| IPPOOL(5) | File Formats Manual | IPPOOL(5) | 
line ::= table | groupmap .
table ::= "table" role tabletype .
groupmap ::= "group-map" inout role number ipfgroup .
tabletype ::= ipftree | ipfhash .
role ::= "role" "=" "ipf" .
inout ::= "in" | "out" .
ipftree ::= "type" "=" "tree" number "{" addrlist "}" .
ipfhash ::= "type" "=" "hash" number hashopts "{" hashlist "}" .
ipfgroup ::= setgroup hashopts "{" grouplist "}" |
             hashopts "{" setgrouplist "}" .
setgroup ::= "group" "=" groupname .
hashopts ::= size [ seed ] | seed .
size ::= "size" number .
seed ::= "seed" number .
addrlist ::= [ "!" ] addrmask ";" [ addrlist ] .
grouplist ::= groupentry ";" [ grouplist ] | addrmask ";" [ grouplist ] .
setgrouplist ::= groupentry ";" [ setgrouplist ] .
groupentry ::= addrmask "," setgroup .
hashlist ::= hashentry ";" [ hashlist ] .
hashentry ::= addrmask .
addrmask ::= ipaddr | ipaddr "/" mask .
mask ::= number | ipaddr .
groupname ::= number | name .
number ::= digit { digit } .
ipaddr ::= host-num "." host-num "." host-num "." host-num .
host-num ::= digit [ digit [ digit ] ] .
digit ::= "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7" | "8" | "9" .
name ::= letter { letter | digit } .
The IP pool configuration file is used for defining a single object that contains a reference to multiple IP address/netmask pairs. A pool may consist of a mixture of netmask sizes, from 0 to 32.
At this point in time, only IPv4 addressing is supported.
The group-map command can only be used with filter rules that use the call command to invoke either fr_srcgrpmap or fr_dstgrpmap. These use the source or destination address, respectively, to determine which filter group to jump to next to continue packet processing.
pass in from pool/100 to any
    
The pool configuration for the rule above matches IP addresses 1.1.1.1 and any in 2.2.0.0/16, except for those in 2.2.2.0/24:
table role = ipf type = tree number = 100
        { 1.1.1.1/32; 2.2.0.0/16; !2.2.2.0/24 };
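The matching behaviour described for pool 100, as an added example that is not part of the original manual page or of IPFilter's code: a small Python parser for tree tables that checks which addresses a pool definition actually admits. The helper names and the rule that the most specific covering entry decides are assumptions modelled on the description above.

```python
import ipaddress
import re

# Constructed input: the tree table from this page's example.
POOL_CONF = """
table role = ipf type = tree number = 100
        { 1.1.1.1/32; 2.2.0.0/16; !2.2.2.0/24 };
"""

# The example writes "number = 100"; the grammar shows a bare number, so accept both.
TABLE_RE = re.compile(
    r"table\s+role\s*=\s*ipf\s+type\s*=\s*tree\s+number\s*=?\s*(\d+)\s*\{([^}]*)\}\s*;"
)

def parse_tree_tables(text):
    """Return {pool_number: [(network, negated), ...]} (hypothetical helper)."""
    pools = {}
    for number, body in TABLE_RE.findall(text):
        entries = []
        for item in (part.strip() for part in body.split(";")):
            if not item:
                continue
            negated = item.startswith("!")
            # Accepts addr, addr/bits and addr/dotted-mask, as in the addrmask rule.
            net = ipaddress.ip_network(item.lstrip("!").strip(), strict=False)
            if net.version != 4:
                raise ValueError(f"only IPv4 is supported: {item}")
            entries.append((net, negated))
        pools[int(number)] = entries
    return pools

def pool_matches(entries, addr):
    """Assumed semantics: the most specific covering entry decides; '!' means no match."""
    ip = ipaddress.ip_address(addr)
    hits = [(net.prefixlen, negated) for net, negated in entries if ip in net]
    if not hits:
        return False
    # On equal prefix lengths the negated entry sorts last, so the exception wins.
    _, negated = max(hits)
    return not negated

if __name__ == "__main__":
    pool = parse_tree_tables(POOL_CONF)[100]
    for addr in ("1.1.1.1", "2.2.3.4", "2.2.2.9", "3.3.3.3"):
        print(addr, "matches" if pool_matches(pool, addr) else "no match")
```

Running a pool definition through a check like this before loading it helps confirm that a negated entry carves out exactly the range intended.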
call now fr_srcgrpmap/1010 in all
call now fr_dstgrpmap/2010 out all
pass in all group 1020
block in all group 1030
pass out all group 2020
block out all group 2040
    
An ippool configuration to work with the above ipf.conf file might look like this:
group-map in role = ipf number = 1010
	{ 1.1.1.1/32, group = 1020; 3.3.0.0/16, group = 1030; };
group-map out role = ipf number = 2010 group = 2020
	{ 2.2.2.2/32; 4.4.0.0/16; 5.0.0.0/8, group = 2040; };
| BSD |