author: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa> 2013-09-28 20:20:01 +0200
committer: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> 2013-09-30 20:18:13 +0200
commit: 4e92e6ba2c4411f0ea3ae503c42fe7029bcc4618
tree: 8141c5e8c5f34e464e3ed998fed28692adf8321d /src
parent: 990de541b957fb1750dc8df849e71106ce9daf4d
ipset: Add userspace code to support hash:net,port,net kernel module.
This adds the userspace library, tests to validate correct operation of the module and also provides appropriate usage information in the man page.

Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Diffstat (limited to 'src')
-rw-r--r-- src/ipset.8 | 342
1 files changed, 202 insertions, 140 deletions
diff --git a/src/ipset.8 b/src/ipset.8
index 20fb4d4..8a21eaf 100644
--- a/src/ipset.8
+++ b/src/ipset.8
@@ -18,37 +18,37 @@
ipset \(em administration tool for IP sets
.SH "SYNOPSIS"
\fBipset\fR [ \fIOPTIONS\fR ] \fICOMMAND\fR [ \fICOMMAND\-OPTIONS\fR ]
-.PP
+.PP
COMMANDS := { \fBcreate\fR | \fBadd\fR | \fBdel\fR | \fBtest\fR | \fBdestroy\fR | \fBlist\fR | \fBsave\fR | \fBrestore\fR | \fBflush\fR | \fBrename\fR | \fBswap\fR | \fBhelp\fR | \fBversion\fR | \fB\-\fR }
-.PP
+.PP
\fIOPTIONS\fR := { \fB\-exist\fR | \fB\-output\fR { \fBplain\fR | \fBsave\fR | \fBxml\fR } | \fB\-quiet\fR | \fB\-resolve\fR | \fB\-sorted\fR | \fB\-name\fR | \fB\-terse\fR | \fB\-file\fR \fIfilename\fR }
-.PP
+.PP
\fBipset\fR \fBcreate\fR \fISETNAME\fR \fITYPENAME\fR [ \fICREATE\-OPTIONS\fR ]
-.PP
+.PP
\fBipset\fR \fBadd\fR \fISETNAME\fR \fIADD\-ENTRY\fR [ \fIADD\-OPTIONS\fR ]
-.PP
+.PP
\fBipset\fR \fBdel\fR \fISETNAME\fR \fIDEL\-ENTRY\fR [ \fIDEL\-OPTIONS\fR ]
-.PP
+.PP
\fBipset\fR \fBtest\fR \fISETNAME\fR \fITEST\-ENTRY\fR [ \fITEST\-OPTIONS\fR ]
-.PP
+.PP
\fBipset\fR \fBdestroy\fR [ \fISETNAME\fR ]
-.PP
+.PP
\fBipset\fR \fBlist\fR [ \fISETNAME\fR ]
-.PP
+.PP
\fBipset\fR \fBsave\fR [ \fISETNAME\fR ]
-.PP
+.PP
\fBipset\fR \fBrestore\fR
-.PP
+.PP
\fBipset\fR \fBflush\fR [ \fISETNAME\fR ]
-.PP
+.PP
\fBipset\fR \fBrename\fR \fISETNAME\-FROM\fR \fISETNAME\-TO\fR
-.PP
+.PP
\fBipset\fR \fBswap\fR \fISETNAME\-FROM\fR \fISETNAME\-TO\fR
-.PP
+.PP
\fBipset\fR \fBhelp\fR [ \fITYPENAME\fR ]
-.PP
+.PP
\fBipset\fR \fBversion\fR
-.PP
+.PP
\fBipset\fR \fB\-\fR
.SH "DESCRIPTION"
\fBipset\fR
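Review bot: every `-.PP`/`+.PP` pair in this hunk (and in the roughly thirty hunks that follow, up to the hash:net,port,net addition) removes and re-adds a line that renders identically, so the change can only be trailing whitespace or line endings. That cleanup is unrelated to the new set type and inflates the diffstat to 202 insertions / 140 deletions for what is really one new section; please split the whitespace fix into its own commit so the feature change is reviewable and bisectable on its own.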
@@ -56,7 +56,7 @@ is used to set up, maintain and inspect so called IP sets in the Linux
kernel. Depending on the type of the set, an IP set may store IP(v4/v6)
addresses, (TCP/UDP) port numbers, IP and MAC address pairs, IP address
and port number pairs, etc. See the set type definitions below.
-.PP
+.PP
\fBIptables\fR
matches and targets referring to sets create references, which
protect the given sets in the kernel. A set cannot be destroyed
@@ -241,13 +241,13 @@ When adding, deleting or testing entries in a set, the same comma separated
data syntax must be used for the entry parameter of the commands, i.e
.IP
ipset add foo ipaddr,portnum,ipaddr
-.PP
+.PP
If host names or service names with dash in the name are used instead of IP
addresses or service numbers, then the host name or service name must be enclosed
in square brackets. Example:
.IP
ipset add foo [test\-hostname],[ftp\-data]
-.PP
+.PP
In the case of host names the DNS resolver is called internally
by \fBipset\fR but if it returns multiple IP addresses, only the
first one is used.
@@ -279,7 +279,7 @@ ipset create test hash:ip timeout 300
ipset add test 192.168.0.1 timeout 60
.IP
ipset \-exist add test 192.168.0.1 timeout 600
-.PP
+.PP
.SS nomatch
The \fBhash\fR set types which can store \fBnet\fR type of data (i.e. hash:*net*)
support the optional \fBnomatch\fR
@@ -303,7 +303,7 @@ to a set with non\-zero counter values:
ipset create foo hash:ip counters
.IP
ipset add foo 192.168.1.1 packets 42 bytes 1024
-.PP
+.PP
.SS comment
All set types support the optional \fBcomment\fR extension.
Enabling this extension on an ipset enables you to annotate an ipset entry with
@@ -332,24 +332,24 @@ the above would appear as: "allow access to SMB share on \\\\fileserv\\"
The \fBbitmap:ip\fR set type uses a memory range to store either IPv4 host
(default) or IPv4 network addresses. A \fBbitmap:ip\fR type of set can store up
to 65536 entries.
-.PP
+.PP
\fICREATE\-OPTIONS\fR := \fBrange\fP \fIfromip\fP\-\fItoip\fR|\fIip\fR/\fIcidr\fR [ \fBnetmask\fP \fIcidr\fP ] [ \fBtimeout\fR \fIvalue\fR ] [ \fBcounters\fP ] [ \fBcomment\fP ]
-.PP
+.PP
\fIADD\-ENTRY\fR := { \fIip\fR | \fIfromip\fR\-\fItoip\fR | \fIip\fR/\fIcidr\fR }
-.PP
+.PP
\fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ] [ \fBpackets\fR \fIvalue\fR ] [ \fBbytes\fR \fIvalue\fR ] [ \fBcomment\fR \fIstring\fR ]
-.PP
+.PP
\fIDEL\-ENTRY\fR := { \fIip\fR | \fIfromip\fR\-\fItoip\fR | \fIip\fR/\fIcidr\fR }
-.PP
+.PP
\fITEST\-ENTRY\fR := \fIip\fR
-.PP
+.PP
Mandatory \fBcreate\fR options:
.TP
\fBrange\fP \fIfromip\fP\-\fItoip\fR|\fIip\fR/\fIcidr\fR
Create the set from the specified inclusive address range expressed in an
IPv4 address range or network. The size of the range (in entries) cannot exceed
the limit of maximum 65536 elements.
-.PP
+.PP
Optional \fBcreate\fR options:
.TP
\fBnetmask\fP \fIcidr\fP
@@ -358,10 +358,10 @@ stored in the set instead of IP host addresses. The \fIcidr\fR prefix value must
between 1\-32.
An IP address will be in the set if the network address, which is resulted by
masking the address with the specified netmask, can be found in the set.
-.PP
+.PP
The \fBbitmap:ip\fR type supports adding or deleting multiple entries in one
command.
-.PP
+.PP
Examples:
.IP
ipset create foo bitmap:ip range 192.168.0.0/16
@@ -371,36 +371,36 @@ ipset add foo 192.168.1/24
ipset test foo 192.168.1.1
.SS bitmap:ip,mac
The \fBbitmap:ip,mac\fR set type uses a memory range to store IPv4 and a MAC address pairs. A \fBbitmap:ip,mac\fR type of set can store up to 65536 entries.
-.PP
+.PP
\fICREATE\-OPTIONS\fR := \fBrange\fP \fIfromip\fP\-\fItoip\fR|\fIip\fR/\fIcidr\fR [ \fBtimeout\fR \fIvalue\fR ] [ \fBcounters\fP ] [ \fBcomment\fP ]
-.PP
+.PP
\fIADD\-ENTRY\fR := \fIip\fR[,\fImacaddr\fR]
-.PP
+.PP
\fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ] [ \fBpackets\fR \fIvalue\fR ] [ \fBbytes\fR \fIvalue\fR ] [ \fBcomment\fR \fIstring\fR ]
-.PP
+.PP
\fIDEL\-ENTRY\fR := \fIip\fR[,\fImacaddr\fR]
-.PP
+.PP
\fITEST\-ENTRY\fR := \fIip\fR[,\fImacaddr\fR]
-.PP
+.PP
Mandatory options to use when creating a \fBbitmap:ip,mac\fR type of set:
.TP
\fBrange\fP \fIfromip\fP\-\fItoip\fR|\fIip\fR/\fIcidr\fR
Create the set from the specified inclusive address range expressed in an
IPv4 address range or network. The size of the range cannot exceed the limit
of maximum 65536 entries.
-.PP
+.PP
The \fBbitmap:ip,mac\fR type is exceptional in the sense that the MAC part can
be left out when adding/deleting/testing entries in the set. If we add an entry
without the MAC address specified, then when the first time the entry is
matched by the kernel, it will automatically fill out the missing MAC address with the
source MAC address from the packet. If the entry was specified with a timeout value,
the timer starts off when the IP and MAC address pair is complete.
-.PP
+.PP
The \fBbitmap:ip,mac\fR type of sets require two \fBsrc/dst\fR parameters of
the \fBset\fR match and \fBSET\fR target netfilter kernel modules and the second
one must be \fBsrc\fR to match, add or delete entries, because the \fBset\fR
match and \fBSET\fR target have access to the source MAC address only.
-.PP
+.PP
Examples:
.IP
ipset create foo bitmap:ip,mac range 192.168.0.0/16
@@ -411,25 +411,25 @@ ipset test foo 192.168.1.1
.SS bitmap:port
The \fBbitmap:port\fR set type uses a memory range to store port numbers
and such a set can store up to 65536 ports.
-.PP
+.PP
\fICREATE\-OPTIONS\fR := \fBrange\fP \fIfromport\fP\-\fItoport [ \fBtimeout\fR \fIvalue\fR ] [ \fBcounters\fP ] [ \fBcomment\fP ]
-.PP
+.PP
\fIADD\-ENTRY\fR := { \fI[proto:]port\fR | \fI[proto:]fromport\fR\-\fItoport\fR }
-.PP
+.PP
\fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ] [ \fBpackets\fR \fIvalue\fR ] [ \fBbytes\fR \fIvalue\fR ] [ \fBcomment\fR \fIstring\fR ]
-.PP
+.PP
\fIDEL\-ENTRY\fR := { \fI[proto:]port\fR | \fI[proto:]fromport\fR\-\fItoport\fR }
-.PP
+.PP
\fITEST\-ENTRY\fR := \fI[proto:]port\fR
-.PP
+.PP
Mandatory options to use when creating a \fBbitmap:port\fR type of set:
.TP
\fBrange\fP \fI[proto:]fromport\fP\-\fItoport\fR
Create the set from the specified inclusive port range.
-.PP
+.PP
The \fBset\fR match and \fBSET\fR target netfilter kernel modules interpret
the stored numbers as TCP or UDP port numbers.
-.PP
+.PP
\fBproto\fR only needs to be specified if a service name is used,
and that name does not exist as a TCP service.
.PP
@@ -446,17 +446,17 @@ ipset del foo udp:[macon-udp]-[tn-tl-w2]
The \fBhash:ip\fR set type uses a hash to store IP host addresses (default) or
network addresses. Zero valued IP address cannot be stored in a \fBhash:ip\fR
type of set.
-.PP
+.PP
\fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] | [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBnetmask\fP \fIcidr\fP ] [ \fBtimeout\fR \fIvalue\fR ] [ \fBcounters\fP ] [ \fBcomment\fP ]
-.PP
+.PP
\fIADD\-ENTRY\fR := \fIipaddr\fR
-.PP
+.PP
\fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ] [ \fBpackets\fR \fIvalue\fR ] [ \fBbytes\fR \fIvalue\fR ] [ \fBcomment\fR \fIstring\fR ]
-.PP
+.PP
\fIDEL\-ENTRY\fR := \fIipaddr\fR
-.PP
+.PP
\fITEST\-ENTRY\fR := \fIipaddr\fR
-.PP
+.PP
Optional \fBcreate\fR options:
.TP
\fBfamily\fR { \fBinet\fR | \fBinet6\fR }
@@ -477,12 +477,12 @@ stored in the set instead of IP host addresses. The \fIcidr\fP prefix value must
between 1\-32 for IPv4 and between 1\-128 for IPv6. An IP address will be in the set
if the network address, which is resulted by masking the address with the netmask,
can be found in the set.
-.PP
+.PP
For the \fBinet\fR family one can add or delete multiple entries by specifying
a range or a network:
-.PP
+.PP
\fIipaddr\fR := { \fIip\fR | \fIfromaddr\fR\-\fItoaddr\fR | \fIip\fR/\fIcidr\fR }
-.PP
+.PP
Examples:
.IP
ipset create foo hash:ip netmask 30
@@ -493,20 +493,20 @@ ipset test foo 192.168.1.2
.SS hash:net
The \fBhash:net\fR set type uses a hash to store different sized IP network addresses.
Network address with zero prefix size cannot be stored in this type of sets.
-.PP
+.PP
\fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] | [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ] [ \fBcounters\fP ] [ \fBcomment\fP ]
-.PP
+.PP
\fIADD\-ENTRY\fR := \fInetaddr\fR
-.PP
+.PP
\fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ] [ \fBnomatch\fR ] [ \fBpackets\fR \fIvalue\fR ] [ \fBbytes\fR \fIvalue\fR ] [ \fBcomment\fR \fIstring\fR ]
-.PP
+.PP
\fIDEL\-ENTRY\fR := \fInetaddr\fR
-.PP
+.PP
\fITEST\-ENTRY\fR := \fInetaddr\fR
-.PP
+.PP
where
\fInetaddr\fR := \fIip\fR[/\fIcidr\fR]
-.PP
+.PP
Optional \fBcreate\fR options:
.TP
\fBfamily\fR { \fBinet\fR | \fBinet6\fR }
@@ -520,28 +520,28 @@ correct value.
.TP
\fBmaxelem\fR \fIvalue\fR
The maximal number of elements which can be stored in the set, default 65536.
-.PP
+.PP
For the \fBinet\fR family one can add or delete multiple entries by specifying
a range, which is converted internally to network(s) equal to the range:
-.PP
+.PP
\fInetaddr\fR := { \fIip\fR[/\fIcidr\fR] | \fIfromaddr\fR\-\fItoaddr\fR }
-.PP
+.PP
When adding/deleting/testing entries, if the cidr prefix parameter is not specified,
then the host prefix value is assumed. When adding/deleting entries, the exact
element is added/deleted and overlapping elements are not checked by the kernel.
When testing entries, if a host address is tested, then the kernel tries to match
the host address in the networks added to the set and reports the result accordingly.
-.PP
+.PP
From the \fBset\fR netfilter match point of view the searching for a match
always starts from the smallest size of netblock (most specific
prefix) to the largest one (least specific prefix) added to the set.
When adding/deleting IP addresses to the set by the \fBSET\fR netfilter target,
it will be added/deleted by the most specific prefix which can be found in the
set, or by the host prefix value if the set is empty.
-.PP
+.PP
The lookup time grows linearly with the number of the different prefix
values added to the set.
-.PP
+.PP
Example:
.IP
ipset create foo hash:net
@@ -553,7 +553,7 @@ ipset add foo 10.1.0.0/16
ipset add foo 192.168.0/24
.IP
ipset add foo 192.168.0/30 nomatch
-.PP
+.PP
When matching the elements in the set above, all IP addresses will match
from the networks 192.168.0.0/24, 10.1.0.0/16 and 192.168.0/24 except
the ones from 192.168.0/30.
@@ -635,17 +635,17 @@ and 192.168.0/24<->192.168.54.0/24 except the ones from
The \fBhash:ip,port\fR set type uses a hash to store IP address and port number pairs.
The port number is interpreted together with a protocol (default TCP) and zero
protocol number cannot be used.
-.PP
+.PP
\fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] | [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ] [ \fBcounters\fP ] [ \fBcomment\fP ]
-.PP
+.PP
\fIADD\-ENTRY\fR := \fIipaddr\fR,[\fIproto\fR:]\fIport\fR
-.PP
+.PP
\fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ] [ \fBpackets\fR \fIvalue\fR ] [ \fBbytes\fR \fIvalue\fR ] [ \fBcomment\fR \fIstring\fR ]
-.PP
+.PP
\fIDEL\-ENTRY\fR := \fIipaddr\fR,[\fIproto\fR:]\fIport\fR
-.PP
+.PP
\fITEST\-ENTRY\fR := \fIipaddr\fR,[\fIproto\fR:]\fIport\fR
-.PP
+.PP
Optional \fBcreate\fR options:
.TP
\fBfamily\fR { \fBinet\fR | \fBinet6\fR }
@@ -659,12 +659,12 @@ correct value
.TP
\fBmaxelem\fR \fIvalue\fR
The maximal number of elements which can be stored in the set, default 65536.
-.PP
+.PP
For the \fBinet\fR family one can add or delete multiple entries by specifying
a range or a network of IPv4 addresses in the IP address part of the entry:
-.PP
+.PP
\fIipaddr\fR := { \fIip\fR | \fIfromaddr\fR\-\fItoaddr\fR | \fIip\fR/\fIcidr\fR }
-.PP
+.PP
The
[\fIproto\fR:]\fIport\fR
part of the elements may be expressed in the following forms, where the range
@@ -690,11 +690,11 @@ be listed by the help command.
\fIproto\fR:0
All other protocols, as an identifier from /etc/protocols or number. The pseudo
port number must be zero.
-.PP
+.PP
The \fBhash:ip,port\fR type of sets require
two \fBsrc\fR/\fBdst\fR parameters of the \fBset\fR match and \fBSET\fR
target kernel modules.
-.PP
+.PP
Examples:
.IP
ipset create foo hash:ip,port
@@ -711,20 +711,20 @@ The \fBhash:net,port\fR set type uses a hash to store different sized IP network
address and port pairs. The port number is interpreted together with a protocol
(default TCP) and zero protocol number cannot be used. Network
address with zero prefix size is not accepted either.
-.PP
+.PP
\fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] | [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ] [ \fBcounters\fP ] [ \fBcomment\fP ]
-.PP
+.PP
\fIADD\-ENTRY\fR := \fInetaddr\fR,[\fIproto\fR:]\fIport\fR
-.PP
+.PP
\fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ] [ \fBnomatch\fR ] [ \fBpackets\fR \fIvalue\fR ] [ \fBbytes\fR \fIvalue\fR ] [ \fBcomment\fR \fIstring\fR ]
-.PP
+.PP
\fIDEL\-ENTRY\fR := \fInetaddr\fR,[\fIproto\fR:]\fIport\fR
-.PP
+.PP
\fITEST\-ENTRY\fR := \fInetaddr\fR,[\fIproto\fR:]\fIport\fR
-.PP
+.PP
where
\fInetaddr\fR := \fIip\fR[/\fIcidr\fR]
-.PP
+.PP
Optional \fBcreate\fR options:
.TP
\fBfamily\fR { \fBinet\fR | \fBinet6\fR }
@@ -738,19 +738,19 @@ correct value.
.TP
\fBmaxelem\fR \fIvalue\fR
The maximal number of elements which can be stored in the set, default 65536.
-.PP
+.PP
For the \fInetaddr\fR part of the elements
see the description at the \fBhash:net\fR set type. For the
[\fIproto\fR:]\fIport\fR
part of the elements see the description at the
\fBhash:ip,port\fR set type.
-.PP
+.PP
When adding/deleting/testing entries, if the cidr prefix parameter is not specified,
then the host prefix value is assumed. When adding/deleting entries, the exact
element is added/deleted and overlapping elements are not checked by the kernel.
When testing entries, if a host address is tested, then the kernel tries to match
the host address in the networks added to the set and reports the result accordingly.
-.PP
+.PP
From the \fBset\fR netfilter match point of view the searching for a match
always starts from the smallest size of netblock (most specific
prefix) to the largest one (least specific prefix) added to the set.
@@ -758,10 +758,10 @@ When adding/deleting IP
addresses to the set by the \fBSET\fR netfilter target, it will be
added/deleted by the most specific prefix which can be found in the
set, or by the host prefix value if the set is empty.
-.PP
+.PP
The lookup time grows linearly with the number of the different prefix
values added to the set.
-.PP
+.PP
Examples:
.IP
ipset create foo hash:net,port
@@ -775,22 +775,22 @@ ipset test foo 192.168.0/24,25
The \fBhash:ip,port,ip\fR set type uses a hash to store IP address, port number
and a second IP address triples. The port number is interpreted together with a
protocol (default TCP) and zero protocol number cannot be used.
-.PP
+.PP
\fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] | [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ] [ \fBcounters\fP ] [ \fBcomment\fP ]
-.PP
+.PP
\fIADD\-ENTRY\fR := \fIipaddr\fR,[\fIproto\fR:]\fIport\fR,\fIip\fR
-.PP
+.PP
\fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ] [ \fBpackets\fR \fIvalue\fR ] [ \fBbytes\fR \fIvalue\fR ] [ \fBcomment\fR \fIstring\fR ]
-.PP
+.PP
\fIDEL\-ENTRY\fR := \fIipaddr\fR,[\fIproto\fR:]\fIport\fR,\fIip\fR
-.PP
+.PP
\fITEST\-ENTRY\fR := \fIipaddr\fR,[\fIproto\fR:]\fIport\fR,\fIip\fR
-.PP
+.PP
For the first \fIipaddr\fR and
[\fIproto\fR:]\fIport\fR
parts of the elements see the descriptions at the
\fBhash:ip,port\fR set type.
-.PP
+.PP
Optional \fBcreate\fR options:
.TP
\fBfamily\fR { \fBinet\fR | \fBinet6\fR }
@@ -804,11 +804,11 @@ correct value.
.TP
\fBmaxelem\fR \fIvalue\fR
The maximal number of elements which can be stored in the set, default 65536.
-.PP
+.PP
The \fBhash:ip,port,ip\fR type of sets require
three \fBsrc\fR/\fBdst\fR parameters of the \fBset\fR match and \fBSET\fR
target kernel modules.
-.PP
+.PP
Examples:
.IP
ipset create foo hash:ip,port,ip
@@ -821,26 +821,26 @@ The \fBhash:ip,port,net\fR set type uses a hash to store IP address, port number
and IP network address triples. The port number is interpreted together with a
protocol (default TCP) and zero protocol number cannot be used. Network
address with zero prefix size cannot be stored either.
-.PP
+.PP
\fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] | [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ] [ \fBcounters\fP ] [ \fBcomment\fP ]
-.PP
+.PP
\fIADD\-ENTRY\fR := \fIipaddr\fR,[\fIproto\fR:]\fIport\fR,\fInetaddr\fR
-.PP
+.PP
\fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ] [ \fBnomatch\fR ] [ \fBpackets\fR \fIvalue\fR ] [ \fBbytes\fR \fIvalue\fR ] [ \fBcomment\fR \fIstring\fR ]
-.PP
+.PP
\fIDEL\-ENTRY\fR := \fIipaddr\fR,[\fIproto\fR:]\fIport\fR,\fInetaddr\fR
-.PP
+.PP
\fITEST\-ENTRY\fR := \fIipaddr\fR,[\fIproto\fR:]\fIport\fR,\fInetaddr\fR
-.PP
+.PP
where
\fInetaddr\fR := \fIip\fR[/\fIcidr\fR]
-.PP
+.PP
For the \fIipaddr\fR and
[\fIproto\fR:]\fIport\fR
parts of the elements see the descriptions at the
\fBhash:ip,port\fR set type. For the \fInetaddr\fR part of the elements
see the description at the \fBhash:net\fR set type.
-.PP
+.PP
Optional \fBcreate\fR options:
.TP
\fBfamily\fR { \fBinet\fR | \fBinet6\fR }
@@ -854,7 +854,7 @@ correct value.
.TP
\fBmaxelem\fR \fIvalue\fR
The maximal number of elements which can be stored in the set, default 65536.
-.PP
+.PP
From the \fBset\fR netfilter match point of view the searching for a match
always starts from the smallest size of netblock (most specific
cidr) to the largest one (least specific cidr) added to the set.
@@ -862,13 +862,13 @@ When adding/deleting triples
to the set by the \fBSET\fR netfilter target, it will be
added/deleted by the most specific cidr which can be found in the
set, or by the host cidr value if the set is empty.
-.PP
+.PP
The lookup time grows linearly with the number of the different \fIcidr\fR
values added to the set.
-.PP
+.PP
The \fBhash:ip,port,net\fR type of sets require three \fBsrc\fR/\fBdst\fR parameters of
the \fBset\fR match and \fBSET\fR target kernel modules.
-.PP
+.PP
Examples:
.IP
ipset create foo hash:ip,port,net
@@ -878,23 +878,85 @@ ipset add foo 192.168.1,80,10.0.0/24
ipset add foo 192.168.2,25,10.1.0.0/16
.IP
ipset test foo 192.168.1,80.10.0.0/24
+.SS hash:net,port,net
+The \fBhash:net,port,net\fR set type behaves similarly to hash:ip,port,net but accepts a
+cidr value for both the first and last parameter. Either subnet is permitted to be a /0
+should you wish to match port between all destinations.
+.PP
+\fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] | [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ] [ \fBcounters\fP ] [ \fBcomment\fP ]
+.PP
+\fIADD\-ENTRY\fR := \fIipaddr\fR,[\fIproto\fR:]\fIport\fR,\fInetaddr\fR
+.PP
+\fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ] [ \fBnomatch\fR ] [ \fBpackets\fR \fIvalue\fR ] [ \fBbytes\fR \fIvalue\fR ] [ \fBcomment\fR \fIstring\fR ]
+.PP
+\fIDEL\-ENTRY\fR := \fInetaddr\fR,[\fIproto\fR:]\fIport\fR,\fInetaddr\fR
+.PP
+\fITEST\-ENTRY\fR := \fInetaddr\fR,[\fIproto\fR:]\fIport\fR,\fInetaddr\fR
+.PP
+where
+\fInetaddr\fR := \fIip\fR[/\fIcidr\fR]
+.PP
+For the [\fIproto\fR:]\fIport\fR
+part of the elements see the description at the
+\fBhash:ip,port\fR set type. For the \fInetaddr\fR part of the elements
+see the description at the \fBhash:net\fR set type.
+.PP
+Optional \fBcreate\fR options:
+.TP
+\fBfamily\fR { \fBinet\fR | \fBinet6\fR }
+The protocol family of the IP addresses to be stored in the set. The default is
+\fBinet\fR, i.e IPv4.
+.TP
+\fBhashsize\fR \fIvalue\fR
+The initial hash size for the set, default is 1024. The hash size must be a power
+of two, the kernel automatically rounds up non power of two hash sizes to the first
+correct value.
+.TP
+\fBmaxelem\fR \fIvalue\fR
+The maximal number of elements which can be stored in the set, default 65536.
+.PP
+From the \fBset\fR netfilter match point of view the searching for a match
+always starts from the smallest size of netblock (most specific
+cidr) to the largest one (least specific cidr) added to the set.
+When adding/deleting triples
+to the set by the \fBSET\fR netfilter target, it will be
+added/deleted by the most specific cidr which can be found in the
+set, or by the host cidr value if the set is empty. The first subnet has
+precedence when performing the most-specific lookup, just as for hash:net,net
+.PP
+The lookup time grows linearly with the number of the different \fIcidr\fR
+values added to the set and by the number of secondary \fIcidr\fR values per
+primary.
+.PP
+The \fBhash:net,port,net\fR type of sets require three \fBsrc\fR/\fBdst\fR parameters of
+the \fBset\fR match and \fBSET\fR target kernel modules.
+.PP
+Examples:
+.IP
+ipset create foo hash:net,port,net
+.IP
+ipset add foo 192.168.1.0/24,0,10.0.0/24
+.IP
+ipset add foo 192.168.2.0/24,25,10.1.0.0/16
+.IP
+ipset test foo 192.168.1.1,80,10.0.0.1
.SS hash:net,iface
The \fBhash:net,iface\fR set type uses a hash to store different sized IP network
address and interface name pairs.
-.PP
+.PP
\fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] | [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ] [ \fBcounters\fP ] [ \fBcomment\fP ]
-.PP
+.PP
\fIADD\-ENTRY\fR := \fInetaddr\fR,[\fBphysdev\fR:]\fIiface\fR
-.PP
+.PP
\fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ] [ \fBnomatch\fR ] [ \fBpackets\fR \fIvalue\fR ] [ \fBbytes\fR \fIvalue\fR ] [ \fBcomment\fR \fIstring\fR ]
-.PP
+.PP
\fIDEL\-ENTRY\fR := \fInetaddr\fR,[\fBphysdev\fR:]\fIiface\fR
-.PP
+.PP
\fITEST\-ENTRY\fR := \fInetaddr\fR,[\fBphysdev\fR:]\fIiface\fR
-.PP
+.PP
where
\fInetaddr\fR := \fIip\fR[/\fIcidr\fR]
-.PP
+.PP
Optional \fBcreate\fR options:
.TP
\fBfamily\fR { \fBinet\fR | \fBinet6\fR }
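Review bot: the ADD-ENTRY line in the new hash:net,port,net section gives the first field as `\fIipaddr\fR` while DEL-ENTRY and TEST-ENTRY give it as `\fInetaddr\fR`; since the introduction says a cidr is accepted for both the first and last parameter, ADD-ENTRY should read `\fInetaddr\fR,[\fIproto\fR:]\fIport\fR,\fInetaddr\fR` as well. The example block also does not demonstrate a successful match: the only entry covering 192.168.1.1 and 10.0.0.1 is added with port 0, but the test uses port 80, and the port part is stored and matched as an exact value, so either add `192.168.1.0/24,80,10.0.0/24` or test with port 0. Minor points: the sentence ending "just as for hash:net,net" lacks a full stop; "hash:ip,port,net" in the first paragraph and "hash:net,net" should be set in bold with `\fB...\fR` like every other set type reference in this page; and "should you wish to match port between all destinations" would read more clearly as "if you want to match a port regardless of the source or destination network".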
@@ -908,16 +970,16 @@ correct value.
.TP
\fBmaxelem\fR \fIvalue\fR
The maximal number of elements which can be stored in the set, default 65536.
-.PP
+.PP
For the \fInetaddr\fR part of the elements
see the description at the \fBhash:net\fR set type.
-.PP
+.PP
When adding/deleting/testing entries, if the cidr prefix parameter is not specified,
then the host prefix value is assumed. When adding/deleting entries, the exact
element is added/deleted and overlapping elements are not checked by the kernel.
When testing entries, if a host address is tested, then the kernel tries to match
the host address in the networks added to the set and reports the result accordingly.
-.PP
+.PP
From the \fBset\fR netfilter match point of view the searching for a match
always starts from the smallest size of netblock (most specific
prefix) to the largest one (least specific prefix) added to the set.
@@ -925,21 +987,21 @@ When adding/deleting IP
addresses to the set by the \fBSET\fR netfilter target, it will be
added/deleted by the most specific prefix which can be found in the
set, or by the host prefix value if the set is empty.
-.PP
+.PP
The second direction parameter of the \fBset\fR match and
\fBSET\fR target modules corresponds to the incoming/outgoing interface:
\fBsrc\fR to the incoming one (similar to the \fB\-i\fR flag of iptables), while
\fBdst\fR to the outgoing one (similar to the \fB\-o\fR flag of iptables). When
the interface is flagged with \fBphysdev:\fR, the interface is interpreted
as the incoming/outgoing bridge port.
-.PP
+.PP
The lookup time grows linearly with the number of the different prefix
values added to the set.
-.PP
+.PP
The internal restriction of the \fBhash:net,iface\fR set type is that
the same network prefix cannot be stored with more than 64 different interfaces
in a single set.
-.PP
+.PP
Examples:
.IP
ipset create foo hash:net,iface
@@ -952,25 +1014,25 @@ ipset test foo 192.168.0/24,eth0
.SS list:set
The \fBlist:set\fR type uses a simple list in which you can store
set names.
-.PP
+.PP
\fICREATE\-OPTIONS\fR := [ \fBsize\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ] [ \fBcounters\fP ] [ \fBcomment\fP ]
-.PP
+.PP
\fIADD\-ENTRY\fR := \fIsetname\fR [ { \fBbefore\fR | \fBafter\fR } \fIsetname\fR ]
-.PP
+.PP
\fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ] [ \fBpackets\fR \fIvalue\fR ] [ \fBbytes\fR \fIvalue\fR ] [ \fBcomment\fR \fIstring\fR ]
-.PP
+.PP
\fIDEL\-ENTRY\fR := \fIsetname\fR [ { \fBbefore\fR | \fBafter\fR } \fIsetname\fR ]
-.PP
+.PP
\fITEST\-ENTRY\fR := \fIsetname\fR [ { \fBbefore\fR | \fBafter\fR } \fIsetname\fR ]
-.PP
+.PP
Optional \fBcreate\fR options:
.TP
\fBsize\fR \fIvalue\fR
The size of the list, the default is 8.
-.PP
+.PP
By the \fBipset\fR command you can add, delete and test set names in a
\fBlist:set\fR type of set.
-.PP
+.PP
By the \fBset\fR match or \fBSET\fR target of netfilter
you can test, add or delete entries in the sets added to the \fBlist:set\fR
type of set. The match will try to find a matching entry in the sets and
@@ -981,14 +1043,14 @@ or less parameters are checked, elements added/deleted. For example if \fIa\fR a
\fIb\fR are \fBlist:set\fR type of sets then in the command
.IP
iptables \-m set \-\-match\-set a src,dst \-j SET \-\-add\-set b src,dst
-.PP
+.PP
the match and target will skip any set in \fIa\fR and \fIb\fR
which stores data triples, but will match all sets with single or double
data storage in \fIa\fR set and stop matching at the first successful set,
and add src to the first single or src,dst to the first double data storage set
in \fIb\fR to which the entry can be added. You can imagine a \fBlist:set\fR
type of set as an ordered union of the set elements.
-.PP
+.PP
Please note: by the \fBipset\fR command you can add, delete and \fBtest\fR
the setnames in a \fBlist:set\fR type of set, and \fBnot\fR the presence of
a set's member (such as an IP address).
@@ -1001,9 +1063,9 @@ If you want to store same size subnets from a given network
If you want to store random same size networks (say random /24 blocks),
use the \fBhash:ip\fR set type. If you have got random size of netblocks,
use \fBhash:net\fR.
-.PP
+.PP
Backward compatibility is maintained and old \fBipset\fR syntax is still supported.
-.PP
+.PP
The \fBiptree\fR and \fBiptreemap\fR set types are removed: if you refer to them,
they are automatically replaced by \fBhash:ip\fR type of sets.
.SH "DIAGNOSTICS"