[OpenIndiana-discuss] crippling dladm set-linkprop limitations when setting allowed-ips, resulting in dladm: property list too long

Lou Picciano loupicciano at comcast.net
Wed Jan 26 00:57:49 UTC 2011


Jonathan - 


Though we do use dladm quite a bit, haven't run into this limitation of the allowed property... 


On the other hand, doesn't this property accept CIDR masking; wouldn't this go a long way toward consolidating your 'allowed' requirements? 


Lou 

----- Original Message ----- 
From: "Jonathan Kinney" <openindiana-discuss at super-geek.com> 
To: openindiana-discuss at openindiana.org 
Sent: Tuesday, January 25, 2011 7:37:37 PM 
Subject: [OpenIndiana-discuss] crippling dladm set-linkprop limitations when setting allowed-ips, resulting in dladm: property list too long 

I was wondering if anyone has insight into this problem I ran into. 
While adjusting the link properties for an existing vnic, I found that 
if you try to add more than 243 characters worth of comma separated IP 
addresses to the allowed-ips= property, it results in the error 
"dladm: property list too long". Here is an example to show what I 
mean. The command (all on one line): 

dladm set-linkprop -t -p allowed-ips=28.42.112.131,28.42.112.132,28.42.112.133,28.42.112.134,28.42.112.135,28.42.112.136,28.42.112.137,28.42.112.138,28.42.112.139,28.42.112.140,28.42.112.141,28.42.112.142,28.42.112.143,28.42.112.144,28.42.112.145,28.42.112.146,28.42.112.147,28.42.112.148 ywo378_0 

Will result in the following error: 

dladm: property list too long 
'allowed-ips=28.42.112.131,28.42.112.132,28.42.112.133,28.42.112.134,28.42.112.135,28.42.112.136,28.42.112.137,28.42.112.138,28.42.112.139,28.42.112.140,28.42.112.141,28.42.112.142,28.42.112.143,28.42.112.144,28.42.112.145,28.42.112.146,28.42.112.147,28.42' 

This simply means that, depending on the IP address length, you can 
fit 15-30 IP addresses with comma separation into the allowed-ips 
property using the dladm command. Just off the top of my head, it 
looks like the DLADM_STRSIZE being set to 256 may be related to this 
issue. I am sure I am not the only security-conscious person who has 
run into this issue. Does anyone have any idea how to get around this 
limitation besides rebuilding from source code? 

Jonathan Kinney 
http://www.simplywebhosting.com 

_______________________________________________ 
OpenIndiana-discuss mailing list 
OpenIndiana-discuss at openindiana.org 
http://openindiana.org/mailman/listinfo/openindiana-discuss 
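
The CIDR consolidation Lou asks about, applied to the 18 addresses from Jonathan's command, as an added example that is not part of either message. It assumes allowed-ips accepts address/prefix entries, which the thread asks about but does not confirm; the function names are hypothetical. The cover is exact, so no address outside the original list becomes allowed.

```python
import ipaddress

# Limit reported in the post: more than 243 characters of comma-separated
# addresses produces "dladm: property list too long".
MAX_VALUE_CHARS = 243

# The 18 addresses from the command in the post (.131 through .148).
PAGE_ADDRESSES = [f"28.42.112.{n}" for n in range(131, 149)]


def exact_cidr_cover(addresses):
    """Return the fewest CIDR blocks covering exactly the given hosts."""
    hosts = {ipaddress.ip_address(a) for a in addresses}  # drops duplicates
    blocks = []
    for version in (4, 6):  # collapse_addresses rejects mixed versions
        nets = [ipaddress.ip_network(str(h)) for h in hosts
                if h.version == version]
        blocks.extend(ipaddress.collapse_addresses(nets))
    # Guard against widening the allow-list: the blocks must contain
    # exactly as many addresses as were supplied.
    if sum(b.num_addresses for b in blocks) != len(hosts):
        raise ValueError("CIDR cover is not exact")
    return blocks


def format_entry(net):
    """Write single-host blocks as a bare address, others as addr/prefix."""
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)
    return str(net)


def allowed_ips_value(addresses):
    """Build the allowed-ips value; refuse one that exceeds the limit."""
    value = ",".join(format_entry(b) for b in exact_cidr_cover(addresses))
    if len(value) > MAX_VALUE_CHARS:
        raise ValueError(f"value is {len(value)} chars, limit is "
                         f"{MAX_VALUE_CHARS}")
    return value


if __name__ == "__main__":
    original = ",".join(PAGE_ADDRESSES)
    collapsed = allowed_ips_value(PAGE_ADDRESSES)
    print(f"original : {len(original)} chars")
    print(f"collapsed: {len(collapsed)} chars -> {collapsed}")
```

Rounding the same range up to a single /27 would be shorter still, but it would also permit 28.42.112.128-130 and .149-159, which were never on the list.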

