Is ipfilter firewall with ippool working?
Ernie Luzar
luzar722 at gmail.com
Thu Apr 6 14:54:51 UTC 2017
Cy Schubert wrote:
> In message <58E50379.6090406 at gmail.com>, Ernie Luzar writes:
>> I have been an ipfilter user since FreeBSD 3.0 without any complaints.
>> Now I'm trying to get ippool to function. I have been able to add a
>> pool, but now I want to refresh its contents. From what I read in "man
>> 8 ippool", I have to remove the pool from core and then re-add it with
>> the complete new content. When I issue this command to remove the named
>> ippool from core, I get message saying "Segmentation fault (core
>> dumped)" and the system continues as normal.
>>
>> ippool -R -m unsolicited
>>
>> I know that in 2016 ipfilter was forked and updated to be freebsd
>> friendly. Thinking maybe something in the kernel code was changed that
>> now is causing this problem. I'm running release 11.0.
>>
>> Is there anyone out there who has ipfilter/ippool working?
>
> Hi,
>
> I use ipfilter (and have for a couple of decades on Solaris and FreeBSD).
> We haven't forked it but we are fixing bugs and pushing them upstream.
>
> Looking at the ippool source, this is another case of the source or man
> page being incorrect. Looking at earlier versions of the source and man
> pages, it appears to have been broken for almost forever. This is not the
> first command line parsing issue or man page discrepancy in ipfilter.
>
> Can you please file a PR and assign it to me? The todos will be to:
>
> 1. Determine whether the man page or the code is correct.
> 2. Verify that all arguments are parsed (and subsequently processed).
> 3. Verify that correct error messages are produced as appropriate.
>
> For now you can issue ippool -R -m unsolicited POOL_TYPE, where pool type
> is documented in the man page with -t (though that will also need to be
> verified). The ippool parser thinks the pool type is a positional argument
> not an option.
>
> I'd like to verify Darren Reed's (original author's) intention before
> blindly "fixing" anything.
>
>
Thank you for taking on this project to fix ippool. I have stumbled
across many items that don't work as documented or the documentation
doesn't provide enough information about the required syntax.

Yes, I can submit a PR. I will add to your to-do list, pointing out things
that need addressing.

I have already tried "ippool -R -m unsolicited -t tree" and it gives
error ilegal option --t

The usage of this command is to remove the named pool from running in
core so it can be re-added in mass with updated content.

I can almost do the same thing using this command sequence

ippool -f /etc/ippool.conf -u

this unloads all the entries but leaves the pool name in place
then this command reloads in mass

ippool -f /etc/ippool.conf

Can you suggest some other way to get the ippool -R command working?