Hello All,
In my application there is a requirement that I block all packets from a list of IP addresses (which is generated dynamically) for a certain number of seconds using IPFilter. As more than one application may need this functionality, I thought of providing a shared library that would expose APIs to do the job.

My design is: I have a data structure in my lib that has the list of blocked IPs and also a file (ipf_mine.conf) that holds a copy of the list. Every time the list is changed (i.e., an IP address is added or blocked) the changes are reflected in the file too. Then I use the ipf command to load the new rules into the kernel.

I also have system-wide static rules that will be permanently in the kernel and will be given higher priority, i.e., by the order of the rules and the quick statement.

The problem is: to add one IP address to the blocked list I have to change the contents of the file ipf_mine.conf and clear all the rules in the kernel, load my static rules, and then load my ipf_mine.conf. This is apparently inefficient. Is there a better solution?

1. Is there a way I can use a bucket and say "block in from <bucket> to 10.0.0.1"? So that I can directly modify the bucket to add/remove an IP address.
2. Is there a way I can put my static rules permanently into the kernel? So that I can modify only my dynamic rules.
Kindly advise.
cheers
Manik
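An added example (not part of Manik's post, and not a library he describes) of the incremental approach the second question is asking for: ipf(8) appends rules given with -f to the active set and, with -r, removes the rules matching the input, so a single dynamic rule can be added or withdrawn without flushing and reloading the static rules that were loaded first. The file path, the IPF variable, the 10.0.0.1 destination taken from the post, and the block_ip/unblock_ip function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example: keep a dynamic IPFilter block list in sync between a
# conf file and the kernel, one rule at a time, without flushing the
# static rule set. Assumes the static rules were loaded earlier with
# 'ipf -f /etc/ipf.conf' and use 'quick', so they keep precedence over
# anything appended here.

CONF="${CONF:-/etc/ipf_mine.conf}"   # copy of the dynamic list (assumed path)
IPF="${IPF:-ipf}"                    # ipf(8); set IPF=: for a dry run

# The one rule that blocks a single source address (destination from the post).
rule_for_ip() {
    printf 'block in quick from %s to 10.0.0.1\n' "$1"
}

# Is there already a rule for this address in the conf file?
conf_has_ip() {
    grep -q -F -x "$(rule_for_ip "$1")" "$2" 2>/dev/null
}

# Feed one rule to ipf: -f appends it, -r -f removes the matching rule.
ipf_apply() {
    tmp="${TMPDIR:-/tmp}/ipf_mine.$$"
    rule_for_ip "$2" > "$tmp"
    if [ "$1" = remove ]; then "$IPF" -r -f "$tmp"; else "$IPF" -f "$tmp"; fi
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Add an address: record it in the conf, then load only that rule.
block_ip() {
    conf_has_ip "$1" "$CONF" && return 0     # already blocked, nothing to do
    rule_for_ip "$1" >> "$CONF"
    ipf_apply add "$1"
}

# Remove an address: withdraw only that rule, then drop it from the conf.
unblock_ip() {
    conf_has_ip "$1" "$CONF" || return 0     # not blocked, nothing to do
    ipf_apply remove "$1"
    tmp="$CONF.tmp.$$"
    grep -v -F -x "$(rule_for_ip "$1")" "$CONF" > "$tmp" || true
    mv "$tmp" "$CONF"
}

# Block for a fixed number of seconds, as the post requires; the
# background subshell removes the rule again when the timer expires.
block_ip_for() {
    block_ip "$2"
    ( sleep "$1"; unblock_ip "$2" ) &
}
```

Usage is `block_ip_for 30 192.0.2.7` from whatever process owns the list; the conf file stays the durable copy, so after a reboot `ipf -f /etc/ipf_mine.conf` restores the whole dynamic set after the static rules. For the first question, IPFilter 4.x also has ippool(8) address pools that a rule can reference as `from pool/<number>`, with members added and removed by ippool rather than by reloading rules; whether that is available depends on the IPFilter version in use.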