Diffstat (limited to 'src')
-rw-r--r-- | src/ipset-translate.8 | 2 | ||||
-rw-r--r-- | src/ipset.8 | 94 | ||||
-rw-r--r-- | src/ipset.c | 4 | ||||
-rw-r--r-- | src/ui.c | 2 |
4 files changed, 71 insertions, 31 deletions
diff --git a/src/ipset-translate.8 b/src/ipset-translate.8 index bb4e737..55ce2a9 100644 --- a/src/ipset-translate.8 +++ b/src/ipset-translate.8 @@ -33,7 +33,7 @@ to \fBnftables(8)\fP. The only available command is: .IP \[bu] 2 -ipset-translate restores < file.ipt +ipset-translate restore < file.ipt .SH USAGE The \fBipset-translate\fP tool reads an IP sets file in the syntax produced by diff --git a/src/ipset.8 b/src/ipset.8 index 269b9b5..39912ee 100644 --- a/src/ipset.8 +++ b/src/ipset.8 @@ -21,7 +21,7 @@ ipset \(em administration tool for IP sets .PP COMMANDS := { \fBcreate\fR | \fBadd\fR | \fBdel\fR | \fBtest\fR | \fBdestroy\fR | \fBlist\fR | \fBsave\fR | \fBrestore\fR | \fBflush\fR | \fBrename\fR | \fBswap\fR | \fBhelp\fR | \fBversion\fR | \fB\-\fR } .PP -\fIOPTIONS\fR := { \fB\-exist\fR | \fB\-output\fR { \fBplain\fR | \fBsave\fR | \fBxml\fR } | \fB\-quiet\fR | \fB\-resolve\fR | \fB\-sorted\fR | \fB\-name\fR | \fB\-terse\fR | \fB\-file\fR \fIfilename\fR } +\fIOPTIONS\fR := { \fB\-exist\fR | \fB\-output\fR { \fBplain\fR | \fBsave\fR | \fBxml\fR } | \fBjson\fR } | \fB\-quiet\fR | \fB\-resolve\fR | \fB\-sorted\fR | \fB\-name\fR | \fB\-terse\fR | \fB\-file\fR \fIfilename\fR } .PP \fBipset\fR \fBcreate\fR \fISETNAME\fR \fITYPENAME\fR [ \fICREATE\-OPTIONS\fR ] .PP @@ -118,7 +118,7 @@ option is given, the entries are listed/saved sorted (which may be slow). The option \fB\-output\fR can be used to control the format of the listing: -\fBplain\fR, \fBsave\fR or \fBxml\fR. +\fBplain\fR, \fBsave\fR, \fBxml\fR or \fBjson\fR. (The default is \fBplain\fR.) If the option @@ -187,7 +187,7 @@ cannot be abbreviated. Ignore errors when exactly the same set is to be created or already added entry is added or missing entry is deleted. .TP -\fB\-o\fP, \fB\-output\fP { \fBplain\fR | \fBsave\fR | \fBxml\fR } +\fB\-o\fP, \fB\-output\fP { \fBplain\fR | \fBsave\fR | \fBxml\fR | \fBjson\fR } Select the output format to the \fBlist\fR command. 
@@ -251,17 +251,13 @@ In the case of host names the DNS resolver is called internally by \fBipset\fR but if it returns multiple IP addresses, only the first one is used. -The \fBbitmap\fR and \fBlist\fR types use a fixed sized storage. The \fBhash\fR -types use a hash to store the elements. In order to avoid clashes in the hash, +The \fBbitmap\fR and \fBlist\fR types use a fixed sized storage. + +The \fBhash\fR types use a hash to store the elements. In order to avoid clashes in the hash, a limited number of chaining, and if that is exhausted, the doubling of the hash size -is performed when adding entries by the -\fBipset\fR -command. When entries added by the -\fBSET\fR -target of -\fBiptables/ip6tables\fR, -then the hash size is fixed and the set won't be duplicated, even if the new -entry cannot be added to the set. +is performed when adding entries by the \fBipset\fR command. When entries added by the +\fBSET\fR target of \fBiptables/ip6tables\fR, then the hash size is fixed and the +hash won't be duplicated, even if the new entry cannot be added to the set. .SH "GENERIC CREATE AND ADD OPTIONS" .SS timeout All set types supports the optional \fBtimeout\fR 
@@ -335,28 +331,43 @@ ipset create foo hash:ip skbinfo .IP ipset add foo 192.168.0.1 skbmark 0x1111/0xff00ffff skbprio 1:10 skbqueue 10 .PP +.SS maxelem +This parameter is valid for the \fBcreate\fR command of all \fBhash\fR type sets. +It defines the maximal number of elements which can be stored in the set, default 65536. +It is the hard limit for the possible elements in a hash type of set. If +the set is full (i.e. it contains \fBmaxelem\fR number of elements), new +elements cannot be added neither by the \fBipset\fR command nor by the +\fBSET\fR target. +Example: +.IP +ipset create test hash:ip maxelem 2048 +.PP .SS hashsize This parameter is valid for the \fBcreate\fR command of all \fBhash\fR type sets. It defines the initial hash size for the set, default is 1024. The hash size must be a power of two, the kernel automatically rounds up non power of two hash sizes to the first -correct value. -Example: +correct value. If you intend to use a set so that new elements are added by the \fBipset\fR +command only, then you can start with a default/small \fBhashsize\fR value and the hash +will grow automatically as you add new entries until \fBmaxelem\fR values +are added. If you want to use a set so that new +elements are added by the \fBSET\fR target, then choose the maximal \fBhashsize\fR +value with respect of the \fBbucketsize\fR parameter so that number of planned elements +will fit into the hash. .IP -ipset create test hash:ip hashsize 1536 +hashsize == maxelem / bucketsize .PP -.SS maxelem -This parameter is valid for the \fBcreate\fR command of all \fBhash\fR type sets. -It defines the maximal number of elements which can be stored in the set, default 65536. -Example: +is the smallest possible approximation but a larger hash size is better to +make sure all elements can really be stored in the set. 
Example: .IP -ipset create test hash:ip maxelem 2048 +ipset create test hash:ip hashsize 1536 .PP .SS bucketsize This parameter is valid for the \fBcreate\fR command of all \fBhash\fR type sets. It specifies the maximal number of elements which can be stored in a hash -bucket. Possible values are any even number between 2-14 and the default is -14. Setting the value lower forces ipset to create larger hashes which -consumes more memory but gives more speed at matching in the set. +bucket. Possible values are any even number between 2-12 and the default is +12. Setting the value lower forces ipset to create larger hashes when adding +new elements to a set by the \fBipset\fR command which consumes more memory +but gives more speed at matching in the set. Example: .IP ipset create test hash:ip bucketsize 2 @@ -524,7 +535,7 @@ The \fBhash:ip\fR set type uses a hash to store IP host addresses (default) or network addresses. Zero valued IP address cannot be stored in a \fBhash:ip\fR type of set. .PP -\fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBbucketsize\fR \fIvalue\fR ] [ \fBnetmask\fP \fIcidr\fP ] [ \fBtimeout\fR \fIvalue\fR ] [ \fBcounters\fP ] [ \fBcomment\fP ] [ \fBskbinfo\fP ] +\fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBbucketsize\fR \fIvalue\fR ] [ \fBnetmask\fP \fIcidr\fP ] [ \fBbitmask\fP \fImask\fP ] [ \fBtimeout\fR \fIvalue\fR ] [ \fBcounters\fP ] [ \fBcomment\fP ] [ \fBskbinfo\fP ] .PP \fIADD\-ENTRY\fR := \fIipaddr\fR .PP 
@@ -549,6 +560,9 @@ ipset create foo hash:ip netmask 30 ipset add foo 192.168.1.0/24 .IP ipset test foo 192.168.1.2 +.TP +\fBbitmask\fP \fImask\fP +This works similar to \fBnetmask\fP but it will accept any valid IPv4/v6 address. It does not have to be a valid netmask. .SS hash:mac The \fBhash:mac\fR set type uses a hash to store MAC addresses. Zero valued MAC addresses cannot be stored in a \fBhash:mac\fR type of set. For matches on destination MAC addresses, see COMMENTS below. @@ -648,7 +662,7 @@ over the second, so a nomatch entry could be potentially be ineffective if a mor first parameter existed with a suitable second parameter. Network address with zero prefix size cannot be stored in this type of set. .PP -\fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBbucketsize\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ] [ \fBcounters\fP ] [ \fBcomment\fP ] [ \fBskbinfo\fP ] +\fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBbucketsize\fR \fIvalue\fR ] [ \fBnetmask\fP \fIcidr\fP ] [ \fBbitmask\fP \fImask\fP ] [ \fBtimeout\fR \fIvalue\fR ] [ \fBcounters\fP ] [ \fBcomment\fP ] [ \fBskbinfo\fP ] .PP \fIADD\-ENTRY\fR := \fInetaddr\fR,\fInetaddr\fR .PP 
@@ -680,6 +694,18 @@ values added to the first parameter of the set. The number of secondary prefixes further increases this as the list of secondary prefixes is traversed per primary prefix. .PP +Optional \fBcreate\fR options: +.TP +\fBnetmask\fP \fIcidr\fP +When the optional \fBnetmask\fP parameter specified, network addresses will be +stored in the set instead of IP host addresses. The \fIcidr\fP prefix value must be +between 1\-32 for IPv4 and between 1\-128 for IPv6. An IP address will be in the set +if the network address, which is resulted by masking the address with the netmask, +can be found in the set. +.TP +\fBbitmask\fP \fImask\fP +This works similar to \fBnetmask\fP but it will accept any valid IPv4/v6 address. It does not have to be a valid netmask. +.PP Example: .IP ipset create foo hash:net,net @@ -701,7 +727,7 @@ The \fBhash:ip,port\fR set type uses a hash to store IP address and port number The port number is interpreted together with a protocol (default TCP) and zero protocol number cannot be used. .PP -\fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBbucketsize\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ] [ \fBcounters\fP ] [ \fBcomment\fP ] [ \fBskbinfo\fP ] +\fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBbucketsize\fR \fIvalue\fR ] [ \fBnetmask\fP \fIcidr\fP ] [ \fBbitmask\fP \fImask\fP ] [ \fBtimeout\fR \fIvalue\fR ] [ \fBcounters\fP ] [ \fBcomment\fP ] [ \fBskbinfo\fP ] .PP \fIADD\-ENTRY\fR := \fIipaddr\fR,[\fIproto\fR:]\fIport\fR .PP 
@@ -741,6 +767,18 @@ The \fBhash:ip,port\fR type of sets require two \fBsrc\fR/\fBdst\fR parameters of the \fBset\fR match and \fBSET\fR target kernel modules. .PP +Optional \fBcreate\fR options: +.TP +\fBnetmask\fP \fIcidr\fP +When the optional \fBnetmask\fP parameter specified, network addresses will be +stored in the set instead of IP host addresses. The \fIcidr\fP prefix value must be +between 1\-32 for IPv4 and between 1\-128 for IPv6. An IP address will be in the set +if the network address, which is resulted by masking the address with the netmask, +can be found in the set. +.TP +\fBbitmask\fP \fImask\fP +This works similar to \fBnetmask\fP but it will accept any valid IPv4/v6 address. It does not have to be a valid netmask. +.PP Examples: .IP ipset create foo hash:ip,port
@@ -898,7 +936,7 @@ The \fBhash:ip,mark\fR set type uses a hash to store IP address and packet mark Optional \fBcreate\fR options: .TP \fBmarkmask\fR \fIvalue\fR -Allows you to set bits you are interested in the packet mark. This values is then used to perform bitwise AND operation for every mark added. +Allows you to set bits you are interested in the packet mark. This value is then used to perform bitwise AND operation for every mark added. markmask can be any value between 1 and 4294967295, by default all 32 bits are set. .PP The
diff --git a/src/ipset.c b/src/ipset.c
index 6d42b60..d7733bf 100644
--- a/src/ipset.c
+++ b/src/ipset.c
@@ -6,6 +6,7 @@
  * it under the terms of the GNU General Public License version 2 as
  * published by the Free Software Foundation.
  */
+#define _GNU_SOURCE
 #include <assert.h> /* assert */
 #include <stdio.h> /* fprintf */
 #include <stdlib.h> /* exit */
@@ -14,6 +15,7 @@
 #include <config.h>
 #include <libipset/ipset.h> /* ipset library */
 #include <libipset/xlate.h> /* translate to nftables */
+#include <libgen.h>
 
 int
 main(int argc, char *argv[])
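Review bot: The new `#define _GNU_SOURCE` at the top of ipset.c is unguarded, and `<config.h>` is only included later in the second hunk; if the autoconf configuration also defines `_GNU_SOURCE` (AC_USE_SYSTEM_EXTENSIONS emits it as `1`), the two definitions differ and the compiler reports a macro redefinition. Guarding it as `#ifndef _GNU_SOURCE` / `#define _GNU_SOURCE` / `#endif` avoids that regardless of what config.h does, and the define must stay ahead of every system header as it is here. Note also that `<libgen.h>` is included after the libipset headers: on glibc that header redirects later `basename` calls to the POSIX `__xpg_basename`, so the `basename` used in main() is the POSIX variant, which may write into its argument, not the non-modifying GNU one that `_GNU_SOURCE` plus `<string.h>` would otherwise declare. A one-line comment on the include, `/* POSIX basename(): may modify argv[0] in place */`, would make the intended variant explicit.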
@@ -31,7 +33,7 @@ main(int argc, char *argv[])
 		exit(1);
 	}
 
-	if (!strcmp(argv[0], "ipset-translate")) {
+	if (!strcmp(basename(argv[0]), "ipset-translate")) {
 		ret = ipset_xlate_argv(ipset, argc, argv);
 	} else {
 		ret = ipset_parse_argv(ipset, argc, argv);
@@ -180,7 +180,7 @@ const struct ipset_envopts ipset_envopts[] = {
 	{ .name = { "-o", "-output" },
 	  .has_arg = IPSET_MANDATORY_ARG, .flag = IPSET_OPT_MAX,
 	  .parse = ipset_parse_output,
-	  .help = "plain|save|xml\n"
+	  .help = "plain|save|xml|json\n"
 	  " Specify output mode for listing sets.\n"
 	  " Default value for \"list\" command is mode \"plain\"\n"
 	  " and for \"save\" command is mode \"save\".", |
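Review bot: The `basename(argv[0])` call in main() depends on which of the two glibc `basename` variants wins (GNU via `_GNU_SOURCE` and `<string.h>`, POSIX via `<libgen.h>`); with `<libgen.h>` included last it resolves to the POSIX one, which is allowed to modify `argv[0]` in place and has behaviour for an empty or NULL argument that differs between libcs. argv[0] is caller-controlled and can be NULL when the process is executed with an empty argv; the start of main() is outside the hunk, so it is not visible whether that case is rejected before this line, and the old `strcmp(argv[0], ...)` would also have dereferenced NULL. Taking the last path component with `strrchr` removes the feature-macro and libgen dependency, makes the NULL case explicit, and leaves argv[0] untouched; `prog` would be declared with main()'s other locals.
```c
	/* … unchanged: ipset_init() and its failure exit … */
	/* Dispatch on the invoked name: argv[0] may carry a path (symlink
	 * install) and may be NULL if the process was started with argc == 0. */
	prog = argv[0] ? strrchr(argv[0], '/') : NULL;
	prog = prog ? prog + 1 : (argv[0] ? argv[0] : "");
	if (!strcmp(prog, "ipset-translate")) {
		ret = ipset_xlate_argv(ipset, argc, argv);
	/* … unchanged: ipset_parse_argv branch … */
```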
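Review bot: The `-output` help string in ui.c now advertises `json`, but nothing in this diff touches `ipset_parse_output` or the output-mode enum it maps to, and the diffstat shows ui.c changing only these two lines. Presumably the json mode already exists in libipset and only the documentation lagged; that is worth confirming, because a help text that lists a value the parser rejects sends users into a confusing error path. The `ipset_envopts[]` initializer containing this entry starts and ends outside the hunk.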