IPSET(8)                                                              IPSET(8)



NAME
       ipset — administration tool for IP sets

SYNOPSIS
       ipset [ OPTIONS ] COMMAND [ COMMAND-OPTIONS ]

       COMMANDS := { create | add | del | test | destroy | list | save |
       restore | flush | rename | swap | help | version | - }

       OPTIONS := { -exist | -output { plain | save | xml } | -quiet |
       -resolve | -sorted | -name | -terse }

       ipset create SETNAME TYPENAME [ CREATE-OPTIONS ]

       ipset add SETNAME ADD-ENTRY [ ADD-OPTIONS ]

       ipset del SETNAME DEL-ENTRY [ DEL-OPTIONS ]

       ipset test SETNAME TEST-ENTRY [ TEST-OPTIONS ]

       ipset destroy [ SETNAME ]

       ipset list [ SETNAME ]

       ipset save [ SETNAME ]

       ipset restore

       ipset flush [ SETNAME ]

       ipset rename SETNAME-FROM SETNAME-TO

       ipset swap SETNAME-FROM SETNAME-TO

       ipset help [ TYPENAME ]

       ipset version

       ipset -

DESCRIPTION
       ipset is used to set up, maintain and inspect so-called IP sets in the
       Linux kernel. Depending on the type of the set, an IP set may store
       IP(v4/v6) addresses, (TCP/UDP) port numbers, IP and MAC address pairs,
       IP address and port number pairs, etc. See the set type definitions
       below.

       Iptables matches and targets referring to sets create references,
       which protect the given sets in the kernel. A set cannot be destroyed
       while even a single reference points to it.

OPTIONS
       The options that are recognized by ipset can be divided into several
       different groups.

   COMMANDS
       These options specify the desired action to perform. Only one of them
       can be specified on the command line unless otherwise specified below.
       For all the long versions of the command names, you need to use only
       enough letters to ensure that ipset can differentiate it from all other
       commands. The ipset parser follows the order here when looking for the
       shortest match in the long command names.

       n, create SETNAME TYPENAME [ CREATE-OPTIONS ]
              Create a set identified with setname and specified type. The
              type may require type specific options. If the -exist option is
              specified, ipset ignores the error otherwise raised when the
              same set (setname and create parameters are identical) already
              exists.

       add SETNAME ADD-ENTRY [ ADD-OPTIONS ]
              Add a given entry to the set. If the -exist option is specified,
              ipset ignores the error otherwise raised when the entry has
              already been added to the set.

       del SETNAME DEL-ENTRY [ DEL-OPTIONS ]
              Delete an entry from a set. If the -exist option is specified,
              ipset ignores the error otherwise raised when the entry is not
              in the set (or has already expired from it).

       test SETNAME TEST-ENTRY [ TEST-OPTIONS ]
              Test whether an entry is in a set or not. The exit status is
              zero if the tested entry is in the set and nonzero if it is
              missing from the set.

       x, destroy [ SETNAME ]
              Destroy the specified set or all the sets if none is given.

              If the set has got reference(s), nothing is done and no set is
              destroyed.

       list [ SETNAME ] [ OPTIONS ]
              List the header data and the entries for the specified set, or
              for all sets if none is given. The -resolve option can be used
              to force name lookups (which may be slow). When the -sorted
              option is given, the entries are listed sorted (if the given set
              type supports the operation). The option -output can be used to
              control the format of the listing: plain, save or xml. (The
              default is plain.) If the option -name is specified, just the
              names of the existing sets are listed. If the option -terse is
              specified, just the set names and headers are listed.

       save [ SETNAME ]
              Save the given set, or all sets if none is given, to stdout in a
              format that restore can read.

       restore
              Restore a saved session generated by save. The saved session
              can be fed from stdin.

       flush [ SETNAME ]
              Flush all entries from the specified set or flush all sets if
              none is given.

       e, rename SETNAME-FROM SETNAME-TO
              Rename a set. The set identified by SETNAME-TO must not exist.

       w, swap SETNAME-FROM SETNAME-TO
              Swap the content of two sets, or in other words, exchange the
              names of two sets. The referred sets must exist, and only sets
              of identical type can be swapped.

       help [ TYPENAME ]
              Print help and set type specific help if TYPENAME is specified.

       version
              Print program version.

       -      If a dash is specified as command, then ipset enters a simple
              interactive mode and the commands are read from the standard
              input. The interactive mode can be finished by entering the
              pseudo-command quit.

   OTHER OPTIONS
       The following additional options can be specified. The long option
       names cannot be abbreviated.

       -!, -exist
              Ignore errors when exactly the same set is to be created, an
              already added entry is added or a missing entry is deleted.

       -o, -output { plain | save | xml }
              Select the output format of the list command.

       -q, -quiet
              Suppress any output to stdout and stderr. ipset will still exit
              with error if it cannot continue.

       -r, -resolve
              When listing sets, enforce name lookup. The program will try to
              display the IP entries resolved to host names, which requires
              slow DNS lookups.

       -s, -sorted
              Sorted output. When listing sets, entries are listed sorted. Not
              supported yet.

       -n, -name
              List just the names of the existing sets, i.e. suppress listing
              of set headers and members.

       -t, -terse
              List the set names and headers, i.e. suppress listing of set
              members.

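       The following shell script is an added example; it is not part of the
       ipset man page or of the ipset project. It ties together the commands
       and options above: a save/restore style session is generated for a
       temporary set, -exist makes the create of the live set idempotent, and
       swap followed by destroy replaces the live set's contents atomically,
       so iptables rules referencing it never see a half-loaded set. Because
       restore parses every line it reads as an ipset command, the session
       is built by the script rather than by pasting a feed into it, and each
       feed entry is validated as a bare IPv4 address or prefix first, so a
       malformed or hostile line can neither smuggle in extra options nor
       abort the load. The set names blocklist and blocklist-tmp, the feed
       contents and the function names are constructed for this example; the
       create parameters are the defaults documented for hash:net below.

```sh
#!/bin/sh
# Added example (not from the ipset man page or project): validated
# restore session plus atomic swap. Set names and feed are constructed.

# Constructed sample feed. The last two lines are deliberately bad: an
# out-of-range octet and a line that is not an address at all.
FEED='192.0.2.0/24
198.51.100.17
203.0.113.0/25
300.1.2.3/24
destroy blocklist'

# Return 0 if $1 is exactly a dotted-quad IPv4 address with an optional
# /0-32 prefix and nothing else (no options, no whitespace, no commands).
ip4_cidr_ok() {
    _addr=${1%/*}
    _pfx=${1#*/}
    [ "$_pfx" = "$1" ] && _pfx=32            # no prefix given: host entry
    case "$_pfx" in ''|*[!0-9]*) return 1 ;; esac
    [ "$_pfx" -le 32 ] || return 1
    _n=0
    _old_ifs=$IFS; IFS=.
    for _o in $_addr; do
        IFS=$_old_ifs
        case "$_o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$_o" -le 255 ] || return 1
        _n=$((_n + 1))
    done
    IFS=$_old_ifs
    [ "$_n" -eq 4 ]
}

# build_restore_session SETNAME: read feed lines on stdin and print a
# session that "ipset restore" can load. Only validated entries become
# "add" lines; everything else is reported on stderr and skipped.
build_restore_session() {
    _set=$1
    echo "create $_set hash:net family inet hashsize 1024 maxelem 65536"
    while IFS= read -r _line; do
        [ -n "$_line" ] || continue
        if ip4_cidr_ok "$_line"; then
            echo "add $_set $_line"
        else
            echo "skipping invalid feed entry: $_line" >&2
        fi
    done
}

# Stand-alone run. The real load needs root and the ip_set kernel modules;
# without them only the generated session is printed.
if command -v ipset >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
    # -exist: re-creating the live set with identical parameters is not an
    # error, so the script can be re-run safely.
    ipset -exist create blocklist hash:net family inet hashsize 1024 maxelem 65536
    ipset -quiet destroy blocklist-tmp 2>/dev/null || true   # leftover from an aborted run
    printf '%s\n' "$FEED" | build_restore_session blocklist-tmp | ipset restore
    ipset swap blocklist-tmp blocklist    # live set now holds the new feed
    ipset destroy blocklist-tmp           # discard the old contents
else
    printf '%s\n' "$FEED" | build_restore_session blocklist-tmp
fi
```

       The swap works only because both sets are created with the same type;
       the swap command refuses sets of different types, so the create line
       in the session must mirror the live set's create parameters.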
SET TYPES
       A set type comprises the storage method by which the data is stored
       and the data type(s) which are stored in the set. Therefore the
       TYPENAME parameter of the create command follows the syntax

       TYPENAME := method:datatype[,datatype[,datatype]]

       where the current list of the methods is bitmap, hash, and list and
       the possible data types are ip, net, mac, port and iface. The
       dimension of a set is equal to the number of data types in its type
       name.

       When adding, deleting or testing entries in a set, the same comma
       separated data syntax must be used for the entry parameter of the
       commands, i.e.

       ipset add foo ipaddr,portnum,ipaddr

       The bitmap and list types use a fixed sized storage. The hash types use
       a hash to store the elements. In order to avoid clashes in the hash, a
       limited number of chaining, and if that is exhausted, the doubling of
       the hash size is performed when adding entries by the ipset command.
       When entries are added by the SET target of iptables/ip6tables, then
       the hash size is fixed and is not doubled, even if the new entry cannot
       be added to the set.

       All set types support the optional

       timeout value

       parameter when creating a set and adding entries. The value of the
       timeout parameter for the create command means the default timeout
       value (in seconds) for new entries. If a set is created with timeout
       support, then the same timeout option can be used to specify
       non-default timeout values when adding entries. A zero timeout value
       means the entry is added permanently to the set. The timeout value of
       already added elements can be changed by re-adding the element using
       the -exist option.

       The hash set types which can store net type of data (i.e. hash:*net*)
       support the optional

       nomatch

       option when adding entries. When matching elements in the set, entries
       marked as nomatch are skipped as if they had not been added to the
       set, which makes it possible to build up sets with exceptions. See the
       example at hash type hash:net below.

       If host names or service names with a dash in the name are used
       instead of IP addresses or service numbers, then the host name or
       service name must be enclosed in square brackets. Example:

              ipset add foo [test-hostname],[ftp-data]

   bitmap:ip
       The bitmap:ip set type uses a memory range to store either IPv4 host
       (default) or IPv4 network addresses. A bitmap:ip type of set can store
       up to 65536 entries.

       CREATE-OPTIONS := range fromip-toip|ip/cidr [ netmask cidr ] [ timeout
       value ]

       ADD-ENTRY := { ip | fromip-toip | ip/cidr }

       ADD-OPTIONS := [ timeout value ]

       DEL-ENTRY := { ip | fromip-toip | ip/cidr }

       TEST-ENTRY := ip

       Mandatory create options:

       range fromip-toip|ip/cidr
              Create the set from the specified inclusive address range
              expressed in an IPv4 address range or network. The size of the
              range (in entries) cannot exceed the limit of maximum 65536
              elements.

       Optional create options:

       netmask cidr
              When the optional netmask parameter is specified, network
              addresses will be stored in the set instead of IP host
              addresses. The cidr prefix value must be between 1-32. An IP
              address will be in the set if the network address, which
              results from masking the address with the netmask calculated
              from the specified prefix, can be found in the set.

       The bitmap:ip type supports adding or deleting multiple entries in one
       command.

       Examples:

              ipset create foo bitmap:ip range 192.168.0.0/16

              ipset add foo 192.168.1/24

              ipset test foo 192.168.1.1

   bitmap:ip,mac
       The bitmap:ip,mac set type uses a memory range to store IPv4 and MAC
       address pairs. A bitmap:ip,mac type of set can store up to 65536
       entries.

       CREATE-OPTIONS := range fromip-toip|ip/cidr [ timeout value ]

       ADD-ENTRY := ip[,macaddr]

       ADD-OPTIONS := [ timeout value ]

       DEL-ENTRY := ip[,macaddr]

       TEST-ENTRY := ip[,macaddr]

       Mandatory options to use when creating a bitmap:ip,mac type of set:

       range fromip-toip|ip/cidr
              Create the set from the specified inclusive address range
              expressed in an IPv4 address range or network. The size of the
              range cannot exceed the limit of maximum 65536 entries.

       The bitmap:ip,mac type is exceptional in the sense that the MAC part
       can be left out when adding/deleting/testing entries in the set. If we
       add an entry without the MAC address specified, then the first time
       the entry is matched by the kernel, it will automatically fill out the
       missing MAC address with the source MAC address from the packet. If
       the entry was specified with a timeout value, the timer starts when
       the IP and MAC address pair is complete.

       The bitmap:ip,mac type of sets require two src/dst parameters of the
       set match and SET target netfilter kernel modules, and the second one
       must be src to match, add or delete entries, because the set match and
       SET target have access to the source MAC address only.

       Examples:

              ipset create foo bitmap:ip,mac range 192.168.0.0/16

              ipset add foo 192.168.1.1,12:34:56:78:9A:BC

              ipset test foo 192.168.1.1

   bitmap:port
       The bitmap:port set type uses a memory range to store port numbers and
       such a set can store up to 65536 ports.

       CREATE-OPTIONS := range fromport-toport [ timeout value ]

       ADD-ENTRY := { port | fromport-toport }

       ADD-OPTIONS := [ timeout value ]

       DEL-ENTRY := { port | fromport-toport }

       TEST-ENTRY := port

       Mandatory options to use when creating a bitmap:port type of set:

       range fromport-toport
              Create the set from the specified inclusive port range.

       The set match and SET target netfilter kernel modules interpret the
       stored numbers as TCP or UDP port numbers.

       Examples:

              ipset create foo bitmap:port range 0-1024

              ipset add foo 80

              ipset test foo 80

   hash:ip
       The hash:ip set type uses a hash to store IP host addresses (default)
       or network addresses. A zero-valued IP address cannot be stored in a
       hash:ip type of set.

       CREATE-OPTIONS := [ family { inet | inet6 } ] [ hashsize value ] [
       maxelem value ] [ netmask cidr ] [ timeout value ]

       ADD-ENTRY := ipaddr

       ADD-OPTIONS := [ timeout value ]

       DEL-ENTRY := ipaddr

       TEST-ENTRY := ipaddr

       Optional create options:

       family { inet | inet6 }
              The protocol family of the IP addresses to be stored in the set.
              The default is inet, i.e. IPv4.

       hashsize value
              The initial hash size for the set, default is 1024. The hash
              size must be a power of two; the kernel automatically rounds up
              non power of two hash sizes to the first correct value.

       maxelem value
              The maximal number of elements which can be stored in the set,
              default 65536.

       netmask cidr
              When the optional netmask parameter is specified, network
              addresses will be stored in the set instead of IP host
              addresses. The cidr prefix value must be between 1-32 for IPv4
              and between 1-128 for IPv6. An IP address will be in the set if
              the network address, which results from masking the address
              with the netmask calculated from the prefix, can be found in
              the set.

       For the inet family one can add or delete multiple entries by
       specifying a range or a network:

       ipaddr := { ip | fromaddr-toaddr | ip/cidr }

       Examples:

              ipset create foo hash:ip netmask 30

              ipset add foo 192.168.1.0/24

              ipset test foo 192.168.1.2

   hash:net
       The hash:net set type uses a hash to store different sized IP network
       addresses. A network address with zero prefix size cannot be stored in
       this type of set.

       CREATE-OPTIONS := [ family { inet | inet6 } ] [ hashsize value ] [
       maxelem value ] [ timeout value ]

       ADD-ENTRY := netaddr

       ADD-OPTIONS := [ timeout value ] [ nomatch ]

       DEL-ENTRY := netaddr

       TEST-ENTRY := netaddr

       where netaddr := ip[/cidr]

       Optional create options:

       family { inet | inet6 }
              The protocol family of the IP addresses to be stored in the set.
              The default is inet, i.e. IPv4.

       hashsize value
              The initial hash size for the set, default is 1024. The hash
              size must be a power of two; the kernel automatically rounds up
              non power of two hash sizes to the first correct value.

       maxelem value
              The maximal number of elements which can be stored in the set,
              default 65536.

       For the inet family one can add or delete multiple entries by
       specifying a range, which is converted internally to network(s) equal
       to the range:

       netaddr := { ip[/cidr] | fromaddr-toaddr }

       When adding/deleting/testing entries, if the cidr prefix parameter is
       not specified, then the host prefix value is assumed. When
       adding/deleting entries, the exact element is added/deleted and
       overlapping elements are not checked by the kernel. When testing
       entries, if a host address is tested, then the kernel tries to match
       the host address in the networks added to the set and reports the
       result accordingly.

       From the set netfilter match point of view the searching for a match
       always starts from the smallest size of netblock (most specific
       prefix) to the largest one (least specific prefix) added to the set.
       When adding/deleting IP addresses to the set by the SET netfilter
       target, it will be added/deleted by the most specific prefix which
       can be found in the set, or by the host prefix value if the set is
       empty.

       The lookup time grows linearly with the number of the different prefix
       values added to the set.

       Example:

              ipset create foo hash:net

              ipset add foo 192.168.0.0/24

              ipset add foo 10.1.0.0/16

              ipset add foo 192.168.0/24

              ipset add foo 192.168.0/30 nomatch

       When matching the elements in the set above, all IP addresses will
       match from the networks 192.168.0.0/24, 10.1.0.0/16 and 192.168.0/24
       except 192.168.0/30.

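       The following shell script is an added example, not part of the ipset
       man page or of the ipset project: a small model of the hash:net
       matching rules described above, written so they can be checked without
       root or kernel support. Elements are stored as (masked network, prefix
       length) pairs; a lookup walks the distinct prefix lengths present in
       the set from most to least specific and probes the masked address at
       each one, which is why the cost grows with the number of different
       prefix values rather than with the number of elements; and a nomatch
       hit at the most specific length ends the search with "no match", which
       is what makes 192.168.0/30 an exception inside 192.168.0.0/24. The
       function names, the storage in shell variables and the need for a
       shell with 64-bit arithmetic are assumptions of this example; the
       kernel's real data structure is not reproduced.

```sh
#!/bin/sh
# Added example (not from the ipset man page or project): a model of
# hash:net lookup with nomatch exceptions. Needs 64-bit shell arithmetic
# (bash, dash and busybox ash qualify).

HASHNET=""         # elements as "netint/cidr:match" or "netint/cidr:nomatch"
HASHNET_CIDRS=""   # distinct prefix lengths present, most specific first

# Dotted-quad IPv4 address to integer. Missing trailing octets are taken
# as zero, so the abbreviated form ipset accepts (192.168.0/24) works too.
ip4_to_int() {
    _old_ifs=$IFS; IFS=.
    set -- $1 0 0 0
    IFS=$_old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Netmask integer for a prefix length 0..32.
mask_of() {
    if [ "$1" -eq 0 ]; then
        echo 0
    else
        echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
    fi
}

# hn_add ip[/cidr] [nomatch]: store the element under its masked network
# and prefix length, and record the prefix length once.
hn_add() {
    _net=${1%/*}; _cidr=${1#*/}
    [ "$_cidr" = "$1" ] && _cidr=32          # no prefix: host prefix assumed
    _key=$(( $(ip4_to_int "$_net") & $(mask_of "$_cidr") ))
    HASHNET="$HASHNET $_key/$_cidr:${2:-match}"
    case " $HASHNET_CIDRS " in
        *" $_cidr "*) ;;
        *) HASHNET_CIDRS=$(printf '%s\n' $HASHNET_CIDRS "$_cidr" | sort -rn | tr '\n' ' ') ;;
    esac
}

# hn_test ip: return 0 if the address matches the set, 1 otherwise.
# One probe per distinct prefix length, most specific first.
hn_test() {
    _ip=$(ip4_to_int "$1")
    for _c in $HASHNET_CIDRS; do
        _key=$(( _ip & $(mask_of "$_c") ))
        for _e in $HASHNET; do
            case "$_e" in
                "$_key/$_c:nomatch") return 1 ;;   # exception: stop, no match
                "$_key/$_c:match")   return 0 ;;
            esac
        done
    done
    return 1
}

# The set from the hash:net example above. 192.168.0.0/24 and 192.168.0/24
# are the same element, so it is added once.
hn_add 192.168.0.0/24
hn_add 10.1.0.0/16
hn_add 192.168.0/30 nomatch

for _a in 192.168.0.1 192.168.0.4 192.168.0.200 10.1.77.9 172.16.0.1; do
    if hn_test "$_a"; then echo "$_a matches"; else echo "$_a does not match"; fi
done
```

       Running it prints that 192.168.0.1 does not match (it falls inside the
       nomatch /30), while 192.168.0.4 and 192.168.0.200 do (their /30 probe
       finds nothing, so the /24 probe decides), 10.1.77.9 matches via the
       /16, and 172.16.0.1 matches nothing.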
   hash:ip,port
       The hash:ip,port set type uses a hash to store IP address and port
       number pairs. The port number is interpreted together with a protocol
       (default TCP) and a zero protocol number cannot be used.

       CREATE-OPTIONS := [ family { inet | inet6 } ] [ hashsize value ] [
       maxelem value ] [ timeout value ]

       ADD-ENTRY := ipaddr,[proto:]port

       ADD-OPTIONS := [ timeout value ]

       DEL-ENTRY := ipaddr,[proto:]port

       TEST-ENTRY := ipaddr,[proto:]port

       Optional create options:

       family { inet | inet6 }
              The protocol family of the IP addresses to be stored in the set.
              The default is inet, i.e. IPv4.

       hashsize value
              The initial hash size for the set, default is 1024. The hash
              size must be a power of two; the kernel automatically rounds up
              non power of two hash sizes to the first correct value.

       maxelem value
              The maximal number of elements which can be stored in the set,
              default 65536.

       For the inet family one can add or delete multiple entries by
       specifying a range or a network of IPv4 addresses in the IP address
       part of the entry:

       ipaddr := { ip | fromaddr-toaddr | ip/cidr }

       The [proto:]port part of the elements may be expressed in the following
       forms, where the range variations are valid when adding or deleting
       entries:

       portname[-portname]
              TCP port or range of ports expressed in TCP portname identifiers
              from /etc/services

       portnumber[-portnumber]
              TCP port or range of ports expressed in TCP port numbers

       tcp|sctp|udp|udplite:portname|portnumber[-portname|portnumber]
              TCP, SCTP, UDP or UDPLITE port or port range expressed in port
              name(s) or port number(s)

       icmp:codename|type/code
              ICMP codename or type/code. The supported ICMP codename
              identifiers can always be listed by the help command.

       icmpv6:codename|type/code
              ICMPv6 codename or type/code. The supported ICMPv6 codename
              identifiers can always be listed by the help command.

       proto:0
              All other protocols, as an identifier from /etc/protocols or a
              number. The pseudo port number must be zero.

       The hash:ip,port type of sets require two src/dst parameters of the set
       match and SET target kernel modules.

       Examples:

              ipset create foo hash:ip,port

              ipset add foo 192.168.1.0/24,80-82

              ipset add foo 192.168.1.1,udp:53

              ipset add foo 192.168.1.1,vrrp:0

              ipset test foo 192.168.1.1,80

   hash:net,port
       The hash:net,port set type uses a hash to store different sized IP
       network address and port pairs. The port number is interpreted together
       with a protocol (default TCP) and a zero protocol number cannot be
       used. A network address with zero prefix size is not accepted either.

       CREATE-OPTIONS := [ family { inet | inet6 } ] [ hashsize value ] [
       maxelem value ] [ timeout value ]

       ADD-ENTRY := netaddr,[proto:]port

       ADD-OPTIONS := [ timeout value ] [ nomatch ]

       DEL-ENTRY := netaddr,[proto:]port

       TEST-ENTRY := netaddr,[proto:]port

       where netaddr := ip[/cidr]

       Optional create options:

       family { inet | inet6 }
              The protocol family of the IP addresses to be stored in the set.
              The default is inet, i.e. IPv4.

       hashsize value
              The initial hash size for the set, default is 1024. The hash
              size must be a power of two; the kernel automatically rounds up
              non power of two hash sizes to the first correct value.

       maxelem value
              The maximal number of elements which can be stored in the set,
              default 65536.

       For the netaddr part of the elements see the description at the
       hash:net set type. For the [proto:]port part of the elements see the
       description at the hash:ip,port set type.

       When adding/deleting/testing entries, if the cidr prefix parameter is
       not specified, then the host prefix value is assumed. When
       adding/deleting entries, the exact element is added/deleted and
       overlapping elements are not checked by the kernel. When testing
       entries, if a host address is tested, then the kernel tries to match
       the host address in the networks added to the set and reports the
       result accordingly.

       From the set netfilter match point of view the searching for a match
       always starts from the smallest size of netblock (most specific
       prefix) to the largest one (least specific prefix) added to the set.
       When adding/deleting IP addresses to the set by the SET netfilter
       target, it will be added/deleted by the most specific prefix which
       can be found in the set, or by the host prefix value if the set is
       empty.

       The lookup time grows linearly with the number of the different prefix
       values added to the set.

       Examples:

              ipset create foo hash:net,port

              ipset add foo 192.168.0/24,25

              ipset add foo 10.1.0.0/16,80

              ipset test foo 192.168.0/24,25

   hash:ip,port,ip
       The hash:ip,port,ip set type uses a hash to store IP address, port
       number and a second IP address triples. The port number is interpreted
       together with a protocol (default TCP) and a zero protocol number
       cannot be used.

       CREATE-OPTIONS := [ family { inet | inet6 } ] [ hashsize value ] [
       maxelem value ] [ timeout value ]

       ADD-ENTRY := ipaddr,[proto:]port,ip

       ADD-OPTIONS := [ timeout value ]

       DEL-ENTRY := ipaddr,[proto:]port,ip

       TEST-ENTRY := ipaddr,[proto:]port,ip

       For the first ipaddr and [proto:]port parts of the elements see the
       descriptions at the hash:ip,port set type.

       Optional create options:

       family { inet | inet6 }
              The protocol family of the IP addresses to be stored in the set.
              The default is inet, i.e. IPv4.

       hashsize value
              The initial hash size for the set, default is 1024. The hash
              size must be a power of two; the kernel automatically rounds up
              non power of two hash sizes to the first correct value.

       maxelem value
              The maximal number of elements which can be stored in the set,
              default 65536.

       The hash:ip,port,ip type of sets require three src/dst parameters of
       the set match and SET target kernel modules.

       Examples:

              ipset create foo hash:ip,port,ip

              ipset add foo 192.168.1.1,80,10.0.0.1

              ipset test foo 192.168.1.1,udp:53,10.0.0.1

   hash:ip,port,net
       The hash:ip,port,net set type uses a hash to store IP address, port
       number and IP network address triples. The port number is interpreted
       together with a protocol (default TCP) and a zero protocol number
       cannot be used. A network address with zero prefix size cannot be
       stored either.

       CREATE-OPTIONS := [ family { inet | inet6 } ] [ hashsize value ] [
       maxelem value ] [ timeout value ]

       ADD-ENTRY := ipaddr,[proto:]port,netaddr

       ADD-OPTIONS := [ timeout value ] [ nomatch ]

       DEL-ENTRY := ipaddr,[proto:]port,netaddr

       TEST-ENTRY := ipaddr,[proto:]port,netaddr

       where netaddr := ip[/cidr]

       For the ipaddr and [proto:]port parts of the elements see the
       descriptions at the hash:ip,port set type. For the netaddr part of the
       elements see the description at the hash:net set type.

       Optional create options:

       family { inet | inet6 }
              The protocol family of the IP addresses to be stored in the set.
              The default is inet, i.e. IPv4.

       hashsize value
              The initial hash size for the set, default is 1024. The hash
              size must be a power of two; the kernel automatically rounds up
              non power of two hash sizes to the first correct value.

       maxelem value
              The maximal number of elements which can be stored in the set,
              default 65536.

       From the set netfilter match point of view the searching for a match
       always starts from the smallest size of netblock (most specific
       cidr) to the largest one (least specific cidr) added to the set. When
       adding/deleting triples to the set by the SET netfilter target, it
       will be added/deleted by the most specific cidr which can be found in
       the set, or by the host cidr value if the set is empty.

       The lookup time grows linearly with the number of the different cidr
       values added to the set.

       The hash:ip,port,net type of sets require three src/dst parameters of
       the set match and SET target kernel modules.

       Examples:

              ipset create foo hash:ip,port,net

              ipset add foo 192.168.1,80,10.0.0/24

              ipset add foo 192.168.2,25,10.1.0.0/16

              ipset test foo 192.168.1,80,10.0.0/24

722   hash:net,iface
723       The  hash:net,iface  set  type  uses a hash to store different sized IP
724       network address and interface name pairs.  Network  address  with  zero
725       prefix size is not accepted.
726
727       CREATE-OPTIONS  :=  [  family { inet | inet6 } ] | [ hashsize value ] [
728       maxelem value ] [ timeout value ]
729
730       ADD-ENTRY := netaddr,[physdev:]iface
731
732       ADD-OPTIONS := [ timeout value ]  [ nomatch ]
733
734       DEL-ENTRY := netaddr,[physdev:]iface
735
736       TEST-ENTRY := netaddr,[physdev:]iface
737
738       where netaddr := ip[/cidr]
739
740       Optional create options:
741
742       family { inet | inet6 }
              The protocol family of the IP addresses to be stored in the set.
              The default is inet, i.e. IPv4.

       hashsize value
              The initial hash size for the set, default is 1024. The hash
              size must be a power of two; the kernel automatically rounds up
              non-power-of-two hash sizes to the first correct value.

       maxelem value
              The maximal number of elements which can be stored in the set,
              default 65536.

       For the netaddr part of the elements see the description at the
       hash:net set type.

       When adding/deleting/testing entries, if the cidr prefix parameter is
       not specified, then the host prefix value is assumed. When
       adding/deleting entries, the exact element is added/deleted and
       overlapping elements are not checked by the kernel. When testing
       entries, if a host address is tested, then the kernel tries to match
       the host address in the networks added to the set and reports the
       result accordingly.

       From the set netfilter match point of view, the search for a match
       always starts from the smallest netblock (most specific prefix) and
       proceeds to the largest one (least specific prefix) added to the set.
       When adding/deleting IP addresses to the set by the SET netfilter
       target, they will be added/deleted by the most specific prefix which
       can be found in the set, or by the host prefix value if the set is
       empty.

       The second direction parameter of the set match and SET target modules
       corresponds to the incoming/outgoing interface: src to the incoming,
       while dst to the outgoing. When the interface is flagged with physdev:,
       the interface is interpreted as the incoming/outgoing bridge port.

       The lookup time grows linearly with the number of the different prefix
       values added to the set.

       The internal restriction of the hash:net,iface set type is that the
       same network prefix cannot be stored with more than 64 different
       interfaces in a single set.

       Examples:

              ipset create foo hash:net,iface

              ipset add foo 192.168.0/24,eth0

              ipset add foo 10.1.0.0/16,eth1

              ipset test foo 192.168.0/24,eth0
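
       The add/delete/test semantics described above (host prefix assumed
       when the cidr is omitted, exact add/delete with no overlap checking,
       host lookups that try the most specific prefix first, lookup cost that
       grows with the number of distinct prefix lengths) as a toy model in
       Python. This is an added example, not ipset code and not part of this
       manual page; it assumes the inet (IPv4) family only, and the class and
       function names (NetIfaceSet, parse_entry, lookup) are hypothetical.

```python
import ipaddress

# Added example, not ipset code: a toy model of the documented hash:net,iface
# semantics. Family inet (IPv4) is assumed; the class and function names are
# hypothetical and exist only for this illustration.

HOST_PREFIX = 32  # host prefix value assumed when no cidr is given (inet)


def parse_entry(entry):
    """Turn 'net[/cidr],[physdev:]iface' into an exact (network, iface, physdev) key."""
    net_s, iface = entry.split(",", 1)
    physdev = iface.startswith("physdev:")
    if physdev:
        iface = iface[len("physdev:"):]  # bridge port rather than interface
    addr, _, cidr = net_s.partition("/")
    addr += ".0" * (3 - addr.count("."))  # ipset accepts 192.168.0/24; pad it
    cidr = cidr or str(HOST_PREFIX)  # cidr omitted: host prefix assumed
    # strict=False masks the host bits, as ipset does for 10.1.2.3/16 -> 10.1.0.0/16
    return ipaddress.ip_network(f"{addr}/{cidr}", strict=False), iface, physdev


def format_key(key):
    """Render an exact key back into ipset's 'net/cidr,[physdev:]iface' form."""
    net, iface, physdev = key
    return f"{net},{'physdev:' if physdev else ''}{iface}"


class NetIfaceSet:
    """Stores exact elements; overlaps between elements are never checked."""

    def __init__(self):
        self.elements = set()

    def add(self, entry):
        """Exact add. Returns False if the element is already present
        (ipset reports an error here unless -exist is given)."""
        key = parse_entry(entry)
        if key in self.elements:
            return False
        self.elements.add(key)
        return True

    def delete(self, entry):
        """Exact delete: a covering network does not make the entry deletable."""
        key = parse_entry(entry)
        if key not in self.elements:
            return False
        self.elements.remove(key)
        return True

    def prefix_lengths(self):
        """Distinct prefix lengths, most specific first; a host lookup tries
        each of them, so lookup time grows linearly with this list."""
        return sorted({net.prefixlen for net, _, _ in self.elements}, reverse=True)

    def lookup(self, host_entry):
        """Host lookup as the set match performs it: most specific prefix wins.
        Returns the matching element as 'net/cidr,iface' or None."""
        host, iface, physdev = parse_entry(host_entry)
        if host.prefixlen != HOST_PREFIX:
            raise ValueError("lookup() takes a host address, not a network")
        for plen in self.prefix_lengths():
            net = ipaddress.ip_network(f"{host.network_address}/{plen}", strict=False)
            key = (net, iface, physdev)
            if key in self.elements:
                return format_key(key)
        return None

    def test(self, entry):
        """ipset test: exact element when a cidr is given, else a host lookup."""
        if "/" in entry.split(",", 1)[0]:
            return parse_entry(entry) in self.elements
        return self.lookup(entry) is not None


if __name__ == "__main__":
    foo = NetIfaceSet()
    for e in ("192.168.0/24,eth0", "10.1.0.0/16,eth1", "10.1.2.0/24,eth1"):
        foo.add(e)
    print(foo.test("192.168.0/24,eth0"))  # exact element: True
    print(foo.lookup("10.1.2.3,eth1"))    # most specific first: 10.1.2.0/24,eth1
    foo.delete("10.1.2.0/24,eth1")
    print(foo.lookup("10.1.2.3,eth1"))    # now the /16 answers: 10.1.0.0/16,eth1
```

       The model makes the practical consequence visible: deleting 10.1.2.3
       from the set fails even though 10.1.0.0/16 covers it, because only the
       exact element is deleted, and removing the /24 silently changes which
       element a host lookup reports, since the next less specific prefix now
       answers.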
795
   list:set
       The list:set type uses a simple list in which you can store set names.

       CREATE-OPTIONS := [ size value ] [ timeout value ]

       ADD-ENTRY := setname [ { before | after } setname ]

       ADD-OPTIONS := [ timeout value ]

       DEL-ENTRY := setname [ { before | after } setname ]

       TEST-ENTRY := setname [ { before | after } setname ]

       Optional create options:

       size value
              The size of the list, the default is 8.

       By the ipset command you can add, delete and test set names in a
       list:set type of set.

       By the set match or SET target of netfilter you can test, add or delete
       entries in the sets added to the list:set type of set. The match will
       try to find a matching entry in the sets and the target will try to add
       an entry to the first set to which it can be added. The number of
       direction options of the match and target are important: sets which
       require more parameters than specified are skipped, while sets with
       equal or fewer parameters are checked and elements added/deleted. For
       example, if a and b are list:set type of sets, then in the command

              iptables -m set --match-set a src,dst -j SET --add-set b src,dst

       the match and target will skip any set in a and b which stores data
       triples, but will match all sets with single or double data storage in
       set a and stop matching at the first successful set, and add src to the
       first single or src,dst to the first double data storage set in b to
       which the entry can be added. You can imagine a list:set type of set as
       an ordered union of the set elements.

       Please note: by the ipset command you can add, delete and test the set
       names in a list:set type of set, and not the presence of a set's member
       (such as an IP address).
838
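       The ordered-union behaviour described above, as a toy model in Python.
       This is an added example, not ipset code and not part of this manual
       page. MemberSet stands in for any hash set type, with a hypothetical
       dimension attribute giving the number of parameters an element needs
       (1 for a single, 2 for a double, 3 for a triple data storage set); the
       match and target are modelled as calls that receive the parameters the
       rule's direction options extracted from the packet. ListSet, add_set,
       match, add_entry and del_entry are hypothetical names.

```python
# Added example, not ipset code: a toy model of the documented list:set
# behaviour. MemberSet stands in for any hash set type; its dimension is the
# number of parameters an element needs (1 for single, 2 for double, 3 for
# triple data storage). All names here are hypothetical.


class MemberSet:
    def __init__(self, name, dimension, maxelem=65536):
        self.name = name
        self.dimension = dimension
        self.maxelem = maxelem
        self.elements = set()


class ListSet:
    """Ordered list of set names: an ordered union of the member sets."""

    def __init__(self, size=8):
        self.size = size  # the 'size' create option, default 8
        self.members = []

    def add_set(self, member, before=None, after=None):
        """ipset add LIST SETNAME [ before|after SETNAME ] (set names only)."""
        if len(self.members) >= self.size:
            raise OverflowError("list:set is full")
        names = [m.name for m in self.members]
        if before is not None:
            self.members.insert(names.index(before), member)
        elif after is not None:
            self.members.insert(names.index(after) + 1, member)
        else:
            self.members.append(member)

    def set_names(self):
        return [m.name for m in self.members]

    def _usable(self, params):
        # Sets needing more parameters than the rule supplies are skipped;
        # the others are checked with the first 'dimension' parameters.
        for m in self.members:
            if m.dimension <= len(params):
                yield m, tuple(params[:m.dimension])

    def match(self, params):
        """set match: name of the first member set holding the entry, or None."""
        for m, key in self._usable(params):
            if key in m.elements:
                return m.name
        return None

    def add_entry(self, params):
        """SET --add-set: add to the first member set that can take the entry."""
        for m, key in self._usable(params):
            if key not in m.elements and len(m.elements) < m.maxelem:
                m.elements.add(key)
                return m.name
        return None

    def del_entry(self, params):
        """SET --del-set: delete from the first member set that holds the entry."""
        for m, key in self._usable(params):
            if key in m.elements:
                m.elements.remove(key)
                return m.name
        return None


if __name__ == "__main__":
    b = ListSet()
    b.add_set(MemberSet("triples", 3))
    b.add_set(MemberSet("singles", 1))
    b.add_set(MemberSet("doubles", 2))
    pkt = ("10.0.0.1", "10.0.0.9")  # constructed src,dst pair from a packet
    print(b.add_entry(pkt))  # triples skipped; src lands in singles
    print(b.add_entry(pkt))  # singles already has src; src,dst lands in doubles
    print(b.match(pkt))      # first successful set: singles
```

       Note how a repeated SET --add-set with the same packet walks further
       down the list once the earlier set already holds the entry, and how a
       match stops at the first set that succeeds even when a later set also
       contains the entry; the order of set names in the list:set therefore
       decides which set accumulates entries.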

GENERAL RESTRICTIONS
       Zero valued set entries cannot be used with hash methods. Zero protocol
       value with ports cannot be used.

COMMENTS
       If you want to store same size subnets from a given network (say /24
       blocks from a /8 network), use the bitmap:ip set type. If you want to
       store random same size networks (say random /24 blocks), use the
       hash:ip set type. If you have got random size of netblocks, use
       hash:net.

       Backward compatibility is maintained and old ipset syntax is still
       supported.

       The iptree and iptreemap set types are removed: if you refer to them,
       they are automatically replaced by hash:ip type of sets.

DIAGNOSTICS
       Various error messages are printed to standard error. The exit code is
       0 for correct functioning.

BUGS
       Bugs? No, just funny features. :-) OK, just kidding...

SEE ALSO
       iptables(8), ip6tables(8)

AUTHORS
       Jozsef Kadlecsik wrote ipset, which is based on ippool by Joakim
       Axelsson, Patrick Schaaf and Martin Josefsson.
       Sven Wegener wrote the iptreemap type.

LAST REMARK
       I stand on the shoulders of giants.



Jozsef Kadlecsik                 Oct 15, 2010                         IPSET(8)