matching a list of IP's

bof@oknodo.bof.de
Sun, 16 Jul 2000 14:25:32 +0200 (MEST)


> I did find it, in the April archive, and that can do even more than I need!
> The pools I wanted to use don't need to be dynamically modified. I guess this
> dynamical behaviour can be useful for maintaining a "black list" of IP's for
> the firewall to block, as the defensive response of an Intrusion Detection
> System.

My application is a bit different. I am working on a transparent proxy server,
using '-t nat -j REDIRECT' rules, and the pools provide the possibility to
selectively serve only a small set of IP addresses (think "freshly dialed in
user"); using the pool bit setting/resetting, the transproxy server process
can disable transproxy for a certain IP once it has done its thing.

> I think the other types of pools and lookups (binary searches, hash,
> sequential) are not very useful with IPv4, but might be absolutely needed
> for IPv6 addresses, when the addresses live in a space too big to be stored
> in a bitmap.

Yep. Haven't thought much about IPv6 yet, but those may come in handy.
The hash idea may be also useful for a service selection type gateway,
which does not serve a well-defined range of addresses, but instead has
a big number of clients from all over the place. Anyway, right now we
have bitmaps, and I'll keep it like that for now.

> Is there any issue with ippool, about stability, or crashes when put under
> heavy load, or anything?

Well, not to my knowledge :)

I am pretty sure that nearly nobody really used the code, outside the test
setups I've done here. At least I did not have much feedback from active use
(read: none at all). However, the code is pretty straightforward, and I
really don't expect problems. The bit setting/getting operations are the
usual kernel stuff, so they should be OK and race-free.

The biggest drawback of the implementation from back then was that once defined
you cannot remove a pool. For your application that should be OK.

> The latest version I found is 0.0.3, from April 25. Is it really the latest?

Apart from some code that does not compile, yes. Sorry for that. I have the
newest and greatest netfilter / kernel combo running now (booted 10 minutes
ago :-), and will work on reintegration now as time permits. No promises.

I'll try to port over the functionality from April, without much change,
so you have something to play with. In the long run, I'd like to make
the pool (or ipmap, I want to change the name...) another type of iptables
tables, like nat, mangle, and filter. It will have somewhat strange semantics,
but provide for a more integrated whole.

best regards
  Patrick
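
As an added illustration (not code from ippool, netfilter, or Patrick), a user-space C model of the bitmap pool described above: one bit per address of a fixed IPv4 prefix, set when a freshly dialed-in client should be redirected and reset once the transparent proxy has done its thing. The /16 range and the addresses in the walkthrough are constructed for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <arpa/inet.h>
struct ip_pool { uint32_t base, size; uint8_t *bits; };  /* one bit per address */

/* Create a pool for base/prefixlen (/8 to /32, so the bitmap stays small). */
static struct ip_pool *pool_create(const char *base, int prefixlen) {
    struct in_addr a;
    if (prefixlen < 8 || prefixlen > 32 || inet_pton(AF_INET, base, &a) != 1)
        return NULL;
    struct ip_pool *p = calloc(1, sizeof *p);
    if (!p) return NULL;
    p->size = 1u << (32 - prefixlen);
    p->base = ntohl(a.s_addr) & ~(p->size - 1);      /* drop host bits */
    if (!(p->bits = calloc((p->size + 7) / 8, 1))) { free(p); return NULL; }
    return p;
}
/* Bit index of a dotted-quad address, or -1 when it lies outside the range. */
static long pool_index(const struct ip_pool *p, const char *ip) {
    struct in_addr a;
    if (inet_pton(AF_INET, ip, &a) != 1) return -1;
    uint32_t h = ntohl(a.s_addr);
    return (h < p->base || h - p->base >= p->size) ? -1 : (long)(h - p->base);
}
/* Set (member=1) or reset (member=0) the bit; -1 if the address is out of range. */
static int pool_set(struct ip_pool *p, const char *ip, int member) {
    long i = pool_index(p, ip);
    if (i < 0) return -1;
    if (member) p->bits[i / 8] |= (uint8_t)(1u << (i % 8));
    else        p->bits[i / 8] &= (uint8_t)~(1u << (i % 8));
    return 0;
}
/* Membership test; out-of-range or malformed addresses are never members. */
static int pool_test(const struct ip_pool *p, const char *ip) {
    long i = pool_index(p, ip);
    return i >= 0 && ((p->bits[i / 8] >> (i % 8)) & 1);
}
/* The flow from the message: a dialed-in user is added, redirected while its bit
 * is set, and released once served. Returns 0, or the number of the failed step. */
static int transproxy_walkthrough(void) {
    struct ip_pool *p = pool_create("10.1.0.0", 16);   /* constructed dial-in range */
    if (!p) return 1;
    int rc = 0;
    if (pool_set(p, "10.1.2.3", 1) != 0)        rc = 2;  /* user dials in */
    else if (!pool_test(p, "10.1.2.3"))         rc = 3;  /* REDIRECT applies */
    else if (pool_set(p, "10.2.0.1", 1) != -1)  rc = 5;  /* outside the range */
    else if (pool_set(p, "10.1.2.3", 0) != 0)   rc = 6;  /* served: reset the bit */
    else if (pool_test(p, "10.1.2.3"))          rc = 7;  /* no longer redirected */
    free(p->bits); free(p);
    return rc;
}
```

The pool itself is never removed, mirroring the limitation mentioned above; only its bits change.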