also been attached to the PR. Let's continue talking there.




Index: contrib/ipfilter/tools/ippool.c
===
--- contrib/ipfilter/tools/ippool.c (revision 316573)
+++ contrib/ipfilter/tools/ippool.c (working copy)
@@ -262,7 +262,7 @@
char *argv[];
 {
int type, role, c, err;
-   char *poolname;
+   char *poolname, *typearg = NULL;
iphtable_t iph;
ip_pool_t pool;
 
@@ -274,7 +274,9 @@
bzero((char *), sizeof(iph));
bzero((char *), sizeof(pool));
 
-   while ((c = getopt(argc, argv, "dm:no:RSv")) != -1)
+   optreset = optind = 1;
+
+   while ((c = getopt(argc, argv, "dm:no:RSvt:")) != -1)
switch (c)
{
case 'd' :
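Review bot: the added `optreset = optind = 1;` line ahead of the getopt() loop has no comment saying why the scanner state must be reset at this point. A one-line comment naming the earlier getopt() pass it undoes would stop the reset being removed later as dead code, and since these fixes are being pushed upstream it is worth noting that optreset is a BSD extension.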
@@ -303,8 +305,18 @@
case 'v' :
opts |= OPT_VERBOSE;
break;
+   case 't' :
+   type = gettype(optarg, _type);
+   typearg = optarg;
+   break;
+   default :
+   usage(argv[0]);
+   break;  /* keep compiler happy */
}
 
+   if (argc - optind > 0)
+   usage(argv[0]);
+
if (opts & OPT_DEBUG)
fprintf(stderr, "poolcommand: opts = %#x\n", opts);
 
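Review bot: in the new `case 't'` arm the return value of gettype() is stored without a check in these lines, so an unrecognised type string needs to be confirmed to reach a usage error further down. `type` is declared without an initialiser and, within the visible lines, is now assigned only when `-t` is given, so it needs a defined default for the case where `-t` is omitted. The `argc - optind > 0` check also turns the positional POOL_TYPE form into a usage error, which the man page update should state.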
@@ -313,9 +325,11 @@
return -1;
}
 
-   type = gettype(argv[optind], 

Re: Is ipfilter firewall with ippool working?

2017-04-06 Thread Ernie Luzar

Cy Schubert wrote:
> In message <58e50379.6090...@gmail.com>, Ernie Luzar writes:
>> I have been an ipfilter user since FreeBSD 3.0 without any complaints. 
>> Now I'm trying to get ippool to function. I have been able to add a 
>> pool, but now I want to refresh its contents. From what I read in "man 
>> 8 ippool", I have to remove the pool from core and then re-add it with 
>> the complete new content. When I issue this command to remove the named 
>> ippool from core, I get a message saying "Segmentation fault (core 
>> dumped)" and the system continues as normal.
>>
>> ippool -R -m unsolicited
>>
>> I know that in 2016 ipfilter was forked and updated to be FreeBSD 
>> friendly. Thinking maybe something in the kernel code was changed that 
>> now is causing this problem. I'm running release 11.0.
>>
>> Is there anyone out there who has ipfilter/ippool working?
>
> Hi,
>
> I use ipfilter (and have for a couple of decades on Solaris and FreeBSD). 
> We haven't forked it but we are fixing bugs and pushing them upstream.
>
> Looking at the ippool source, this is another case of the source or man 
> page being incorrect. Looking at earlier versions of the source and man 
> pages, it appears to have been broken for almost forever. This is not the 
> first command line parsing issue or man page discrepancy in ipfilter.
>
> Can you please file a PR and assign it to me? The todos will be to:
>
> 1. Determine whether the man page or the code is correct.
> 2. Verify that all arguments are parsed (and subsequently processed).
> 3. Verify that correct error messages are produced as appropriate.
>
> For now you can issue ippool -R -m unsolicited POOL_TYPE, where pool type 
> is documented in the man page with -t (though that will also need to be 
> verified). The ippool parser thinks the pool type is a positional argument 
> not an option.
>
> I'd like to verify Darren Reed's (original author's) intention before 
> blindly "fixing" anything.

Thank you for taking on this project to fix ippool. I have stumbled 
across many items that don't work as documented or the documentation 
doesn't provide enough information about the required syntax.

Yes I can submit a pr. I will add to your to-do list pointing out things 
that need addressing.

I have already tried "ippool -R -m unsolicited -t tree" and it gives 
error ilegal option --t

The usage of this command is to remove the named pool from running in 
core so it can be re-added in mass with updated content.

I can almost do the same thing using this command sequence
ippool -f /etc/ippool.conf -u
this unloads all the entries but leaves the pool name in place
then this command reloads in mass
ippool -f /etc/ippool.conf

Can you suggest some other way to get ippool -R command working?

___
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"


Re: Is ipfilter firewall with ippool working?

2017-04-05 Thread Cy Schubert
In message <58e50379.6090...@gmail.com>, Ernie Luzar writes:
> I have been an ipfilter user since FreeBSD 3.0 without any complaints. 
> Now I'm trying to get ippool to function. I have been able to add a 
> pool, but now I want to refresh its contents. From what I read in "man 
> 8 ippool", I have to remove the pool from core and then re-add it with 
> the complete new content. When I issue this command to remove the named 
> ippool from core, I get a message saying "Segmentation fault (core 
> dumped)" and the system continues as normal.
> 
> ippool -R -m unsolicited
> 
> I know that in 2016 ipfilter was forked and updated to be FreeBSD 
> friendly. Thinking maybe something in the kernel code was changed that 
> now is causing this problem. I'm running release 11.0.
> 
> Is there anyone out there who has ipfilter/ippool working?

Hi,

I use ipfilter (and have for a couple of decades on Solaris and FreeBSD). 
We haven't forked it but we are fixing bugs and pushing them upstream.

Looking at the ippool source, this is another case of the source or man 
page being incorrect. Looking at earlier versions of the source and man 
pages, it appears to have been broken for almost forever. This is not the 
first command line parsing issue or man page discrepancy in ipfilter.

Can you please file a PR and assign it to me? The todos will be to:

1. Determine whether the man page or the code is correct.
2. Verify that all arguments are parsed (and subsequently processed).
3. Verify that correct error messages are produced as appropriate.

For now you can issue ippool -R -m unsolicited POOL_TYPE, where pool type 
is documented in the man page with -t (though that will also need to be 
verified). The ippool parser thinks the pool type is a positional argument 
not an option.

I'd like to verify Darren Reed's (original author's) intention before 
blindly "fixing" anything.


-- 
Cheers,
Cy Schubert 
FreeBSD UNIX:     Web:  http://www.FreeBSD.org

The need of the many outweighs the greed of the few.




Is ipfilter firewall with ippool working?

2017-04-05 Thread Ernie Luzar
I have been an ipfilter user since FreeBSD 3.0 without any complaints. 
Now I'm trying to get ippool to function. I have been able to add a 
pool, but now I want to refresh its contents. From what I read in "man 
8 ippool", I have to remove the pool from core and then re-add it with 
the complete new content. When I issue this command to remove the named 
ippool from core, I get a message saying "Segmentation fault (core 
dumped)" and the system continues as normal.

   ippool -R -m unsolicited

I know that in 2016 ipfilter was forked and updated to be FreeBSD 
friendly. Thinking maybe something in the kernel code was changed that 
now is causing this problem. I'm running release 11.0.


Is there anyone out there who has ipfilter/ippool working?