.\" Man page written by Jozsef Kadlecsik .\" .\" This program is free software; you can redistribute it and/or modify .\" it under the terms of the GNU General Public License as published by .\" the Free Software Foundation; either version 2 of the License, or .\" (at your option) any later version. .\" .\" This program is distributed in the hope that it will be useful, .\" but WITHOUT ANY WARRANTY; without even the implied warranty of .\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the .\" GNU General Public License for more details. .\" .\" You should have received a copy of the GNU General Public License .\" along with this program; if not, write to the Free Software .\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. .TH "IPSET" "8" "Jun 25, 2015" "Jozsef Kadlecsik" "" .SH "NAME" ipset \(em administration tool for IP sets .SH "SYNOPSIS" \fBipset\fR [ \fIOPTIONS\fR ] \fICOMMAND\fR [ \fICOMMAND\-OPTIONS\fR ] .PP COMMANDS := { \fBcreate\fR | \fBadd\fR | \fBdel\fR | \fBtest\fR | \fBdestroy\fR | \fBlist\fR | \fBsave\fR | \fBrestore\fR | \fBflush\fR | \fBrename\fR | \fBswap\fR | \fBhelp\fR | \fBversion\fR | \fB\-\fR } .PP \fIOPTIONS\fR := { \fB\-exist\fR | \fB\-output\fR { \fBplain\fR | \fBsave\fR | \fBxml\fR } | \fB\-quiet\fR | \fB\-resolve\fR | \fB\-sorted\fR | \fB\-name\fR | \fB\-terse\fR | \fB\-file\fR \fIfilename\fR } .PP \fBipset\fR \fBcreate\fR \fISETNAME\fR \fITYPENAME\fR [ \fICREATE\-OPTIONS\fR ] .PP \fBipset\fR \fBadd\fR \fISETNAME\fR \fIADD\-ENTRY\fR [ \fIADD\-OPTIONS\fR ] .PP \fBipset\fR \fBdel\fR \fISETNAME\fR \fIDEL\-ENTRY\fR [ \fIDEL\-OPTIONS\fR ] .PP \fBipset\fR \fBtest\fR \fISETNAME\fR \fITEST\-ENTRY\fR [ \fITEST\-OPTIONS\fR ] .PP \fBipset\fR \fBdestroy\fR [ \fISETNAME\fR ] .PP \fBipset\fR \fBlist\fR [ \fISETNAME\fR ] .PP \fBipset\fR \fBsave\fR [ \fISETNAME\fR ] .PP \fBipset\fR \fBrestore\fR .PP \fBipset\fR \fBflush\fR [ \fISETNAME\fR ] .PP \fBipset\fR \fBrename\fR \fISETNAME\-FROM\fR \fISETNAME\-TO\fR .PP \fBipset\fR 
\fBswap\fR \fISETNAME\-FROM\fR \fISETNAME\-TO\fR .PP \fBipset\fR \fBhelp\fR [ \fITYPENAME\fR ] .PP \fBipset\fR \fBversion\fR .PP \fBipset\fR \fB\-\fR .SH "DESCRIPTION" \fBipset\fR is used to set up, maintain and inspect so\-called IP sets in the Linux kernel. Depending on the type of the set, an IP set may store IP(v4/v6) addresses, (TCP/UDP) port numbers, IP and MAC address pairs, IP address and port number pairs, etc. See the set type definitions below. .PP \fBIptables\fR matches and targets referring to sets create references, which protect the given sets in the kernel. A set cannot be destroyed while even a single reference points to it. .SH "OPTIONS" The options that are recognized by \fBipset\fR can be divided into several different groups. .SS COMMANDS These options specify the desired action to perform. Only one of them can be specified on the command line unless otherwise specified below. For all the long versions of the command names, you need to use only enough letters to ensure that \fBipset\fR can differentiate it from all other commands. The \fBipset\fR parser follows the order here when looking for the shortest match in the long command names. .TP \fBn\fP, \fBcreate\fP \fISETNAME\fP \fITYPENAME\fP [ \fICREATE\-OPTIONS\fP ] Create a set identified by \fISETNAME\fR with the specified type. The type may require type specific options. If the \fB\-exist\fR option is specified, \fBipset\fR ignores the error otherwise raised when the same set (setname and create parameters are identical) already exists. .TP \fBadd\fP \fISETNAME\fP \fIADD\-ENTRY\fP [ \fIADD\-OPTIONS\fP ] Add a given entry to the set. If the \fB\-exist\fR option is specified, \fBipset\fR ignores the error otherwise raised when the entry has already been added to the set. .TP \fBdel\fP \fISETNAME\fP \fIDEL\-ENTRY\fP [ \fIDEL\-OPTIONS\fP ] Delete an entry from a set. If the \fB\-exist\fR option is specified and the entry is not in the set (maybe already expired), then the command is ignored.
.TP \fBtest\fP \fISETNAME\fP \fITEST\-ENTRY\fP [ \fITEST\-OPTIONS\fP ] Test whether an entry is in a set or not. The exit status is zero if the tested entry is in the set and nonzero if it is missing from the set. .TP \fBx\fP, \fBdestroy\fP [ \fISETNAME\fP ] Destroy the specified set or all the sets if none is given. If the set is referenced, nothing is done and no set is destroyed. .TP \fBlist\fP [ \fISETNAME\fP ] [ \fIOPTIONS\fP ] List the header data and the entries for the specified set, or for all sets if none is given. The \fB\-resolve\fP option can be used to force name lookups (which may be slow). When the \fB\-sorted\fP option is given, the entries are listed/saved sorted (which may be slow). The option \fB\-output\fR can be used to control the format of the listing: \fBplain\fR, \fBsave\fR or \fBxml\fR. (The default is \fBplain\fR.) If the option \fB\-name\fR is specified, just the names of the existing sets are listed. If the option \fB\-terse\fR is specified, just the set names and headers are listed. The output is printed to stdout; the option \fB\-file\fR can be used to specify a filename instead of stdout. .TP \fBsave\fP [ \fISETNAME\fP ] Save the given set, or all sets if none is given, to stdout in a format that \fBrestore\fP can read. The option \fB\-file\fR can be used to specify a filename instead of stdout. .TP \fBrestore\fP Restore a saved session generated by \fBsave\fP. The saved session can be fed from stdin, or the option \fB\-file\fR can be used to specify a filename instead of stdin. Please note, existing sets and elements are not erased by \fBrestore\fP unless specified so in the restore file. All commands are allowed in restore mode except \fBlist\fP, \fBhelp\fP, \fBversion\fP, interactive mode and \fBrestore\fP itself. .TP \fBflush\fP [ \fISETNAME\fP ] Flush all entries from the specified set or flush all sets if none is given. .TP \fBe\fP, \fBrename\fP \fISETNAME\-FROM\fP \fISETNAME\-TO\fP Rename a set.
Set identified by \fISETNAME\-TO\fR must not exist. .TP \fBw\fP, \fBswap\fP \fISETNAME\-FROM\fP \fISETNAME\-TO\fP Swap the content of two sets, or in other words, exchange the names of two sets. The referred sets must exist, and only sets of compatible types can be swapped. .TP \fBhelp\fP [ \fITYPENAME\fP ] Print help, and set type specific help if \fITYPENAME\fR is specified. .TP \fBversion\fP Print program version. .TP \fB\-\fP If a dash is specified as command, then \fBipset\fR enters a simple interactive mode and the commands are read from the standard input. The interactive mode can be finished by entering the pseudo\-command \fBquit\fR. .P .SS "OTHER OPTIONS" The following additional options can be specified. The long option names cannot be abbreviated. .TP \fB\-!\fP, \fB\-exist\fP Ignore errors when exactly the same set is to be created, an already added entry is added, or a missing entry is deleted. .TP \fB\-o\fP, \fB\-output\fP { \fBplain\fR | \fBsave\fR | \fBxml\fR } Select the output format of the \fBlist\fR command. .TP \fB\-q\fP, \fB\-quiet\fP Suppress any output to stdout and stderr. \fBipset\fR will still exit with an error if it cannot continue. .TP \fB\-r\fP, \fB\-resolve\fP When listing sets, enforce name lookup. The program will try to display the IP entries resolved to host names, which requires \fBslow\fR DNS lookups. .TP \fB\-s\fP, \fB\-sorted\fP Sorted output. When listing or saving sets, the entries are listed sorted. .TP \fB\-n\fP, \fB\-name\fP List just the names of the existing sets, i.e. suppress listing of set headers and members. .TP \fB\-t\fP, \fB\-terse\fP List the set names and headers, i.e. suppress listing of set members. .TP \fB\-f\fP, \fB\-file\fP \fIfilename\fR Specify a filename to print into instead of stdout (\fBlist\fR or \fBsave\fR commands) or read from instead of stdin (\fBrestore\fR command). .SH "INTRODUCTION" A set type comprises the storage method by which the data is stored and the data type(s) which are stored in the set.
Therefore the \fITYPENAME\fR parameter of the \fBcreate\fR command follows the syntax \fITYPENAME\fR := \fImethod\fR\fB:\fR\fIdatatype\fR[\fB,\fR\fIdatatype\fR[\fB,\fR\fIdatatype\fR]] where the methods currently available are \fBbitmap\fR, \fBhash\fR, and \fBlist\fR and the possible data types are \fBip\fR, \fBnet\fR, \fBmac\fR, \fBport\fR and \fBiface\fR. The dimension of a set is equal to the number of data types in its type name. When adding, deleting or testing entries in a set, the same comma separated data syntax must be used for the entry parameter of the commands, i.e. .IP ipset add foo ipaddr,portnum,ipaddr .PP If host names or service names with a dash in the name are used instead of IP addresses or service numbers, then the host name or service name must be enclosed in square brackets. Example: .IP ipset add foo [test\-hostname],[ftp\-data] .PP In the case of host names the DNS resolver is called internally by \fBipset\fR, but if it returns multiple IP addresses, only the first one is used. The \fBbitmap\fR and \fBlist\fR types use a fixed sized storage. The \fBhash\fR types use a hash to store the elements. In order to avoid clashes in the hash, a limited amount of chaining is used, and if that is exhausted, the hash size is doubled when entries are added by the \fBipset\fR command. When entries are added by the \fBSET\fR target of \fBiptables/ip6tables\fR, the hash size is fixed and is not doubled, even if that means the new entry cannot be added to the set. .SH "GENERIC CREATE AND ADD OPTIONS" .SS timeout All set types support the optional \fBtimeout\fR parameter when creating a set and adding entries. The value of the \fBtimeout\fR parameter for the \fBcreate\fR command means the default timeout value (in seconds) for new entries. If a set is created with timeout support, then the same \fBtimeout\fR option can be used to specify non\-default timeout values when adding entries. A zero timeout value means the entry is added permanently to the set.
The timeout value of already added elements can be changed by re-adding the element using the \fB\-exist\fR option. The largest possible timeout value is 2147483 (in seconds). Example: .IP ipset create test hash:ip timeout 300 .IP ipset add test 192.168.0.1 timeout 60 .IP ipset \-exist add test 192.168.0.1 timeout 600 .PP When listing the set, the number of entries printed in the header might be larger than the listed number of entries for sets with the timeout extension: the number of entries in the set is updated when elements are added to or deleted from the set, and periodically when the garbage collector evicts the timed out entries. .PP .SS "counters, packets, bytes" All set types support the optional \fBcounters\fR option when creating a set. If the option is specified then the set is created with packet and byte counter support per element. The packet and byte counters are initialized to zero when the elements are (re\-)added to the set, unless the packet and byte counter values are explicitly specified by the \fBpackets\fR and \fBbytes\fR options. An example where an element is added to a set with non\-zero counter values: .IP ipset create foo hash:ip counters .IP ipset add foo 192.168.1.1 packets 42 bytes 1024 .PP .SS comment All set types support the optional \fBcomment\fR extension. Enabling this extension on a set lets you annotate an entry with an arbitrary string. This string is completely ignored by both the kernel and ipset itself and is purely a convenient means to document the reason for an entry's existence. Comments must not contain any quotation marks and the usual escape character (\\) has no meaning. For example, the following shell command is illegal: .IP ipset add foo 1.1.1.1 comment "this comment is \\"bad\\"" .PP In the above, your shell will of course escape the quotation marks and ipset will see the quote marks in the argument for the comment, which will result in a parse error.
If you are writing your own system, you should avoid creating comments containing a quotation mark if you do not want to break "ipset save" and "ipset restore"; nonetheless, the kernel will not stop you from doing so. The following is perfectly acceptable: .IP ipset create foo hash:ip comment .IP ipset add foo 192.168.1.1/24 comment "allow access to SMB share on \\\\\\\\fileserv\\\\" .IP the above would appear as: "allow access to SMB share on \\\\fileserv\\" .PP .SS "skbinfo, skbmark, skbprio, skbqueue" All set types support the optional \fBskbinfo\fR extension. This extension allows you to store the metainfo (firewall mark, tc class and hardware queue) with every entry and map it to packets by using the \fBSET\fR netfilter target with the \fB\-\-map\-set\fR option. \fBskbmark\fR option format: \fBMARK\fR or \fBMARK/MASK\fR, where \fBMARK\fR and \fBMASK\fR are 32bit hex numbers with 0x prefix. If only \fBmark\fR is specified, the mask 0xffffffff is used. \fBskbprio\fR option has tc class format: \fBMAJOR:MINOR\fR, where \fBmajor\fR and \fBminor\fR numbers are hex without 0x prefix. \fBskbqueue\fR option is just a decimal number. .IP ipset create foo hash:ip skbinfo .IP ipset add foo 192.168.1.1 skbmark 0x1111/0xff00ffff skbprio 1:10 skbqueue 10 .PP .SS hashsize This parameter is valid for the \fBcreate\fR command of all \fBhash\fR type sets. It defines the initial hash size for the set, default is 1024. The hash size must be a power of two; the kernel automatically rounds up non power of two hash sizes to the first correct value. Example: .IP ipset create test hash:ip hashsize 1536 .PP .SS maxelem This parameter is valid for the \fBcreate\fR command of all \fBhash\fR type sets. It defines the maximal number of elements which can be stored in the set, default 65536. Example: .IP ipset create test hash:ip maxelem 2048 .PP .SS bucketsize This parameter is valid for the \fBcreate\fR command of all \fBhash\fR type sets. It specifies the maximal number of elements which can be stored in a hash bucket.
Possible values are any even number between 2-14 and the default is 14. Setting the value lower forces ipset to create larger hashes, which consume more memory but give faster matching in the set. Example: .IP ipset create test hash:ip bucketsize 2 .PP .SS family { inet | inet6 } This parameter is valid for the \fBcreate\fR command of all \fBhash\fR type sets except for hash:mac. It defines the protocol family of the IP addresses to be stored in the set. The default is \fBinet\fR, i.e. IPv4. For the \fBinet\fR family one can add or delete multiple entries by specifying a range or a network of IPv4 addresses in the IP address part of the entry: .PP \fIipaddr\fR := { \fIip\fR | \fIfromaddr\fR\-\fItoaddr\fR | \fIip\fR/\fIcidr\fR } .PP \fInetaddr\fR := { \fIfromaddr\fR\-\fItoaddr\fR | \fIip\fR/\fIcidr\fR } .PP Example: .IP ipset create test hash:ip family inet6 .PP .SS nomatch The \fBhash\fR set types which can store \fBnet\fR type of data (i.e. hash:*net*) support the optional \fBnomatch\fR option when adding entries. When matching elements in the set, entries marked as \fBnomatch\fR are skipped as if those were not added to the set, which makes it possible to build up sets with exceptions. See the example at hash type \fBhash:net\fR below. When elements are tested by \fBipset\fR, the \fBnomatch\fR flags are taken into account. If one wants to test the existence of an element marked with \fBnomatch\fR in a set, then the flag must be specified too. .SS forceadd All hash set types support the optional \fBforceadd\fR parameter when creating a set. When sets created with this option become full, the next addition to the set may succeed and evict a random entry from the set. .IP ipset create foo hash:ip forceadd .PP .SS wildcard This flag is valid when adding elements to a \fBhash:net,iface\fR set. If the flag is set, then prefix matching is used when comparing with this element.
For example, an element containing the interface name "eth" will match any name with that prefix. .PP .SH "SET TYPES" .SS bitmap:ip The \fBbitmap:ip\fR set type uses a memory range to store either IPv4 host (default) or IPv4 network addresses. A \fBbitmap:ip\fR type of set can store up to 65536 entries. .PP \fICREATE\-OPTIONS\fR := \fBrange\fP \fIfromip\fP\-\fItoip\fR|\fIip\fR/\fIcidr\fR [ \fBnetmask\fP \fIcidr\fP ] [ \fBtimeout\fR \fIvalue\fR ] [ \fBcounters\fP ] [ \fBcomment\fP ] [ \fBskbinfo\fP ] .PP \fIADD\-ENTRY\fR := { \fIip\fR | \fIfromip\fR\-\fItoip\fR | \fIip\fR/\fIcidr\fR } .PP \fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ] [ \fBpackets\fR \fIvalue\fR ] [ \fBbytes\fR \fIvalue\fR ] [ \fBcomment\fR \fIstring\fR ] [ \fBskbmark\fR \fIvalue\fR ] [ \fBskbprio\fR \fIvalue\fR ] [ \fBskbqueue\fR \fIvalue\fR ] .PP \fIDEL\-ENTRY\fR := { \fIip\fR | \fIfromip\fR\-\fItoip\fR | \fIip\fR/\fIcidr\fR } .PP \fITEST\-ENTRY\fR := \fIip\fR .PP Mandatory \fBcreate\fR options: .TP \fBrange\fP \fIfromip\fP\-\fItoip\fR|\fIip\fR/\fIcidr\fR Create the set from the specified inclusive address range expressed as an IPv4 address range or network. The size of the range (in entries) cannot exceed the limit of maximum 65536 elements. .PP Optional \fBcreate\fR options: .TP \fBnetmask\fP \fIcidr\fP When the optional \fBnetmask\fP parameter is specified, network addresses will be stored in the set instead of IP host addresses. The \fIcidr\fR prefix value must be between 1\-32. An IP address will be in the set if the network address, which results from masking the address with the specified netmask, can be found in the set. .PP The \fBbitmap:ip\fR type supports adding or deleting multiple entries in one command. .PP Examples: .IP ipset create foo bitmap:ip range 192.168.0.0/16 .IP ipset add foo 192.168.1/24 .IP ipset test foo 192.168.1.1 .SS bitmap:ip,mac The \fBbitmap:ip,mac\fR set type uses a memory range to store IPv4 address and MAC address pairs.
A \fBbitmap:ip,mac\fR type of set can store up to 65536 entries. .PP \fICREATE\-OPTIONS\fR := \fBrange\fP \fIfromip\fP\-\fItoip\fR|\fIip\fR/\fIcidr\fR [ \fBtimeout\fR \fIvalue\fR ] [ \fBcounters\fP ] [ \fBcomment\fP ] [ \fBskbinfo\fP ] .PP \fIADD\-ENTRY\fR := \fIip\fR[,\fImacaddr\fR] .PP \fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ] [ \fBpackets\fR \fIvalue\fR ] [ \fBbytes\fR \fIvalue\fR ] [ \fBcomment\fR \fIstring\fR ] [ \fBskbmark\fR \fIvalue\fR ] [ \fBskbprio\fR \fIvalue\fR ] [ \fBskbqueue\fR \fIvalue\fR ] .PP \fIDEL\-ENTRY\fR := \fIip\fR[,\fImacaddr\fR] .PP \fITEST\-ENTRY\fR := \fIip\fR[,\fImacaddr\fR] .PP Mandatory options to use when creating a \fBbitmap:ip,mac\fR type of set: .TP \fBrange\fP \fIfromip\fP\-\fItoip\fR|\fIip\fR/\fIcidr\fR Create the set from the specified inclusive address range expressed as an IPv4 address range or network. The size of the range cannot exceed the limit of maximum 65536 entries. .PP The \fBbitmap:ip,mac\fR type is exceptional in the sense that the MAC part can be left out when adding/deleting/testing entries in the set. If we add an entry without the MAC address specified, then the first time the entry is matched by the kernel, it will automatically fill in the missing MAC address with the MAC address from the packet. The source MAC address is used if the entry matched due to a \fBsrc\fR parameter of the \fBset\fR match, and the destination MAC address is used if available and the entry matched due to a \fBdst\fR parameter. If the entry was specified with a timeout value, the timer starts when the IP and MAC address pair is complete. .PP The \fBbitmap:ip,mac\fR type of sets require two \fBsrc/dst\fR parameters of the \fBset\fR match and \fBSET\fR target netfilter kernel modules. For matches on destination MAC addresses, see COMMENTS below.
.PP Examples: .IP ipset create foo bitmap:ip,mac range 192.168.0.0/16 .IP ipset add foo 192.168.1.1,12:34:56:78:9A:BC .IP ipset test foo 192.168.1.1 .SS bitmap:port The \fBbitmap:port\fR set type uses a memory range to store port numbers, and such a set can store up to 65536 ports. .PP \fICREATE\-OPTIONS\fR := \fBrange\fP \fIfromport\fP\-\fItoport\fR [ \fBtimeout\fR \fIvalue\fR ] [ \fBcounters\fP ] [ \fBcomment\fP ] [ \fBskbinfo\fP ] .PP \fIADD\-ENTRY\fR := { \fI[proto:]port\fR | \fI[proto:]fromport\fR\-\fItoport\fR } .PP \fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ] [ \fBpackets\fR \fIvalue\fR ] [ \fBbytes\fR \fIvalue\fR ] [ \fBcomment\fR \fIstring\fR ] [ \fBskbmark\fR \fIvalue\fR ] [ \fBskbprio\fR \fIvalue\fR ] [ \fBskbqueue\fR \fIvalue\fR ] .PP \fIDEL\-ENTRY\fR := { \fI[proto:]port\fR | \fI[proto:]fromport\fR\-\fItoport\fR } .PP \fITEST\-ENTRY\fR := \fI[proto:]port\fR .PP Mandatory options to use when creating a \fBbitmap:port\fR type of set: .TP \fBrange\fP \fI[proto:]fromport\fP\-\fItoport\fR Create the set from the specified inclusive port range. .PP The \fBset\fR match and \fBSET\fR target netfilter kernel modules interpret the stored numbers as TCP or UDP port numbers. .PP \fBproto\fR only needs to be specified if a service name is used and that name does not exist as a TCP service. The protocol is never stored in the set, just the port number of the service. .PP Examples: .IP ipset create foo bitmap:port range 0\-1024 .IP ipset add foo 80 .IP ipset test foo 80 .IP ipset del foo udp:[macon-udp]-[tn-tl-w2] .SS hash:ip The \fBhash:ip\fR set type uses a hash to store IP host addresses (default) or network addresses. A zero\-valued IP address cannot be stored in a \fBhash:ip\fR type of set.
.PP \fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBbucketsize\fR \fIvalue\fR ] [ \fBnetmask\fP \fIcidr\fP ] [ \fBtimeout\fR \fIvalue\fR ] [ \fBcounters\fP ] [ \fBcomment\fP ] [ \fBskbinfo\fP ] .PP \fIADD\-ENTRY\fR := \fIipaddr\fR .PP \fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ] [ \fBpackets\fR \fIvalue\fR ] [ \fBbytes\fR \fIvalue\fR ] [ \fBcomment\fR \fIstring\fR ] [ \fBskbmark\fR \fIvalue\fR ] [ \fBskbprio\fR \fIvalue\fR ] [ \fBskbqueue\fR \fIvalue\fR ] .PP \fIDEL\-ENTRY\fR := \fIipaddr\fR .PP \fITEST\-ENTRY\fR := \fIipaddr\fR .PP Optional \fBcreate\fR options: .TP \fBnetmask\fP \fIcidr\fP When the optional \fBnetmask\fP parameter is specified, network addresses will be stored in the set instead of IP host addresses. The \fIcidr\fP prefix value must be between 1\-32 for IPv4 and between 1\-128 for IPv6. An IP address will be in the set if the network address, which results from masking the address with the netmask, can be found in the set. Examples: .IP ipset create foo hash:ip netmask 30 .IP ipset add foo 192.168.1.0/24 .IP ipset test foo 192.168.1.2 .SS hash:mac The \fBhash:mac\fR set type uses a hash to store MAC addresses. Zero\-valued MAC addresses cannot be stored in a \fBhash:mac\fR type of set. For matches on destination MAC addresses, see COMMENTS below.
.PP \fICREATE\-OPTIONS\fR := [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBbucketsize\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ] [ \fBcounters\fP ] [ \fBcomment\fP ] [ \fBskbinfo\fP ] .PP \fIADD\-ENTRY\fR := \fImacaddr\fR .PP \fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ] [ \fBpackets\fR \fIvalue\fR ] [ \fBbytes\fR \fIvalue\fR ] [ \fBcomment\fR \fIstring\fR ] [ \fBskbmark\fR \fIvalue\fR ] [ \fBskbprio\fR \fIvalue\fR ] [ \fBskbqueue\fR \fIvalue\fR ] .PP \fIDEL\-ENTRY\fR := \fImacaddr\fR .PP \fITEST\-ENTRY\fR := \fImacaddr\fR .PP Examples: .IP ipset create foo hash:mac .IP ipset add foo 01:02:03:04:05:06 .IP ipset test foo 01:02:03:04:05:06 .SS hash:ip,mac The \fBhash:ip,mac\fR set type uses a hash to store IP address and MAC address pairs. Zero\-valued MAC addresses cannot be stored in a \fBhash:ip,mac\fR type of set. For matches on destination MAC addresses, see COMMENTS below. .PP \fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBbucketsize\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ] [ \fBcounters\fP ] [ \fBcomment\fP ] [ \fBskbinfo\fP ] .PP \fIADD\-ENTRY\fR := \fIipaddr\fR,\fImacaddr\fR .PP \fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ] [ \fBpackets\fR \fIvalue\fR ] [ \fBbytes\fR \fIvalue\fR ] [ \fBcomment\fR \fIstring\fR ] [ \fBskbmark\fR \fIvalue\fR ] [ \fBskbprio\fR \fIvalue\fR ] [ \fBskbqueue\fR \fIvalue\fR ] .PP \fIDEL\-ENTRY\fR := \fIipaddr\fR,\fImacaddr\fR .PP \fITEST\-ENTRY\fR := \fIipaddr\fR,\fImacaddr\fR .PP Examples: .IP ipset create foo hash:ip,mac .IP ipset add foo 1.1.1.1,01:02:03:04:05:06 .IP ipset test foo 1.1.1.1,01:02:03:04:05:06 .SS hash:net The \fBhash:net\fR set type uses a hash to store different sized IP network addresses. A network address with zero prefix size cannot be stored in this type of set.
.PP \fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBbucketsize\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ] [ \fBcounters\fP ] [ \fBcomment\fP ] [ \fBskbinfo\fP ] .PP \fIADD\-ENTRY\fR := \fInetaddr\fR .PP \fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ] [ \fBnomatch\fR ] [ \fBpackets\fR \fIvalue\fR ] [ \fBbytes\fR \fIvalue\fR ] [ \fBcomment\fR \fIstring\fR ] [ \fBskbmark\fR \fIvalue\fR ] [ \fBskbprio\fR \fIvalue\fR ] [ \fBskbqueue\fR \fIvalue\fR ] .PP \fIDEL\-ENTRY\fR := \fInetaddr\fR .PP \fITEST\-ENTRY\fR := \fInetaddr\fR .PP where \fInetaddr\fR := \fIip\fR[/\fIcidr\fR] .PP When adding/deleting/testing entries, if the cidr prefix parameter is not specified, then the host prefix value is assumed. When adding/deleting entries, the exact element is added/deleted and overlapping elements are not checked by the kernel. When testing entries, if a host address is tested, then the kernel tries to match the host address in the networks added to the set and reports the result accordingly. .PP From the \fBset\fR netfilter match point of view the search for a match always starts from the smallest size of netblock (most specific prefix) to the largest one (least specific prefix) added to the set. When adding/deleting IP addresses to/from the set by the \fBSET\fR netfilter target, they will be added/deleted by the most specific prefix which can be found in the set, or by the host prefix value if the set is empty. .PP The lookup time grows linearly with the number of the different prefix values added to the set. .PP Example: .IP ipset create foo hash:net .IP ipset add foo 192.168.0.0/24 .IP ipset add foo 10.1.0.0/16 .IP ipset add foo 192.168.2.0/24 .IP ipset add foo 192.168.0/30 nomatch .PP When matching the elements in the set above, all IP addresses will match from the networks 192.168.0.0/24, 10.1.0.0/16 and 192.168.2.0/24 except the ones from 192.168.0/30. (An \fBadd\fR of a network that is already in the set, e.g. 192.168.0/24 after 192.168.0.0/24, fails unless \fB\-exist\fR is given.)
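.PP The commands described above are usually combined into one refresh procedure: a blocklist is rebuilt in a scratch set, \fBswap\fR exchanges it with the live set in a single kernel operation, and \fBdestroy\fR drops the old content, so the iptables rule referencing the live set never changes and packets never see a half\-filled set. The following shell script is an added example that is not part of this manual page or the ipset project itself; it shows that procedure together with the \fBnomatch\fR exception from the \fBhash:net\fR example above and the quotation\-mark caveat from the \fBcomment\fR section. The set names \fBblocklist\fR and \fBblocklist_tmp\fR, the text list format and the \fBAPPLY\fR switch are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the ipset project): refresh a hash:net blocklist
# atomically. A scratch set is filled from a text list, "swap" then exchanges
# it with the live set in one kernel operation and "destroy" drops the old
# content. The iptables rule referencing the live set is never touched and
# packets never see a half-loaded set. Set names, the list format and the
# APPLY switch are assumptions of this example.
set -eu
set -f   # no globbing while list lines are split into fields

SET_NAME=blocklist                 # the set your "-m set --match-set" rule uses
TMP_NAME=blocklist_tmp             # scratch set; swap needs a compatible type
SET_TYPE='hash:net family inet comment'

# Constructed sample list: element, then an optional free-text reason.
# A leading "!" stores the element with the nomatch flag (an exception
# inside a blocked range). RFC 5737 documentation addresses are used.
SAMPLE_LIST='
# scanners seen this week
203.0.113.0/24     scanner range reported by the "abuse" desk
!203.0.113.0/30    partner gateway inside that range, must stay reachable
198.51.100.42
'

# build_restore_stream LIVE TMP TYPE: read the list on stdin and emit a
# restore session on stdout. Everything emitted is legal in restore mode
# (only list, help, version, restore and interactive mode are not).
build_restore_stream() {
    live=$1 tmp=$2 settype=$3
    # Both creates rely on "ipset -exist restore" on runs after the first;
    # -exist only suppresses the error when the create parameters are
    # identical, so TYPE must match how the live set was originally created.
    printf 'create %s %s\n' "$live" "$settype"
    printf 'create %s %s\n' "$tmp" "$settype"
    printf 'flush %s\n' "$tmp"      # scratch set may survive an aborted run
    while IFS= read -r line; do
        line=${line%%#*}            # strip "# ..." comments
        set -- $line                # split into fields on whitespace
        [ $# -gt 0 ] || continue
        elem=$1; shift
        flag=''
        case $elem in
            !*) elem=${elem#!}; flag=' nomatch' ;;
        esac
        # Quotation marks inside a comment break "ipset save"/"restore"
        # (the kernel accepts them, ipset's parser does not), so drop them.
        reason=$(printf '%s' "$*" | tr -d '"')
        if [ -n "$reason" ]; then
            printf 'add %s %s%s comment "%s"\n' "$tmp" "$elem" "$flag" "$reason"
        else
            printf 'add %s %s%s\n' "$tmp" "$elem" "$flag"
        fi
    done
    printf 'swap %s %s\n' "$tmp" "$live"   # atomic: old <-> new content
    printf 'destroy %s\n' "$tmp"           # now holds the old content
}

# apply_blocklist: pipe the stream into ipset. -exist makes the create lines
# idempotent; any other error aborts the session before the swap line, so
# the live set is left unchanged on bad input.
apply_blocklist() {
    build_restore_stream "$SET_NAME" "$TMP_NAME" "$SET_TYPE" | ipset -exist restore
}

if [ "${APPLY:-0}" = 1 ]; then
    printf '%s\n' "$SAMPLE_LIST" | apply_blocklist
    # "test" honours nomatch: the excepted host is reported as not in the set
    # unless the flag is given explicitly.
    ipset test "$SET_NAME" 198.51.100.42
    ipset test "$SET_NAME" 203.0.113.1 || echo "203.0.113.1 excluded by nomatch"
    ipset test "$SET_NAME" 203.0.113.0/30 nomatch
else
    # Without APPLY=1 (needs root and the ip_set kernel modules) just show
    # the session that would be fed to "ipset -exist restore".
    printf '%s\n' "$SAMPLE_LIST" | build_restore_stream "$SET_NAME" "$TMP_NAME" "$SET_TYPE"
fi
```

Run it as root with APPLY=1 to load the list; every later run replaces the set contents in one step with the same script. Because the scratch set is filled before the \fBswap\fR line, a malformed element aborts the session while the live set is still intact, and \fB\-exist\fR only covers the two \fBcreate\fR lines when their options match the existing sets exactly, so a live set created earlier with different options makes the session fail on its first line rather than silently diverge.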
.SS hash:net,net The \fBhash:net,net\fR set type uses a hash to store pairs of different sized IP network addresses. Bear in mind that the first parameter has precedence over the second, so a \fBnomatch\fR entry could potentially be ineffective if a more specific first parameter existed with a suitable second parameter. A network address with zero prefix size cannot be stored in this type of set. .PP \fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBbucketsize\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ] [ \fBcounters\fP ] [ \fBcomment\fP ] [ \fBskbinfo\fP ] .PP \fIADD\-ENTRY\fR := \fInetaddr\fR,\fInetaddr\fR .PP \fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ] [ \fBnomatch\fR ] [ \fBpackets\fR \fIvalue\fR ] [ \fBbytes\fR \fIvalue\fR ] [ \fBcomment\fR \fIstring\fR ] [ \fBskbmark\fR \fIvalue\fR ] [ \fBskbprio\fR \fIvalue\fR ] [ \fBskbqueue\fR \fIvalue\fR ] .PP \fIDEL\-ENTRY\fR := \fInetaddr\fR,\fInetaddr\fR .PP \fITEST\-ENTRY\fR := \fInetaddr\fR,\fInetaddr\fR .PP where \fInetaddr\fR := \fIip\fR[/\fIcidr\fR] .PP When adding/deleting/testing entries, if the cidr prefix parameter is not specified, then the host prefix value is assumed. When adding/deleting entries, the exact element is added/deleted and overlapping elements are not checked by the kernel. When testing entries, if a host address is tested, then the kernel tries to match the host address in the networks added to the set and reports the result accordingly. .PP From the \fBset\fR netfilter match point of view the search for a match always starts from the smallest size of netblock (most specific prefix) to the largest one (least specific prefix), with the first parameter having precedence. When adding/deleting IP addresses to/from the set by the \fBSET\fR netfilter target, they will be added/deleted by the most specific prefix which can be found in the set, or by the host prefix value if the set is empty.
.PP The lookup time grows linearly with the number of the different prefix values added to the first parameter of the set. The number of secondary prefixes further increases this as the list of secondary prefixes is traversed per primary prefix. .PP Example: .IP ipset create foo hash:net,net .IP ipset add foo 192.168.0.0/24,10.0.1.0/24 .IP ipset add foo 10.1.0.0/16,10.255.0.0/24 .IP ipset add foo 192.168.0/24,192.168.54.0-192.168.54.255 .IP ipset add foo 192.168.0/30,192.168.64/30 nomatch .PP When matching the elements in the set above, all IP addresses will match from the networks 192.168.0.0/24<->10.0.1.0/24, 10.1.0.0/16<->10.255.0.0/24 and 192.168.0/24<->192.168.54.0/24 except the ones from 192.168.0/30<->192.168.64/30. .SS hash:ip,port The \fBhash:ip,port\fR set type uses a hash to store IP address and port number pairs. The port number is interpreted together with a protocol (default TCP) and zero protocol number cannot be used. .PP \fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBbucketsize\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ] [ \fBcounters\fP ] [ \fBcomment\fP ] [ \fBskbinfo\fP ] .PP \fIADD\-ENTRY\fR := \fIipaddr\fR,[\fIproto\fR:]\fIport\fR .PP \fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ] [ \fBpackets\fR \fIvalue\fR ] [ \fBbytes\fR \fIvalue\fR ] [ \fBcomment\fR \fIstring\fR ] [ \fBskbmark\fR \fIvalue\fR ] [ \fBskbprio\fR \fIvalue\fR ] [ \fBskbqueue\fR \fIvalue\fR ] .PP \fIDEL\-ENTRY\fR := \fIipaddr\fR,[\fIproto\fR:]\fIport\fR .PP \fITEST\-ENTRY\fR := \fIipaddr\fR,[\fIproto\fR:]\fIport\fR .PP The [\fIproto\fR:]\fIport\fR part of the elements may be expressed in the following forms, where the range variations are valid when adding or deleting entries: .TP \fIportname[\-portname]\fR TCP port or range of ports expressed in TCP portname identifiers from /etc/services .TP \fIportnumber[\-portnumber]\fR TCP port or range of ports expressed in TCP port numbers 
.TP \fBtcp\fR|\fBsctp\fR|\fBudp\fR|\fBudplite\fR:\fIportname\fR|\fIportnumber\fR[\-\fIportname\fR|\fIportnumber\fR] TCP, SCTP, UDP or UDPLITE port or port range expressed in port name(s) or port number(s) .TP \fBicmp\fR:\fIcodename\fR|\fItype\fR/\fIcode\fR ICMP codename or type/code. The supported ICMP codename identifiers can always be listed by the help command. .TP \fBicmpv6\fR:\fIcodename\fR|\fItype\fR/\fIcode\fR ICMPv6 codename or type/code. The supported ICMPv6 codename identifiers can always be listed by the help command. .TP \fIproto\fR:0 All other protocols, as an identifier from /etc/protocols or number. The pseudo port number must be zero. .PP The \fBhash:ip,port\fR type of sets require two \fBsrc\fR/\fBdst\fR parameters of the \fBset\fR match and \fBSET\fR target kernel modules. .PP Examples: .IP ipset create foo hash:ip,port .IP ipset add foo 192.168.1.0/24,80\-82 .IP ipset add foo 192.168.1.1,udp:53 .IP ipset add foo 192.168.1.1,vrrp:0 .IP ipset test foo 192.168.1.1,80 .SS hash:net,port The \fBhash:net,port\fR set type uses a hash to store different sized IP network address and port pairs. The port number is interpreted together with a protocol (default TCP) and zero protocol number cannot be used. Network address with zero prefix size is not accepted either. 
.PP \fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBbucketsize\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ] [ \fBcounters\fP ] [ \fBcomment\fP ] [ \fBskbinfo\fP ] .PP \fIADD\-ENTRY\fR := \fInetaddr\fR,[\fIproto\fR:]\fIport\fR .PP \fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ] [ \fBnomatch\fR ] [ \fBpackets\fR \fIvalue\fR ] [ \fBbytes\fR \fIvalue\fR ] [ \fBcomment\fR \fIstring\fR ] [ \fBskbmark\fR \fIvalue\fR ] [ \fBskbprio\fR \fIvalue\fR ] [ \fBskbqueue\fR \fIvalue\fR ] .PP \fIDEL\-ENTRY\fR := \fInetaddr\fR,[\fIproto\fR:]\fIport\fR .PP \fITEST\-ENTRY\fR := \fInetaddr\fR,[\fIproto\fR:]\fIport\fR .PP where \fInetaddr\fR := \fIip\fR[/\fIcidr\fR] .PP For the \fInetaddr\fR part of the elements see the description at the \fBhash:net\fR set type. For the [\fIproto\fR:]\fIport\fR part of the elements see the description at the \fBhash:ip,port\fR set type. .PP When adding/deleting/testing entries, if the cidr prefix parameter is not specified, then the host prefix value is assumed. When adding/deleting entries, the exact element is added/deleted and overlapping elements are not checked by the kernel. When testing entries, if a host address is tested, then the kernel tries to match the host address in the networks added to the set and reports the result accordingly. .PP From the \fBset\fR netfilter match point of view the search for a match always starts from the smallest size of netblock (most specific prefix) to the largest one (least specific prefix) added to the set. When adding/deleting IP addresses to/from the set by the \fBSET\fR netfilter target, they will be added/deleted by the most specific prefix which can be found in the set, or by the host prefix value if the set is empty. .PP The lookup time grows linearly with the number of the different prefix values added to the set.
.PP Examples: .IP ipset create foo hash:net,port .IP ipset add foo 192.168.0/24,25 .IP ipset add foo 10.1.0.0/16,80 .IP ipset test foo 192.168.0/24,25 .SS hash:ip,port,ip The \fBhash:ip,port,ip\fR set type uses a hash to store IP address, port number and a second IP address triples. The port number is interpreted together with a protocol (default TCP) and zero protocol number cannot be used. .PP \fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBbucketsize\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ] [ \fBcounters\fP ] [ \fBcomment\fP ] [ \fBskbinfo\fP ] .PP \fIADD\-ENTRY\fR := \fIipaddr\fR,[\fIproto\fR:]\fIport\fR,\fIip\fR .PP \fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ] [ \fBpackets\fR \fIvalue\fR ] [ \fBbytes\fR \fIvalue\fR ] [ \fBcomment\fR \fIstring\fR ] [ \fBskbmark\fR \fIvalue\fR ] [ \fBskbprio\fR \fIvalue\fR ] [ \fBskbqueue\fR \fIvalue\fR ] .PP \fIDEL\-ENTRY\fR := \fIipaddr\fR,[\fIproto\fR:]\fIport\fR,\fIip\fR .PP \fITEST\-ENTRY\fR := \fIipaddr\fR,[\fIproto\fR:]\fIport\fR,\fIip\fR .PP For the first \fIipaddr\fR and [\fIproto\fR:]\fIport\fR parts of the elements see the descriptions at the \fBhash:ip,port\fR set type. .PP The \fBhash:ip,port,ip\fR type of sets require three \fBsrc\fR/\fBdst\fR parameters of the \fBset\fR match and \fBSET\fR target kernel modules. .PP Examples: .IP ipset create foo hash:ip,port,ip .IP ipset add foo 192.168.1.1,80,10.0.0.1 .IP ipset test foo 192.168.1.1,udp:53,10.0.0.1 .SS hash:ip,port,net The \fBhash:ip,port,net\fR set type uses a hash to store IP address, port number and IP network address triples. The port number is interpreted together with a protocol (default TCP) and zero protocol number cannot be used. Network address with zero prefix size cannot be stored either. 
.PP \fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBbucketsize\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ] [ \fBcounters\fP ] [ \fBcomment\fP ] [ \fBskbinfo\fP ] .PP \fIADD\-ENTRY\fR := \fIipaddr\fR,[\fIproto\fR:]\fIport\fR,\fInetaddr\fR .PP \fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ] [ \fBnomatch\fR ] [ \fBpackets\fR \fIvalue\fR ] [ \fBbytes\fR \fIvalue\fR ] [ \fBcomment\fR \fIstring\fR ] [ \fBskbmark\fR \fIvalue\fR ] [ \fBskbprio\fR \fIvalue\fR ] [ \fBskbqueue\fR \fIvalue\fR ] .PP \fIDEL\-ENTRY\fR := \fIipaddr\fR,[\fIproto\fR:]\fIport\fR,\fInetaddr\fR .PP \fITEST\-ENTRY\fR := \fIipaddr\fR,[\fIproto\fR:]\fIport\fR,\fInetaddr\fR .PP where \fInetaddr\fR := \fIip\fR[/\fIcidr\fR] .PP For the \fIipaddr\fR and [\fIproto\fR:]\fIport\fR parts of the elements see the descriptions at the \fBhash:ip,port\fR set type. For the \fInetaddr\fR part of the elements see the description at the \fBhash:net\fR set type. .PP From the \fBset\fR netfilter match point of view the searching for a match always starts from the smallest size of netblock (most specific cidr) to the largest one (least specific cidr) added to the set. When adding/deleting triples to the set by the \fBSET\fR netfilter target, it will be added/deleted by the most specific cidr which can be found in the set, or by the host cidr value if the set is empty. .PP The lookup time grows linearly with the number of the different \fIcidr\fR values added to the set. .PP The \fBhash:ip,port,net\fR type of sets require three \fBsrc\fR/\fBdst\fR parameters of the \fBset\fR match and \fBSET\fR target kernel modules. .PP Examples: .IP ipset create foo hash:ip,port,net .IP ipset add foo 192.168.1,80,10.0.0/24 .IP ipset add foo 192.168.2,25,10.1.0.0/16 .IP ipset test foo 192.168.1,80,10.0.0/24 .SS hash:ip,mark The \fBhash:ip,mark\fR set type uses a hash to store IP address and packet mark pairs.
.PP \fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] [ \fBmarkmask\fR \fIvalue\fR ] [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBbucketsize\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ] [ \fBcounters\fP ] [ \fBcomment\fP ] [ \fBskbinfo\fP ] .PP \fIADD\-ENTRY\fR := \fIipaddr\fR,\fImark\fR .PP \fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ] [ \fBpackets\fR \fIvalue\fR ] [ \fBbytes\fR \fIvalue\fR ] [ \fBcomment\fR \fIstring\fR ] [ \fBskbmark\fR \fIvalue\fR ] [ \fBskbprio\fR \fIvalue\fR ] [ \fBskbqueue\fR \fIvalue\fR ] .PP \fIDEL\-ENTRY\fR := \fIipaddr\fR,\fImark\fR .PP \fITEST\-ENTRY\fR := \fIipaddr\fR,\fImark\fR .PP Optional \fBcreate\fR options: .TP \fBmarkmask\fR \fIvalue\fR Allows you to select the bits of the packet mark you are interested in. This value is then used to perform a bitwise AND operation on every mark added. markmask can be any value between 1 and 4294967295; by default all 32 bits are set. .PP The \fImark\fR can be any value between 0 and 4294967295. .PP The \fBhash:ip,mark\fR type of sets require two \fBsrc\fR/\fBdst\fR parameters of the \fBset\fR match and \fBSET\fR target kernel modules. .PP Examples: .IP ipset create foo hash:ip,mark .IP ipset add foo 192.168.1.0/24,555 .IP ipset add foo 192.168.1.1,0x63 .IP ipset add foo 192.168.1.1,111236 .SS hash:net,port,net The \fBhash:net,port,net\fR set type behaves similarly to \fBhash:ip,port,net\fR but accepts a cidr value for both the first and last parameter. Either subnet is permitted to be a /0 should you wish to match the port between all destinations.
.PP \fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBbucketsize\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ] [ \fBcounters\fP ] [ \fBcomment\fP ] [ \fBskbinfo\fP ] .PP \fIADD\-ENTRY\fR := \fInetaddr\fR,[\fIproto\fR:]\fIport\fR,\fInetaddr\fR .PP \fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ] [ \fBnomatch\fR ] [ \fBpackets\fR \fIvalue\fR ] [ \fBbytes\fR \fIvalue\fR ] [ \fBcomment\fR \fIstring\fR ] [ \fBskbmark\fR \fIvalue\fR ] [ \fBskbprio\fR \fIvalue\fR ] [ \fBskbqueue\fR \fIvalue\fR ] .PP \fIDEL\-ENTRY\fR := \fInetaddr\fR,[\fIproto\fR:]\fIport\fR,\fInetaddr\fR .PP \fITEST\-ENTRY\fR := \fInetaddr\fR,[\fIproto\fR:]\fIport\fR,\fInetaddr\fR .PP where \fInetaddr\fR := \fIip\fR[/\fIcidr\fR] .PP For the [\fIproto\fR:]\fIport\fR part of the elements see the description at the \fBhash:ip,port\fR set type. For the \fInetaddr\fR part of the elements see the description at the \fBhash:net\fR set type. .PP From the \fBset\fR netfilter match point of view the searching for a match always starts from the smallest size of netblock (most specific cidr) to the largest one (least specific cidr) added to the set. When adding/deleting triples to the set by the \fBSET\fR netfilter target, it will be added/deleted by the most specific cidr which can be found in the set, or by the host cidr value if the set is empty. The first subnet has precedence when performing the most-specific lookup, just as for \fBhash:net,net\fR. .PP The lookup time grows linearly with the number of the different \fIcidr\fR values added to the set and with the number of secondary \fIcidr\fR values per primary. .PP The \fBhash:net,port,net\fR type of sets require three \fBsrc\fR/\fBdst\fR parameters of the \fBset\fR match and \fBSET\fR target kernel modules.
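The most-specific-first lookup described above for hash:net,port, hash:ip,port,net and hash:net,port,net, modelled as an added Python illustration that is not part of ipset or its kernel code: one bucket per (cidr1, cidr2) pair, the primary cidr taking precedence, and a probe counter that shows why lookup time grows with the number of cidr pairs. The class and method names, the probe counter and all entries are constructed for this example.

```python
import ipaddress

DEFAULT_PROTO = "tcp"  # ipset interprets a bare port number as TCP


class HashNetPortNet:
    """Toy model of the hash:net,port,net lookup order (added illustration,
    not ipset's kernel code): one bucket per (cidr1, cidr2) pair, searched
    from the most specific pair to the least specific one."""

    def __init__(self):
        self.buckets = {}  # (cidr1, cidr2) -> {(net1, proto, port, net2)}

    @staticmethod
    def _key(net1, proto, port, net2):
        return (ipaddress.ip_network(net1, strict=False), proto.lower(),
                int(port), ipaddress.ip_network(net2, strict=False))

    def add(self, net1, port, net2, proto=DEFAULT_PROTO):
        """ipset add: store the exact element; overlaps are not checked."""
        key = self._key(net1, proto, port, net2)
        pair = (key[0].prefixlen, key[3].prefixlen)
        self.buckets.setdefault(pair, set()).add(key)

    def cidr_pairs(self):
        """Search order: primary cidr descending, then secondary descending,
        so the first subnet has precedence (as for hash:net,net)."""
        return sorted(self.buckets, reverse=True)

    def test(self, ip1, port, ip2, proto=DEFAULT_PROTO):
        """ipset test for a host,port,host triple. Returns the matching
        element (as strings) or None, plus how many buckets were probed:
        the probe count is what grows with the number of cidr pairs."""
        a1, a2 = ipaddress.ip_address(ip1), ipaddress.ip_address(ip2)
        probes = 0
        for c1, c2 in self.cidr_pairs():
            probes += 1
            key = (ipaddress.ip_network((a1, c1), strict=False), proto.lower(),
                   int(port), ipaddress.ip_network((a2, c2), strict=False))
            if key in self.buckets[(c1, c2)]:
                return (str(key[0]), f"{key[1]}:{key[2]}", str(key[3])), probes
        return None, probes


if __name__ == "__main__":
    s = HashNetPortNet()
    # Constructed entries; a /0 secondary subnet is allowed for this type.
    s.add("192.168.1.0/24", 80, "0.0.0.0/0")
    s.add("192.168.0.0/16", 80, "10.0.0.0/8")
    s.add("192.168.2.0/24", 25, "10.1.0.0/16")
    print(s.test("192.168.1.1", 80, "10.0.0.1"))   # /24 primary wins over /16
    print(s.test("192.168.9.9", 80, "10.0.0.1"))   # falls through to /16,/8
    print(s.test("192.168.2.5", 25, "10.1.2.3", proto="udp"))  # proto differs
```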
.PP Examples: .IP ipset create foo hash:net,port,net .IP ipset add foo 192.168.1.0/24,0,10.0.0/24 .IP ipset add foo 192.168.2.0/24,25,10.1.0.0/16 .IP ipset test foo 192.168.1.1,80,10.0.0.1 .SS hash:net,iface The \fBhash:net,iface\fR set type uses a hash to store different sized IP network address and interface name pairs. .PP \fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBbucketsize\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ] [ \fBcounters\fP ] [ \fBcomment\fP ] [ \fBskbinfo\fP ] .PP \fIADD\-ENTRY\fR := \fInetaddr\fR,[\fBphysdev\fR:]\fIiface\fR .PP \fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ] [ \fBnomatch\fR ] [ \fBpackets\fR \fIvalue\fR ] [ \fBbytes\fR \fIvalue\fR ] [ \fBcomment\fR \fIstring\fR ] [ \fBskbmark\fR \fIvalue\fR ] [ \fBskbprio\fR \fIvalue\fR ] [ \fBskbqueue\fR \fIvalue\fR ] [ \fBwildcard\fR ] .PP \fIDEL\-ENTRY\fR := \fInetaddr\fR,[\fBphysdev\fR:]\fIiface\fR .PP \fITEST\-ENTRY\fR := \fInetaddr\fR,[\fBphysdev\fR:]\fIiface\fR .PP where \fInetaddr\fR := \fIip\fR[/\fIcidr\fR] .PP For the \fInetaddr\fR part of the elements see the description at the \fBhash:net\fR set type. .PP When adding/deleting/testing entries, if the cidr prefix parameter is not specified, then the host prefix value is assumed. When adding/deleting entries, the exact element is added/deleted and overlapping elements are not checked by the kernel. When testing entries, if a host address is tested, then the kernel tries to match the host address in the networks added to the set and reports the result accordingly. .PP From the \fBset\fR netfilter match point of view the searching for a match always starts from the smallest size of netblock (most specific prefix) to the largest one (least specific prefix) added to the set. 
When adding/deleting IP addresses to the set by the \fBSET\fR netfilter target, it will be added/deleted by the most specific prefix which can be found in the set, or by the host prefix value if the set is empty. .PP The second direction parameter of the \fBset\fR match and \fBSET\fR target modules corresponds to the incoming/outgoing interface: \fBsrc\fR to the incoming one (similar to the \fB\-i\fR flag of iptables), while \fBdst\fR to the outgoing one (similar to the \fB\-o\fR flag of iptables). When the interface is flagged with \fBphysdev:\fR, the interface is interpreted as the incoming/outgoing bridge port. .PP The lookup time grows linearly with the number of the different prefix values added to the set. .PP The internal restriction of the \fBhash:net,iface\fR set type is that the same network prefix cannot be stored with more than 64 different interfaces in a single set. .PP Examples: .IP ipset create foo hash:net,iface .IP ipset add foo 192.168.0/24,eth0 .IP ipset add foo 10.1.0.0/16,eth1 .IP ipset test foo 192.168.0/24,eth0 .SS list:set The \fBlist:set\fR type uses a simple list in which you can store set names. .PP \fICREATE\-OPTIONS\fR := [ \fBsize\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ] [ \fBcounters\fP ] [ \fBcomment\fP ] [ \fBskbinfo\fP ] .PP \fIADD\-ENTRY\fR := \fIsetname\fR [ { \fBbefore\fR | \fBafter\fR } \fIsetname\fR ] .PP \fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ] [ \fBpackets\fR \fIvalue\fR ] [ \fBbytes\fR \fIvalue\fR ] [ \fBcomment\fR \fIstring\fR ] [ \fBskbmark\fR \fIvalue\fR ] [ \fBskbprio\fR \fIvalue\fR ] [ \fBskbqueue\fR \fIvalue\fR ] .PP \fIDEL\-ENTRY\fR := \fIsetname\fR [ { \fBbefore\fR | \fBafter\fR } \fIsetname\fR ] .PP \fITEST\-ENTRY\fR := \fIsetname\fR [ { \fBbefore\fR | \fBafter\fR } \fIsetname\fR ] .PP Optional \fBcreate\fR options: .TP \fBsize\fR \fIvalue\fR The size of the list, the default is 8. The parameter is ignored since ipset version 6.24. 
.PP By the \fBipset\fR command you can add, delete and test set names in a \fBlist:set\fR type of set. .PP By the \fBset\fR match or \fBSET\fR target of netfilter you can test, add or delete entries in the sets added to the \fBlist:set\fR type of set. The match will try to find a matching entry in the sets and the target will try to add an entry to the first set to which it can be added. The number of direction options of the match and target is important: sets which require more parameters than specified are skipped, while sets with equal or fewer parameters are checked and their elements added/deleted. For example, if \fIa\fR and \fIb\fR are \fBlist:set\fR type of sets, then in the command .IP iptables \-m set \-\-match\-set a src,dst \-j SET \-\-add\-set b src,dst .PP the match and target will skip any set in \fIa\fR and \fIb\fR which stores data triples, but will check all sets with single or double data storage in the \fIa\fR set and stop matching at the first successful set, and add src to the first single or src,dst to the first double data storage set in \fIb\fR to which the entry can be added. You can imagine a \fBlist:set\fR type of set as an ordered union of the set elements. .PP Please note: by the \fBipset\fR command you can add, delete and \fBtest\fR the setnames in a \fBlist:set\fR type of set, and \fBnot\fR the presence of a set's member (such as an IP address). .SH "GENERAL RESTRICTIONS" Zero valued set entries cannot be used with hash methods. Zero protocol value with ports cannot be used. .SH "COMMENTS" If you want to store same size subnets from a given network (say /24 blocks from a /8 network), use the \fBbitmap:ip\fR set type. If you want to store random same size networks (say random /24 blocks), use the \fBhash:ip\fR set type. If you have got netblocks of random size, use \fBhash:net\fR.
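The list:set rule from the section above (sets needing more src/dst parameters than the match or target supplies are skipped, the others are checked in list order), modelled as an added Python illustration that is not part of ipset or netfilter. Member names, dimensions, the maxelem limit used to decide whether an entry "can be added", and all elements are constructed for this example.

```python
from dataclasses import dataclass, field


@dataclass
class Member:
    """One set referenced from a list:set: its name, how many src/dst
    parameters its type needs (hash:ip 1, hash:ip,port 2, hash:ip,port,ip 3)
    and a maxelem limit that decides whether an entry can still be added."""
    name: str
    dim: int
    maxelem: int = 65536
    elems: set = field(default_factory=set)


class ListSet:
    """Toy model of list:set under the set match and SET target (added
    illustration, not the kernel code): the list is walked in order and
    sets needing more parameters than were given are skipped."""

    def __init__(self, members):
        self.members = list(members)

    def match(self, params):
        """-m set --match-set LIST params: name of the first member holding
        the leading dim parameters, or None (stops at the first hit)."""
        for m in self.members:
            if m.dim > len(params):
                continue  # e.g. a triple-storing set skipped for src,dst
            if tuple(params[:m.dim]) in m.elems:
                return m.name
        return None

    def add(self, params):
        """-j SET --add-set LIST params: add the leading dim parameters to
        the first member that accepts them; returns its name or None."""
        for m in self.members:
            if m.dim > len(params):
                continue
            entry = tuple(params[:m.dim])
            if entry not in m.elems and len(m.elems) >= m.maxelem:
                continue  # full: try the next set in the list
            m.elems.add(entry)
            return m.name
        return None


if __name__ == "__main__":
    # Constructed members; the list order is the match/add order.
    a = ListSet([Member("triples", 3, elems={("10.0.0.5", "tcp:80", "10.9.9.9")}),
                 Member("hosts", 1, elems={("10.0.0.5",)}),
                 Member("host_port", 2, elems={("10.0.0.6", "tcp:80")})])
    print(a.match(["10.0.0.6", "tcp:80"]))  # src,dst: triples skipped -> host_port
    b = ListSet([Member("full_hosts", 1, maxelem=1, elems={("192.0.2.1",)}),
                 Member("pairs", 2)])
    print(b.add(["10.0.0.7", "tcp:25"]))    # full_hosts is full -> pairs
```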
.PP Matching on destination MAC addresses using the \fBdst\fR parameter of the \fBset\fR match netfilter kernel modules will only work if the destination MAC address is available in the packet at the given processing stage, that is, it only applies for incoming packets in the \fBPREROUTING\fR, \fBINPUT\fR and \fBFORWARD\fR chains, against the MAC address as originally found in the received packet (typically, one of the MAC addresses of the local host). This is \fBnot\fR the destination MAC address a destination IP address resolves to, after routing. If the MAC address is not available (e.g. in the \fBOUTPUT\fR chain), the packet will simply not match. .PP Backward compatibility is maintained and old \fBipset\fR syntax is still supported. .PP The \fBiptree\fR and \fBiptreemap\fR set types are removed: if you refer to them, they are automatically replaced by \fBhash:ip\fR type of sets. .SH "DIAGNOSTICS" Various error messages are printed to standard error. The exit code is 0 for correct functioning. .SH "BUGS" Bugs? No, just funny features. :\-) OK, just kidding... .SH "SEE ALSO" \fBiptables\fR(8), \fBip6tables\fR(8), \fBiptables\-extensions\fR(8) .SH "AUTHORS" Jozsef Kadlecsik wrote ipset, which is based on ippool by Joakim Axelsson, Patrick Schaaf and Martin Josefsson. .br Sven Wegener wrote the iptreemap type. .SH "LAST REMARK" \fBI stand on the shoulders of giants.\fR