IPFWCACHE(8)              BSD System Manager's Manual              IPFWCACHE(8)

NAME
     ipfwcache - set / delete / modify BSD IP Filter address

SYNOPSIS
     ipfwcache [-dv] [-s buckets] [-T tag] [address [...]]
DESCRIPTION
The ipfwcache utility is used to create and maintain address caches for
IPFW filters. An address cache is a hashed list of individual IP addresses
and can be used to speed up searching of a large set of disjoint addresses
(i.e., addresses for which network masks are of very little use). For a
smaller number of addresses it is typically more efficient to let the
filter search the addresses sequentially.
An address cache can also be used to allow dynamic adding and deletion of
IP addresses for a particular class of addresses.
An address cache is always put on the CALL chain and cannot be directly
invoked.
With no arguments, a new cache is created. When adding addresses the -T
option must be used to specify which cache should have the new addresses
added to it.
The following options are available:

     -d          Delete rather than add entries.

     -s buckets  The default number of hash buckets is 997. Increasing the
                 number of buckets for a very large number of addresses may
                 improve performance.

     -T tag      Specify the tag for this cache.

     -v          Be noisy while adding new entries.
When one or more addresses are specified they are inserted into the
specified cache. An address may have a trailing netmask attached (e.g.,
192.168.42.64/28). This should be used with caution: every address in the
network is then added as a separate entry. For example, 192.168.0.0/16
will add 65,536 entries to the cache.
FILTER SPECIFIC DATA
An address cache only checks one IP address. By default it checks the
destination address associated with the packet. With a filter specific
data value of 1 the source address is checked instead. For instance,
suppose a list of IP addresses associated with "bad guys" is installed in
a cache with the tag "bad-guys". A pre-input filter might be installed
with
call("bad-guys" : 1) { deny; }
This will deny all packets from the bad guys. The pre-output filter, to
prevent us from sending to the bad guys, would then have:
call("bad-guys") { deny; }
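The following model, added here as an illustration and not part of ipfwcache(8) or the IPFW code, shows the behaviour the two sections above describe: a cache of individual addresses kept in 997 hash buckets, a trailing netmask expanding to every address in the network (so a /16 really does cost 65,536 entries), -d removal, and the filter specific data value selecting source (1) versus destination (default) for the call("bad-guys" ...) checks. The class and function names, and the packet dictionaries and RFC 5737 addresses used as sample input, are constructed for the example.

```python
import ipaddress
from typing import Dict, List

# Default bucket count quoted by ipfwcache(8); a prime keeps int(addr) % n well spread.
DEFAULT_BUCKETS = 997


class AddressCache:
    """Model of one ipfwcache address cache: a hashed list of individual
    IPv4 addresses identified by its -T tag. Hypothetical class, not IPFW code."""

    def __init__(self, tag: str, buckets: int = DEFAULT_BUCKETS) -> None:
        self.tag = tag
        # One chain (list) per bucket, mirroring a chained hash table.
        self.buckets: List[List[ipaddress.IPv4Address]] = [[] for _ in range(buckets)]
        self.count = 0

    def _chain(self, addr: ipaddress.IPv4Address) -> List[ipaddress.IPv4Address]:
        return self.buckets[int(addr) % len(self.buckets)]

    @staticmethod
    def expand(spec: str) -> List[ipaddress.IPv4Address]:
        """Turn 'a.b.c.d' or 'a.b.c.d/len' into the individual addresses the
        utility would insert. A trailing netmask expands to EVERY address in the
        network (network and broadcast included), so a /16 yields 65,536 entries."""
        net = ipaddress.ip_network(spec, strict=False)
        return list(net)

    def add(self, spec: str) -> int:
        """Insert addresses; returns how many were new (duplicates are skipped)."""
        added = 0
        for addr in self.expand(spec):
            chain = self._chain(addr)
            if addr not in chain:
                chain.append(addr)
                self.count += 1
                added += 1
        return added

    def delete(self, spec: str) -> int:
        """Remove addresses (the -d option); returns how many were present."""
        removed = 0
        for addr in self.expand(spec):
            chain = self._chain(addr)
            if addr in chain:
                chain.remove(addr)
                self.count -= 1
                removed += 1
        return removed

    def contains(self, addr: str) -> bool:
        a = ipaddress.ip_address(addr)
        return a in self._chain(a)

    def longest_chain(self) -> int:
        """Length of the longest bucket chain; -s is the knob when this grows."""
        return max(len(c) for c in self.buckets)


def call(cache: AddressCache, packet: Dict[str, str], fsd: int = 0) -> bool:
    """Model of call("tag" : fsd): filter specific data 1 checks the packet's
    source address; anything else (the default) checks the destination."""
    field = "src" if fsd == 1 else "dst"
    return cache.contains(packet[field])


def pre_input(cache: AddressCache, packet: Dict[str, str]) -> str:
    # call("bad-guys" : 1) { deny; }   -- match on the source address
    return "deny" if call(cache, packet, 1) else "accept"


def pre_output(cache: AddressCache, packet: Dict[str, str]) -> str:
    # call("bad-guys") { deny; }       -- match on the destination address
    return "deny" if call(cache, packet) else "accept"


if __name__ == "__main__":
    bad_guys = AddressCache("bad-guys")
    bad_guys.add("198.51.100.7")        # one host (constructed, RFC 5737 range)
    bad_guys.add("203.0.113.0/28")      # trailing netmask: 16 entries
    inbound = {"src": "198.51.100.7", "dst": "192.0.2.10"}    # constructed packet
    outbound = {"src": "192.0.2.10", "dst": "203.0.113.9"}    # constructed packet
    print(bad_guys.count, pre_input(bad_guys, inbound), pre_output(bad_guys, outbound))
```

Running the block prints "17 deny deny". The same inbound packet checked with the default (destination) filter specific data would be accepted, which is why the pre-input rule in the page passes 1: on input the address of interest is the sender, on output it is the receiver.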
SEE ALSO
     ipfw(8), ipfwcmp(8), ipfwlog(8)

BSD                            January 19, 2000