diff options
| -rw-r--r-- | ChangeLog | 5 | ||||
| -rw-r--r-- | Makefile | 4 | ||||
| -rw-r--r-- | ipset.8 | 65 |
3 files changed, 71 insertions, 3 deletions
@@ -6,6 +6,7 @@ - More careful resizing by avoiding locking completely - stdin stored internally in a temporary file, so we can feed 'ipset -R' from a pipe + - iptree maptype added 2.1 - Lock debugging used with debugless lock definiton (Piotr Chytla and @@ -13,12 +14,14 @@ - Bindings were not properly filled out at listing (kernel) - When listing sets from kernel, id was not added to the set structure (ipset) - - nethash hash type added + - nethash maptype added - ipset manpage corrections (macipmap) 2.0.1 - Missing -fPIC in Makefile (Robert Iakobashvili) - Cut'n'paste bug at saving macipmap types (Vincent Bernat). + - Bug in printing/saving SET targets reported and fixed by Michal + Pokrywka 2.0 - Chaining of sets are changed: child sets replaced by bindings @@ -8,7 +8,7 @@ ifndef KERNEL_DIR KERNEL_DIR=/usr/src/linux endif -IPSET_VERSION:=2.1.1 +IPSET_VERSION:=2.2.0 PREFIX:=/usr/local LIBDIR:=$(PREFIX)/lib @@ -23,7 +23,7 @@ RELEASE_DIR:=/tmp COPT_FLAGS:=-O2 CFLAGS:=$(COPT_FLAGS) -Wall -Wunused -I$(KERNEL_DIR)/include -I. #-g -DIPSET_DEBUG #-pg # -DIPTC_DEBUG SH_CFLAGS:=$(CFLAGS) -fPIC -SETTYPES:=ipmap portmap macipmap iphash nethash +SETTYPES:=ipmap portmap macipmap iphash nethash iptree PROGRAMS=ipset SHARED_LIBS=$(foreach T, $(SETTYPES),libipset_$(T).so) @@ -245,6 +245,18 @@ When the optional .B "--matchunset" parameter specified, IP addresses which could be stored in the set but not set yet, will always match. +.P +Please note, the +.I +set +and +.I +SET +netfilter kernel modules +.B +always +use the source MAC address from the packet to match, add or delete +entries from a macipmap type of set. .SS portmap The portmap set type uses a memory range, where each bit represents one port. A portmap set type can store up to 65535 ports. @@ -288,9 +300,62 @@ When the optional .B "--netmask" parameter specified, network addresses will be stored in the set instead of IP addresses. +.P +.SS nethash +The nethash set type uses a hash to store different size of +network addresses. The +.I +IP +"address" used in the ipset command must be in the form +.I +IP-address/cidr-size +where the CIDR block size must be in the inclusive range of 1-31. +In order to avoid clashes in the hash, +double-hashing and, as a last resort, dynamic growing of the hash performed. +.P +Options to use when creating an iphash set: +.TP +.BR "--hashsize " hashsize +The initial hash size (default 1024) +.TP +.BR "--probes " probes +How many times try to resolve clashing at adding an IP to the hash +by double-hashing (default 2). +.TP +.BR "--resize " percent +Increase the hash size by this many percent (default 50) when adding +an IP to the hash could not be performed after +.P +An IP address will be in a nethash type of set if it is in any of the +netblocks added to the set, where the matching start from the smallest +size of netblock to the biggest ones. When adding/deleting IP addresses +to a nethash set by the +.I +SET +netfilter kernel module, it will be added/deleted by the smallest +netblock size which can be found in the set. +.P +.SS iptree +The iptree set type uses a tree to store IP addresses, optionally +with timeout values. +.P +Options to use when creating an iptree set: +.TP +.BR "--timeout " value +The timeout value for the entries in seconds (default 0) +.P +When adding an IP address to a set, one may add it with a specific timeout +value using the syntax +.I IP%timeout-value. .SH GENERAL RESTRICTIONS Setnames starting with colon (:) cannot be defined. Zero valued set entries cannot be used. +.SH COMMENTS +If you want to store same size subnets from a given network +(say /24 blocks from a /8 network), use the ipmap set type. +If you want to store random same size networks (say random /24 blocks), +use the iphash set type. If you have got random size of netblocks, +use nethash. .SH DIAGNOSTICS Various error messages are printed to standard error. The exit code is 0 for correct functioning. Errors which appear to be caused by |