author | Vytas Dauksa <vytas.dauksa@smoothwall.net> | 2013-12-17 14:01:43 +0000 |
---|---|---|
committer | Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> | 2014-01-08 21:02:54 +0100 |
commit | 14ea38fca9e40df4f172a573c222591b5f3cc241 (patch) | |
tree | 5f0e1cd46a19bbb6b54de73494971c35f4c329ae /src | |
parent | 8a88bdf50b448e221a8b0b6a5c8446ebafcefa19 (diff) | |
download | ipset-14ea38fca9e40df4f172a573c222591b5f3cc241.tar.gz |
add hash:ip,mark data type to ipset
Introduce packet mark support with new ip,mark hash set. This includes
userspace and kernelspace code, hash:ip,mark set tests and man page
updates.
The intended use of ip,mark set is similar to the ip:port type, but for
protocols which don't use a predictable port number. Instead of port
number it matches a firewall mark determined by a layer 7 filtering
program like opendpi.
As well as allowing or blocking traffic it will also be used for
accounting packets and bytes sent for each protocol.
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Diffstat (limited to 'src')
-rw-r--r-- | src/ipset.8 | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/src/ipset.8 b/src/ipset.8 index b5c145c..e2b39fd 100644 --- a/src/ipset.8 +++ b/src/ipset.8 
@@ -878,6 +878,55 @@ ipset add foo 192.168.1,80,10.0.0/24 ipset add foo 192.168.2,25,10.1.0.0/16 .IP ipset test foo 192.168.1,80.10.0.0/24 +.SS hash:ip,mark +The \fBhash:ip,mark\fR set type uses a hash to store IP address and packet mark pairs. +.PP +\fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] | [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ] [ \fBcounters\fP ] [ \fBcomment\fP ] +.PP +\fIADD\-ENTRY\fR := \fIipaddr\fR,\fImark\fR +.PP +\fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ] [ \fBpackets\fR \fIvalue\fR ] [ \fBbytes\fR \fIvalue\fR ] [ \fBcomment\fR \fIstring\fR ] +.PP +\fIDEL\-ENTRY\fR := \fIipaddr\fR,\fImark\fR +.PP +\fITEST\-ENTRY\fR := \fIipaddr\fR,\fImark\fR +.PP +Optional \fBcreate\fR options: +.TP +\fBfamily\fR { \fBinet\fR | \fBinet6\fR } +The protocol family of the IP addresses to be stored in the set. The default is +\fBinet\fR, i.e IPv4. +.TP +\fBhashsize\fR \fIvalue\fR +The initial hash size for the set, default is 1024. The hash size must be a power +of two, the kernel automatically rounds up non power of two hash sizes to the first +correct value +.TP +\fBmaxelem\fR \fIvalue\fR +The maximal number of elements which can be stored in the set, default 65536. +.PP +For the \fBinet\fR family one can add or delete multiple entries by specifying +a range or a network of IPv4 addresses in the IP address part of the entry: +.PP +\fIipaddr\fR := { \fIip\fR | \fIfromaddr\fR\-\fItoaddr\fR | \fIip\fR/\fIcidr\fR } +.PP +The +\fImark\fR +can be any value between 0 and 4294967295. +.PP +The \fBhash:ip,mark\fR type of sets require +two \fBsrc\fR/\fBdst\fR parameters of the \fBset\fR match and \fBSET\fR +target kernel modules. 
+.PP +Examples: +.IP +ipset create foo hash:ip,mark +.IP +ipset add foo 192.168.1.0/24,555 +.IP +ipset add foo 192.168.1.1,0x63 +.IP +ipset add foo 192.168.1.1,111236 .SS hash:net,port,net The \fBhash:net,port,net\fR set type behaves similarly to hash:ip,port,net but accepts a cidr value for both the first and last parameter. Either subnet is permitted to be a /0 |
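Review bot: the CREATE-OPTIONS grammar in the new hash:ip,mark section has a stray `|` between the family and hashsize alternatives (`[ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] | [ \fBhashsize\fR \fIvalue\fR ]`), which reads as "family or hashsize" when the two are independent optional keywords; drop the `|` so the line matches the `[ ... ] [ ... ]` form used for the remaining options. The same grammar lists `timeout`, `counters` and `comment` as create options, but the "Optional create options" list below only describes `family`, `hashsize` and `maxelem`; either describe the other three here or point the reader to wherever the man page covers them, so the mark range paragraph and the `counters`-dependent `packets`/`bytes` add options do not look unexplained. Minor: the `hashsize` paragraph ends without a full stop ("to the first correct value"), and "The hash:ip,mark type of sets require" should be "requires".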