author: Jozsef Kadlecsik <> 2011-05-30 17:48:01 +0200
committer: Jozsef Kadlecsik <> 2011-05-30 21:30:10 +0200
commit: 418a3a4f4d4e38abd1d691f81f2445590f02ecaf
tree: a41ed16b366c854786eea8f3da5c80fa50636dc6 /src/ipset.8
parent: 4e21d6b5ce623f7601a872b94f3b88105356e2d3
hash:net,iface type introduced
The hash:net,iface type makes it possible to store network address and interface name pairs in a set. It's mostly suitable for egress and ingress filtering. Examples:

# ipset create test hash:net,iface
# ipset add test,eth0
# ipset add test,eth1
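The commit message above introduces the type; the following Python model is an added example (not ipset code) of the matching rules the man page hunk in this commit documents: the host prefix is assumed when the cidr is omitted, a lookup walks the distinct prefix lengths from most specific to least specific, `physdev:` marks a bridge-port interface as a distinct key, and the SET target adds by the most specific prefix present in the set (host prefix if the set is empty). It relies on Python's ipaddress module, so addresses are written in full (192.168.0.0/24 rather than ipset's 192.168.0/24 shorthand).

```python
import ipaddress


class HashNetIface:
    """Toy model of the ipset hash:net,iface set type (illustration only)."""

    def __init__(self, family="inet"):
        self.hostlen = 32 if family == "inet" else 128   # host prefix per family
        self.entries = set()   # {(ip_network, iface, physdev_flag)} exact elements
        self.cidrs = set()     # distinct prefix lengths currently in the set

    @staticmethod
    def _parse_iface(spec):
        # "[physdev:]iface" -> (iface, physdev flag); physdev:eth0 != eth0
        physdev = spec.startswith("physdev:")
        return (spec[len("physdev:"):] if physdev else spec), physdev

    def _net(self, netaddr):
        # "ip[/cidr]": a missing cidr means the host prefix (/32 or /128)
        if "/" not in netaddr:
            netaddr = f"{netaddr}/{self.hostlen}"
        return ipaddress.ip_network(netaddr, strict=False)

    def add(self, netaddr, iface_spec):
        """Store the exact element; overlapping entries are not checked."""
        net = self._net(netaddr)
        iface, physdev = self._parse_iface(iface_spec)
        self.entries.add((net, iface, physdev))
        self.cidrs.add(net.prefixlen)

    def test(self, ip, iface_spec):
        """Match a host address as the `set` netfilter match does: most specific
        prefix first. Returns the prefix length that matched, or None."""
        addr = ipaddress.ip_address(ip)
        iface, physdev = self._parse_iface(iface_spec)
        # cost grows linearly with the number of distinct prefix lengths
        for cidr in sorted(self.cidrs, reverse=True):
            net = ipaddress.ip_network(f"{addr}/{cidr}", strict=False)
            if (net, iface, physdev) in self.entries:
                return cidr
        return None

    def target_add(self, ip, iface_spec):
        """SET target semantics: add ip by the most specific prefix found in the
        set, or by the host prefix if the set is empty. Returns the prefix used."""
        cidr = max(self.cidrs) if self.cidrs else self.hostlen
        self.add(f"{ip}/{cidr}", iface_spec)
        return cidr
```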
Diffstat (limited to 'src/ipset.8')
1 files changed, 69 insertions, 2 deletions
diff --git a/src/ipset.8 b/src/ipset.8
index 90914f4..648e935 100644
--- a/src/ipset.8
+++ b/src/ipset.8
@@ -214,8 +214,8 @@ command follows the syntax
where the current list of the methods are
\fBbitmap\fR, \fBhash\fR, and \fBlist\fR and the possible data types
-are \fBip\fR, \fBnet\fR, \fBmac\fR and \fBport\fR. The dimension of a set
-is equal to the number of data types in its type name.
+are \fBip\fR, \fBnet\fR, \fBmac\fR, \fBport\fR and \fBiface\fR.
+The dimension of a set is equal to the number of data types in its type name.
When adding, deleting or testing entries in a set, the same comma separated
data syntax must be used for the entry parameter of the commands, i.e
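Review bot: the rewritten data-type list `\fBip\fR, \fBnet\fR, \fBmac\fR, \fBport\fR and \fBiface\fR` drops the serial comma that the unchanged method list on the previous line (`\fBbitmap\fR, \fBhash\fR, and \fBlist\fR`) uses; consider `\fBport\fR, and \fBiface\fR` so the two adjacent lists follow one convention.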
@@ -711,6 +711,73 @@ ipset add foo 192.168.1,80,10.0.0/24
ipset add foo 192.168.2,25,
ipset test foo 192.168.1,
+.SS hash:net,iface
+The \fBhash:net,iface\fR set type uses a hash to store different sized IP network
+address and interface name pairs. Network address with zero prefix size is not
+\fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] | [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ]
+\fIADD\-ENTRY\fR := \fInetaddr\fR,[\fBphysdev\fR:]\fIiface\fR
+\fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ]
+\fIDEL\-ENTRY\fR := \fInetaddr\fR,[\fBphysdev\fR:]\fIiface\fR
+\fITEST\-ENTRY\fR := \fInetaddr\fR,[\fBphysdev\fR:]\fIiface\fR
+\fInetaddr\fR := \fIip\fR[/\fIcidr\fR]
+Optional \fBcreate\fR options:
+\fBfamily\fR { \fBinet\fR | \fBinet6\fR }
+The protocol family of the IP addresses to be stored in the set. The default is
+\fBinet\fR, i.e IPv4.
+\fBhashsize\fR \fIvalue\fR
+The initial hash size for the set, default is 1024. The hash size must be a power
+of two, the kernel automatically rounds up non power of two hash sizes to the first
+correct value.
+\fBmaxelem\fR \fIvalue\fR
+The maximal number of elements which can be stored in the set, default 65536.
+For the \fInetaddr\fR part of the elements
+see the description at the \fBhash:net\fR set type.
+When adding/deleting/testing entries, if the cidr prefix parameter is not specified,
+then the host prefix value is assumed. When adding/deleting entries, the exact
+element is added/deleted and overlapping elements are not checked by the kernel.
+When testing entries, if a host address is tested, then the kernel tries to match
+the host address in the networks added to the set and reports the result accordingly.
+From the \fBset\fR netfilter match point of view the searching for a match
+always starts from the smallest size of netblock (most specific
+prefix) to the largest one (least specific prefix) added to the set.
+When adding/deleting IP
+addresses to the set by the \fBSET\fR netfilter target, it will be
+added/deleted by the most specific prefix which can be found in the
+set, or by the host prefix value if the set is empty.
+The second direction parameter of the \fBset\fR match and
+\fBSET\fR target modules corresponds to the incoming/outgoing interface
+: \fBsrc\fR to the incoming, while \fBdst\fR to the outgoing. When
+the interface is flagged with \fBphysdev:\fR, the interface is interpreted
+as the incoming/outgoing bridge port.
+The lookup time grows linearly with the number of the different prefix
+values added to the set.
+ipset create foo hash:net,iface
+ipset add foo 192.168.0/24,eth0
+ipset add foo,eth1
+ipset test foo 192.168.0/24,eth0
.SS list:set
The \fBlist:set\fR type uses a simple list in which you can store
set names.
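Review bot: the example `ipset add foo,eth1` does not follow the `ADD-ENTRY := netaddr,[physdev:]iface` grammar introduced in the same hunk, which requires a network address before the comma; suggest `ipset add foo <netaddr>,eth1` with a real address filled in. Two smaller points in the same section: the sentence `Network address with zero prefix size is not` ends without stating what happens, and `timeout` appears in both CREATE-OPTIONS and ADD-OPTIONS but is not described under "Optional create options" alongside family, hashsize and maxelem.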