diff options
Diffstat (limited to 'extensions/libipt_set.man')
-rw-r--r-- | extensions/libipt_set.man | 26 |
1 files changed, 14 insertions, 12 deletions
diff --git a/extensions/libipt_set.man b/extensions/libipt_set.man index 0df73c12..6df6b29d 100644 --- a/extensions/libipt_set.man +++ b/extensions/libipt_set.man @@ -1,17 +1,19 @@ This modules macthes IP sets which can be defined by ipset(8). .TP -[\fB!\fP] \fB\-\-set\fP \fIsetname\fP \fIflag\fP[\fB,\fP\fIflag\fP]... -where flags are +[\fB!\fP] \fB\-\-match\-set\fP \fIsetname\fP \fIflag\fP[\fB,\fP\fIflag\fP]... +where flags are the comma separated list of .BR "src" and/or .BR "dst" -and there can be no more than six of them. Hence the command -.nf - iptables \-A FORWARD \-m set \-\-set test src,dst -.fi -will match packets, for which (depending on the type of the set) the source -address or port number of the packet can be found in the specified set. If -there is a binding belonging to the mached set element or there is a default -binding for the given set, then the rule will match the packet only if -additionally (depending on the type of the set) the destination address or -port number of the packet can be found in the set according to the binding. +specifications and there can be no more than six of them. Hence the command +.IP + iptables \-A FORWARD \-m set \-\-match\-set test src,dst +.IP +will match packets, for which (if the set type is ipportmap) the source +address and destination port pair can be found in the specified set. If +the set type of the specified set is single dimension (for example ipmap), +then the command will match packets for which the source address can be +found in the specified set. +.PP +The option \fB\-\-match\-set\fR can be replaced by \fB\-\-set\fR if that does +not clash with an option of other extensions. |