author | Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> | 2010-12-17 21:33:07 +0100 |
---|---|---|
committer | Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> | 2010-12-17 21:33:07 +0100 |
commit | 8c55ba2eb0b4ad5b4dc0ad7a685c4d17d8d3f7bf (patch) | |
tree | c14beabcf327cf3d7339dfc13a7e6570d25a5740 /src | |
parent | 593d2082912a9fdef12f2e69e40b5505d358690a (diff) |
Updated manpage to reflect wider input possibilities in the ipset tool.
Diffstat (limited to 'src')
-rw-r--r-- | src/ipset.8 | 86 |
1 files changed, 45 insertions, 41 deletions
diff --git a/src/ipset.8 b/src/ipset.8
index bbb09de..b9ca8a5 100644
--- a/src/ipset.8
+++ b/src/ipset.8
@@ -238,13 +238,13 @@ to 65536 entries.
 .PP
 \fICREATE\-OPTIONS\fR := \fBrange\fP \fIfromip\fP\-\fItoip\fR|\fIip\fR/\fIcidr\fR [ \fBnetmask\fP \fIcidr\fP ] [ \fBtimeout\fR \fIvalue\fR ]
 .PP
-\fIADD\-ENTRY\fR := { \fIipaddr\fR | \fIfromip\fR\-\fItoip\fR | \fIipaddr\fR/\fIcidr\fR }
+\fIADD\-ENTRY\fR := { \fIip\fR | \fIfromip\fR\-\fItoip\fR | \fIip\fR/\fIcidr\fR }
 .PP
 \fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ]
 .PP
-\fIDEL\-ENTRY\fR := { \fIipaddr\fR | \fIfromip\fR\-\fItoip\fR | \fIipaddr\fR/\fIcidr\fR }
+\fIDEL\-ENTRY\fR := { \fIip\fR | \fIfromip\fR\-\fItoip\fR | \fIip\fR/\fIcidr\fR }
 .PP
-\fITEST\-ENTRY\fR := \fIipaddr\fR
+\fITEST\-ENTRY\fR := \fIip\fR
 .PP
 Mandatory \fBcreate\fR options:
 .TP
@@ -278,13 +278,13 @@ The \fBbitmap:ip,mac\fR set type uses a memory range to store IPv4 and a MAC add
 .PP
 \fICREATE\-OPTIONS\fR := \fBrange\fP \fIfromip\fP\-\fItoip\fR|\fIip\fR/\fIcidr\fR [ \fBtimeout\fR \fIvalue\fR ]
 .PP
-\fIADD\-ENTRY\fR := \fIipaddr\fR[,\fImacaddr\fR]
+\fIADD\-ENTRY\fR := \fIip\fR[,\fImacaddr\fR]
 .PP
 \fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ]
 .PP
-\fIDEL\-ENTRY\fR := \fIipaddr\fR[,\fImacaddr\fR]
+\fIDEL\-ENTRY\fR := \fIip\fR[,\fImacaddr\fR]
 .PP
-\fITEST\-ENTRY\fR := \fIipaddr\fR[,\fImacaddr\fR]
+\fITEST\-ENTRY\fR := \fIip\fR[,\fImacaddr\fR]
 .PP
 Mandatory options to use when creating a \fBbitmap:ip,mac\fR type of set:
 .TP
@@ -352,13 +352,6 @@ type of set.
 .PP
 \fITEST\-ENTRY\fR := \fIipaddr\fR
 .PP
-For the \fBinet\fR family one can add or delete multiple entries by specifying
-a range or a network:
-.PP
-\fIADD\-ENTRY\fR := { \fIipaddr\fR | \fIfromaddr\fR\-\fItoaddr\fR | \fIipaddr\fR/\fIcidr\fR }
-.PP
-\fIDEL\-ENTRY\fR := { \fIipaddr\fR | \fIfromaddr\fR\-\fItoaddr\fR | \fIipaddr\fR/\fIcidr\fR }
-.PP
 Optional \fBcreate\fR options:
 .TP
 \fBfamily\fR { \fBinet\fR | \fBinet6\fR }
@@ -380,11 +373,16 @@ between 1\-32 for IPv4 and between 1\-128 for IPv6. An IP address will be in the if the network address, which is resulted by masking the address with the netmask calculated from the prefix, can be found in the set. .PP +For the \fBinet\fR family one can add or delete multiple entries by specifying +a range or a network: +.PP +\fIipaddr\fR := { \fIip\fR | \fIfromaddr\fR\-\fItoaddr\fR | \fIip\fR/\fIcidr\fR } +.PP Examples: .IP ipset create foo hash:ip netmask 24 .IP -ipset add foo 192.168.1.1 +ipset add foo 192.168.1.1\-192.168.1.2 .IP ipset test foo 192.168.1.2 .SS hash:net @@ -393,13 +391,13 @@ Network address with zero prefix size cannot be stored in this type of sets. .PP \fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] | [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ] .PP -\fIADD\-ENTRY\fR := \fIipaddr\fR[/\fIcidr\fR] +\fIADD\-ENTRY\fR := \fIip\fR[/\fIcidr\fR] .PP \fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ] .PP -\fIDEL\-ENTRY\fR := \fIipaddr\fR[/\fIcidr\fR] +\fIDEL\-ENTRY\fR := \fIip\fR[/\fIcidr\fR] .PP -\fITEST\-ENTRY\fR := \fIipaddr\fR[/\fIcidr\fR] +\fITEST\-ENTRY\fR := \fIip\fR[/\fIcidr\fR] .PP Optional \fBcreate\fR options: .TP 
@@ -467,18 +465,24 @@ correct value
 \fBmaxelem\fR \fIvalue\fR
 The maximal number of elements which can be stored in the set, default 65536.
 .PP
+For the \fBinet\fR family one can add or delete multiple entries by specifying
+a range or a network of IPv4 addresses in the IP address part of the entry:
+.PP
+\fIipaddr\fR := { \fIip\fR | \fIfromaddr\fR\-\fItoaddr\fR | \fIip\fR/\fIcidr\fR }
+.PP
 The
 [\fIproto\fR:]\fIport\fR
-part of the elements may be expressed in the following forms:
+part of the elements may be expressed in the following forms, where the range
+variations are valid when adding or deleting entries:
 .TP
-\fIportname\fR
-TCP port name identifier from /etc/services
+\fIportname[\-portname]\fR
+TCP port or range of ports expressed in TCP portname identifiers from /etc/services
 .TP
-\fIportnumber\fR
-TCP port number
+\fIportnumber[\-portnumber]\fR
+TCP port or range of ports expressed in TCP port numbers
 .TP
-\fBtcp\fR|\fBudp\fR:\fIportname\fR|\fIportnumber\fR
-TCP or UDP port name or port number
+\fBtcp\fR|\fBudp\fR:\fIportname\fR|\fIportnumber\fR[\-\fIportname\fR|\fIportnumber\fR]
+TCP or UDP port or port range expressed in port name(s) or port number(s)
 .TP
 \fBicmp\fR:\fIcodename\fR|\fItype\fR/\fIcode\fR
 ICMP codename or type/code. The supported ICMP codename identifiers can always
@@ -500,7 +504,7 @@ Examples:
 .IP
 ipset create foo hash:ip,port
 .IP
-ipset add foo 192.168.1.1,80
+ipset add foo 192.168.1.0/24,80\-82
 .IP
 ipset add foo 192.168.1.1,udp:53
 .IP
@@ -573,13 +577,18 @@ protocol (default TCP) and zero protocol number cannot be used. .PP \fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] | [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ] .PP -\fIADD\-ENTRY\fR := \fIipaddr\fR,[\fIproto\fR:]\fIport\fR,\fIipaddr\fR +\fIADD\-ENTRY\fR := \fIipaddr\fR,[\fIproto\fR:]\fIport\fR,\fIip\fR .PP \fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ] .PP -\fIDEL\-ENTRY\fR := \fIipaddr\fR,[\fIproto\fR:]\fIport\fR,\fIipaddr\fR +\fIDEL\-ENTRY\fR := \fIipaddr\fR,[\fIproto\fR:]\fIport\fR,\fIip\fR .PP -\fITEST\-ENTRY\fR := \fIipaddr\fR,[\fIproto\fR:]\fIport\fR,\fIipaddr\fR +\fITEST\-ENTRY\fR := \fIipaddr\fR,[\fIproto\fR:]\fIport\fR,\fIip\fR +.PP +For the first \fIipaddr\fR and +[\fIproto\fR:]\fIport\fR +parts of the elements see the descriptions at the +\fBhash:ip,port\fR set type. .PP Optional \fBcreate\fR options: .TP @@ -595,11 +604,6 @@ correct value. \fBmaxelem\fR \fIvalue\fR The maximal number of elements which can be stored in the set, default 65536. .PP -For the -[\fIproto\fR:]\fIport\fR -part of the elements see the description at the -\fBhash:ip,port\fR set type. -.PP The \fBhash:ip,port,ip\fR type of sets require three \fBsrc\fR/\fBdst\fR parameters of the \fBset\fR match and \fBSET\fR target kernel modules. 
@@ -619,13 +623,18 @@ address with zero prefix size cannot be stored either. .PP \fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] | [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ] .PP -\fIADD\-ENTRY\fR := \fIipaddr\fR,[\fIproto\fR:]\fIport\fR,\fIipaddr\fR[/\fIcidr\fR] +\fIADD\-ENTRY\fR := \fIipaddr\fR,[\fIproto\fR:]\fIport\fR,\fIip\fR[/\fIcidr\fR] .PP \fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ] .PP -\fIDEL\-ENTRY\fR := \fIipaddr\fR,[\fIproto\fR:]\fIport\fR,\fIipaddr\fR[/\fIcidr\fR] +\fIDEL\-ENTRY\fR := \fIipaddr\fR,[\fIproto\fR:]\fIport\fR,\fIip\fR[/\fIcidr\fR] +.PP +\fITEST\-ENTRY\fR := \fIipaddr\fR,[\fIproto\fR:]\fIport\fR,\fIip\fR[/\fIcidr\fR] .PP -\fITEST\-ENTRY\fR := \fIipaddr\fR,[\fIproto\fR:]\fIport\fR,\fIipaddr\fR[/\fIcidr\fR] +For the first \fIipaddr\fR and +[\fIproto\fR:]\fIport\fR +parts of the elements see the descriptions at the +\fBhash:ip,port\fR set type. .PP Optional \fBcreate\fR options: .TP @@ -641,11 +650,6 @@ correct value. \fBmaxelem\fR \fIvalue\fR The maximal number of elements which can be stored in the set, default 65536. .PP -For the -[\fIproto\fR:]\fIport\fR -part of the elements see the description at the -\fBhash:ip,port\fR set type. -.PP From the \fBset\fR netfilter match point of view the searching for a match always starts from the smallest size of netblock (most specific cidr) to the largest one (least specific cidr) added to the set. |