The following examples show how the pool configuration file is used together with the ipf configuration file so that the ipf rules can stay succinct.
The first example shows how a filter rule refers to a specific pool to match the source address.
pass in from pool/100 to any
The pool configuration below matches IP address 1.1.1.1 and any address in 2.2.0.0/16, except for those in 2.2.2.0/24.
table role = ipf type = tree number = 100
{ 1.1.1.1/32; 2.2.0.0/16; !2.2.2.0/24 };
The following ipf.conf extract uses the fr_srcgrpmap/fr_dstgrpmap lookups, which use the group-map facility to look up the next group to use for filter processing, provided the call filter rule is matched.
call now fr_srcgrpmap/1010 in all
call now fr_dstgrpmap/2010 out all
pass in all group 1020
block in all group 1030
pass out all group 2020
block out all group 2040
An ippool configuration to work with the above ipf.conf file might look like this:
group-map in role = ipf number = 1010
{ 1.1.1.1/32, group = 1020; 3.3.0.0/16, group = 1030; };
group-map out role = ipf number = 2010 group = 2020
{ 2.2.2.2/32; 4.4.0.0/16; 5.0.0.0/8, group = 2040; };
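The sketch below is an added example, not code from ipf or ippool. It models how the pool/100 table and the two group-maps above resolve an address, which is useful for checking which rule group a given host will land in before loading the configuration. It assumes that the most specific matching prefix decides the result; the function and variable names are hypothetical.

```python
# Added illustration, not part of ipf/ippool. Assumes the most specific
# matching prefix decides the result for both pools and group-maps.
import ipaddress

# Entries copied from the pool and group-map examples above.
POOL_100 = ["1.1.1.1/32", "2.2.0.0/16", "!2.2.2.0/24"]
# (default group from the group-map header, {prefix: per-entry group})
GROUP_MAP_IN_1010 = (None, {"1.1.1.1/32": 1020, "3.3.0.0/16": 1030})
GROUP_MAP_OUT_2010 = (2020, {"2.2.2.2/32": None, "4.4.0.0/16": None,
                             "5.0.0.0/8": 2040})


def best_prefix(addr, prefixes):
    """Return the longest prefix in `prefixes` containing addr, or None."""
    ip = ipaddress.ip_address(addr)
    hits = [p for p in prefixes if ip in ipaddress.ip_network(p)]
    return max(hits, key=lambda p: ipaddress.ip_network(p).prefixlen,
               default=None)


def pool_matches(addr, entries):
    """True if addr is in the pool; a '!' entry excludes its range."""
    negated = {e.lstrip("!"): e.startswith("!") for e in entries}
    best = best_prefix(addr, negated)
    return best is not None and not negated[best]


def next_group(addr, group_map):
    """Group selected for addr, or None when no entry covers it."""
    default, entries = group_map
    best = best_prefix(addr, entries)
    if best is None:
        return None  # no entry covers the address, so no group is selected
    return entries[best] if entries[best] is not None else default


if __name__ == "__main__":
    for a in ("1.1.1.1", "2.2.9.9", "2.2.2.7", "9.9.9.9"):
        print(a, "pool/100 match:", pool_matches(a, POOL_100))
    for a in ("1.1.1.1", "3.3.4.5", "8.8.8.8"):
        print(a, "in  ->", next_group(a, GROUP_MAP_IN_1010))
    for a in ("2.2.2.2", "4.4.1.1", "5.6.7.8"):
        print(a, "out ->", next_group(a, GROUP_MAP_OUT_2010))
```

An address inside the negated range, such as 2.2.2.7, does not match pool/100, so the pass rule does not apply to it and its fate is decided by whatever other rules are loaded.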