1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
|
.TH IPSET 8 "Feb 05, 2004" "" ""
.\"
.\" Man page written by Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
.\"
.\" This program is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License as published by
.\" the Free Software Foundation; either version 2 of the License, or
.\" (at your option) any later version.
.\"
.\" This program is distributed in the hope that it will be useful,
.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
.\" GNU General Public License for more details.
.\"
.\" You should have received a copy of the GNU General Public License
.\" along with this program; if not, write to the Free Software
.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
.\"
.\"
.SH NAME
ipset \- IP set administration
.SH SYNOPSIS
.BR "ipset -N " "set type-specification [options]"
.br
.BR "ipset -[XFLSHh] " "[set] [options]"
.br
.BR "ipset -[EW] " "from-set to-set"
.br
.BR "ipset -[ADT] " "set entry"
.br
.BR "ipset -R "
.SH DESCRIPTION
.B Ipset
is used to set up, maintain, and inspect so called IP sets in the Linux
kernel. Each set can contain a fixed number of entries and at every entry
there might be child sets, up to a given level. Child sets at the same
level must have the same type.
.P
In spite it is called IP sets, depending on the type the sets may
store not only IP addresses but (TCP/UDP) port numbers as well, or
additional informations besides IP addresses: the word IP means a general
term here. See the set type definitions below.
.P
Child sets are identified
by `IP', without the possible additional informations stored in the set.
There is no other relationship between the set entry and the child set
at that entry: the set entry can be added, deleted without disturbing
the child set and vice versa. Therefore below we denote pure IPs
identifying a child set by `IP', while entries in a set by `entry'.
.SH OPTIONS
The options that are recognized by
.B ipset
can be divided into several different groups.
.SS COMMANDS
These options specify the specific action to perform. Only one of them
can be specified on the command line unless otherwise specified
below. For all the long versions of the command and option names, you
need to use only enough letters to ensure that
.B ipset
can differentiate it from all other options.
.TP
.BI "-N, --create " "\fIsetname\fP type0[,type1...] type0-options"
Create a set identified with setname, with listed types.
Type0-specific options must be supplied. When more than one set
type is given on the command line, room for the first level child
sets are automatically reserved.
.TP
.BI "-N, --create " "\fIsetname:IP[,...]\fP type type-options"
Create a child set at setname:IP[,...] identified with type,
which must correspond to the set type used when the set was created.
The parent set and parent child sets must exist. When the
.B "-c, --childsets"
option is used, space for child sets will be reserved.
.TP
.BI "-X, --destroy " "[\fIsetname[:IP,...]\fP]"
Destroy the specified set or child set, or all sets if none is
given.
.TP
.BI "-F, --flush " "[\fIsetname[:IP,...]\fP]"
Delete all entries from the specified set or child set, or from
all sets if none is given. When the
.B "-c, --childsets"
option is specified, child sets are recursively flushed too.
.TP
.BI "-E, --rename " "\fIfrom-setname\fP \fIto-setname\fP"
Rename a set. Set identified by to-setname must not exist.
.TP
.BI "-W, --swap " "\fIfrom-setname\fP \fIto-setname\fP"
Swap the content of two sets. Both sets must exist.
.TP
.BI "-L, --list " "[\fIsetname[:IP,...]\fP]"
List the entries from the specified set or child set, or from
all sets if none is given. When the
.B "-c, --childsets"
option is specified, child sets are recursively listed too.
The
.B "-n, --numeric"
option can be used to suppress name lookups and generate numeric
output. When the
.B "-s, --sorted"
option is given, the entries are listed sorted.
.TP
.BI "-S, --save " "[\fIsetname[:IP,...]\fP]"
Save the set or child set, or all sets if none specified to stdout
in a format, that --restore can read.
.TP
.BI "-R, --restore "
Restore from stdin a saved session generated by --save.
.TP
.BI "-A, --add " "\fIsetname[:IP,...]\fP \fIentry[:entry,...]\fP"
Add an entry to a (child) set or multiple entries to the child sets
defined by the entries. In another words, the command
.nf
ipset -A set entry1,entry2
.fi
is equivalent to
.nf
ipset -A set entry1
ipset -A set:entry1-IP entry2
.fi
.TP
.BI "-D, --del " "\fIsetname[:IP,...]\fP \fIentry[:entry,...]\fP"
Delete an entry from a (child) set or multiple entries from the child sets
defined by the entries.
.P
When multiple entries are added or deleted and the command fails at
a deeper level, the successfully added/deleted entries are not restored
to their previous value.
.TP
.BI "-T, --test " "\fIsetname[:IP,...]\fP \fIentry[:entry,...]\fP"
Test if an entry or multiple entries exist in a (child) set. Exit status
number is nonzero if any tested entry is missing from the set and
zero if they are all exists.
.TP
.BI "-H, --help " "[settype] [options]"
Print help and settype specific help. Some set types has additional
help options, see below.
.SS "OTHER OPTIONS"
The following additional options can be specified:
.TP
.B "-s, --sorted"
Sorted output. When listing sets, entries are listed sorted.
.TP
.B "-n, --numeric"
Numeric output. When listing sets, IP addresses and port numbers
will be printed in numeric format. By default the program will
try to display them as host names, network names, or services
(whenever applicable).
.TP
.B "-q, --quiet"
Suppress any output to stdout and stderr. Ipset will still return
possible errors.
.TP
.B "-c, --childsets"
Space will be reserved for child sets when creating a set, or list/flush
operation valid for child sets too.
.TP
.B "-i, --hint"
Hint best settype initialization parameters (for hash type sets).
.SH SET TYPES
ipset supports the following set types:
.SS ipmap
The ipmap set type uses a memory range, where each bit represents
one IP address. An ipmap set can store up to 65535 (B-class network)
IP addresses. The ipmap set type is very fast and memory cheap, great
for use when one want to match certain IPs in a range. Using the
.B "--netmask"
option with a CIDR netmask value between 0-32 when creating an ipmap
set, you will be able to store and match network addresses: i.e an
IP address will be in the set if the value resulted by masking the address
with the specified netmask can be found in the set.
.P
Options to use when creating an ipmap set:
.TP
.BR "--from " from-IP
.TP
.BR "--to " to-IP
Create an ipmap set from the specified range.
.TP
.BR "--network " IP/mask
Create an ipmap set from the specified network.
.TP
.BR "--netmask " CIDR-netmask
When the optional
.B "--netmask"
parameter specified, network addresses will be
stored in the set instead of IP addresses, and the from-IP parameter
must be a network address.
.SS macipmap
The macipmap set type uses a memory range, where each 8 bytes
represents one IP and a MAC addresses. A macipmap set type can store
up to 65535 (B-class network) IP addresses with MAC.
When adding an entry to a macipmap set, you must specify the entry as
.I IP%MAC
When deleting or testing macipmap entries, the
.I %MAC
part is not mandatory.
.P
Options to use when creating an macipmap set:
.TP
.BR "--from " from-IP
.TP
.BR "--to " to-IP
Create a macipmap set from the specified range.
.TP
.BR "--network " IP/mask
Create a macipmap set from the specified network.
.TP
.BR "--matchunset"
When the optional
.B "--matchunset"
parameter specified, IP addresses which could be stored
in the set but not set yet, will always match.
.SS portmap
The portmap set type uses a memory range, where each bit represents
one port. A portmap set type can store up to 65535 ports.
The portmap set type is very fast and memory cheap.
.P
Options to use when creating an portmap set:
.TP
.BR "--from " from-port
.TP
.BR "--to " to-port
Create a portmap set from the specified range.
.SS iphash
The iphash set type uses a fixed size hash to store the IP addresses
and can store up to 65535 (size of a B-class network) addresses. The
iphash set type is fast and great for use to store
random addresses. By supplyig the
.B "--netmask"
option with a CIDR netmask value between 0-32 at creating the set,
you will be able to store and match network addresses instead: i.e
an IP address will be in the set if the value of the address
masked with the specified netmask can be found in the set.
When adding and IP address to the hash, the IP address can be preceded
by `+', by which you can force to overwrite already existing entries
in the hash.
.P
In help mode you can use the
.B "--hint"
option to find the the smallest hashsize with the corresponding initval
for your hash entries.
.P
Options to use when creating an iphash set:
.TP
.BR "--hashsize " hashsize
.TP
.BR "--initval " hash-initval
Create an iphash set with the specified hashsize and initial
(random) hash parameter. (The
.B "--initval"
parameter is optional.)
.TP
.BR "--netmask " CIDR-netmask
When the optional
.B "--netmask"
parameter specified, network addresses will be
stored in the set instead of IP addresses.
.TP
The possible help mode options are:
.TP
.BI "-i, --hint"
Enable hinting mode to find the best (smallest) hash size. The entries
are fed via standard input.
.TP
.BI "--try " number
How many times should the program try the same hash size with
different random initvals (default 8).
.TP
.BI "--factor " number
The starting hash size is so many times the number of the entries
(default 4).
.SH DIAGNOSTICS
Various error messages are printed to standard error. The exit code
is 0 for correct functioning. Errors which appear to be caused by
invalid or abused command line parameters cause an exit code of 2, and
other errors cause an exit code of 1.
.SH BUGS
Bugs? No, just funny features. :-)
OK, just kidding...
.SH SEE ALSO
.BR iptables (8),
.SH AUTHORS
Jozsef Kadlecsik wrote ipset, which is based on ippool by
Joakim Axelsson, Patrick Schaaf and Martin Josefsson.
.\" .. and did I mention that we are incredibly cool people?
.\" .. sexy, too ..
.\" .. witty, charming, powerful ..
.\" .. and most of all, modest ..
|