Diffstat (limited to 'ipset.8')
1 files changed, 48 insertions, 96 deletions
@@ -26,13 +26,11 @@ ipset \- administration tool for IP sets
.BR "ipset -[EW] " "from-set to-set"
-.BR "ipset -[ADU] " "set entry"
-.BR "ipset -B " "set entry -b binding"
-.BR "ipset -T " "set entry [-b binding]"
+.BR "ipset -[ADT] " "set entry"
.BR "ipset -R "
+.BR "ipset -[Vv] "
is used to set up, maintain and inspect so called IP sets in the Linux
@@ -40,19 +38,9 @@ kernel. Depending on the type, an IP set may store IP addresses, (TCP/UDP)
port numbers or additional informations besides IP addresses: the word IP
means a general term here. See the set type definitions below.
-Any entry in a set can be bound to another set, which forms a relationship
-between a set element and the set it is bound to. In order to define a
-binding it is not required that the entry be already added to the set.
-The sets may have a default binding, which is valid for every set element
-for which there is no binding defined at all.
-IP set bindings pointing to sets and iptables matches and targets
-referring to sets creates references, which protects the given sets in
-the kernel. A set cannot be removed (destroyed) while there is a single
-reference pointing to it.
-Please note, binding sets is a deprecated feature and will be removed in a later release. Switch to the multidata type of sets from using bindings.
+Iptables matches and targets referring to sets creates references, which
+protects the given sets in the kernel. A set cannot be removed (destroyed)
+while there is a single reference pointing to it.
The options that are recognized by
@@ -70,21 +58,13 @@ Create a set identified with setname and specified type.
Type-specific options must be supplied.
.BI "-X, --destroy " "[\fIsetname\fP]"
-Destroy the specified set, or all sets if none or the keyword
-Before destroying the set, all bindings belonging to the
-set elements and the default binding of the set are removed.
+Destroy the specified set or all the sets if none is given.
If the set has got references, nothing is done.
.BI "-F, --flush " "[\fIsetname\fP]"
-Delete all entries from the specified set, or flush
-all sets if none or the keyword
-is given. Bindings are not affected by the flush operation.
+Delete all entries from the specified set or flush
+all sets if none is given.
.BI "-E, --rename " "\fIfrom-setname\fP \fIto-setname\fP"
Rename a set. Set identified by to-setname must not exist.
@@ -95,102 +75,63 @@ exchange the name of two sets. The referred sets must exist and
identical type of sets can be swapped only.
.BI "-L, --list " "[\fIsetname\fP]"
-List the entries and bindings for the specified set, or for
-all sets if none or the keyword
-is given. The
-.B "-n, --numeric"
-option can be used to suppress name lookups and generate numeric
-output. When the
+List the entries for the specified set, or for
+all sets if none is given. The
+.B "-r, --resolve"
+option can be used to force name lookups (which may be slow). When the
.B "-s, --sorted"
option is given, the entries are listed sorted (if the given set
type supports the operation).
.BI "-S, --save " "[\fIsetname\fP]"
-Save the given set, or all sets if none or the keyword
-is specified to stdout in a format that --restore can read.
+Save the given set, or all sets if none is given
+to stdout in a format that --restore can read.
.BI "-R, --restore "
Restore a saved session generated by --save. The saved session
can be fed from stdin.
When generating a session file please note that the supported commands
-(create set, add element, bind) must appear in a strict order: first create
+(create set and add element) must appear in a strict order: first create
the set, then add all elements. Then create the next set, add all its elements
-and so on. Finally you can list all binding commands. Also, it is a restore
-operation, so the sets being restored must not exist.
+and so on. Also, it is a restore operation, so the sets being restored must
.BI "-A, --add " "\fIsetname\fP \fIIP\fP"
-Add an IP to a set.
+Add an IP entry to a set.
.BI "-D, --del " "\fIsetname\fP \fIIP\fP"
-Delete an IP from a set.
+Delete an IP entry from a set.
.BI "-T, --test " "\fIsetname\fP \fIIP
-Test wether an IP is in a set or not. Exit status number is zero
+Test wether an IP entry is in a set or not. Exit status number is zero
if the tested IP is in the set and nonzero if it is missing from
-.BI "-T, --test " "\fIsetname\fP \fIIP\fP \fI--binding\fP \fIto-setname\fP"
-Test wether the IP belonging to the set points to the specified binding.
-Exit status number is zero if the binding points to the specified set,
-otherwise it is nonzero. The keyword
-can be used to test the default binding of the set.
-.BI "-B, --bind " "\fIsetname\fP \fIIP\fP \fI--binding\fP \fIto-setname\fP"
-Bind the IP in setname to to-setname.
-.BI "-U, --unbind " "\fIsetname\fP \fIIP\fP"
-Delete the binding belonging to IP in set setname.
.BI "-H, --help " "[settype]"
Print help and settype specific help if settype specified.
+.BI "-V, -v, --version "
+Print program version and protocol version.
-commands you can use the token
-to bind, unbind or test the default binding of a set instead
-of an IP. At the
-command you can use the token
-to destroy the bindings of all elements of a set.
.SS "OTHER OPTIONS"
The following additional options can be specified:
-.B "-b, --binding setname"
-The option specifies the value of the binding for the
-binding command, for which it is a mandatory option.
-You can use it in the
-test command as well to test bindings.
+.B "-r, --resolve"
+When listing sets, enforce name lookup. The
+program will try to display the IP entries resolved to
+host names or services (whenever applicable), which can trigger
.B "-s, --sorted"
Sorted output. When listing sets, entries are listed sorted.
.B "-n, --numeric"
-Numeric output. When listing sets, bindings, IP addresses and
-port numbers will be printed in numeric format. By default the
-program will try to display them as host names, network names
-or services (whenever applicable), which can trigger
+Numeric output. When listing sets, IP addresses and
+port numbers will be printed in numeric format. This is the default.
.B "-q, --quiet"
Suppress any output to stdout and stderr. ipset will still return
@@ -224,6 +165,10 @@ When the optional
parameter specified, network addresses will be
stored in the set instead of IP addresses, and the from-IP parameter
must be a network address. The CIDR-netmask value must be between 1-31.
+ipset \-N test ipmap \-\-network 192.168.0.0/16
The macipmap set type uses a memory range, where each 8 bytes
represents one IP and a MAC addresses. A macipmap set type can store
@@ -319,6 +264,10 @@ parameter. In general higher
value results better utilized hash while smaller value
produces larger, sparser hash.
+ipset \-N test iphash \-\-probes 2
The nethash set type uses a hash to store different size of
network addresses. The
@@ -538,7 +487,7 @@ Options to use when creating a setlist type of set:
.BR "--size " size
Create a setlist type of set with the given size (default 8).
@@ -562,8 +511,9 @@ and
are setlist type of sets then in the command
-iptables -m set --match-set a src,dst -j SET --add-set b src,dst
+iptables \-m set \-\-match\-set a src,dst \-j SET \-\-add-set b src,dst
the match and target will skip any set in
@@ -589,6 +539,8 @@ use the iphash set type. If you have got random size of netblocks,
Old separator tokens (':' and '%") are still accepted.
+Binding support is removed.
Various error messages are printed to standard error. The exit code
is 0 for correct functioning. Errors which appear to be caused by