author: /C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=kadlec/ 2004-12-01 09:11:33 +0000
committer: /C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=kadlec/ 2004-12-01 09:11:33 +0000
commit: dda749a352a17d88b1ce8480e31ebab62cc81d1c
tree: 5417a23ae366ae2c2c0a2d77f625d0ab2772b66f /extensions/
parent: 09fd1f204794bd9411557011098f15cb9c7cdc54
ipset 2 related updates (JK)
Diffstat (limited to 'extensions/')
1 files changed, 17 insertions, 0 deletions
diff --git a/extensions/ b/extensions/
new file mode 100644
index 0000000..d280577
--- /dev/null
+++ b/extensions/
@@ -0,0 +1,17 @@
+This modules macthes IP sets which can be defined by ipset(8).
+.BR "--set " "setname flag[,flag...]"
+where flags are
+.BR "src"
+.BR "dst"
+and there can be no more than six of them. Hence the command
+ iptables -A FORWARD -m set --set test src,dst
+will match packets, for which (depending on the type of the set) the source
+address or port number of the packet can be found in the specified set. If
+there is a binding belonging to the mached set element or there is a default
+binding for the given set, then the rule will match the packet only if
+additionally (depending on the type of the set) the destination address or
+port number of the packet can be found in the set according to the binding.
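Review bot: The first added line has two errors in user-facing man page text: "This modules macthes" should read "This module matches", and further down "mached set element" should be "matched set element". The flag list is also hard to read once rendered, because the consecutive `.BR "src"` and `.BR "dst"` requests come out as "src dst" with no separator; writing "src" and/or "dst" with an explicit conjunction would make it clear these are the two allowed values. The limit of six flags is stated before the text says what a second or later flag means. The only hint is the binding paragraph at the end, so a sentence saying that each further flag applies to the set reached through the binding of the previously matched element would let a rule author work out what `--set test src,dst` actually tests. Since this text decides which packets a filter rule matches, it is worth stating explicitly that without a binding only the first flag is evaluated, if that is the intended behaviour.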