> I can use the same pool for in and out matching:
> block in quick from pool/200 to any
> block out quick from any to pool/200
Right.

> >> Because there can be "exceptions" in the pool, I would suspect
> >> it has to traverse the whole thing each time. Again, this leads
> >> me to try to presort the really large lists to reduce redundant
> >> traversals.
> >
> > A pool isn't a simple list but rather a more efficient data store.
>
> Ahhh. So if I understand correctly, the pool is more than a
> simple list of addresses/subnets. The target address is matched
> against only the portion of the pool that might contain it. A
> consistent pool definition is formed from all the address/subnet inputs.

Yes, that is one way to think of it.

> The pool definition is shaped by, but not defined explicitly by,
> the input ranges and excluded ranges. This would mean that if
> there were overlapping subnets, the overlap would be searched only
> once and if there are exception ranges (e.g. !1.2.3.0/24) they are
> removed from the pool before the search, in fact are probably
> removed before the pool is stored in memory.

No, they're not removed from the pool, they're retained as part of the knowledge that defines the pool.

Darren
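An added illustration of the point made above, not IPFilter's own ippool code: negated entries stay in the pool as more-specific knowledge, a lookup consults only the prefixes that could contain the address and lets the most specific one decide, and the same pool serves both the "in" and "out" block rules. The `Pool` class, the `!prefix` entry syntax, the pool contents and `blocked()` are all constructed for this example.

```python
import ipaddress


class Pool:
    """Hypothetical address pool built from positive and negated prefixes.

    Every entry is retained, negated or not.  A lookup only examines
    prefixes that actually contain the address (a radix tree would skip
    the rest outright) and the longest such prefix determines membership.
    """

    def __init__(self, entries):
        self.entries = []
        for entry in entries:
            negated = entry.startswith("!")          # "!1.2.3.0/24" excludes
            net = ipaddress.ip_network(entry.lstrip("!"), strict=False)
            self.entries.append((net, negated))
        # Shortest prefix first, so the last containing entry is the most specific.
        self.entries.sort(key=lambda item: item[0].prefixlen)

    def matches(self, addr):
        ip = ipaddress.ip_address(addr)
        best = None
        for net, negated in self.entries:
            if ip in net:                            # only candidate prefixes count
                best = negated
        # No containing prefix: not in the pool.  Otherwise the most
        # specific prefix decides; a negated one excludes the address.
        return best is not None and not best


# Constructed sample pool: a /16 with a /24 carved out of it, part of that
# /24 re-included by a more specific /25, plus an unrelated /8.
POOL_200 = Pool(["1.2.0.0/16", "!1.2.3.0/24", "1.2.3.128/25", "10.0.0.0/8"])


def blocked(direction, src, dst, pool=POOL_200):
    """Apply the two rules from the thread with one shared pool:
    block in  quick from pool/200 to any
    block out quick from any to pool/200
    """
    if direction == "in":
        return pool.matches(src)
    if direction == "out":
        return pool.matches(dst)
    raise ValueError("direction must be 'in' or 'out'")
```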
