1SHOREWALL-IPSETS(5) Configuration Files SHOREWALL-IPSETS(5)
2
6 ipsets - Specifying the name if an ipset in Shorewall configuration
7 files
8
10 +ipsetname
11 +ipsetname[flag,...]
13 +[ipsetname,...]
15
17 Note: In the above syntax descriptions, the square brackets ("[]") are
18 to be taken literally rather than as meta-characters.
19 In most places where a network address may be entered, an ipset may be
21 substituted. Set names must be prefixed by the character "+", must
22 start with a letter and may be composed of alphanumeric characters, "-"
23 and "_".
24 Whether the set is matched against the packet source or destination is
26 determined by which column the set name appears (SOURCE or DEST). For
27 those set types that specify a tuple, two alternative syntaxes are
28 available:
29 [number] - Indicates that 'src' or
30 'dst' should be repeated number times.
31 Example: myset[2].
32 [flag,...] where
33 flag is src or
34 dst. Example: myset[src,dst].
35 In a SOURCE or SPORT column, the following pairs are equivalent:
37 • +myset[2] and +myset[src,src]
39 In a DEST or DPORT column, the following pairs are equivalent:
41 • +myset[2] and +myset[dst,dst]
43 Beginning with Shorewall 4.4.14, multiple source or destination matches
45 may be specified by enclosing the set names within +[...]. The set
46 names need not be prefixed with '+'. When such a list of sets is
47 specified, matching packets must match all of the listed sets.
48 For information about set lists and exclusion, see
50 shorewall-exclusion[1] (5).
51 Beginning with Shorewall 4.5.16, you can increment one or more nfacct
53 objects each time a packet matches an ipset. You do that by listing the
54 objects separated by commas within parentheses.
55 Example:
57 +myset[src](myobject)
58 In that example, when the source address of a packet matches the myset
60 ipset, the myobject nfacct counter will be incremented.
61 Beginning with Shorewall 4.6.0, an ipset name (and src/dst list, if
63 any) can be immediately be followed by a list of match options.
64 Important
66 These additional match options are not available in
67 shorewall-tcfilters(5)[2].
68 Available options are:
70 nomatch
72 If the set type supports the nomatch flag, then the matching is
73 reversed: a match with an element flagged with nomatch returns
74 true, while a match with a plain element returns false. This option
75 requires the 'Ipset Match nomatch' capability in your kernel and
76 ip[6]tables.
77 no-update-counters
79 The packet and byte counters of the matching element in the set
80 won't be updated. By default, the packet and byte counters are
81 updated. This option and those that follow require the 'Ipset Match
82 counters' capability in your kernel and ip[6]tables.
83 no-update-subcounters
85 The packet and byte counters of the matching element in the member
86 set of a list type of set won't be updated. Default the packet and
87 byte counters are updated.
88 packets=value
90 If the packet is matched an element in the set, match only if the
91 packet counter of the element matches the given value also.
92 packets<value
94 If the packet is matched an element in the set, match only if the
95 packet counter of the element is less than the given value as well.
96 packets>value
98 If the packet is matched an element in the set, match only if the
99 packet counter of the element is greater than the given value as
100 well.
101 packets!=value
103 If the packet is matched an element in the set, match only if the
104 packet counter of the element does not match the given value also.
105 bytes=value
107 If the packet is matched an element in the set, match only if the
108 byte counter of the element matches the given value also.
109 bytes<value
111 If the packet is matched an element in the set, match only if the
112 byte counter of the element is less than the given value as well.
113 bytes>value
115 If the packet is matched an element in the set, match only if the
116 byte counter of the element is greater than the given value as
117 well.
118 bytes<>value
120 If the packet is matched an element in the set, match only if the
121 byte counter of the element does not match the given value also.
122
124 In the examples that follow, myset, myset1 and myset2 are ipsets and
125 myObject is an NFacct object name.
126 +myset
128 +myset[src]
130 +myset[2]
132 +[myset1,myset2[dst]]
134 +myset[src](myObject)
136 +myset[src,nomatch,packets>100]
138 +myset[nomatch,no-update-counters](myObject)
140
142 /etc/shorewall/accounting
143 /etc/shorewall6/accounting
145 /etc/shorewall/blrules
147 /etc/shorewall6/blrules
149 /etc/shorewall/hosts -- Note: Multiple matches enclosed in +[...] may
151 not be used in this file.
152 /etc/shorewall6/hosts -- Note: Multiple matches enclosed in +[...] may
154 not be used in this file.
155 /etc/shorewall/maclist -- Note: Multiple matches enclosed in +[...] may
157 not be used in this file.
158 /etc/shorewall6/maclist -- Note: Multiple matches enclosed in +[...]
160 may not be used in this file.
161 /etc/shorewall/rules
163 /etc/shorewall6/rules
165 /etc/shorewall/secmarks
167 /etc/shorewall6/secmarks
169 /etc/shorewall/mangle
171 /etc/shorewall6/mangle
173 /etc/shorewall/snat
175 /etc/shorewall6/snat
177
179 shorewall(8)
180
182 1. shorewall-exclusion
183 https://shorewall.org/manpages/shorewall-exclusion.html
184 2. shorewall-tcfilters(5)
186 https://shorewall.org/manpages/shorewall-tcfilters.html
187Configuration Files 09/24/2020 SHOREWALL-IPSETS(5)