IPPOOL(5)                 FILE FORMATS                  IPPOOL(5)


NAME

     ippool, ippool.conf - IP Pool file format


DESCRIPTION

     The format for files accepted by ippool is described by the
     following grammar:

     line ::= table | groupmap .
     table ::= "table" role tabletype .
     groupmap ::= "group-map" inout role number ipfgroup .
     tabletype ::= ipftree | ipfhash .

     role ::= "role" "=" "ipf" .
     inout ::= "in" | "out" .

     ipftree ::= "type" "=" "tree" number "{" addrlist "}" .
     ipfhash ::= "type" "=" "hash" number hashopts "{" hashlist "}" .

     ipfgroup ::= setgroup hashopts "{" grouplist "}" |
                  hashopts "{" setgrouplist "}" .
     setgroup ::= "group" "=" groupname .

     hashopts ::= size [ seed ] | seed .

     size ::= "size" number .
     seed ::= "seed" number .

     addrlist ::= [ "!" ] addrmask ";" [ addrlist ] .
     grouplist ::= groupentry ";" [ grouplist ] | addrmask ";" [ grouplist ] .

     setgrouplist ::= groupentry ";" [ setgrouplist ] .

     groupentry ::= addrmask "," setgroup .

     hashlist ::= hashentry ";" [ hashlist ] .
     hashentry ::= addrmask .

     addrmask ::= ipaddr | ipaddr "/" mask .

     mask ::= number | ipaddr .

     groupname ::= number | name .

     number ::= digit { digit } .

     ipaddr ::= host-num "." host-num "." host-num "." host-num .
     host-num ::= digit [ digit [ digit ] ] .

     digit ::= "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7" | "8" | "9" .
     name ::= letter { letter | digit } .


     The IP pool configuration file is used for defining a single
     object that contains a reference to multiple IP
     address/netmask pairs.  A pool may consist of a mixture of
     netmask sizes, from 0 to 32.

     At this point in time, only IPv4 addressing is supported.

     The IP pool configuration file provides for defining two
     different mechanisms for improving speed in matching IP
     addresses with rules.  The first, table, defines a lookup
     table to provide a single reference in a filter rule to
     multiple targets and the second, group-map, provides a
     mechanism to target multiple groups from a single filter line.

     The group-map command can only be used with filter rules
     that use the call command to invoke either fr_srcgrpmap or
     fr_dstgrpmap, to use the source or destination address,
     respectively, for determining which filter group to jump to
     next for continuation of filter packet processing.


POOL TYPES

     Two storage formats are provided: hash tables and tree
     structures.  The hash table is intended for use with objects
     that all contain the same netmask, or a few different sized
     netmasks of non-overlapping address space.  The tree is
     designed to support exceptions to a covering mask, in
     addition to the normal searching you would do with a table.
     It is not possible to use the tree data storage type with
     group-map configuration entries.


POOL ROLES

     When a pool is defined in the configuration file, it must
     have an associated role.  At present the only supported role
     is ipf.  Future development will see further expansion of
     their use by other sections of IPFilter code.


EXAMPLES

     The following examples show how the pool configuration file
     is used with the ipf configuration file to enhance the
     ability for the ipf configuration file to be succinct in
     meaning.

     1    The first example shows how a filter rule makes
          reference to a specific pool for matching of the source
          address.

          pass in from pool/100 to any

     The pool configuration below matches IP addresses 1.1.1.1
     and any in 2.2.0.0/16, except for those in 2.2.2.0/24.

     table role = ipf type = tree number = 100
             { 1.1.1.1/32; 2.2.0.0/16; !2.2.2.0/24 };


     2    The following ipf.conf extract uses the
          fr_srcgrpmap/fr_dstgrpmap lookups to use the group-map
          facility to look up the next group to use for filter
          processing, providing the call filter rule is matched.

          call now fr_srcgrpmap/1010 in all
          call now fr_dstgrpmap/2010 out all
          pass in all group 1020
          block in all group 1030
          pass out all group 2020
          block out all group 2040

     An ippool configuration to work with the above ipf.conf file
     might look like this:

     group-map in role = ipf number = 1010
          { 1.1.1.1/32, group = 1020; 3.3.0.0/16, group = 1030; };
     group-map out role = ipf number = 2010 group = 2020
          { 2.2.2.2/32; 4.4.0.0/16; 5.0.0.0/8, group = 2040; };
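
     The following is an added example, not part of the original
     manual page or of IPFilter: a Python sketch that parses the two
     group-map definitions above and resolves which filter group an
     address is sent to, including the map-wide default given in the
     header. parse_group_maps and next_group are hypothetical helper
     names, and the longest-prefix tie-break is an assumption.

```python
import ipaddress
import re

# group-map text copied from example 2 on this page.
GROUP_MAPS = """
group-map in role = ipf number = 1010
     { 1.1.1.1/32, group = 1020; 3.3.0.0/16, group = 1030; };
group-map out role = ipf number = 2010 group = 2020
     { 2.2.2.2/32; 4.4.0.0/16; 5.0.0.0/8, group = 2040; };
"""

GROUP_MAP = re.compile(
    r"group-map\s+(in|out)\s+role\s*=\s*ipf\s+number\s*=\s*(\d+)"
    r"(?:\s+group\s*=\s*(\w+))?\s*\{([^}]*)\}")

def parse_group_maps(text):
    """Return {(direction, number): [(network, group), ...]}."""
    maps = {}
    for direction, number, default, body in GROUP_MAP.findall(text):
        entries = []
        for item in filter(None, (s.strip() for s in body.split(";"))):
            addr, _, setgroup = item.partition(",")
            # An entry without its own "group =" takes the header default.
            group = setgroup.split("=")[1].strip() if setgroup else default
            if not group:
                raise ValueError(f"{item!r}: no group and no map default")
            net = ipaddress.ip_network(addr.strip(), strict=False)
            entries.append((net, group))
        maps[(direction, int(number))] = entries
    return maps

def next_group(maps, direction, number, addr):
    """Group the address is sent to, or None when no entry covers it."""
    ip = ipaddress.ip_address(addr)
    hits = [(net, grp) for net, grp in maps[(direction, number)] if ip in net]
    # Assumption: on overlap the longest prefix wins; the entries on this
    # page do not overlap, so the tie-break is never exercised here.
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

if __name__ == "__main__":
    maps = parse_group_maps(GROUP_MAPS)
    for d, n, a in (("in", 1010, "3.3.9.9"), ("out", 2010, "4.4.1.1"),
                    ("out", 2010, "5.6.7.8"), ("in", 1010, "9.9.9.9")):
        print(f"{d} map {n} {a} -> group {next_group(maps, d, n, a)}")
```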


FILES

     /dev/iplookup
     /etc/ippool.conf
     /etc/hosts


SEE ALSO

     ippool(8), hosts(5), ipf(5), ipf(8), ipnat(8)
