> I'm trying to implement blocking of some empirically derived lists
> of ip address/subnets known to generate malicious and/or otherwise
> undesirable traffic. These lists can be rather large, depending
> on which categories of addresses are being blocked - on the order of
> 10,000 - 100,000 subnet ranges.

This is the perfect use of a pool.

The normal use of a pool of addresses is when you want to classify
a large set of address space in the same manner, for very few
different rules.

Whereas group-map is intended to cover the situation where you
might have 100 different subnets and you have 100 different
policies to apply to each.  So rather than have packet matching
work through the list, you define 100 groups and use group-map
to jump straight to the right group.

> A couple more questions:
> 
> 5) Why are pools either "in" or "out"? Is there some way to use a
> single pool of addresses to match both in and out addresses?

I'm not sure I follow as there aren't "in" and "out" addresses.

> Just to clarify,
> when a packet matches and is assigned a group in a groupmap,
> this behaves as an "entry point" to a group just like matching
> a rule with a head statement to that group?

Yes.

> 7) If I have a filter rule like:
> block in quick on pppoe0 from pool/333 to any
> 
> If I have a very long list of subnets in pool 333, does first match
> win or does it traverse the full list before returning?

The most specific match wins.

> Because there can be "exceptions" in the pool, I would suspect
> it has to traverse the whole thing each time. Again, this leads
> me to try to presort the really large lists to reduce redundant
> traversals.

A pool isn't a simple list but rather a more efficient data store.

Darren

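The two answers at the end of the thread (most specific match wins; a pool is not a list but an efficient store) are easier to see with a small model of the lookup. The code below is an added example and is not from the thread or from IPFilter itself: it keeps a block list of CIDR prefixes, with ippool-style `!` exclusions, in a binary trie keyed on address bits, so a lookup walks at most 32 steps for IPv4 however many entries were loaded, and an excluded /30 carved out of an included /24 is honoured no matter which order the entries were listed in, which is why pre-sorting the list buys nothing. The `render_ippool_table` helper emits the `table role = ipf type = tree number = N { ...; };` form as I recall it from ippool.conf(5); the sample entries are constructed, and the rendered syntax should be checked against the local man page before loading it with `ippool -f`.

```python
"""Most-specific-match membership over a large CIDR block list.

Added example, not code from the original thread or from IPFilter.
Models the semantics described for an ippool 'tree' table: the most
specific entry decides, exclusions ('!') are just more specific entries,
and lookup cost is bounded by address width, not by entry count.
One trie per address family; the demo below is IPv4 only.
"""
import ipaddress
import random


class PrefixTrie:
    """Binary trie keyed on address bits; a node may carry a verdict."""

    __slots__ = ("children", "verdict")

    def __init__(self):
        self.children = [None, None]
        self.verdict = None  # True = included, False = excluded, None = no entry

    def insert(self, network, included=True):
        net = ipaddress.ip_network(network, strict=False)
        bits, width = int(net.network_address), net.max_prefixlen
        node = self
        for i in range(net.prefixlen):
            bit = (bits >> (width - 1 - i)) & 1
            if node.children[bit] is None:
                node.children[bit] = PrefixTrie()
            node = node.children[bit]
        node.verdict = included

    def lookup(self, address):
        """Return (prefix_len, included) of the most specific entry, or None."""
        addr = ipaddress.ip_address(address)
        bits, width = int(addr), addr.max_prefixlen
        node, best = self, None
        if node.verdict is not None:
            best = (0, node.verdict)          # a /0 entry, if one exists
        for i in range(width):                # at most 32 steps for IPv4
            node = node.children[(bits >> (width - 1 - i)) & 1]
            if node is None:
                break
            if node.verdict is not None:
                best = (i + 1, node.verdict)  # deeper entry overrides shallower
        return best

    def contains(self, address):
        best = self.lookup(address)
        return best is not None and best[1]


# Constructed sample list in ippool entry style; '!' marks an exclusion.
SAMPLE_ENTRIES = [
    "203.0.113.0/24",
    "!203.0.113.20/30",   # exception carved out of the /24 above
    "198.51.100.0/25",
    "192.0.2.0/24",
]


def build_pool(entries):
    """Load entries into a trie; exclusions become more specific 'False' nodes."""
    trie = PrefixTrie()
    for raw in entries:
        e = raw.strip()
        if not e or e.startswith("#"):
            continue
        if e.startswith("!"):
            trie.insert(e[1:].strip(), included=False)
        else:
            trie.insert(e, included=True)
    return trie


def order_independent(entries, probes, rounds=5):
    """True if every probe gets the same verdict for several random orderings."""
    baseline = [build_pool(entries).contains(p) for p in probes]
    shuffled = list(entries)
    for _ in range(rounds):
        random.shuffle(shuffled)
        if [build_pool(shuffled).contains(p) for p in probes] != baseline:
            return False
    return True


def render_ippool_table(number, entries):
    """Emit an ippool.conf 'tree' table (syntax as recalled from ippool.conf(5);
    assumption, verify against the local man page before loading)."""
    body = " ".join(f"{e.strip()};" for e in entries
                    if e.strip() and not e.startswith("#"))
    return f"table role = ipf type = tree number = {number} {{ {body} }};"


if __name__ == "__main__":
    pool = build_pool(SAMPLE_ENTRIES)
    for probe in ("203.0.113.5", "203.0.113.21", "198.51.100.200", "10.0.0.1"):
        print(probe, pool.lookup(probe))
    print(render_ippool_table(333, SAMPLE_ENTRIES))
```

The rule quoted above, `block in quick on pppoe0 from pool/333 to any`, only asks whether the source is in pool 333; the trie answers that in one descent, with the `!203.0.113.20/30` entry beating the `203.0.113.0/24` entry because it sits deeper in the tree, not because it was listed later.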