IPPOOL(5)							    IPPOOL(5)



NAME
  ippool, ippool.conf - IP Pool file format

DESCRIPTION
  The format for files accepted by ippool is described by the following
  grammar:

  line ::= table | groupmap .
  table ::= "table" role tabletype .
  groupmap ::= "group-map" inout role number ipfgroup .
  tabletype ::= ipftree | ipfhash .

  role ::= "role" "=" "ipf" .
  inout ::= "in" | "out" .

  ipftree ::= "type" "=" "tree" number "{" addrlist "}" .
  ipfhash ::= "type" "=" "hash" number hashopts "{" hashlist "}" .

  ipfgroup ::= setgroup hashopts "{" grouplist "}" |
               hashopts "{" setgrouplist "}" .
  setgroup ::= "group" "=" groupname .

  hashopts ::= size [ seed ] | seed .

  size ::= "size" number .
  seed ::= "seed" number .

  addrlist ::= range [ "," addrlist ] .
  grouplist ::= groupentry [ ";" grouplist ] | groupentry ";" |
                addrmask ";" | addrmask ";" [ grouplist ] .

  setgrouplist ::= groupentry ";" [ setgrouplist ] .

  groupentry ::= addrmask "," setgroup .

  range ::= addrmask | "!" addrmask .

  hashlist ::= hashentry ";" [ hashlist ] .
  hashentry ::= addrmask .

  addrmask ::= ipaddr | ipaddr "/" mask .

  mask ::= number | ipaddr .

  groupname ::= number | name .

  number ::= digit { digit } .

  ipaddr ::= host-num "." host-num "." host-num "." host-num .
  host-num ::= digit [ digit [ digit ] ] .

  digit ::= "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7" | "8" | "9" .
  name ::= letter { letter | digit } .

  The IP pool configuration file is used for defining a single object that
  contains a reference to multiple IP address/netmask pairs.  A pool may
  consist of a mixture of netmask sizes, from 0 to 32.


  At this point in time, only IPv4 addressing is supported.

  The IP pool configuration file provides two different mechanisms for
  improving the speed of matching IP addresses against rules.  The first,
  table, defines a lookup table that gives a filter rule a single reference
  to multiple targets; the second, group-map, provides a mechanism to target
  multiple groups from a single filter line.

  The group-map command can only be used with filter rules that use the call
  command to invoke either fr_srcgrpmap or fr_dstgrpmap, which use the source
  or destination address, respectively, to determine which filter group to
  jump to next for continuation of filter packet processing.

POOL TYPES

  Two storage formats are provided: hash tables and tree structures.  The
  hash table is intended for objects that all contain the same netmask, or a
  few different sized netmasks of non-overlapping address space.  The tree is
  designed to support exceptions to a covering mask, in addition to normal
  searching as you would do with a table.  It is not possible to use the tree
  data storage type with group-map configuration entries.

POOL ROLES

  When a pool is defined in the configuration file, it must have an
  associated role.  At present the only supported role is ipf.  Future
  development will see further expansion of their use by other sections of
  IPFilter code.

EXAMPLES
  The following examples show how the pool configuration file is used with
  the ipf configuration file to keep the ipf configuration succinct.

  1    The first example shows how a filter rule makes reference to a
       specific pool for matching of the source address.

       pass in from pool/100 to any

  The pool configuration below matches IP address 1.1.1.1 and any address in
  2.2.0.0/16, except for those in 2.2.2.0/24.

  table role = ipf type = tree number = 100
          { 1.1.1.1/32, 2.2.0.0/16, !2.2.2.0/24 };

  2    The following ipf.conf extract uses the fr_srcgrpmap/fr_dstgrpmap
       lookups with the group-map facility to look up the next group to use
       for filter processing, provided the call filter rule is matched.

       call now fr_srcgrpmap/1010 in all
       call now fr_dstgrpmap/2010 out all
       pass in all group 1020
       block in all group 1030
       pass out all group 2020
       block out all group 2040

  An ippool configuration to work with the above ipf.conf file might look
  like this:

  group-map in role = ipf number = 1010
          { 1.1.1.1/32, group = 1020; 3.3.0.0/16, group = 1030; };
  group-map out role = ipf number = 2010 group = 2020
          { 2.2.2.2/32; 4.4.0.0/16; 5.0.0.0/8, group = 2040; };
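
  The tree pool from example 1, evaluated in Python as an added illustration
  (not part of this manual page or of the IPFilter code).  It assumes that the
  most specific covering entry decides the result, which is how !2.2.2.0/24
  acts as an exception to 2.2.0.0/16; parse_tree_pool and pool_matches are
  hypothetical names.

```python
import ipaddress
import re

# Constructed sample: the tree pool from example 1 of this page.
SAMPLE = """
table role = ipf type = tree number = 100
        { 1.1.1.1/32, 2.2.0.0/16, !2.2.2.0/24 };
"""

def parse_tree_pool(text):
    """Return (pool_number, [(IPv4Network, negated), ...]) for one tree table."""
    m = re.search(r"table\s+role\s*=\s*ipf\s+type\s*=\s*tree\s+"
                  r"number\s*=\s*(\d+)\s*\{([^}]*)\}", text)
    if not m:
        raise ValueError("no tree table found")
    entries = []
    for item in m.group(2).split(","):
        item = item.strip()
        if not item:
            continue
        negated = item.startswith("!")
        # IPv4Network accepts a bare address (/32), a prefix length, or a
        # dotted-quad mask, covering addrmask and mask in the grammar.
        # strict=False masks off host bits (an assumption of this example).
        net = ipaddress.IPv4Network(item.lstrip("!").strip(), strict=False)
        entries.append((net, negated))
    return int(m.group(1)), entries

def pool_matches(entries, addr):
    """Assumed semantics: the longest covering prefix decides; "!" means no match."""
    ip = ipaddress.IPv4Address(addr)
    covering = [(net, neg) for net, neg in entries if ip in net]
    if not covering:
        return False          # address is not in the pool at all
    _, negated = max(covering, key=lambda e: e[0].prefixlen)
    return not negated        # a negated entry is an exception to a wider one

if __name__ == "__main__":
    number, entries = parse_tree_pool(SAMPLE)
    for a in ("1.1.1.1", "2.2.3.4", "2.2.2.9", "9.9.9.9"):
        verdict = "match" if pool_matches(entries, a) else "no match"
        print(f"pool/{number} {a}: {verdict}")
```

  Running a planned pool through a check like this before loading it shows
  whether an exception entry actually sits inside a wider covering entry.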

FILES
  /dev/ippool
  /etc/ippool.conf
  /etc/hosts

SEE ALSO
  ippool(8), hosts(5), ipf(5), ipf(8), ipnat(8)