Forum Discussion
What's the best way to manage a huge list of ip packet filtering?
I suppose the best way here depends on a few factors, particularly:
- What you mean by "huge" - I'd use a data group to support large sets of "rules" with an iRule, but that and packet filter rules can handle fairly large sets of data.
- What types of rules you'd need to implement - is it port/IP ranges? Static source IPs?
- Your comfort with PF rules and/or iRules - if using a data group with an iRule, the iRule itself would probably be pretty simple and management would fall to maintaining the data group.
- Where and how you need the traffic to be filtered - an iRule would allow a complete 3-way handshake before potentially denying a request. A packet filter would not allow the handshake at all.
You can technically add a description field to a packet filter rule with TMSH, but oddly that doesn't show up in the GUI (only the shell).
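
Since the reply above puts the ongoing work in maintaining the list itself, here is an added example (not part of the original post and not F5 code) of normalizing a large address list before it is loaded anywhere: it merges adjacent and overlapping ranges, drops duplicates, and rejects malformed entries. The one-entry-per-line input format with `#` comments is an assumption, the sample list is constructed, and loading the result into a data group or packet filter is not shown.

```python
import ipaddress

# Constructed sample input: a hand-maintained list that has grown over time.
RAW_LIST = """\
# office ranges
10.1.0.0/24
10.1.1.0/24
10.1.0.17
192.0.2.10
192.0.2.10
198.51.100.0/25
198.51.100.128/25
2001:db8::/33
2001:db8:8000::/33
203.0.113.5/24
not-an-ip
"""

def normalize(raw):
    """Return (collapsed_networks, rejected) where rejected is [(lineno, entry)]."""
    v4, v6, rejected = [], [], []
    for lineno, line in enumerate(raw.splitlines(), 1):
        entry = line.split("#", 1)[0].strip()   # strip comments and whitespace
        if not entry:
            continue
        try:
            # strict=True rejects entries with host bits set (203.0.113.5/24),
            # which are usually typos rather than intended ranges.
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError:
            rejected.append((lineno, entry))
            continue
        (v4 if net.version == 4 else v6).append(net)
    # collapse_addresses merges adjacent ranges and removes entries already
    # covered by a wider one; it must be called per address family.
    collapsed = list(ipaddress.collapse_addresses(v4))
    collapsed += list(ipaddress.collapse_addresses(v6))
    return collapsed, rejected

def is_listed(addr, networks):
    """Check one address against the collapsed list (useful for spot checks)."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == n.version and ip in n for n in networks)

if __name__ == "__main__":
    nets, bad = normalize(RAW_LIST)
    for n in nets:
        print(n)
    for lineno, entry in bad:
        print(f"rejected line {lineno}: {entry!r}")
```

Rejected entries are reported with their line number so they can be corrected at the source instead of being silently dropped from the filter.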