1IPSET(8) IPSET(8)
2
6 ipset — administration tool for IP sets
7
9 ipset [ OPTIONS ] COMMAND [ COMMAND-OPTIONS ]
10 COMMANDS := { create | add | del | test | destroy | list | save | re‐
12 store | flush | rename | swap | help | version | - }
13 OPTIONS := { -exist | -output { plain | save | xml } | -quiet | -re‐
15 solve | -sorted | -name | -terse | -file filename }
16 ipset create SETNAME TYPENAME [ CREATE-OPTIONS ]
18 ipset add SETNAME ADD-ENTRY [ ADD-OPTIONS ]
20 ipset del SETNAME DEL-ENTRY [ DEL-OPTIONS ]
22 ipset test SETNAME TEST-ENTRY [ TEST-OPTIONS ]
24 ipset destroy [ SETNAME ]
26 ipset list [ SETNAME ]
28 ipset save [ SETNAME ]
30 ipset restore
32 ipset flush [ SETNAME ]
34 ipset rename SETNAME-FROM SETNAME-TO
36 ipset swap SETNAME-FROM SETNAME-TO
38 ipset help [ TYPENAME ]
40 ipset version
42 ipset -
44
46 ipset is used to set up, maintain and inspect so called IP sets in the
47 Linux kernel. Depending on the type of the set, an IP set may store
48 IP(v4/v6) addresses, (TCP/UDP) port numbers, IP and MAC address pairs,
49 IP address and port number pairs, etc. See the set type definitions be‐
50 low.
51 Iptables matches and targets referring to sets create references, which
53 protect the given sets in the kernel. A set cannot be destroyed while
54 there is a single reference pointing to it.
55
57 The options that are recognized by ipset can be divided into several
58 different groups.
59 COMMANDS
61 These options specify the desired action to perform. Only one of them
62 can be specified on the command line unless otherwise specified below.
63 For all the long versions of the command names, you need to use only
64 enough letters to ensure that ipset can differentiate it from all other
65 commands. The ipset parser follows the order here when looking for the
66 shortest match in the long command names.
67 n, create SETNAME TYPENAME [ CREATE-OPTIONS ]
69 Create a set identified with setname and specified type. The
70 type may require type specific options. If the -exist option is
71 specified, ipset ignores the error otherwise raised when the
72 same set (setname and create parameters are identical) already
73 exists.
74 add SETNAME ADD-ENTRY [ ADD-OPTIONS ]
76 Add a given entry to the set. If the -exist option is specified,
77 ipset ignores if the entry already added to the set.
78 del SETNAME DEL-ENTRY [ DEL-OPTIONS ]
80 Delete an entry from a set. If the -exist option is specified
81 and the entry is not in the set (maybe already expired), then
82 the command is ignored.
83 test SETNAME TEST-ENTRY [ TEST-OPTIONS ]
85 Test whether an entry is in a set or not. Exit status number is
86 zero if the tested entry is in the set and nonzero if it is
87 missing from the set.
88 x, destroy [ SETNAME ]
90 Destroy the specified set or all the sets if none is given.
91 If the set has got reference(s), nothing is done and no set de‐
93 stroyed.
94 list [ SETNAME ] [ OPTIONS ]
96 List the header data and the entries for the specified set, or
97 for all sets if none is given. The -resolve option can be used
98 to force name lookups (which may be slow). When the -sorted op‐
99 tion is given, the entries are listed/saved sorted (which may be
100 slow). The option -output can be used to control the format of
101 the listing: plain, save or xml. (The default is plain.) If
102 the option -name is specified, just the names of the existing
103 sets are listed. If the option -terse is specified, just the set
104 names and headers are listed. The output is printed to stdout,
105 the option -file can be used to specify a filename instead of
106 stdout.
107 save [ SETNAME ]
109 Save the given set, or all sets if none is given to stdout in a
110 format that restore can read. The option -file can be used to
111 specify a filename instead of stdout.
112 restore
114 Restore a saved session generated by save. The saved session
115 can be fed from stdin or the option -file can be used to specify
116 a filename instead of stdin.
117 Please note, existing sets and elements are not erased by re‐
119 store unless specified so in the restore file. All commands are
120 allowed in restore mode except list, help, version, interactive
121 mode and restore itself.
122 flush [ SETNAME ]
124 Flush all entries from the specified set or flush all sets if
125 none is given.
126 e, rename SETNAME-FROM SETNAME-TO
128 Rename a set. Set identified by SETNAME-TO must not exist.
129 w, swap SETNAME-FROM SETNAME-TO
131 Swap the content of two sets, or in another words, exchange the
132 name of two sets. The referred sets must exist and compatible
133 type of sets can be swapped only.
134 help [ TYPENAME ]
136 Print help and set type specific help if TYPENAME is specified.
137 version
139 Print program version.
140 - If a dash is specified as command, then ipset enters a simple
142 interactive mode and the commands are read from the standard in‐
143 put. The interactive mode can be finished by entering the
144 pseudo-command quit.
145 OTHER OPTIONS
147 The following additional options can be specified. The long option
148 names cannot be abbreviated.
149 -!, -exist
151 Ignore errors when exactly the same set is to be created or al‐
152 ready added entry is added or missing entry is deleted.
153 -o, -output { plain | save | xml }
155 Select the output format to the list command.
156 -q, -quiet
158 Suppress any output to stdout and stderr. ipset will still exit
159 with error if it cannot continue.
160 -r, -resolve
162 When listing sets, enforce name lookup. The program will try to
163 display the IP entries resolved to host names which requires
164 slow DNS lookups.
165 -s, -sorted
167 Sorted output. When listing or saving sets, the entries are
168 listed sorted.
169 -n, -name
171 List just the names of the existing sets, i.e. suppress listing
172 of set headers and members.
173 -t, -terse
175 List the set names and headers, i.e. suppress listing of set
176 members.
177 -f, -file filename
179 Specify a filename to print into instead of stdout (list or save
180 commands) or read from instead of stdin (restore command).
181
183 A set type comprises of the storage method by which the data is stored
184 and the data type(s) which are stored in the set. Therefore the TYPE‐
185 NAME parameter of the create command follows the syntax
186 TYPENAME := method:datatype[,datatype[,datatype]]
188 where the current list of the methods are bitmap, hash, and list and
190 the possible data types are ip, net, mac, port and iface. The dimen‐
191 sion of a set is equal to the number of data types in its type name.
192 When adding, deleting or testing entries in a set, the same comma sepa‐
194 rated data syntax must be used for the entry parameter of the commands,
195 i.e
196 ipset add foo ipaddr,portnum,ipaddr
198 If host names or service names with dash in the name are used instead
200 of IP addresses or service numbers, then the host name or service name
201 must be enclosed in square brackets. Example:
202 ipset add foo [test-hostname],[ftp-data]
204 In the case of host names the DNS resolver is called internally by
206 ipset but if it returns multiple IP addresses, only the first one is
207 used.
208 The bitmap and list types use a fixed sized storage. The hash types use
210 a hash to store the elements. In order to avoid clashes in the hash, a
211 limited number of chaining, and if that is exhausted, the doubling of
212 the hash size is performed when adding entries by the ipset command.
213 When entries added by the SET target of iptables/ip6tables, then the
214 hash size is fixed and the set won't be duplicated, even if the new en‐
215 try cannot be added to the set.
216
218 timeout
219 All set types supports the optional timeout parameter when creating a
220 set and adding entries. The value of the timeout parameter for the cre‐
221 ate command means the default timeout value (in seconds) for new en‐
222 tries. If a set is created with timeout support, then the same timeout
223 option can be used to specify non-default timeout values when adding
224 entries. Zero timeout value means the entry is added permanent to the
225 set. The timeout value of already added elements can be changed by re-
226 adding the element using the -exist option. The largest possible time‐
227 out value is 2147483 (in seconds). Example:
228 ipset create test hash:ip timeout 300
230 ipset add test 192.168.0.1 timeout 60
232 ipset -exist add test 192.168.0.1 timeout 600
234 When listing the set, the number of entries printed in the header might
236 be larger than the listed number of entries for sets with the timeout
237 extensions: the number of entries in the set is updated when elements
238 added/deleted to the set and periodically when the garbage collector
239 evicts the timed out entries.
240 counters, packets, bytes
242 All set types support the optional counters option when creating a set.
243 If the option is specified then the set is created with packet and byte
244 counters per element support. The packet and byte counters are initial‐
245 ized to zero when the elements are (re-)added to the set, unless the
246 packet and byte counter values are explicitly specified by the packets
247 and bytes options. An example when an element is added to a set with
248 non-zero counter values:
249 ipset create foo hash:ip counters
251 ipset add foo 192.168.1.1 packets 42 bytes 1024
253 comment
255 All set types support the optional comment extension. Enabling this
256 extension on an ipset enables you to annotate an ipset entry with an
257 arbitrary string. This string is completely ignored by both the kernel
258 and ipset itself and is purely for providing a convenient means to doc‐
259 ument the reason for an entry's existence. Comments must not contain
260 any quotation marks and the usual escape character (\) has no meaning.
261 For example, the following shell command is illegal:
262 ipset add foo 1.1.1.1 comment "this comment is \"bad\""
264 In the above, your shell will of course escape the quotation marks and
266 ipset will see the quote marks in the argument for the comment, which
267 will result in a parse error. If you are writing your own system, you
268 should avoid creating comments containing a quotation mark if you do
269 not want to break "ipset save" and "ipset restore", nonetheless, the
270 kernel will not stop you from doing so. The following is perfectly ac‐
271 ceptable:
272 ipset create foo hash:ip comment
274 ipset add foo 192.168.1.1/24 comment "allow access to SMB share
276 on \\\\fileserv\\"
277 the above would appear as: "allow access to SMB share on \\file‐
279 serv\"
280 skbinfo, skbmark, skbprio, skbqueue
282 All set types support the optional skbinfo extension. This extension
283 allows you to store the metainfo (firewall mark, tc class and hardware
284 queue) with every entry and map it to packets by usage of SET netfilter
285 target with --map-set option. skbmark option format: MARK or
286 MARK/MASK, where MARK and MASK are 32bit hex numbers with 0x prefix. If
287 only mark is specified mask 0xffffffff are used. skbprio option has tc
288 class format: MAJOR:MINOR, where major and minor numbers are hex with‐
289 out 0x prefix. skbqueue option is just decimal number.
290 ipset create foo hash:ip skbinfo
292 ipset add foo skbmark 0x1111/0xff00ffff skbprio 1:10 skbqueue 10
294 hashsize
296 This parameter is valid for the create command of all hash type sets.
297 It defines the initial hash size for the set, default is 1024. The hash
298 size must be a power of two, the kernel automatically rounds up non
299 power of two hash sizes to the first correct value. Example:
300 ipset create test hash:ip hashsize 1536
302 maxelem
304 This parameter is valid for the create command of all hash type sets.
305 It defines the maximal number of elements which can be stored in the
306 set, default 65536. Example:
307 ipset create test hash:ip maxelem 2048
309 bucketsize
311 This parameter is valid for the create command of all hash type sets.
312 It specifies the maximal number of elements which can be stored in a
313 hash bucket. Possible values are any even number between 2-14 and the
314 default is 14. Setting the value lower forces ipset to create larger
315 hashes which consumes more memory but gives more speed at matching in
316 the set. Example:
317 ipset create test hash:ip bucketsize 2
319 family { inet | inet6 }
321 This parameter is valid for the create command of all hash type sets
322 except for hash:mac. It defines the protocol family of the IP ad‐
323 dresses to be stored in the set. The default is inet, i.e IPv4. For
324 the inet family one can add or delete multiple entries by specifying a
325 range or a network of IPv4 addresses in the IP address part of the en‐
326 try:
327 ipaddr := { ip | fromaddr-toaddr | ip/cidr }
329 netaddr := { fromaddr-toaddr | ip/cidr }
331 Example:
333 ipset create test hash:ip family inet6
335 nomatch
337 The hash set types which can store net type of data (i.e. hash:*net*)
338 support the optional nomatch option when adding entries. When matching
339 elements in the set, entries marked as nomatch are skipped as if those
340 were not added to the set, which makes possible to build up sets with
341 exceptions. See the example at hash type hash:net below.
342 When elements are tested by ipset, the nomatch flags are taken into ac‐
344 count. If one wants to test the existence of an element marked with no‐
345 match in a set, then the flag must be specified too.
346 forceadd
348 All hash set types support the optional forceadd parameter when creat‐
349 ing a set. When sets created with this option become full the next ad‐
350 dition to the set may succeed and evict a random entry from the set.
351 ipset create foo hash:ip forceadd
353 wildcard
355 This flag is valid when adding elements to a hash:net,iface set. If the
356 flag is set, then prefix matching is used when comparing with this ele‐
357 ment. For example, an element containing the interface name "eth" will
358 match any name with that prefix.
359
361 bitmap:ip
362 The bitmap:ip set type uses a memory range to store either IPv4 host
363 (default) or IPv4 network addresses. A bitmap:ip type of set can store
364 up to 65536 entries.
365 CREATE-OPTIONS := range fromip-toip|ip/cidr [ netmask cidr ] [ timeout
367 value ] [ counters ] [ comment ] [ skbinfo ]
368 ADD-ENTRY := { ip | fromip-toip | ip/cidr }
370 ADD-OPTIONS := [ timeout value ] [ packets value ] [ bytes value ] [
372 comment string ] [ skbmark value ] [ skbprio value ] [ skbqueue value ]
373 DEL-ENTRY := { ip | fromip-toip | ip/cidr }
375 TEST-ENTRY := ip
377 Mandatory create options:
379 range fromip-toip|ip/cidr
381 Create the set from the specified inclusive address range ex‐
382 pressed in an IPv4 address range or network. The size of the
383 range (in entries) cannot exceed the limit of maximum 65536 ele‐
384 ments.
385 Optional create options:
387 netmask cidr
389 When the optional netmask parameter specified, network addresses
390 will be stored in the set instead of IP host addresses. The cidr
391 prefix value must be between 1-32. An IP address will be in the
392 set if the network address, which is resulted by masking the ad‐
393 dress with the specified netmask, can be found in the set.
394 The bitmap:ip type supports adding or deleting multiple entries in one
396 command.
397 Examples:
399 ipset create foo bitmap:ip range 192.168.0.0/16
401 ipset add foo 192.168.1/24
403 ipset test foo 192.168.1.1
405 bitmap:ip,mac
407 The bitmap:ip,mac set type uses a memory range to store IPv4 and a MAC
408 address pairs. A bitmap:ip,mac type of set can store up to 65536 en‐
409 tries.
410 CREATE-OPTIONS := range fromip-toip|ip/cidr [ timeout value ] [ coun‐
412 ters ] [ comment ] [ skbinfo ]
413 ADD-ENTRY := ip[,macaddr]
415 ADD-OPTIONS := [ timeout value ] [ packets value ] [ bytes value ] [
417 comment string ] [ skbmark value ] [ skbprio value ] [ skbqueue value ]
418 DEL-ENTRY := ip[,macaddr]
420 TEST-ENTRY := ip[,macaddr]
422 Mandatory options to use when creating a bitmap:ip,mac type of set:
424 range fromip-toip|ip/cidr
426 Create the set from the specified inclusive address range ex‐
427 pressed in an IPv4 address range or network. The size of the
428 range cannot exceed the limit of maximum 65536 entries.
429 The bitmap:ip,mac type is exceptional in the sense that the MAC part
431 can be left out when adding/deleting/testing entries in the set. If we
432 add an entry without the MAC address specified, then when the first
433 time the entry is matched by the kernel, it will automatically fill out
434 the missing MAC address with the MAC address from the packet. The
435 source MAC address is used if the entry matched due to a src parameter
436 of the set match, and the destination MAC address is used if available
437 and the entry matched due to a dst parameter. If the entry was speci‐
438 fied with a timeout value, the timer starts off when the IP and MAC ad‐
439 dress pair is complete.
440 The bitmap:ip,mac type of sets require two src/dst parameters of the
442 set match and SET target netfilter kernel modules. For matches on des‐
443 tination MAC addresses, see COMMENTS below.
444 Examples:
446 ipset create foo bitmap:ip,mac range 192.168.0.0/16
448 ipset add foo 192.168.1.1,12:34:56:78:9A:BC
450 ipset test foo 192.168.1.1
452 bitmap:port
454 The bitmap:port set type uses a memory range to store port numbers and
455 such a set can store up to 65536 ports.
456 CREATE-OPTIONS := range fromport-toport [ timeout value ] [ counters ]
458 [ comment ] [ skbinfo ]
459 ADD-ENTRY := { [proto:]port | [proto:]fromport-toport }
461 ADD-OPTIONS := [ timeout value ] [ packets value ] [ bytes value ] [
463 comment string ] [ skbmark value ] [ skbprio value ] [ skbqueue value ]
464 DEL-ENTRY := { [proto:]port | [proto:]fromport-toport }
466 TEST-ENTRY := [proto:]port
468 Mandatory options to use when creating a bitmap:port type of set:
470 range [proto:]fromport-toport
472 Create the set from the specified inclusive port range.
473 The set match and SET target netfilter kernel modules interpret the
475 stored numbers as TCP or UDP port numbers.
476 proto only needs to be specified if a service name is used and that
478 name does not exist as a TCP service. The protocol is never stored in
479 the set, just the port number of the service.
480 Examples:
482 ipset create foo bitmap:port range 0-1024
484 ipset add foo 80
486 ipset test foo 80
488 ipset del foo udp:[macon-udp]-[tn-tl-w2]
490 hash:ip
492 The hash:ip set type uses a hash to store IP host addresses (default)
493 or network addresses. Zero valued IP address cannot be stored in a
494 hash:ip type of set.
495 CREATE-OPTIONS := [ family { inet | inet6 } ] [ hashsize value ] [ max‐
497 elem value ] [ bucketsize value ] [ netmask cidr ] [ timeout value ] [
498 counters ] [ comment ] [ skbinfo ]
499 ADD-ENTRY := ipaddr
501 ADD-OPTIONS := [ timeout value ] [ packets value ] [ bytes value ] [
503 comment string ] [ skbmark value ] [ skbprio value ] [ skbqueue value ]
504 DEL-ENTRY := ipaddr
506 TEST-ENTRY := ipaddr
508 Optional create options:
510 netmask cidr
512 When the optional netmask parameter specified, network addresses
513 will be stored in the set instead of IP host addresses. The cidr
514 prefix value must be between 1-32 for IPv4 and between 1-128 for
515 IPv6. An IP address will be in the set if the network address,
516 which is resulted by masking the address with the netmask, can
517 be found in the set. Examples:
518 ipset create foo hash:ip netmask 30
520 ipset add foo 192.168.1.0/24
522 ipset test foo 192.168.1.2
524 hash:mac
526 The hash:mac set type uses a hash to store MAC addresses. Zero valued
527 MAC addresses cannot be stored in a hash:mac type of set. For matches
528 on destination MAC addresses, see COMMENTS below.
529 CREATE-OPTIONS := [ hashsize value ] [ maxelem value ] [ bucketsize
531 value ] [ timeout value ] [ counters ] [ comment ] [ skbinfo ]
532 ADD-ENTRY := macaddr
534 ADD-OPTIONS := [ timeout value ] [ packets value ] [ bytes value ] [
536 comment string ] [ skbmark value ] [ skbprio value ] [ skbqueue value ]
537 DEL-ENTRY := macaddr
539 TEST-ENTRY := macaddr
541 Examples:
543 ipset create foo hash:mac
545 ipset add foo 01:02:03:04:05:06
547 ipset test foo 01:02:03:04:05:06
549 hash:ip,mac
552 The hash:ip,mac set type uses a hash to store IP and a MAC address
553 pairs. Zero valued MAC addresses cannot be stored in a hash:ip,mac type
554 of set. For matches on destination MAC addresses, see COMMENTS below.
555 CREATE-OPTIONS := [ family { inet | inet6 } ] [ hashsize value ] [ max‐
557 elem value ] [ bucketsize value ] [ timeout value ] [ counters ] [ com‐
558 ment ] [ skbinfo ]
559 ADD-ENTRY := ipaddr,macaddr
561 ADD-OPTIONS := [ timeout value ] [ packets value ] [ bytes value ] [
563 comment string ] [ skbmark value ] [ skbprio value ] [ skbqueue value ]
564 DEL-ENTRY := ipaddr,macaddr
566 TEST-ENTRY := ipaddr,macaddr
568 Examples:
570 ipset create foo hash:ip,mac
572 ipset add foo 1.1.1.1,01:02:03:04:05:06
574 ipset test foo 1.1.1.1,01:02:03:04:05:06
576 hash:net
579 The hash:net set type uses a hash to store different sized IP network
580 addresses. Network address with zero prefix size cannot be stored in
581 this type of sets.
582 CREATE-OPTIONS := [ family { inet | inet6 } ] [ hashsize value ] [ max‐
584 elem value ] [ bucketsize value ] [ timeout value ] [ counters ] [ com‐
585 ment ] [ skbinfo ]
586 ADD-ENTRY := netaddr
588 ADD-OPTIONS := [ timeout value ] [ nomatch ] [ packets value ] [ bytes
590 value ] [ comment string ] [ skbmark value ] [ skbprio value ] [
591 skbqueue value ]
592 DEL-ENTRY := netaddr
594 TEST-ENTRY := netaddr
596 where netaddr := ip[/cidr]
598 When adding/deleting/testing entries, if the cidr prefix parameter is
600 not specified, then the host prefix value is assumed. When
601 adding/deleting entries, the exact element is added/deleted and over‐
602 lapping elements are not checked by the kernel. When testing entries,
603 if a host address is tested, then the kernel tries to match the host
604 address in the networks added to the set and reports the result accord‐
605 ingly.
606 From the set netfilter match point of view the searching for a match
608 always starts from the smallest size of netblock (most specific
609 prefix) to the largest one (least specific prefix) added to the set.
610 When adding/deleting IP addresses to the set by the SET netfilter
611 target, it will be added/deleted by the most specific prefix which
612 can be found in the set, or by the host prefix value if the set is
613 empty.
614 The lookup time grows linearly with the number of the different prefix
616 values added to the set.
617 Example:
619 ipset create foo hash:net
621 ipset add foo 192.168.0.0/24
623 ipset add foo 10.1.0.0/16
625 ipset add foo 192.168.0/24
627 ipset add foo 192.168.0/30 nomatch
629 When matching the elements in the set above, all IP addresses will
631 match from the networks 192.168.0.0/24, 10.1.0.0/16 and 192.168.0/24
632 except the ones from 192.168.0/30.
633 hash:net,net
635 The hash:net,net set type uses a hash to store pairs of different sized
636 IP network addresses. Bear in mind that the first parameter has
637 precedence over the second, so a nomatch entry could be potentially be
638 ineffective if a more specific first parameter existed with a suitable
639 second parameter. Network address with zero prefix size cannot be
640 stored in this type of set.
641 CREATE-OPTIONS := [ family { inet | inet6 } ] [ hashsize value ] [ max‐
643 elem value ] [ bucketsize value ] [ timeout value ] [ counters ] [ com‐
644 ment ] [ skbinfo ]
645 ADD-ENTRY := netaddr,netaddr
647 ADD-OPTIONS := [ timeout value ] [ nomatch ] [ packets value ] [ bytes
649 value ] [ comment string ] [ skbmark value ] [ skbprio value ] [
650 skbqueue value ]
651 DEL-ENTRY := netaddr,netaddr
653 TEST-ENTRY := netaddr,netaddr
655 where netaddr := ip[/cidr]
657 When adding/deleting/testing entries, if the cidr prefix parameter is
659 not specified, then the host prefix value is assumed. When
660 adding/deleting entries, the exact element is added/deleted and over‐
661 lapping elements are not checked by the kernel. When testing entries,
662 if a host address is tested, then the kernel tries to match the host
663 address in the networks added to the set and reports the result accord‐
664 ingly.
665 From the set netfilter match point of view the searching for a match
667 always starts from the smallest size of netblock (most specific
668 prefix) to the largest one (least specific prefix) with the first param
669 having precedence. When adding/deleting IP addresses to the set by
670 the SET netfilter target, it will be added/deleted by the most
671 specific prefix which can be found in the set, or by the host prefix
672 value if the set is empty.
673 The lookup time grows linearly with the number of the different prefix
675 values added to the first parameter of the set. The number of secondary
676 prefixes further increases this as the list of secondary prefixes is
677 traversed per primary prefix.
678 Example:
680 ipset create foo hash:net,net
682 ipset add foo 192.168.0.0/24,10.0.1.0/24
684 ipset add foo 10.1.0.0/16,10.255.0.0/24
686 ipset add foo 192.168.0/24,192.168.54.0-192.168.54.255
688 ipset add foo 192.168.0/30,192.168.64/30 nomatch
690 When matching the elements in the set above, all IP addresses will
692 match from the networks 192.168.0.0/24<->10.0.1.0/24,
693 10.1.0.0/16<->10.255.0.0/24 and 192.168.0/24<->192.168.54.0/24 except
694 the ones from 192.168.0/30<->192.168.64/30.
695 hash:ip,port
697 The hash:ip,port set type uses a hash to store IP address and port num‐
698 ber pairs. The port number is interpreted together with a protocol
699 (default TCP) and zero protocol number cannot be used.
700 CREATE-OPTIONS := [ family { inet | inet6 } ] [ hashsize value ] [ max‐
702 elem value ] [ bucketsize value ] [ timeout value ] [ counters ] [ com‐
703 ment ] [ skbinfo ]
704 ADD-ENTRY := ipaddr,[proto:]port
706 ADD-OPTIONS := [ timeout value ] [ packets value ] [ bytes value ] [
708 comment string ] [ skbmark value ] [ skbprio value ] [ skbqueue value ]
709 DEL-ENTRY := ipaddr,[proto:]port
711 TEST-ENTRY := ipaddr,[proto:]port
713 The [proto:]port part of the elements may be expressed in the following
715 forms, where the range variations are valid when adding or deleting en‐
716 tries:
717 portname[-portname]
719 TCP port or range of ports expressed in TCP portname identifiers
720 from /etc/services
721 portnumber[-portnumber]
723 TCP port or range of ports expressed in TCP port numbers
724 tcp|sctp|udp|udplite:portname|portnumber[-portname|portnumber]
726 TCP, SCTP, UDP or UDPLITE port or port range expressed in port
727 name(s) or port number(s)
728 icmp:codename|type/code
730 ICMP codename or type/code. The supported ICMP codename identi‐
731 fiers can always be listed by the help command.
732 icmpv6:codename|type/code
734 ICMPv6 codename or type/code. The supported ICMPv6 codename
735 identifiers can always be listed by the help command.
736 proto:0
738 All other protocols, as an identifier from /etc/protocols or
739 number. The pseudo port number must be zero.
740 The hash:ip,port type of sets require two src/dst parameters of the set
742 match and SET target kernel modules.
743 Examples:
745 ipset create foo hash:ip,port
747 ipset add foo 192.168.1.0/24,80-82
749 ipset add foo 192.168.1.1,udp:53
751 ipset add foo 192.168.1.1,vrrp:0
753 ipset test foo 192.168.1.1,80
755 hash:net,port
757 The hash:net,port set type uses a hash to store different sized IP net‐
758 work address and port pairs. The port number is interpreted together
759 with a protocol (default TCP) and zero protocol number cannot be used.
760 Network address with zero prefix size is not accepted either.
761 CREATE-OPTIONS := [ family { inet | inet6 } ] [ hashsize value ] [ max‐
763 elem value ] [ bucketsize value ] [ timeout value ] [ counters ] [ com‐
764 ment ] [ skbinfo ]
765 ADD-ENTRY := netaddr,[proto:]port
767 ADD-OPTIONS := [ timeout value ] [ nomatch ] [ packets value ] [ bytes
769 value ] [ comment string ] [ skbmark value ] [ skbprio value ] [
770 skbqueue value ]
771 DEL-ENTRY := netaddr,[proto:]port
773 TEST-ENTRY := netaddr,[proto:]port
775 where netaddr := ip[/cidr]
777 For the netaddr part of the elements see the description at the
779 hash:net set type. For the [proto:]port part of the elements see the
780 description at the hash:ip,port set type.
781 When adding/deleting/testing entries, if the cidr prefix parameter is
783 not specified, then the host prefix value is assumed. When
784 adding/deleting entries, the exact element is added/deleted and over‐
785 lapping elements are not checked by the kernel. When testing entries,
786 if a host address is tested, then the kernel tries to match the host
787 address in the networks added to the set and reports the result accord‐
788 ingly.
789 From the set netfilter match point of view the searching for a match
791 always starts from the smallest size of netblock (most specific
792 prefix) to the largest one (least specific prefix) added to the set.
793 When adding/deleting IP addresses to the set by the SET netfilter
794 target, it will be added/deleted by the most specific prefix which
795 can be found in the set, or by the host prefix value if the set is
796 empty.
797 The lookup time grows linearly with the number of the different prefix
799 values added to the set.
800 Examples:
802 ipset create foo hash:net,port
804 ipset add foo 192.168.0/24,25
806 ipset add foo 10.1.0.0/16,80
808 ipset test foo 192.168.0/24,25
810 hash:ip,port,ip
812 The hash:ip,port,ip set type uses a hash to store IP address, port num‐
813 ber and a second IP address triples. The port number is interpreted to‐
814 gether with a protocol (default TCP) and zero protocol number cannot be
815 used.
816 CREATE-OPTIONS := [ family { inet | inet6 } ] [ hashsize value ] [ max‐
818 elem value ] [ bucketsize value ] [ timeout value ] [ counters ] [ com‐
819 ment ] [ skbinfo ]
820 ADD-ENTRY := ipaddr,[proto:]port,ip
822 ADD-OPTIONS := [ timeout value ] [ packets value ] [ bytes value ] [
824 comment string ] [ skbmark value ] [ skbprio value ] [ skbqueue value ]
825 DEL-ENTRY := ipaddr,[proto:]port,ip
827 TEST-ENTRY := ipaddr,[proto:]port,ip
829 For the first ipaddr and [proto:]port parts of the elements see the de‐
831 scriptions at the hash:ip,port set type.
832 The hash:ip,port,ip type of sets require three src/dst parameters of
834 the set match and SET target kernel modules.
835 Examples:
837 ipset create foo hash:ip,port,ip
839 ipset add foo 192.168.1.1,80,10.0.0.1
841 ipset test foo 192.168.1.1,udp:53,10.0.0.1
843 hash:ip,port,net
845 The hash:ip,port,net set type uses a hash to store IP address, port
846 number and IP network address triples. The port number is interpreted
847 together with a protocol (default TCP) and zero protocol number cannot
848 be used. Network address with zero prefix size cannot be stored either.
849 CREATE-OPTIONS := [ family { inet | inet6 } ] [ hashsize value ] [ max‐
851 elem value ] [ bucketsize value ] [ timeout value ] [ counters ] [ com‐
852 ment ] [ skbinfo ]
853 ADD-ENTRY := ipaddr,[proto:]port,netaddr
855 ADD-OPTIONS := [ timeout value ] [ nomatch ] [ packets value ] [ bytes
857 value ] [ comment string ] [ skbmark value ] [ skbprio value ] [
858 skbqueue value ]
859 DEL-ENTRY := ipaddr,[proto:]port,netaddr
861 TEST-ENTRY := ipaddr,[proto:]port,netaddr
863 where netaddr := ip[/cidr]
865 For the ipaddr and [proto:]port parts of the elements see the descrip‐
867 tions at the hash:ip,port set type. For the netaddr part of the ele‐
868 ments see the description at the hash:net set type.
869 From the set netfilter match point of view the searching for a match
871 always starts from the smallest size of netblock (most specific
872 cidr) to the largest one (least specific cidr) added to the set. When
873 adding/deleting triples to the set by the SET netfilter target, it
874 will be added/deleted by the most specific cidr which can be found in
875 the set, or by the host cidr value if the set is empty.
876 The lookup time grows linearly with the number of the different cidr
878 values added to the set.
879 The hash:ip,port,net type of sets require three src/dst parameters of
881 the set match and SET target kernel modules.
882 Examples:
884 ipset create foo hash:ip,port,net
886 ipset add foo 192.168.1,80,10.0.0/24
888 ipset add foo 192.168.2,25,10.1.0.0/16
890 ipset test foo 192.168.1,80.10.0.0/24
892 hash:ip,mark
894 The hash:ip,mark set type uses a hash to store IP address and packet
895 mark pairs.
896 CREATE-OPTIONS := [ family { inet | inet6 } ] [ markmask value ] [
898 hashsize value ] [ maxelem value ] [ bucketsize value ] [ timeout value
899 ] [ counters ] [ comment ] [ skbinfo ]
900 ADD-ENTRY := ipaddr,mark
902 ADD-OPTIONS := [ timeout value ] [ packets value ] [ bytes value ] [
904 comment string ] [ skbmark value ] [ skbprio value ] [ skbqueue value ]
905 DEL-ENTRY := ipaddr,mark
907 TEST-ENTRY := ipaddr,mark
909 Optional create options:
911 markmask value
913 Allows you to set bits you are interested in the packet mark.
914 This values is then used to perform bitwise AND operation for
915 every mark added. markmask can be any value between 1 and
916 4294967295, by default all 32 bits are set.
917 The mark can be any value between 0 and 4294967295.
919 The hash:ip,mark type of sets require two src/dst parameters of the set
921 match and SET target kernel modules.
922 Examples:
924 ipset create foo hash:ip,mark
926 ipset add foo 192.168.1.0/24,555
928 ipset add foo 192.168.1.1,0x63
930 ipset add foo 192.168.1.1,111236
932 hash:net,port,net
934 The hash:net,port,net set type behaves similarly to hash:ip,port,net
935 but accepts a cidr value for both the first and last parameter. Either
936 subnet is permitted to be a /0 should you wish to match port between
937 all destinations.
938 CREATE-OPTIONS := [ family { inet | inet6 } ] [ hashsize value ] [ max‐
940 elem value ] [ bucketsize value ] [ timeout value ] [ counters ] [ com‐
941 ment ] [ skbinfo ]
942 ADD-ENTRY := netaddr,[proto:]port,netaddr
944 ADD-OPTIONS := [ timeout value ] [ nomatch ] [ packets value ] [ bytes
946 value ] [ comment string ] [ skbmark value ] [ skbprio value ] [
947 skbqueue value ]
948 DEL-ENTRY := netaddr,[proto:]port,netaddr
950 TEST-ENTRY := netaddr,[proto:]port,netaddr
952 where netaddr := ip[/cidr]
954 For the [proto:]port part of the elements see the description at the
956 hash:ip,port set type. For the netaddr part of the elements see the de‐
957 scription at the hash:net set type.
958 From the set netfilter match point of view the searching for a match
960 always starts from the smallest size of netblock (most specific
961 cidr) to the largest one (least specific cidr) added to the set. When
962 adding/deleting triples to the set by the SET netfilter target, it
963 will be added/deleted by the most specific cidr which can be found in
964 the set, or by the host cidr value if the set is empty. The first sub‐
965 net has precedence when performing the most-specific lookup, just as
966 for hash:net,net
967 The lookup time grows linearly with the number of the different cidr
969 values added to the set and by the number of secondary cidr values per
970 primary.
971 The hash:net,port,net type of sets require three src/dst parameters of
973 the set match and SET target kernel modules.
974 Examples:
976 ipset create foo hash:net,port,net
978 ipset add foo 192.168.1.0/24,0,10.0.0/24
980 ipset add foo 192.168.2.0/24,25,10.1.0.0/16
982 ipset test foo 192.168.1.1,80,10.0.0.1
984 hash:net,iface
986 The hash:net,iface set type uses a hash to store different sized IP
987 network address and interface name pairs.
988 CREATE-OPTIONS := [ family { inet | inet6 } ] [ hashsize value ] [ max‐
990 elem value ] [ bucketsize value ] [ timeout value ] [ counters ] [ com‐
991 ment ] [ skbinfo ]
992 ADD-ENTRY := netaddr,[physdev:]iface
994 ADD-OPTIONS := [ timeout value ] [ nomatch ] [ packets value ] [ bytes
996 value ] [ comment string ] [ skbmark value ] [ skbprio value ] [
997 skbqueue value ] [ wildcard ]
998 DEL-ENTRY := netaddr,[physdev:]iface
1000 TEST-ENTRY := netaddr,[physdev:]iface
1002 where netaddr := ip[/cidr]
1004 For the netaddr part of the elements see the description at the
1006 hash:net set type.
1007 When adding/deleting/testing entries, if the cidr prefix parameter is
1009 not specified, then the host prefix value is assumed. When
1010 adding/deleting entries, the exact element is added/deleted and over‐
1011 lapping elements are not checked by the kernel. When testing entries,
1012 if a host address is tested, then the kernel tries to match the host
1013 address in the networks added to the set and reports the result accord‐
1014 ingly.
1015 From the set netfilter match point of view the searching for a match
1017 always starts from the smallest size of netblock (most specific
1018 prefix) to the largest one (least specific prefix) added to the set.
1019 When adding/deleting IP addresses to the set by the SET netfilter
1020 target, it will be added/deleted by the most specific prefix which
1021 can be found in the set, or by the host prefix value if the set is
1022 empty.
1023 The second direction parameter of the set match and SET target modules
1025 corresponds to the incoming/outgoing interface: src to the incoming one
1026 (similar to the -i flag of iptables), while dst to the outgoing one
1027 (similar to the -o flag of iptables). When the interface is flagged
1028 with physdev:, the interface is interpreted as the incoming/outgoing
1029 bridge port.
1030 The lookup time grows linearly with the number of the different prefix
1032 values added to the set.
1033 The internal restriction of the hash:net,iface set type is that the
1035 same network prefix cannot be stored with more than 64 different inter‐
1036 faces in a single set.
1037 Examples:
1039 ipset create foo hash:net,iface
1041 ipset add foo 192.168.0/24,eth0
1043 ipset add foo 10.1.0.0/16,eth1
1045 ipset test foo 192.168.0/24,eth0
1047 list:set
1049 The list:set type uses a simple list in which you can store set names.
1050 CREATE-OPTIONS := [ size value ] [ timeout value ] [ counters ] [ com‐
1052 ment ] [ skbinfo ]
1053 ADD-ENTRY := setname [ { before | after } setname ]
1055 ADD-OPTIONS := [ timeout value ] [ packets value ] [ bytes value ] [
1057 comment string ] [ skbmark value ] [ skbprio value ] [ skbqueue value ]
1058 DEL-ENTRY := setname [ { before | after } setname ]
1060 TEST-ENTRY := setname [ { before | after } setname ]
1062 Optional create options:
1064 size value
1066 The size of the list, the default is 8. The parameter is ignored
1067 since ipset version 6.24.
1068 By the ipset command you can add, delete and test set names in a
1070 list:set type of set.
1071 By the set match or SET target of netfilter you can test, add or delete
1073 entries in the sets added to the list:set type of set. The match will
1074 try to find a matching entry in the sets and the target will try to add
1075 an entry to the first set to which it can be added. The number of di‐
1076 rection options of the match and target are important: sets which re‐
1077 quire more parameters than specified are skipped, while sets with equal
1078 or less parameters are checked, elements added/deleted. For example if
1079 a and b are list:set type of sets then in the command
1080 iptables -m set --match-set a src,dst -j SET --add-set b src,dst
1082 the match and target will skip any set in a and b which stores data
1084 triples, but will match all sets with single or double data storage in
1085 a set and stop matching at the first successful set, and add src to the
1086 first single or src,dst to the first double data storage set in b to
1087 which the entry can be added. You can imagine a list:set type of set as
1088 an ordered union of the set elements.
1089 Please note: by the ipset command you can add, delete and test the set‐
1091 names in a list:set type of set, and not the presence of a set's member
1092 (such as an IP address).
1093
1095 Zero valued set entries cannot be used with hash methods. Zero protocol
1096 value with ports cannot be used.
1097
1099 If you want to store same size subnets from a given network (say /24
1100 blocks from a /8 network), use the bitmap:ip set type. If you want to
1101 store random same size networks (say random /24 blocks), use the
1102 hash:ip set type. If you have got random size of netblocks, use
1103 hash:net.
1104 Matching on destination MAC addresses using the dst parameter of the
1106 set match netfilter kernel modules will only work if the destination
1107 MAC address is available in the packet at the given processing stage,
1108 that is, it only applies for incoming packets in the PREROUTING, INPUT
1109 and FORWARD chains, against the MAC address as originally found in the
1110 received packet (typically, one of the MAC addresses of the local
1111 host). This is not the destination MAC address a destination IP address
1112 resolves to, after routing. If the MAC address is not available (e.g.
1113 in the OUTPUT chain), the packet will simply not match.
1114 Backward compatibility is maintained and old ipset syntax is still sup‐
1116 ported.
1117 The iptree and iptreemap set types are removed: if you refer to them,
1119 they are automatically replaced by hash:ip type of sets.
1120
1122 Various error messages are printed to standard error. The exit code is
1123 0 for correct functioning.
1124
1126 Bugs? No, just funny features. :-) OK, just kidding...
1127
1129 iptables(8), ip6tables(8) iptables-extensions(8)
1130
1132 Jozsef Kadlecsik wrote ipset, which is based on ippool by Joakim Axels‐
1133 son, Patrick Schaaf and Martin Josefsson.
1134 Sven Wegener wrote the iptreemap type.
1135
1137 I stand on the shoulders of giants.
1138Jozsef Kadlecsik Jun 25, 2015 IPSET(8)