SHOREWALL-IPSETS(5)              Configuration Files              SHOREWALL-IPSETS(5)

NAME
   ipsets - Specifying the name of an ipset in Shorewall configuration
   files

SYNOPSIS
   +ipsetname

   +ipsetname[flag,...]

   +[ipsetname,...]

DESCRIPTION
   Note: In the above syntax descriptions, the square brackets ("[]") are
   to be taken literally rather than as meta-characters.

   In most places where a network address may be entered, an ipset may be
   substituted. Set names must be prefixed by the character "+", must
   start with a letter and may be composed of alphanumeric characters, "-"
   and "_".

   Whether the set is matched against the packet source or destination is
   determined by the column in which the set name appears (SOURCE or
   DEST). For those set types that specify a tuple, two alternative
   syntaxes are available:

   •   [number] - Indicates that 'src' or 'dst' should be repeated number
       times. Example: myset[2].

   •   [flag,...] where flag is src or dst. Example: myset[src,dst].

   In a SOURCE or SPORT column, the following pairs are equivalent:

   •   +myset[2] and +myset[src,src]

   In a DEST or DPORT column, the following pairs are equivalent:

   •   +myset[2] and +myset[dst,dst]

   Beginning with Shorewall 4.4.14, multiple source or destination matches
   may be specified by enclosing the set names within +[...]. The set
   names need not be prefixed with '+'. When such a list of sets is
   specified, matching packets must match all of the listed sets.

   For information about set lists and exclusion, see
   shorewall-exclusion(5)[1].
51
   Beginning with Shorewall 4.5.16, you can increment one or more nfacct
   objects each time a packet matches an ipset. You do that by listing the
   objects, separated by commas, within parentheses.

   Example:
       +myset[src](myobject)

   In that example, when the source address of a packet matches the myset
   ipset, the myobject nfacct counter will be incremented.

   Beginning with Shorewall 4.6.0, an ipset name (and src/dst list, if
   any) can immediately be followed by a list of match options.
64
   Important
       These additional match options are not available in
       shorewall-tcfilters(5)[2].

   Available options are:

   nomatch
       If the set type supports the nomatch flag, then the matching is
       reversed: a match with an element flagged with nomatch returns
       true, while a match with a plain element returns false. This option
       requires the 'Ipset Match nomatch' capability in your kernel and
       ip[6]tables.

   no-update-counters
       The packet and byte counters of the matching element in the set
       won't be updated. By default, the packet and byte counters are
       updated. This option and those that follow require the 'Ipset Match
       counters' capability in your kernel and ip[6]tables.

   no-update-subcounters
       The packet and byte counters of the matching element in the member
       set of a list type of set won't be updated. By default, the packet
       and byte counters are updated.

   packets=value
       If the packet matches an element in the set, match only if the
       packet counter of the element also equals the given value.

   packets<value
       If the packet matches an element in the set, match only if the
       packet counter of the element is also less than the given value.

   packets>value
       If the packet matches an element in the set, match only if the
       packet counter of the element is also greater than the given
       value.

   packets!=value
       If the packet matches an element in the set, match only if the
       packet counter of the element also differs from the given value.

   bytes=value
       If the packet matches an element in the set, match only if the
       byte counter of the element also equals the given value.

   bytes<value
       If the packet matches an element in the set, match only if the
       byte counter of the element is also less than the given value.

   bytes>value
       If the packet matches an element in the set, match only if the
       byte counter of the element is also greater than the given value.

   bytes<>value
       If the packet matches an element in the set, match only if the
       byte counter of the element also differs from the given value.

EXAMPLES
   In the examples that follow, myset, myset1 and myset2 are ipsets and
   myObject is an NFacct object name.

   +myset

   +myset[src]

   +myset[2]

   +[myset1,myset2[dst]]

   +myset[src](myObject)

   +myset[src,nomatch,packets>100]

   +myset[nomatch,no-update-counters](myObject)
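The reference syntax described in DESCRIPTION and the examples listed above, worked through as an added Python example; this is not part of the man page and not Shorewall's own compiler. It parses a SOURCE/SPORT/DEST/DPORT column entry into its set name, src/dst tuple (expanding the [number] form according to the column), match options and nfacct objects, rejects the +[...] list form where the FILES section says it may not be used, and then renders each set as iptables `set` and `nfacct` match arguments. The iptables spellings (`--match-set`, `--return-nomatch`, `! --update-counters`, `! --update-subcounters`, `--packets-eq/-lt/-gt`, `--bytes-eq/-lt/-gt`, `--nfacct-name`) are not shown on the page and the mapping is an assumption of this example; `bytes<>value` is rendered the same way as `packets!=value`, following the page's "does not match" wording.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed grammar, following shorewall-ipsets(5):
#   +name[flag,...](nfacct,...)      single set, "+" required
#   +[name,name[flag,...],...]       several sets, all must match, "+" optional
SET_NAME = r"[A-Za-z][A-Za-z0-9_-]*"
_REF_RE = re.compile(
    rf"^\+?(?P<name>{SET_NAME})"
    r"(?:\[(?P<flags>[^\]]*)\])?"
    r"(?:\((?P<nfacct>[^()]*)\))?$"
)
_COUNTER_RE = re.compile(r"^(packets|bytes)(!=|<>|=|<|>)(\d+)$")
_SIMPLE_OPTIONS = ("nomatch", "no-update-counters", "no-update-subcounters")
_COLUMN_DIR = {"SOURCE": "src", "SPORT": "src", "DEST": "dst", "DPORT": "dst"}


@dataclass
class IpsetRef:
    name: str
    dirs: List[str]                                    # src/dst tuple
    options: List[str] = field(default_factory=list)   # match options as written
    nfacct: List[str] = field(default_factory=list)    # nfacct objects to increment


def _split_top_level(body):
    """Split on commas that are not nested inside [...] or (...)."""
    parts, depth, cur = [], 0, ""
    for ch in body:
        if ch == "," and depth == 0:
            parts.append(cur)
            cur = ""
            continue
        if ch in "[(":
            depth += 1
        elif ch in "])":
            depth -= 1
        cur += ch
    parts.append(cur)
    return parts


def _parse_one(text, column, require_plus):
    if require_plus and not text.startswith("+"):
        raise ValueError(f"set name must be prefixed with '+': {text!r}")
    m = _REF_RE.match(text)
    if not m:
        raise ValueError(f"malformed ipset reference: {text!r}")
    default_dir = _COLUMN_DIR[column]          # the column decides src vs dst
    ref = IpsetRef(m.group("name"), [])
    for flag in (m.group("flags") or "").split(","):
        flag = flag.strip()
        if not flag:
            continue
        if flag.isdigit():                     # "[number]": repeat src or dst
            ref.dirs.extend([default_dir] * int(flag))
        elif flag in ("src", "dst"):
            ref.dirs.append(flag)
        elif flag in _SIMPLE_OPTIONS or _COUNTER_RE.match(flag):
            ref.options.append(flag)
        else:
            raise ValueError(f"unknown flag {flag!r} in {text!r}")
    if not ref.dirs:                           # no tuple given: one match, per column
        ref.dirs.append(default_dir)
    ref.nfacct = [o.strip() for o in (m.group("nfacct") or "").split(",") if o.strip()]
    return ref


def parse_ipset(spec, column, allow_list=True):
    """Parse an ipset reference from a SOURCE/SPORT/DEST/DPORT column.

    Returns a list of IpsetRef: one entry normally, several for the +[...]
    form (a packet must match all of them).  allow_list=False models the
    hosts and maclist files, where +[...] may not be used.
    """
    spec = spec.strip()
    if column not in _COLUMN_DIR:
        raise ValueError(f"unknown column {column!r}")
    if spec.startswith("+[") and spec.endswith("]"):
        if not allow_list:
            raise ValueError("multiple matches +[...] are not permitted in this file")
        return [_parse_one(p.strip(), column, require_plus=False)
                for p in _split_top_level(spec[2:-1])]
    return [_parse_one(spec, column, require_plus=True)]


# Assumed iptables spellings for the same options (not shown on the page).
_SIMPLE_ARGS = {
    "nomatch": ["--return-nomatch"],
    "no-update-counters": ["!", "--update-counters"],
    "no-update-subcounters": ["!", "--update-subcounters"],
}
_CMP_ARGS = {"=": ("eq", False), "<": ("lt", False), ">": ("gt", False),
             "!=": ("eq", True), "<>": ("eq", True)}   # "<>" read as "does not match"


def to_set_match(ref):
    """Render one IpsetRef as iptables 'set' (plus 'nfacct') match arguments."""
    args = ["-m", "set", "--match-set", ref.name, ",".join(ref.dirs)]
    for opt in ref.options:
        if opt in _SIMPLE_ARGS:
            args += _SIMPLE_ARGS[opt]
            continue
        kind, cmp_, value = _COUNTER_RE.match(opt).groups()
        suffix, negate = _CMP_ARGS[cmp_]
        args += (["!"] if negate else []) + [f"--{kind}-{suffix}", value]
    for obj in ref.nfacct:
        args += ["-m", "nfacct", "--nfacct-name", obj]
    return args


if __name__ == "__main__":
    for col, spec in [("SOURCE", "+myset[2]"), ("DEST", "+[myset1,myset2[dst]]"),
                      ("SOURCE", "+myset[src,nomatch,packets>100]"),
                      ("DEST", "+myset[nomatch,no-update-counters](myObject)")]:
        for ref in parse_ipset(spec, col):
            print(f"{col:6} {spec:45} -> {' '.join(to_set_match(ref))}")
```

Running the block prints one rendered match per set; note that the same `+myset[2]` becomes `src,src` in a SOURCE column and `dst,dst` in a DEST column, exactly the equivalence the page states, and that a `+[...]` entry yields several matches that are all placed on one rule.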
140
FILES
   /etc/shorewall/accounting

   /etc/shorewall6/accounting

   /etc/shorewall/blrules

   /etc/shorewall6/blrules

   /etc/shorewall/hosts -- Note: Multiple matches enclosed in +[...] may
   not be used in this file.

   /etc/shorewall6/hosts -- Note: Multiple matches enclosed in +[...] may
   not be used in this file.

   /etc/shorewall/maclist -- Note: Multiple matches enclosed in +[...] may
   not be used in this file.

   /etc/shorewall6/maclist -- Note: Multiple matches enclosed in +[...]
   may not be used in this file.

   /etc/shorewall/rules

   /etc/shorewall6/rules

   /etc/shorewall/secmarks

   /etc/shorewall6/secmarks

   /etc/shorewall/mangle

   /etc/shorewall6/mangle

   /etc/shorewall/snat

   /etc/shorewall6/snat

SEE ALSO
   shorewall(8)

NOTES
   1. shorewall-exclusion
      https://shorewall.org/manpages/shorewall-exclusion.html

   2. shorewall-tcfilters(5)
      https://shorewall.org/manpages/shorewall-tcfilters.html

Configuration Files                   09/24/2020                  SHOREWALL-IPSETS(5)