In some mail from Saravana Manickam, sie said:
>
> Hello All,
> In my application there is a requirement that I block all
> packets from a list of IP addresses (which is generated dynamically) for
> certain seconds using IPFilter. As more than one application may need
> this functionality, I thought of providing a
> shared library which would expose APIs to do the job.
>
> My design is I have a data structure in my lib that has the
> list of blocked IPs and also a file (ipf_mine.conf) that would have a
> copy of the list. Every time the list is changed (i.e., an IP address is
> added or blocked) the changes would reflect in the file too. Then I use
> the ipf command to load the new rules in the kernel.
> I also have system wide static rules that will be
> permanently in the kernel and will be given higher priority, i.e., order
> of the rules and quick statement.
>
> The problem is: for adding one IP address to the blocked
> list I have to change the contents of the file ipf_mine.conf and clear
> all the rules in the kernel. Load my static rules and then load my
> ipf_mine.conf. This is apparently inefficient. Is there a better
> solution?
>
> 1. Is there a way I can use a bucket and say "block in from
> <bucket> to 10.0.0.1"? So that I can directly modify the bucket to
> add/remove an IP address.

Yes, this would be done using address pools.

> 2. Is there a way I can put my static rules permanently into
> the kernel? So that I can modify only my dynamic rules.

Yes, look for IPFILTER_COMPILED, look at "ipf -cc", ip_rules.c, etc.

Darren
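The address-pool approach Darren points to, as an added example that is not part of this thread: the static rules and a single `block ... from pool/N` rule are loaded once, and individual addresses are then added to or removed from the pool with `ippool` without touching the rule set. It assumes IPFilter 4.x syntax (numbered pools referenced as `pool/1`, `ippool -a`/`-r` with `-m` and `-t tree`), root access, and reuses 10.0.0.1 from the question; the seed address 203.0.113.7 and the blocked address 192.0.2.10 are constructed documentation addresses.

```shell
#!/bin/sh
# Added example, not from the mailing list. Assumes IPFilter 4.x, a numbered
# pool (pool/1) and ipf/ippool in PATH run as root. Set IPF_DRYRUN=1 to only
# print the commands instead of executing them.

POOL=1              # pool number, referenced as pool/$POOL in the ipf rules
VICTIM=10.0.0.1     # protected host, taken from the original question

# Static rules are loaded once. The last-but-one rule consults the pool, so
# adding a blocked address never requires reloading or reordering rules.
write_rules() {
    cat > "$1" <<EOF
# ipf.conf: static rules first (quick, so they win), then the pool rule
pass in quick proto tcp from any to $VICTIM port = 22 keep state
block in quick from pool/$POOL to $VICTIM
pass in all
EOF
}

# Initial pool definition, loaded once with "ippool -f". The seed entry is a
# constructed placeholder; the pool is filled and drained at run time.
write_pool() {
    cat > "$1" <<EOF
table role = ipf type = tree number = $POOL { 203.0.113.7/32; };
EOF
}

# Build the ippool commands without running them so they can be inspected.
add_cmd() { echo "ippool -a -m $POOL -t tree -i $1/32"; }
del_cmd() { echo "ippool -r -m $POOL -t tree -i $1/32"; }

run() { if [ -n "$IPF_DRYRUN" ]; then echo "+ $*"; else "$@"; fi; }

# block_ip ADDR SECONDS: put ADDR in the pool now and take it out again after
# SECONDS. Neither the static rules nor the other pool members are touched.
block_ip() {
    run $(add_cmd "$1")
    ( sleep "$2"; run $(del_cmd "$1") ) &
}

if [ -n "$IPF_DRYRUN" ]; then
    dir=$(mktemp -d)
    write_pool "$dir/ippool.conf"; write_rules "$dir/ipf.conf"
    echo "# one-time load of pool and static rules:"
    echo "+ ippool -f $dir/ippool.conf"; echo "+ ipf -Fa -f $dir/ipf.conf"
    block_ip 192.0.2.10 5       # constructed address, blocked for 5 seconds
fi
```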
