Hi Darren,

OK, I'm beginning to get it...

>> 5) Why are pools either "in" or "out"? Is there some way to use a
>> single pool of addresses to match both in and out addresses?
>
> I'm not sure I follow as there aren't "in" and "out" addresses.

My mistake, I was confusing groupmap which requires an in or out
designation with the actual table statement which does not.

I can use the same pool for in and out matching:
  block in quick from pool/200 to any
  block out quick from any to pool/200

>> Because there can be "exceptions" in the pool, I would suspect
>> it has to traverse the whole thing each time. Again, this leads
>> me to try to presort the really large lists to reduce redundant
>> traversals.
>
> A pool isn't a simple list but rather a more efficient data store.

Ahhh. So if I understand correctly, the pool is more than a
simple list of addresses/subnets. The target address is matched
against only the portion of the pool that might contain it. A
consistent pool definition is formed from all the address/subnet inputs.

The pool definition is shaped by, but not defined explicitly by,
the input ranges and excluded ranges. This would mean that if
there were overlapping subnets, the overlap
would be searched only once, and if there are exception ranges
(e.g. !1.2.3.0/24) they are removed from the pool before the search,
in fact are probably removed before the pool is stored in memory.

I don't think the man page does justice to how clever this is!
I gotta give it a try! Now to hack my 500 line perl script.

Sorry I'm being thick...

--gene
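As an added illustration of the point discussed above (this is not part of the original thread and not ipfilter's own code), the following Python models a "tree" pool as a binary prefix tree and decides membership by the longest prefix covering the address, treating a "!" entry as an exception. The ippool.conf text inside it is a constructed sample, and the longest-prefix-wins rule is an assumption about how overlapping and negated entries are resolved; the script is there to show why a lookup only walks the one branch of the pool that can contain the address instead of traversing every entry, and why overlapping entries share a single path.

```python
import ipaddress

# Constructed sample in ippool(5) table syntax (made up for this example,
# not taken from the thread): a /8, a /16 exception inside it, a /24 that
# is included again inside the exception, and an unrelated /24.
IPPOOL_CONF = """
table role = ipf type = tree number = 200
        { 10.0.0.0/8; !10.1.0.0/16; 10.1.2.0/24; 192.168.0.0/24; };
"""


def parse_ippool_table(text):
    """Return the address entries inside the first { ... } of a table line."""
    body = text[text.index("{") + 1:text.rindex("}")]
    return [e.strip() for e in body.split(";") if e.strip()]


class _Node:
    __slots__ = ("children", "include")

    def __init__(self):
        self.children = [None, None]  # subtrees for next address bit 0 / 1
        self.include = None           # True: entry, False: '!' exception, None: none ends here


class AddressPool:
    """Binary prefix tree over IPv4/IPv6 prefixes with '!' exceptions.

    Membership is decided by the longest prefix that covers the address.
    This is the assumed semantics of an ipfilter 'tree' pool, written from
    scratch for the example; it is not ipfilter's implementation.
    """

    def __init__(self, entries=()):
        self.roots = {4: _Node(), 6: _Node()}
        for entry in entries:
            self.add(entry)

    def add(self, entry):
        include = not entry.startswith("!")
        net = ipaddress.ip_network(entry.lstrip("! "), strict=False)
        node = self.roots[net.version]
        value = int(net.network_address)
        for i in range(net.prefixlen):
            bit = (value >> (net.max_prefixlen - 1 - i)) & 1
            if node.children[bit] is None:
                node.children[bit] = _Node()
            node = node.children[bit]
        node.include = include  # overlapping entries share the path; last one wins

    def contains(self, addr):
        a = ipaddress.ip_address(addr)
        node = self.roots[a.version]
        value = int(a)
        verdict = bool(node.include)  # a 0/0 entry, if present, sets the default
        for i in range(a.max_prefixlen):
            bit = (value >> (a.max_prefixlen - 1 - i)) & 1
            node = node.children[bit]
            if node is None:
                break  # only the branch that can hold addr is ever visited
            if node.include is not None:
                verdict = node.include  # a longer prefix overrides a shorter one
        return verdict


def build_pool(conf=IPPOOL_CONF):
    """Build the pool from the constructed ippool.conf sample."""
    return AddressPool(parse_ippool_table(conf))


if __name__ == "__main__":
    pool = build_pool()
    for ip in ("10.0.0.1", "10.1.0.5", "10.1.2.9", "192.168.0.200", "8.8.8.8"):
        print(ip, "in pool" if pool.contains(ip) else "not in pool")
```

Note that 10.1.0.5 falls under the /8 but is rejected by the more specific "!10.1.0.0/16", while 10.1.2.9 is accepted again because the /24 is longer still; no entry is ever compared against an address it cannot cover.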
