In some mail from Saravana Manickam, sie said:
>
> Hello All,
> In my application there is a requirement that I block all
> packets from a list of IP addresses (which is generated dynamically) for
> a certain number of seconds using IPFilter. As more than one
> application may need this functionality, I thought of providing a
> shared library which would expose APIs to do the job.
>
> My design is: I have a data structure in my lib that has the
> list of blocked IPs and also a file (ipf_mine.conf) that would have a
> copy of the list. Every time the list is changed (i.e., an IP address is
> added or blocked) the changes would be reflected in the file too. Then I use
> the ipf command to load the new rules into the kernel.
> I also have system-wide static rules that will be
> permanently in the kernel and will be given higher priority, i.e., order
> of the rules and the quick statement.
>
> The problem is: for adding one IP address to the blocked
> list I have to change the contents of the file ipf_mine.conf and clear
> all the rules in the kernel, load my static rules and then load my
> ipf_mine.conf. This is apparently inefficient. Is there a better
> solution?
>
> 1. Is there a way I can use a bucket and say "block in from
> <bucket> to 10.0.0.1"? So that I can directly modify the bucket to
> add/remove an IP address.
Yes, this would be done using address pools.
> 2. Is there a way I can put my static rules permanently into
> the kernel? So that I can modify only my dynamic rules.
Yes, look for IPFILTER_COMPILED, look at "ipf -cc", ip_rules.c, etc.
Darren
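As an added illustration of the address-pool approach Darren points to (example code, not from the thread or from the IPFilter sources), the sketch below keeps the static rule set loaded once and changes only the pool contents with ippool. The pool name/number 100, the ipf role, the tree pool type and the 10.0.0.1 destination are assumptions; the rule text is generated by a function so it can be inspected without touching the kernel.

```shell
#!/bin/sh
# Added example: dynamic block list for IPFilter via an address pool.
# Assumptions: pool 100 (tree type, role ipf), ippool(8)/ipf(8) on PATH,
# the static rules loaded once from the output of ipf_rules.
POOL=100
ROLE=ipf

# Static rule set, loaded once (e.g. ipf -Fa -f -): the block rule references
# the pool, so adding or removing an address never requires a rule reload.
ipf_rules() {
    cat <<EOF
block in quick from pool/${POOL} to 10.0.0.1
pass in from any to 10.0.0.1
EOF
}

# Create the (initially empty) pool that the block rule refers to.
create_pool() {
    ippool -A -m "$POOL" -o "$ROLE" -t tree
}

# Accept only four dotted decimal octets in 0..255; anything else is refused
# before it reaches ippool, since the list is generated by other programs.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Add one host to the pool (a /32 node); takes effect for the next packet.
block_ip() {
    valid_ipv4 "$1" || return 1
    ippool -a -m "$POOL" -o "$ROLE" -i "$1"
}

# Remove the host again from the pool.
unblock_ip() {
    valid_ipv4 "$1" || return 1
    ippool -r -m "$POOL" -o "$ROLE" -i "$1"
}

# Block for a fixed number of seconds: the timer runs in the background,
# so the caller's list update returns immediately.
block_for() {
    block_ip "$1" || return 1
    ( sleep "$2"; unblock_ip "$1" ) &
}
```

`ippool -l -m 100` shows the current pool contents, which is the state to compare against the library's in-memory list.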