In researching the newer features of IPFilter, and ippools in
particular, I see that there doesn't appear to be a mechanism to flush a
particular pool, only all the pools (of a given type, if you can believe
ippool(8)). For example, say you define an initially empty pool for
spammers. Next, you have a script which reads a list of CIDRs and loads
your spammer pool. Now, on a regular basis, you want to update the spammers
pool contents. As it stands now, it seems we first have to unload the
current spammers pool contents, then load it anew. This is based on what
Darren had to say here:
http://www.mail-archive.com/[email protected]/msg06559.html
In particular...
> If a rule such as:
> pass in from pool/100 to any
> is encountered and pool 100 is empty, what happens?
Then there won't be any addresses to match for packets, so it will
never kick in.
> What if there is no pool 100 defined?
It won't work (actually, it shouldn't even load.)
So, I would infer that if the pool doesn't exist, "bad things" will occur if
an IPF rule that references it is executed.
While we have "-r" to remove an entry (or perhaps many entries in
this context) from a pool, and "-R" to remove a pool in its entirety, what
about a mechanism that merely clears the contents of a pool? On the other
hand, perhaps this is moot if specifying "-R" to remove a pool won't really
adversely affect encountering an IPF rule that references it, and it
essentially becomes a no-op, as Darren indicated having an empty rule would.
Can anyone offer some clarity here?
Thanks,
Mike
--
Michael T. Davis (Mike)
Manager for Networking, Admin. & Research Computing: CBE/MSE
The Ohio State University
197 Watts, (614) 292-6928
http://www.ecr6.ohio-state.edu/~davism/
** E-mail is the best way to contact me **
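As an added illustration of the update problem described above (example script, not part of Mike's post or of IPFilter's own tooling): rather than removing the pool with "-R" and reloading it with "-f", which leaves a window in which a rule such as "pass in from pool/100" refers to a missing or empty pool, the script diffs the previously loaded CIDR list against the new one and emits only "-r" and "-a" operations, so the pool always exists and only changed entries move. It assumes the previous list file is kept from the last run, that the pool is addressed by its identifier through "-m" (the constructed pool "100" here), and that the ippool binary comes from $IPPOOL so the command list can be reviewed with IPPOOL=echo.

```shell
#!/bin/sh
# Differential refresh of an IPFilter address pool (added example, not from the
# original post). Only "-r" (remove entry) and "-a" (add entry) are issued, so
# rules referencing the pool never see it disappear.
#
# Assumption: the pool identifier is passed with "-m"; pool "100" below is a
# constructed example matching "pool/100" in the post.

IPPOOL=${IPPOOL:-ippool}

# normalize_cidrs FILE: one CIDR per line, drop comments and blank lines,
# sort uniquely so comm(1) can compare the two lists.
normalize_cidrs() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" | grep -v '^$' | sort -u
}

# pool_update_cmds POOL OLDFILE NEWFILE: print the ippool commands that turn
# the membership in OLDFILE into the membership in NEWFILE.
# Removals are printed before additions.
pool_update_cmds() {
    pool=$1
    old=$(mktemp); new=$(mktemp)
    normalize_cidrs "$2" > "$old"
    normalize_cidrs "$3" > "$new"
    # entries present only in the old list: remove them from the pool
    comm -23 "$old" "$new" | while read -r cidr; do
        printf '%s -r -m %s -i %s\n' "$IPPOOL" "$pool" "$cidr"
    done
    # entries present only in the new list: add them to the pool
    comm -13 "$old" "$new" | while read -r cidr; do
        printf '%s -a -m %s -i %s\n' "$IPPOOL" "$pool" "$cidr"
    done
    rm -f "$old" "$new"
}

# pool_update POOL OLDFILE NEWFILE: execute the commands, stopping on the
# first failure so a partially applied update is visible in the exit status.
pool_update() {
    pool_update_cmds "$@" | while read -r cmd; do
        $cmd || { echo "failed: $cmd" >&2; exit 1; }
    done
}
```

Run as root with the previous and new list files, e.g. `pool_update 100 spammers.prev spammers.new && mv spammers.new spammers.prev`; with `IPPOOL=echo` the same call only prints what would be done.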