System Administration Guide: IP Services

Using Oracle Solaris IP Filter's Address Pools Feature

Address pools establish a single reference that names a group of address/netmask pairs. Because a filtering rule can refer to the pool instead of listing every address, address pools reduce the time needed to match IP addresses against rules, and they make managing large groups of addresses easier.

Address pool configuration rules reside in the ippool.conf file. If you want the address pool rules to be loaded at boot time, create a file called /etc/ipf/ippool.conf in which to put address pool rules. If you do not want the address pool rules loaded at boot time, put the ippool.conf file in a location of your choice, and manually activate packet filtering with the ippool command.

Configuring Address Pools

Use the following syntax to create an address pool:

table role = role-name type = storage-format number = reference-number

table

Defines the reference for the multiple addresses.

role

Specifies the role of the pool in Oracle Solaris IP Filter. At this time, the only role you can reference is ipf.

type

Specifies the storage format for the pool.

number

Specifies the reference number that is used by the filtering rule.

For example, to reference the addresses 10.1.1.1 and 10.1.1.2 and the network 192.168.1.0/24 as pool number 13, you would include the following rule in the address pool configuration file:

table role = ipf type = tree number = 13
{ 10.1.1.1/32, 10.1.1.2/32, 192.168.1.0/24 };

Then, to reference pool number 13 in a filtering rule, construct a rule similar to the following example:

pass in from pool/13 to any

Note that you must load the pool file before loading the rules file that contains a reference to the pool. If you do not, the pool is undefined, as shown in the following output:

# ipfstat -io
empty list for ipfilter(out)
block in from pool/13(!) to any

Even if you add the pool later, the addition of the pool does not update the kernel rule set. You also need to reload the rules file that references the pool.
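The ordering dependency above (pool definitions must be loaded before the rules that reference them) is easy to check before touching the kernel rule set. The following script is an added example, not part of the Oracle documentation or the ippool/ipf tools: it parses the table definitions from an ippool.conf-style file, lists every pool/N reference in a rules file, reports references to pools that the pool file does not define, and can test whether a given IP address falls inside a pool. The sample configuration and rules embedded in it are constructed to mirror the pool 13 example on this page, plus one deliberately undefined reference (pool/42) to show the check firing. Only the `table role = ... type = ... number = ... { ... };` form shown on this page is parsed; other ippool.conf constructs are not handled.

```python
import ipaddress
import re

# Constructed sample pool file, mirroring the page's pool 13 definition.
SAMPLE_IPPOOL_CONF = """\
table role = ipf type = tree number = 13
{ 10.1.1.1/32, 10.1.1.2/32, 192.168.1.0/24 };
"""

# Constructed sample rules file: one valid reference, one to an undefined pool.
SAMPLE_RULES = """\
pass in from pool/13 to any
block in from pool/42 to any   # pool 42 is never defined above
"""

# Matches the "table role = X type = Y number = N { a, b, c };" form from the page.
TABLE_RE = re.compile(
    r"table\s+role\s*=\s*(?P<role>\w+)\s+type\s*=\s*(?P<type>\w+)"
    r"\s+number\s*=\s*(?P<num>\d+)\s*\{(?P<body>[^}]*)\}\s*;",
    re.S,
)

# Matches a pool reference such as "pool/13" inside a filtering rule.
POOL_REF_RE = re.compile(r"\bpool/(\d+)\b")


def parse_ippool_conf(text):
    """Return {pool_number: {"role", "type", "addresses"}} for each table block."""
    pools = {}
    for m in TABLE_RE.finditer(text):
        addrs = [a.strip() for a in m.group("body").split(",") if a.strip()]
        pools[int(m.group("num"))] = {
            "role": m.group("role"),
            "type": m.group("type"),
            "addresses": addrs,
        }
    return pools


def find_pool_refs(rules_text):
    """Return [(line_number, pool_number), ...] for every pool/N in the rules."""
    refs = []
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        line = line.split("#", 1)[0]  # ignore trailing comments
        for m in POOL_REF_RE.finditer(line):
            refs.append((lineno, int(m.group(1))))
    return refs


def undefined_pool_refs(pool_text, rules_text):
    """Rules that reference a pool the pool file does not define.

    Loading such a rules file yields the "pool/N(!)" marker shown by ipfstat.
    """
    pools = parse_ippool_conf(pool_text)
    return [(ln, n) for ln, n in find_pool_refs(rules_text) if n not in pools]


def pool_contains(pools, number, ip):
    """True if ip lies in any address/netmask pair of pool `number`."""
    addr = ipaddress.ip_address(ip)
    for cidr in pools.get(number, {}).get("addresses", []):
        if addr in ipaddress.ip_network(cidr, strict=False):
            return True
    return False


if __name__ == "__main__":
    pools = parse_ippool_conf(SAMPLE_IPPOOL_CONF)
    for num, info in pools.items():
        print(f"pool/{num}: role={info['role']} type={info['type']} "
              f"addresses={info['addresses']}")
    for lineno, num in undefined_pool_refs(SAMPLE_IPPOOL_CONF, SAMPLE_RULES):
        print(f"rules line {lineno}: pool/{num} is not defined in the pool file")
    print("192.168.1.77 in pool/13:", pool_contains(pools, 13, "192.168.1.77"))
```

Run the check against your real /etc/ipf/ippool.conf and rules file before loading them with ippool and ipf; an empty result from undefined_pool_refs means every referenced pool is defined, though the kernel still requires the pool file to be loaded first.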

For the complete grammar and syntax used to write packet filtering rules, see the ippool(4) man page.