1IPSET(8) IPSET(8)
2
6 ipset — administration tool for IP sets
7
9 ipset [ OPTIONS ] COMMAND [ COMMAND-OPTIONS ]
10 COMMANDS := { create | add | del | test | destroy | list | save |
12 restore | flush | rename | swap | help | version | - }
13 OPTIONS := { -exist | -output { plain | save | xml } | -quiet |
15 -resolve | -sorted | -name | -terse }
16 ipset create SETNAME TYPENAME [ CREATE-OPTIONS ]
18 ipset add SETNAME ADD-ENTRY [ ADD-OPTIONS ]
20 ipset del SETNAME DEL-ENTRY [ DEL-OPTIONS ]
22 ipset test SETNAME TEST-ENTRY [ TEST-OPTIONS ]
24 ipset destroy [ SETNAME ]
26 ipset list [ SETNAME ]
28 ipset save [ SETNAME ]
30 ipset restore
32 ipset flush [ SETNAME ]
34 ipset rename SETNAME-FROM SETNAME-TO
36 ipset swap SETNAME-FROM SETNAME-TO
38 ipset help [ TYPENAME ]
40 ipset version
42 ipset -
44
46 ipset is used to set up, maintain and inspect so called IP sets in the
47 Linux kernel. Depending on the type of the set, an IP set may store
48 IP(v4/v6) addresses, (TCP/UDP) port numbers, IP and MAC address pairs,
49 IP address and port number pairs, etc. See the set type definitions
50 below.
51 Iptables matches and targets referring to sets create references, which
53 protect the given sets in the kernel. A set cannot be destroyed while
54 there is a single reference pointing to it.
55
57 The options that are recognized by ipset can be divided into several
58 different groups.
59 COMMANDS
61 These options specify the desired action to perform. Only one of them
62 can be specified on the command line unless otherwise specified below.
63 For all the long versions of the command names, you need to use only
64 enough letters to ensure that ipset can differentiate it from all other
65 commands. The ipset parser follows the order here when looking for the
66 shortest match in the long command names.
67 n, create SETNAME TYPENAME [ CREATE-OPTIONS ]
69 Create a set identified with setname and specified type. The
70 type may require type specific options. If the -exist option is
71 specified, ipset ignores the error otherwise raised when the
72 same set (setname and create parameters are identical) already
73 exists.
74 add SETNAME ADD-ENTRY [ ADD-OPTIONS ]
76 Add a given entry to the set. If the -exist option is specified,
77 ipset ignores if the entry already added to the set.
78 del SETNAME DEL-ENTRY [ DEL-OPTIONS ]
80 Delete an entry from a set. If the -exist option is specified,
81 ipset ignores if the entry does not added to (already expired
82 from) the set.
83 test SETNAME TEST-ENTRY [ TEST-OPTIONS ]
85 Test wether an entry is in a set or not. Exit status number is
86 zero if the tested entry is in the set and nonzero if it is
87 missing from the set.
88 x, destroy [ SETNAME ]
90 Destroy the specified set or all the sets if none is given.
91 If the set has got reference(s), nothing is done and no set
93 destroyed.
94 list [ SETNAME ] [ OPTIONS ]
96 List the header data and the entries for the specified set, or
97 for all sets if none is given. The -resolve option can be used
98 to force name lookups (which may be slow). When the -sorted
99 option is given, the entries are listed sorted (if the given set
100 type supports the operation). The option -output can be used to
101 control the format of the listing: plain, save or xml. (The
102 default is plain.) If the option -name is specified, just the
103 names of the existing sets are listed. If the option -terse is
104 specified, just the set names and headers are listed.
105 save [ SETNAME ]
107 Save the given set, or all sets if none is given to stdout in a
108 format that restore can read.
109 restore
111 Restore a saved session generated by save. The saved session
112 can be fed from stdin.
113 flush [ SETNAME ]
115 Flush all entries from the specified set or flush all sets if
116 none is given.
117 e, rename SETNAME-FROM SETNAME-TO
119 Rename a set. Set identified by SETNAME-TO must not exist.
120 w, swap SETNAME-FROM SETNAME-TO
122 Swap the content of two sets, or in another words, exchange the
123 name of two sets. The referred sets must exist and identical
124 type of sets can be swapped only.
125 help [ TYPENAME ]
127 Print help and set type specific help if TYPENAME is specified.
128 version
130 Print program version.
131 - If a dash is specified as command, then ipset enters a simple
133 interactive mode and the commands are read from the standard
134 input. The interactive mode can be finished by entering the
135 pseudo-command quit.
136 OTHER OPTIONS
138 The following additional options can be specified. The long option
139 names cannot be abbreviated.
140 -!, -exist
142 Ignore errors when the exactly the same set is to be created or
143 already added entry is added or missing entry is deleted.
144 -o, -output { plain | save | xml }
146 Select the output format to the list command.
147 -q, -quiet
149 Suppress any output to stdout and stderr. ipset will still exit
150 with error if it cannot continue.
151 -r, -resolve
153 When listing sets, enforce name lookup. The program will try to
154 display the IP entries resolved to host names which requires
155 slow DNS lookups.
156 -s, -sorted
158 Sorted output. When listing sets entries are listed sorted. Not
159 supported yet.
160 -n, -name
162 List just the names of the existing sets, i.e. suppress listing
163 of set headers and members.
164 -t, -terse
166 List the set names and headers, i.e. suppress listing of set
167 members.
168
171 A set type comprises of the storage method by which the data is stored
172 and the data type(s) which are stored in the set. Therefore the TYPE‐
173 NAME parameter of the create command follows the syntax
174 TYPENAME := method:datatype[,datatype[,datatype]]
176 where the current list of the methods are bitmap, hash, and list and
178 the possible data types are ip, net, mac, port and iface. The dimen‐
179 sion of a set is equal to the number of data types in its type name.
180 When adding, deleting or testing entries in a set, the same comma sepa‐
182 rated data syntax must be used for the entry parameter of the commands,
183 i.e
184 ipset add foo ipaddr,portnum,ipaddr
186 The bitmap and list types use a fixed sized storage. The hash types use
188 a hash to store the elements. In order to avoid clashes in the hash, a
189 limited number of chaining, and if that is exhausted, the doubling of
190 the hash size is performed when adding entries by the ipset command.
191 When entries added by the SET target of iptables/ip6tables, then the
192 hash size is fixed and the set won't be duplicated, even if the new
193 entry cannot be added to the set.
194 All set types support the optional
196 timeout value
198 parameter when creating a set and adding entries. The value of the
200 timeout parameter for the create command means the default timeout
201 value (in seconds) for new entries. If a set is created with timeout
202 support, then the same timeout option can be used to specify
203 non-default timeout values when adding entries. Zero timeout value
204 means the entry is added permanent to the set. The timeout value of
205 already added elements can be changed by readding the element using the
206 -exist option.
207 The hash set types which can store net type of data (i.e. hash:*net*)
209 support the optional
210 nomatch
212 option when adding entries. When matching elements in the set, entries
214 marked as nomatch are skipped as if those were no added to the set,
215 which makes possible to build up sets with exceptions. See the example
216 at hash type hash:net below.
217 If host names or service names with dash in the name are used instead
219 of IP addresses or service numbers, then the host name or service name
220 must be enclosed in square brackets. Example:
221 ipset add foo [test-hostname],[ftp-data]
224 bitmap:ip
226 The bitmap:ip set type uses a memory range to store either IPv4 host
227 (default) or IPv4 network addresses. A bitmap:ip type of set can store
228 up to 65536 entries.
229 CREATE-OPTIONS := range fromip-toip|ip/cidr [ netmask cidr ] [ timeout
231 value ]
232 ADD-ENTRY := { ip | fromip-toip | ip/cidr }
234 ADD-OPTIONS := [ timeout value ]
236 DEL-ENTRY := { ip | fromip-toip | ip/cidr }
238 TEST-ENTRY := ip
240 Mandatory create options:
242 range fromip-toip|ip/cidr
244 Create the set from the specified inclusive address range
245 expressed in an IPv4 address range or network. The size of the
246 range (in entries) cannot exceed the limit of maximum 65536 ele‐
247 ments.
248 Optional create options:
250 netmask cidr
252 When the optional netmask parameter specified, network addresses
253 will be stored in the set instead of IP host addresses. The cidr
254 prefix value must be between 1-32. An IP address will be in the
255 set if the network address, which is resulted by masking the
256 address with the specified netmask calculated from the prefix,
257 can be found in the set.
258 The bitmap:ip type supports adding or deleting multiple entries in one
260 command.
261 Examples:
263 ipset create foo bitmap:ip range 192.168.0.0/16
265 ipset add foo 192.168.1/24
267 ipset test foo 192.168.1.1
269 bitmap:ip,mac
271 The bitmap:ip,mac set type uses a memory range to store IPv4 and a MAC
272 address pairs. A bitmap:ip,mac type of set can store up to 65536
273 entries.
274 CREATE-OPTIONS := range fromip-toip|ip/cidr [ timeout value ]
276 ADD-ENTRY := ip[,macaddr]
278 ADD-OPTIONS := [ timeout value ]
280 DEL-ENTRY := ip[,macaddr]
282 TEST-ENTRY := ip[,macaddr]
284 Mandatory options to use when creating a bitmap:ip,mac type of set:
286 range fromip-toip|ip/cidr
288 Create the set from the specified inclusive address range
289 expressed in an IPv4 address range or network. The size of the
290 range cannot exceed the limit of maximum 65536 entries.
291 The bitmap:ip,mac type is exceptional in the sense that the MAC part
293 can be left out when adding/deleting/testing entries in the set. If we
294 add an entry without the MAC address specified, then when the first
295 time the entry is matched by the kernel, it will automatically fill out
296 the missing MAC address with the source MAC address from the packet. If
297 the entry was specified with a timeout value, the timer starts off when
298 the IP and MAC address pair is complete.
299 The bitmap:ip,mac type of sets require two src/dst parameters of the
301 set match and SET target netfilter kernel modules and the second one
302 must be src to match, add or delete entries because the set match and
303 SET target have access to the source MAC address only.
304 Examples:
306 ipset create foo bitmap:ip,mac range 192.168.0.0/16
308 ipset add foo 192.168.1.1,12:34:56:78:9A:BC
310 ipset test foo 192.168.1.1
312 bitmap:port
314 The bitmap:port set type uses a memory range to store port numbers and
315 such a set can store up to 65536 ports.
316 CREATE-OPTIONS := range fromport-toport [ timeout value ]
318 ADD-ENTRY := { port | fromport-toport }
320 ADD-OPTIONS := [ timeout value ]
322 DEL-ENTRY := { port | fromport-toport }
324 TEST-ENTRY := port
326 Mandatory options to use when creating a bitmap:port type of set:
328 range fromport-toport
330 Create the set from the specified inclusive port range.
331 The set match and SET target netfilter kernel modules interpret the
333 stored numbers as TCP or UDP port numbers.
334 Examples:
336 ipset create foo bitmap:port range 0-1024
338 ipset add foo 80
340 ipset test foo 80
342 hash:ip
344 The hash:ip set type uses a hash to store IP host addresses (default)
345 or network addresses. Zero valued IP address cannot be stored in a
346 hash:ip type of set.
347 CREATE-OPTIONS := [ family { inet | inet6 } ] | [ hashsize value ] [
349 maxelem value ] [ netmask cidr ] [ timeout value ]
350 ADD-ENTRY := ipaddr
352 ADD-OPTIONS := [ timeout value ]
354 DEL-ENTRY := ipaddr
356 TEST-ENTRY := ipaddr
358 Optional create options:
360 family { inet | inet6 }
362 The protocol family of the IP addresses to be stored in the set.
363 The default is inet, i.e IPv4.
364 hashsize value
366 The initial hash size for the set, default is 1024. The hash
367 size must be a power of two, the kernel automatically rounds up
368 non power of two hash sizes to the first correct value.
369 maxelem value
371 The maximal number of elements which can be stored in the set,
372 default 65536.
373 netmask cidr
375 When the optional netmask parameter specified, network addresses
376 will be stored in the set instead of IP host addresses. The cidr
377 prefix value must be between 1-32 for IPv4 and between 1-128 for
378 IPv6. An IP address will be in the set if the network address,
379 which is resulted by masking the address with the netmask calcu‐
380 lated from the prefix, can be found in the set.
381 For the inet family one can add or delete multiple entries by specify‐
383 ing a range or a network:
384 ipaddr := { ip | fromaddr-toaddr | ip/cidr }
386 Examples:
388 ipset create foo hash:ip netmask 30
390 ipset add foo 192.168.1.0/24
392 ipset test foo 192.168.1.2
394 hash:net
396 The hash:net set type uses a hash to store different sized IP network
397 addresses. Network address with zero prefix size cannot be stored in
398 this type of sets.
399 CREATE-OPTIONS := [ family { inet | inet6 } ] | [ hashsize value ] [
401 maxelem value ] [ timeout value ]
402 ADD-ENTRY := netaddr
404 ADD-OPTIONS := [ timeout value ] [ nomatch ]
406 DEL-ENTRY := netaddr
408 TEST-ENTRY := netaddr
410 where netaddr := ip[/cidr]
412 Optional create options:
414 family { inet | inet6 }
416 The protocol family of the IP addresses to be stored in the set.
417 The default is inet, i.e IPv4.
418 hashsize value
420 The initial hash size for the set, default is 1024. The hash
421 size must be a power of two, the kernel automatically rounds up
422 non power of two hash sizes to the first correct value.
423 maxelem value
425 The maximal number of elements which can be stored in the set,
426 default 65536.
427 For the inet family one can add or delete multiple entries by specify‐
429 ing a range, which is converted internally to network(s) equal to the
430 range:
431 netaddr := { ip[/cidr] | fromaddr-toaddr }
433 When adding/deleting/testing entries, if the cidr prefix parameter is
435 not specified, then the host prefix value is assumed. When
436 adding/deleting entries, the exact element is added/deleted and over‐
437 lapping elements are not checked by the kernel. When testing entries,
438 if a host address is tested, then the kernel tries to match the host
439 address in the networks added to the set and reports the result accord‐
440 ingly.
441 From the set netfilter match point of view the searching for a match
443 always starts from the smallest size of netblock (most specific
444 prefix) to the largest one (least specific prefix) added to the set.
445 When adding/deleting IP addresses to the set by the SET netfilter
446 target, it will be added/deleted by the most specific prefix which
447 can be found in the set, or by the host prefix value if the set is
448 empty.
449 The lookup time grows linearly with the number of the different prefix
451 values added to the set.
452 Example:
454 ipset create foo hash:net
456 ipset add foo 192.168.0.0/24
458 ipset add foo 10.1.0.0/16
460 ipset add foo 192.168.0/24
462 ipset add foo 192.168.0/30 nomatch
464 When matching the elements in the set above, all IP addresses will
466 match from the networks 192.168.0.0/24, 10.1.0.0/16 and 192.168.0/24
467 except 192.168.0/30.
468 hash:ip,port
470 The hash:ip,port set type uses a hash to store IP address and port num‐
471 ber pairs. The port number is interpreted together with a protocol
472 (default TCP) and zero protocol number cannot be used.
473 CREATE-OPTIONS := [ family { inet | inet6 } ] | [ hashsize value ] [
475 maxelem value ] [ timeout value ]
476 ADD-ENTRY := ipaddr,[proto:]port
478 ADD-OPTIONS := [ timeout value ]
480 DEL-ENTRY := ipaddr,[proto:]port
482 TEST-ENTRY := ipaddr,[proto:]port
484 Optional create options:
486 family { inet | inet6 }
488 The protocol family of the IP addresses to be stored in the set.
489 The default is inet, i.e IPv4.
490 hashsize value
492 The initial hash size for the set, default is 1024. The hash
493 size must be a power of two, the kernel automatically rounds up
494 non power of two hash sizes to the first correct value
495 maxelem value
497 The maximal number of elements which can be stored in the set,
498 default 65536.
499 For the inet family one can add or delete multiple entries by specify‐
501 ing a range or a network of IPv4 addresses in the IP address part of
502 the entry:
503 ipaddr := { ip | fromaddr-toaddr | ip/cidr }
505 The [proto:]port part of the elements may be expressed in the following
507 forms, where the range variations are valid when adding or deleting
508 entries:
509 portname[-portname]
511 TCP port or range of ports expressed in TCP portname identifiers
512 from /etc/services
513 portnumber[-portnumber]
515 TCP port or range of ports expressed in TCP port numbers
516 tcp|sctp|udp|udplite:portname|portnumber[-portname|portnumber]
518 TCP, SCTP, UDP or UDPLITE port or port range expressed in port
519 name(s) or port number(s)
520 icmp:codename|type/code
522 ICMP codename or type/code. The supported ICMP codename identi‐
523 fiers can always be listed by the help command.
524 icmpv6:codename|type/code
526 ICMPv6 codename or type/code. The supported ICMPv6 codename
527 identifiers can always be listed by the help command.
528 proto:0
530 All other protocols, as an identifier from /etc/protocols or
531 number. The pseudo port number must be zero.
532 The hash:ip,port type of sets require two src/dst parameters of the set
534 match and SET target kernel modules.
535 Examples:
537 ipset create foo hash:ip,port
539 ipset add foo 192.168.1.0/24,80-82
541 ipset add foo 192.168.1.1,udp:53
543 ipset add foo 192.168.1.1,vrrp:0
545 ipset test foo 192.168.1.1,80
547 hash:net,port
549 The hash:net,port set type uses a hash to store different sized IP net‐
550 work address and port pairs. The port number is interpreted together
551 with a protocol (default TCP) and zero protocol number cannot be used.
552 Network address with zero prefix size is not accepted either.
553 CREATE-OPTIONS := [ family { inet | inet6 } ] | [ hashsize value ] [
555 maxelem value ] [ timeout value ]
556 ADD-ENTRY := netaddr,[proto:]port
558 ADD-OPTIONS := [ timeout value ] [ nomatch ]
560 DEL-ENTRY := netaddr,[proto:]port
562 TEST-ENTRY := netaddr,[proto:]port
564 where netaddr := ip[/cidr]
566 Optional create options:
568 family { inet | inet6 }
570 The protocol family of the IP addresses to be stored in the set.
571 The default is inet, i.e IPv4.
572 hashsize value
574 The initial hash size for the set, default is 1024. The hash
575 size must be a power of two, the kernel automatically rounds up
576 non power of two hash sizes to the first correct value.
577 maxelem value
579 The maximal number of elements which can be stored in the set,
580 default 65536.
581 For the netaddr part of the elements see the description at the
583 hash:net set type. For the [proto:]port part of the elements see the
584 description at the hash:ip,port set type.
585 When adding/deleting/testing entries, if the cidr prefix parameter is
587 not specified, then the host prefix value is assumed. When
588 adding/deleting entries, the exact element is added/deleted and over‐
589 lapping elements are not checked by the kernel. When testing entries,
590 if a host address is tested, then the kernel tries to match the host
591 address in the networks added to the set and reports the result accord‐
592 ingly.
593 From the set netfilter match point of view the searching for a match
595 always starts from the smallest size of netblock (most specific
596 prefix) to the largest one (least specific prefix) added to the set.
597 When adding/deleting IP addresses to the set by the SET netfilter
598 target, it will be added/deleted by the most specific prefix which
599 can be found in the set, or by the host prefix value if the set is
600 empty.
601 The lookup time grows linearly with the number of the different prefix
603 values added to the set.
604 Examples:
606 ipset create foo hash:net,port
608 ipset add foo 192.168.0/24,25
610 ipset add foo 10.1.0.0/16,80
612 ipset test foo 192.168.0/24,25
614 hash:ip,port,ip
616 The hash:ip,port,ip set type uses a hash to store IP address, port num‐
617 ber and a second IP address triples. The port number is interpreted
618 together with a protocol (default TCP) and zero protocol number cannot
619 be used.
620 CREATE-OPTIONS := [ family { inet | inet6 } ] | [ hashsize value ] [
622 maxelem value ] [ timeout value ]
623 ADD-ENTRY := ipaddr,[proto:]port,ip
625 ADD-OPTIONS := [ timeout value ]
627 DEL-ENTRY := ipaddr,[proto:]port,ip
629 TEST-ENTRY := ipaddr,[proto:]port,ip
631 For the first ipaddr and [proto:]port parts of the elements see the
633 descriptions at the hash:ip,port set type.
634 Optional create options:
636 family { inet | inet6 }
638 The protocol family of the IP addresses to be stored in the set.
639 The default is inet, i.e IPv4.
640 hashsize value
642 The initial hash size for the set, default is 1024. The hash
643 size must be a power of two, the kernel automatically rounds up
644 non power of two hash sizes to the first correct value.
645 maxelem value
647 The maximal number of elements which can be stored in the set,
648 default 65536.
649 The hash:ip,port,ip type of sets require three src/dst parameters of
651 the set match and SET target kernel modules.
652 Examples:
654 ipset create foo hash:ip,port,ip
656 ipset add foo 192.168.1.1,80,10.0.0.1
658 ipset test foo 192.168.1.1,udp:53,10.0.0.1
660 hash:ip,port,net
662 The hash:ip,port,net set type uses a hash to store IP address, port
663 number and IP network address triples. The port number is interpreted
664 together with a protocol (default TCP) and zero protocol number cannot
665 be used. Network address with zero prefix size cannot be stored either.
666 CREATE-OPTIONS := [ family { inet | inet6 } ] | [ hashsize value ] [
668 maxelem value ] [ timeout value ]
669 ADD-ENTRY := ipaddr,[proto:]port,netaddr
671 ADD-OPTIONS := [ timeout value ] [ nomatch ]
673 DEL-ENTRY := ipaddr,[proto:]port,netaddr
675 TEST-ENTRY := ipaddr,[proto:]port,netaddr
677 where netaddr := ip[/cidr]
679 For the ipaddr and [proto:]port parts of the elements see the descrip‐
681 tions at the hash:ip,port set type. For the netaddr part of the ele‐
682 ments see the description at the hash:net set type.
683 Optional create options:
685 family { inet | inet6 }
687 The protocol family of the IP addresses to be stored in the set.
688 The default is inet, i.e IPv4.
689 hashsize value
691 The initial hash size for the set, default is 1024. The hash
692 size must be a power of two, the kernel automatically rounds up
693 non power of two hash sizes to the first correct value.
694 maxelem value
696 The maximal number of elements which can be stored in the set,
697 default 65536.
698 From the set netfilter match point of view the searching for a match
700 always starts from the smallest size of netblock (most specific
701 cidr) to the largest one (least specific cidr) added to the set. When
702 adding/deleting triples to the set by the SET netfilter target, it
703 will be added/deleted by the most specific cidr which can be found in
704 the set, or by the host cidr value if the set is empty.
705 The lookup time grows linearly with the number of the different cidr
707 values added to the set.
708 The hash:ip,port,net type of sets require three src/dst parameters of
710 the set match and SET target kernel modules.
711 Examples:
713 ipset create foo hash:ip,port,net
715 ipset add foo 192.168.1,80,10.0.0/24
717 ipset add foo 192.168.2,25,10.1.0.0/16
719 ipset test foo 192.168.1,80.10.0.0/24
721 hash:net,iface
723 The hash:net,iface set type uses a hash to store different sized IP
724 network address and interface name pairs. Network address with zero
725 prefix size is not accepted.
726 CREATE-OPTIONS := [ family { inet | inet6 } ] | [ hashsize value ] [
728 maxelem value ] [ timeout value ]
729 ADD-ENTRY := netaddr,[physdev:]iface
731 ADD-OPTIONS := [ timeout value ] [ nomatch ]
733 DEL-ENTRY := netaddr,[physdev:]iface
735 TEST-ENTRY := netaddr,[physdev:]iface
737 where netaddr := ip[/cidr]
739 Optional create options:
741 family { inet | inet6 }
743 The protocol family of the IP addresses to be stored in the set.
744 The default is inet, i.e IPv4.
745 hashsize value
747 The initial hash size for the set, default is 1024. The hash
748 size must be a power of two, the kernel automatically rounds up
749 non power of two hash sizes to the first correct value.
750 maxelem value
752 The maximal number of elements which can be stored in the set,
753 default 65536.
754 For the netaddr part of the elements see the description at the
756 hash:net set type.
757 When adding/deleting/testing entries, if the cidr prefix parameter is
759 not specified, then the host prefix value is assumed. When
760 adding/deleting entries, the exact element is added/deleted and over‐
761 lapping elements are not checked by the kernel. When testing entries,
762 if a host address is tested, then the kernel tries to match the host
763 address in the networks added to the set and reports the result accord‐
764 ingly.
765 From the set netfilter match point of view the searching for a match
767 always starts from the smallest size of netblock (most specific
768 prefix) to the largest one (least specific prefix) added to the set.
769 When adding/deleting IP addresses to the set by the SET netfilter
770 target, it will be added/deleted by the most specific prefix which
771 can be found in the set, or by the host prefix value if the set is
772 empty.
773 The second direction parameter of the set match and SET target modules
775 corresponds to the incoming/outgoing interface : src to the incoming,
776 while dst to the outgoing. When the interface is flagged with physdev:,
777 the interface is interpreted as the incoming/outgoing bridge port.
778 The lookup time grows linearly with the number of the different prefix
780 values added to the set.
781 The internal restriction of the hash:net,iface set type is that the
783 same network prefix cannot be stored with more than 64 different inter‐
784 faces in a single set.
785 Examples:
787 ipset create foo hash:net,iface
789 ipset add foo 192.168.0/24,eth0
791 ipset add foo 10.1.0.0/16,eth1
793 ipset test foo 192.168.0/24,eth0
795 list:set
797 The list:set type uses a simple list in which you can store set names.
798 CREATE-OPTIONS := [ size value ] [ timeout value ]
800 ADD-ENTRY := setname [ { before | after } setname ]
802 ADD-OPTIONS := [ timeout value ]
804 DEL-ENTRY := setname [ { before | after } setname ]
806 TEST-ENTRY := setname [ { before | after } setname ]
808 Optional create options:
810 size value
812 The size of the list, the default is 8.
813 By the ipset commad you can add, delete and test set names in a
815 list:set type of set.
816 By the set match or SET target of netfilter you can test, add or delete
818 entries in the sets added to the list:set type of set. The match will
819 try to find a matching entry in the sets and the target will try to add
820 an entry to the first set to which it can be added. The number of
821 direction options of the match and target are important: sets which
822 require more parameters than specified are skipped, while sets with
823 equal or less parameters are checked, elements added/deleted. For exam‐
824 ple if a and b are list:set type of sets then in the command
825 iptables -m set --match-set a src,dst -j SET --add-set b src,dst
827 the match and target will skip any set in a and b which stores data
829 triples, but will match all sets with single or double data storage in
830 a set and stop matching at the first successful set, and add src to the
831 first single or src,dst to the first double data storage set in b to
832 which the entry can be added. You can imagine a list:set type of set as
833 an ordered union of the set elements.
834 Please note: by the ipset commad you can add, delete and test the set‐
836 names in a list:set type of set, and not the presence of a set's member
837 (such as an IP address).
838
840 Zero valued set entries cannot be used with hash methods. Zero protocol
841 value with ports cannot be used.
842
844 If you want to store same size subnets from a given network (say /24
845 blocks from a /8 network), use the bitmap:ip set type. If you want to
846 store random same size networks (say random /24 blocks), use the
847 hash:ip set type. If you have got random size of netblocks, use
848 hash:net.
849 Backward compatibility is maintained and old ipset syntax is still sup‐
851 ported.
852 The iptree and iptreemap set types are removed: if you refer to them,
854 they are automatically replaced by hash:ip type of sets.
855
857 Various error messages are printed to standard error. The exit code is
858 0 for correct functioning.
859
861 Bugs? No, just funny features. :-) OK, just kidding...
862
864 iptables(8), ip6tables(8)
865
867 Jozsef Kadlecsik wrote ipset, which is based on ippool by Joakim Axels‐
868 son, Patrick Schaaf and Martin Josefsson.
869 Sven Wegener wrote the iptreemap type.
870
872 I stand on the shoulders of giants.
873Jozsef Kadlecsik Oct 15, 2010 IPSET(8)