Re: pools of ports (instead of pools of ip addresses)

11-18-2007
Darren Reed
 

David Stes wrote:
> Greetings,
>
> I read about the *ippool* feature where the examples show how ippools can
> be defined as groups of ip addresses.
>
> Is it possible to use ippools for other objects as well?
>
> Like sets (pools) of tcp port numbers, for example.
>
> If this is possible, could you please give an example?
>
> It would be nice if a pool could be defined for example,
>
> pool ports = { telnet, ftp, rexec, www }
>
> so to speak, and then in the /etc/ipf.conf file it would be possible to
> accept (or block) traffic to that pool of "ports": instead of enumerating
> the ports in ipf.conf, a rule could just refer to the pool.
>
> I am also thinking specifically of my application of RPC filtering.
>
> I am trying to setup RPC call/response filtering, and I was thinking that
> it could be nice to use the IPFILTER ippool feature to define pools of RPC
> program numbers.
>
> For example, for NetWorker, I could define the pool as the union of
>
> portmapper and 390100:390120
>
> This is a pool of 1 rpc program number (100000, portmapper) + a set of about
> 20 other rpc program numbers.
>
>
> Is this possible, and does it make sense to try to extend the ippool feature
> to tcp/udp or rpc ports rather than using pools only for ip addresses?
>


Interesting idea!

I can't see why it shouldn't be extended like this...

I think the thing to do would be to define a new backend for ip_lookup.c
that managed a collection of port numbers (plus maybe protocol?).

If you limit it to doing exact port number matches, and given that the
port number space is much smaller, what I think would be interesting to
try is to build a backend that tried to maintain a perfect hash table, so
that both positive and negative lookups are O(1).

Darren
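
The backend sketched in the reply above, as an added example that is not IPFilter's code and not anything either poster wrote. It keys the pool on (protocol, port) and uses the simplest possible perfect hash for a 16-bit key space: a bitmap indexed by the port number, so every key has its own slot and positive and negative exact-match lookups are both O(1) with no collision handling. The function names (`pool_add`, `pool_lookup`, `pool_parse`, `demo_pool`), the inline service-name table standing in for /etc/services, and the pool spec syntax `{ telnet, ftp, rexec, www, 1024:1030 }` are all assumptions made for this illustration. It covers TCP/UDP ports only; the 32-bit RPC program numbers from the original question (100000, 390100:390120) do not fit a direct-indexed bitmap and would need a real hash table in the same backend.

```c
/* Added example, not IPFilter code: a sketch of the port-pool backend
 * suggested above. Keys are (protocol, port). The port space is only
 * 65536 wide, so a bitmap indexed by the port number is a trivially
 * perfect hash: each key owns one bit, positive and negative lookups
 * are O(1), and there are no collisions. Cost: 8 KiB per protocol. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PORT_SPACE 65536   /* 16-bit TCP/UDP port numbers */
#define PP_TCP 6           /* IP protocol numbers, as used in ipf rules */
#define PP_UDP 17

struct port_pool {
    uint8_t tcp[PORT_SPACE / 8];
    uint8_t udp[PORT_SPACE / 8];
};

static uint8_t *pool_map(struct port_pool *p, int proto)
{
    if (proto == PP_TCP) return p->tcp;
    if (proto == PP_UDP) return p->udp;
    return NULL;   /* only TCP and UDP carry port numbers */
}

/* Add one port; 0 on success, -1 for an unsupported protocol or bad port. */
int pool_add(struct port_pool *p, int proto, unsigned port)
{
    uint8_t *m = pool_map(p, proto);
    if (m == NULL || port >= PORT_SPACE) return -1;
    m[port >> 3] |= (uint8_t)(1u << (port & 7));
    return 0;
}

/* Exact-match lookup: 1 if (proto, port) is in the pool, else 0. */
int pool_lookup(struct port_pool *p, int proto, unsigned port)
{
    const uint8_t *m = pool_map(p, proto);
    if (m == NULL || port >= PORT_SPACE) return 0;
    return (m[port >> 3] >> (port & 7)) & 1;
}

/* Constructed stand-in for /etc/services, which a real backend would consult. */
static const struct { const char *name; unsigned port; } services[] = {
    { "ftp", 21 }, { "telnet", 23 }, { "www", 80 }, { "rexec", 512 },
};

static int service_port(const char *name, unsigned *port)
{
    size_t i;
    for (i = 0; i < sizeof(services) / sizeof(services[0]); i++)
        if (strcmp(services[i].name, name) == 0) { *port = services[i].port; return 0; }
    return -1;
}

/* Parse a spec like "{ telnet, ftp, rexec, www, 1024:1030 }" into the pool.
 * Members are service names, port numbers or lo:hi ranges. Returns the
 * number of members added, or -1 at the first member that cannot be parsed. */
int pool_parse(struct port_pool *p, int proto, const char *spec)
{
    char buf[256], *tok;
    int count = 0;

    if (strlen(spec) >= sizeof(buf)) return -1;
    strcpy(buf, spec);
    for (tok = strtok(buf, " \t\n,{}"); tok != NULL; tok = strtok(NULL, " \t\n,{}")) {
        unsigned lo, hi;
        if (sscanf(tok, "%u:%u", &lo, &hi) == 2) {          /* lo:hi range */
            if (lo > hi) return -1;
            for (; lo <= hi; lo++)
                if (pool_add(p, proto, lo) < 0) return -1;
        } else if (isdigit((unsigned char)tok[0])) {       /* single number */
            if (sscanf(tok, "%u", &lo) != 1 || pool_add(p, proto, lo) < 0) return -1;
        } else if (service_port(tok, &lo) < 0 || pool_add(p, proto, lo) < 0) {
            return -1;                                     /* unknown service name */
        }
        count++;
    }
    return count;
}

/* The poster's example pool, built once; hypothetical helper for the demo. */
struct port_pool *demo_pool(void)
{
    static struct port_pool pool;
    static int built;
    if (!built) {
        pool_parse(&pool, PP_TCP, "{ telnet, ftp, rexec, www, 1024:1030 }");
        built = 1;
    }
    return &pool;
}

int main(void)
{
    unsigned probe[] = { 21, 22, 23, 80, 512, 1027, 1031 };
    size_t i;
    for (i = 0; i < sizeof(probe) / sizeof(probe[0]); i++)
        printf("tcp/%u: %s\n", probe[i],
               pool_lookup(demo_pool(), PP_TCP, probe[i]) ? "in pool" : "not in pool");
    return 0;
}
```

Because the key space is fixed and tiny, the bitmap is both the hash table and the "perfect" hash function; the only cost is the 8 KiB per protocol, which is paid once per pool rather than per member. Scoping the map by protocol matters for the filtering use case: tcp/80 in the pool must not make udp/80 match.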
