author    Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>  2009-06-11 12:27:09 +0200
committer Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>  2009-06-11 12:27:09 +0200
commit    2d280014e281b520280b1a11662aea0da2ffc59c (patch)
tree      327ecdfa09c25638e94e73f6e81689b44befb600 /extensions/libipt_set.man
parent    ecd48dd6ba534deea7fd4d0ce20c7b5c00f4128f (diff)
Updated set/SET match and target to support multiple ipset protocols.
By checking the protocol version of the kernel part, the sockopt type of ipset protocols are all supported. Forward compatibility with the netlink based protocol is missing. The --set option of the set match is replaced by --match-set to avoid clashing with the recent match, but the old option is also kept. Manpages are updated, references to bindings removed.
Diffstat (limited to 'extensions/libipt_set.man')
-rw-r--r--  extensions/libipt_set.man  26
1 file changed, 14 insertions, 12 deletions
diff --git a/extensions/libipt_set.man b/extensions/libipt_set.man
index 0df73c12..6df6b29d 100644
--- a/extensions/libipt_set.man
+++ b/extensions/libipt_set.man
@@ -1,17 +1,19 @@
This modules macthes IP sets which can be defined by ipset(8).
.TP
-[\fB!\fP] \fB\-\-set\fP \fIsetname\fP \fIflag\fP[\fB,\fP\fIflag\fP]...
-where flags are
+[\fB!\fP] \fB\-\-match\-set\fP \fIsetname\fP \fIflag\fP[\fB,\fP\fIflag\fP]...
+where flags are the comma separated list of
.BR "src"
and/or
.BR "dst"
-and there can be no more than six of them. Hence the command
-.nf
- iptables \-A FORWARD \-m set \-\-set test src,dst
-.fi
-will match packets, for which (depending on the type of the set) the source
-address or port number of the packet can be found in the specified set. If
-there is a binding belonging to the mached set element or there is a default
-binding for the given set, then the rule will match the packet only if
-additionally (depending on the type of the set) the destination address or
-port number of the packet can be found in the set according to the binding.
+specifications and there can be no more than six of them. Hence the command
+.IP
+ iptables \-A FORWARD \-m set \-\-match\-set test src,dst
+.IP
+will match packets, for which (if the set type is ipportmap) the source
+address and destination port pair can be found in the specified set. If
+the set type of the specified set is single dimension (for example ipmap),
+then the command will match packets for which the source address can be
+found in the specified set.
+.PP
+The option \fB\-\-match\-set\fR can be replaced by \fB\-\-set\fR if that does
+not clash with an option of other extensions.
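Review bot: the unchanged first line of the hunk still reads "This modules macthes IP sets" (should be "This module matches IP sets"); since this patch rewrites the rest of that paragraph, it should fix those two typos too rather than leaving the man page opening with them. Also, swapping the `.nf`/`.fi` pair for bare `.IP` around the example command drops no-fill mode, so the line ` iptables \-A FORWARD \-m set \-\-match\-set test src,dst` may be reflowed by the formatter; keeping `.nf`/`.fi` inside the `.IP` block preserves the command verbatim.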