SHOREWALL-IPSETS(5)           Configuration Files          SHOREWALL-IPSETS(5)


NAME

       ipsets - Specifying the name of an ipset in Shorewall configuration
       files

SYNOPSIS

       +ipsetname

       +ipsetname[flag,...]

       +[ipsetname,...]

DESCRIPTION

       Note: In the above syntax descriptions, the square brackets ("[]") are
       to be taken literally rather than as meta-characters.

       In most places where a network address may be entered, an ipset may be
       substituted. Set names must be prefixed by the character "+", must
       start with a letter and may be composed of alphanumeric characters, "-"
       and "_".

       Whether the set is matched against the packet source or destination is
       determined by the column in which the set name appears (SOURCE or
       DEST). For those set types that specify a tuple, two alternative
       syntaxes are available:

           [number]
               Indicates that 'src' or 'dst' should be repeated number
               times. Example: myset[2].

           [flag,...]
               where flag is src or dst. Example: myset[src,dst].

       In a SOURCE or SPORT column, the following are equivalent:

       •   +myset[2] and +myset[src,src]

       In a DEST or DPORT column, the following are equivalent:

       •   +myset[2] and +myset[dst,dst]

       Beginning with Shorewall 4.4.14, multiple source or destination matches
       may be specified by enclosing the set names within +[...]. The set
       names need not be prefixed with '+'. When such a list of sets is
       specified, matching packets must match all of the listed sets.

       For information about set lists and exclusion, see
       shorewall-exclusion(5)[1].

       Beginning with Shorewall 4.5.16, you can increment one or more nfacct
       objects each time a packet matches an ipset. You do that by listing the
       objects, separated by commas, within parentheses.

       Example:
           +myset[src](myobject)

       In that example, when the source address of a packet matches the myset
       ipset, the myobject nfacct counter will be incremented.

       Beginning with Shorewall 4.6.0, an ipset name (and src/dst list, if
       any) can be immediately followed by a list of match options.

           Important
           These additional match options are not available in
           shorewall-tcfilters(5)[2].

       Available options are:

       nomatch
           If the set type supports the nomatch flag, then the matching is
           reversed: a match with an element flagged with nomatch returns
           true, while a match with a plain element returns false. This option
           requires the 'Ipset Match nomatch' capability in your kernel and
           ip[6]tables.

       no-update-counters
           The packet and byte counters of the matching element in the set
           won't be updated. By default, the packet and byte counters are
           updated. This option and those that follow require the 'Ipset Match
           counters' capability in your kernel and ip[6]tables.

       no-update-subcounters
           The packet and byte counters of the matching element in the member
           set of a list type of set won't be updated. By default, the packet
           and byte counters are updated.

       packets=value
           If the packet matches an element in the set, match only if the
           packet counter of the element also equals the given value.

       packets<value
           If the packet matches an element in the set, match only if the
           packet counter of the element is also less than the given value.

       packets>value
           If the packet matches an element in the set, match only if the
           packet counter of the element is also greater than the given
           value.

       packets!=value
           If the packet matches an element in the set, match only if the
           packet counter of the element also differs from the given value.

       bytes=value
           If the packet matches an element in the set, match only if the
           byte counter of the element also equals the given value.

       bytes<value
           If the packet matches an element in the set, match only if the
           byte counter of the element is also less than the given value.

       bytes>value
           If the packet matches an element in the set, match only if the
           byte counter of the element is also greater than the given value.

       bytes<>value
           If the packet matches an element in the set, match only if the
           byte counter of the element also differs from the given value.

EXAMPLES

       In the examples that follow, myset, myset1 and myset2 are ipsets and
       myObject is an NFacct object name.

       +myset

       +myset[src]

       +myset[2]

       +[myset1,myset2[dst]]

       +myset[src](myObject)

       +myset[src,nomatch,packets>100]

       +myset[nomatch,no-update-counters](myObject)
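
       The following Python is an added example, not code from the Shorewall
       project: a parser for the ipset reference syntax described above, which
       accepts every entry listed under EXAMPLES, plus a rendering of each
       parsed reference in the argument syntax of the iptables 'set' and
       'nfacct' match extensions as documented in iptables-extensions(8). The
       function and class names (parse_ipset_ref, to_iptables, SetMatch) are
       this example's own; the column argument models the SOURCE/SPORT versus
       DEST/DPORT rule from the DESCRIPTION, and the iptables rendering shows
       what the options mean, not the exact rules Shorewall generates.

```python
"""Parse Shorewall ipset references (added example, not Shorewall's own code;
all function and class names here are this example's own)."""
import re
from dataclasses import dataclass, field

# +name, optional [flags], optional (nfacct objects); names start with a letter
# and continue with alphanumerics, '-' and '_'.
_REF_RE = re.compile(r"^([A-Za-z][A-Za-z0-9_-]*)(?:\[([^\]]*)\])?(?:\(([^)]*)\))?$")
_COUNTER_RE = re.compile(r"^(packets|bytes)(=|!=|<>|<|>)(\d+)$")
_BOOL_OPTS = {"nomatch", "no-update-counters", "no-update-subcounters"}


@dataclass
class SetMatch:
    name: str
    dirs: list                                   # e.g. ["src", "src"]
    options: list = field(default_factory=list)  # match options, in order
    nfacct: list = field(default_factory=list)   # nfacct objects to increment


def _default_dir(column):
    """A bare name or [number] means src in SOURCE/SPORT, dst in DEST/DPORT."""
    if column in ("SOURCE", "SPORT"):
        return "src"
    if column in ("DEST", "DPORT"):
        return "dst"
    raise ValueError(f"unsupported column {column!r}")


def _split_top_level(text):
    """Split on commas that are not nested inside [...] or (...)."""
    parts, cur, depth = [], [], 0
    for ch in text:
        depth += (ch in "[(") - (ch in "])")
        if ch == "," and depth == 0:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    return parts + ["".join(cur).strip()]


def _parse_one(text, column, allow_options):
    m = _REF_RE.match(text)
    if not m:
        raise ValueError(f"malformed ipset reference {text!r}")
    name, bracket, paren = m.groups()
    dirs, options = [], []
    items = [i.strip() for i in bracket.split(",")] if bracket is not None else []
    if items and items[0].isdigit():              # [number]: repeat src or dst
        dirs = [_default_dir(column)] * int(items.pop(0))
    for item in items:
        if item in ("src", "dst"):
            if options:
                raise ValueError("src/dst flags must precede match options")
            dirs.append(item)
        elif item in _BOOL_OPTS or _COUNTER_RE.match(item):
            if not allow_options:                 # tcfilters: no match options
                raise ValueError(f"match option {item!r} not permitted here")
            options.append(item)
        else:
            raise ValueError(f"unknown flag {item!r} in {text!r}")
    nfacct = [o.strip() for o in paren.split(",")] if paren else []
    return SetMatch(name, dirs or [_default_dir(column)], options, nfacct)


def parse_ipset_ref(text, column, allow_set_list=True, allow_options=True):
    """Return the SetMatch list for a '+...' entry in the given column; a
    packet must match every entry (several only for the +[a,b[...]] form).
    allow_set_list=False models hosts/maclist, allow_options=False tcfilters."""
    if not text.startswith("+"):
        raise ValueError("ipset references must be prefixed with '+'")
    body = text[1:]
    if body.startswith("[") and body.endswith("]"):
        if not allow_set_list:
            raise ValueError("+[...] set lists are not allowed in this file")
        return [_parse_one(p, column, allow_options) for p in _split_top_level(body[1:-1])]
    return [_parse_one(body, column, allow_options)]


def to_iptables(matches):
    """Render as iptables 'set'/'nfacct' match arguments per iptables-extensions(8).
    Illustrative only: Shorewall's own generated rules may differ in form."""
    args = []
    for m in matches:
        args += ["-m", "set", "--match-set", m.name, ",".join(m.dirs)]
        for opt in m.options:
            if opt == "nomatch":
                args.append("--return-nomatch")
            elif opt.startswith("no-update-"):    # no-update-counters / -subcounters
                args += ["!", "--update-" + opt[len("no-update-"):]]
            else:
                kind, op, value = _COUNTER_RE.match(opt).groups()
                if op in ("!=", "<>"):
                    args += ["!", f"--{kind}-eq", value]
                else:
                    args += [f"--{kind}-" + {"=": "eq", "<": "lt", ">": "gt"}[op], value]
        for obj in m.nfacct:
            args += ["-m", "nfacct", "--nfacct-name", obj]
    return args
```

       Calling to_iptables(parse_ipset_ref("+myset[2]", "DEST")) yields
       --match-set myset dst,dst, while the same reference in a SPORT column
       yields src,src, which is the column rule from the DESCRIPTION made
       concrete. parse_ipset_ref("+[myset1,myset2]", "SOURCE",
       allow_set_list=False) raises, mirroring the FILES note that hosts and
       maclist accept no +[...] lists.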

FILES

       /etc/shorewall/accounting

       /etc/shorewall6/accounting

       /etc/shorewall/blrules

       /etc/shorewall6/blrules

       /etc/shorewall/hosts -- Note: Multiple matches enclosed in +[...] may
       not be used in this file.

       /etc/shorewall6/hosts -- Note: Multiple matches enclosed in +[...] may
       not be used in this file.

       /etc/shorewall/maclist -- Note: Multiple matches enclosed in +[...] may
       not be used in this file.

       /etc/shorewall6/maclist -- Note: Multiple matches enclosed in +[...]
       may not be used in this file.

       /etc/shorewall/rules

       /etc/shorewall6/rules

       /etc/shorewall/secmarks

       /etc/shorewall6/secmarks

       /etc/shorewall/mangle

       /etc/shorewall6/mangle

       /etc/shorewall/snat

       /etc/shorewall6/snat

SEE ALSO

       shorewall(8)

NOTES

        1. shorewall-exclusion
           https://shorewall.org/manpages/shorewall-exclusion.html

        2. shorewall-tcfilters(5)
           https://shorewall.org/manpages/shorewall-tcfilters.html



Configuration Files               09/24/2020               SHOREWALL-IPSETS(5)