path: root/extensions/libxt_set.man
blob: ac60f14817f8304e1532e7832782a57ab3e6e48d (plain)
This module matches IP sets which can be defined by ipset(8).
.TP
[\fB!\fP] \fB\-\-match\-set\fP \fIsetname\fP \fIflag\fP[\fB,\fP\fIflag\fP]...
where flags are the comma-separated list of
.BR "src"
and/or
.BR "dst"
specifications and there can be no more than six of them. Hence the command
.IP
 iptables \-A FORWARD \-m set \-\-match\-set test src,dst
.IP
will match packets, for which (if the set type is ipportmap) the source
address and destination port pair can be found in the specified set. If
the set type of the specified set is single dimension (for example ipmap),
then the command will match packets for which the source address can be
found in the specified set.
.TP
\fB\-\-return\-nomatch\fP
If the \fB\-\-return\-nomatch\fP option is specified and the set type
supports the \fBnomatch\fP flag, then the matching is reversed: a match
with an element flagged with \fBnomatch\fP returns \fBtrue\fP, while a
match with a plain element returns \fBfalse\fP.
.PP
The option \fB\-\-match\-set\fP can be replaced by \fB\-\-set\fP if that does
not clash with an option of other extensions.
.PP
Use of \fB\-m set\fP requires ipset support in the kernel, which standard
kernels provide since Linux 2.6.39.
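.PP
The following shell helper is an added example and is not part of this man page or of the iptables project's own code. It composes a \fB\-m set \-\-match\-set\fP rule from a chain, a set name and a flag list, rejecting anything that violates the two constraints stated above (each flag must be \fBsrc\fP or \fBdst\fP, and there may be no more than six). The function name, the chain and set names, the \fBhash:ip,port\fP set and the 192.0.2.10 entry in the comments are constructed for illustration; the helper only prints the rule text and never touches the kernel.

```shell
#!/bin/sh
# Added example, not part of the iptables man page source or the iptables
# project's own code. set_match_rule prints an "iptables ... -m set
# --match-set" rule after checking the flag list against the constraints the
# man page states: every flag is "src" or "dst", and there are between one
# and six of them. It only prints text; applying the rule is the caller's job.

set_match_rule() {
  # $1 = chain, $2 = set name, $3 = comma-separated flags such as src,dst
  chain=$1
  setname=$2
  flags=$3
  count=0
  old_ifs=$IFS
  IFS=','
  for flag in $flags; do
    case $flag in
      src|dst) count=$((count + 1)) ;;
      *)
        IFS=$old_ifs
        echo "set_match_rule: flag '$flag' is not src or dst" >&2
        return 1
        ;;
    esac
  done
  IFS=$old_ifs
  if [ "$count" -lt 1 ] || [ "$count" -gt 6 ]; then
    echo "set_match_rule: need between 1 and 6 flags, got $count" >&2
    return 1
  fi
  printf 'iptables -A %s -m set --match-set %s %s\n' "$chain" "$setname" "$flags"
}

# Constructed usage on a host with ipset and iptables installed (set name,
# chain and address are illustrative):
#   ipset create test hash:ip,port         # two-dimensional set (address, port)
#   ipset add test 192.0.2.10,tcp:443      # sample entry, documentation address
#   eval "$(set_match_rule FORWARD test src,dst) -j DROP"
# With src,dst the packet's source address and destination port are looked
# up as a pair in the two-dimensional set, as the man page describes.
set_match_rule FORWARD test src,dst
```

The flag count matters because each flag selects one dimension of the set lookup; a flag list longer than the set's dimension, or one with more than six entries, is an error rather than a silently widened match, so checking it before the rule is applied avoids loading a rule that does not do what the operator intended.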