> Hi Darren,
>
> I looked in the manpages (sec. 5 and 8) and am intrigued with
> the possibilities.
>
> Is there further documentation somewhere for ippool and ippool.conf?

Not yet.

> How large can pools be? Can they be multi-line, 10's, 100's of lines?

They can be as large as your kernel memory will allow.

> If a rule such as:
> pass in from pool/100 to any
> is encountered and pool 100 is empty, what happens?

Then there won't be any addresses to match for packets, so it will never kick in.

> What if there is no pool 100 defined?

It won't work (actually, it shouldn't even load.)

> In the man page ippool(5) it says:
> Two storage formats are provided: hash tables and tree
> structure. The hash table is intended for use with objects
> all containing the same netmask or a few different sized
> netmasks of non-overlapping address space and the tree
> is designed for being able to support exceptions to a
> covering mask, in addition to normal searching as you would
> do with a table. It is not possible to use the tree
> data storage type with group-map configuration entries.
> -------
> What does: "the tree is designed for being able to support
> exceptions to a covering mask..." mean?

It means you can have a pool that contains overlapping address information that conflicts.
e.g. you can have "10.0.0.0/8; !10.0.24.0/24;"

> Is there more description of: the group-map command
> and the call command which invokes either fr_srcgrpmap or fr_dstgrpmap
> somewhere?

Not in any real detail. The goal here is to be able to define chains of rules (groups) that have different meanings and then be able to map a large number of groups of addresses to those rule groups with very little effort.

Darren
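As an added illustration, not part of Darren's reply or of the IPFilter distribution: an ippool.conf entry for the tree-type pool with an exception that he describes, placed next to the ipf rule quoted in the question. The pool number 100 and the two prefixes are the ones used in the thread; the "table role = ... type = ... number = ..." syntax is assumed to follow ippool.conf(5).

```conf
# ippool.conf (added example, not from the original message).
# A tree-type pool can hold exceptions to a covering mask: every
# address in 10.0.0.0/8 is in the pool except those in 10.0.24.0/24.
table role = ipf type = tree number = 100
	{ 10.0.0.0/8; !10.0.24.0/24; };

# ipf.conf (added example): the rule quoted in the thread, matching
# against pool 100. With the pool above, a packet from 10.0.1.1
# matches this rule; one from 10.0.24.5 hits the exception and does not.
pass in from pool/100 to any
```

Load the pool file before the rule set that references it (ippool -f ippool.conf, then ipf -f ipf.conf): as the reply says, a rule naming a pool that does not exist should not load at all, and a pool that exists but is empty simply never matches anything.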
