Diffstat (limited to 'ipset.8')
-rw-r--r-- ipset.8 | 144
1 files changed, 48 insertions, 96 deletions
@@ -26,13 +26,11 @@ ipset \- administration tool for IP sets .br .BR "ipset -[EW] " "from-set to-set" .br -.BR "ipset -[ADU] " "set entry" -.br -.BR "ipset -B " "set entry -b binding" -.br -.BR "ipset -T " "set entry [-b binding]" +.BR "ipset -[ADT] " "set entry" .br .BR "ipset -R " +.br +.BR "ipset -[Vv] " .SH DESCRIPTION .B ipset is used to set up, maintain and inspect so called IP sets in the Linux @@ -40,19 +38,9 @@ kernel. Depending on the type, an IP set may store IP addresses, (TCP/UDP) port numbers or additional informations besides IP addresses: the word IP means a general term here. See the set type definitions below. .P -Any entry in a set can be bound to another set, which forms a relationship -between a set element and the set it is bound to. In order to define a -binding it is not required that the entry be already added to the set. -The sets may have a default binding, which is valid for every set element -for which there is no binding defined at all. -.P -IP set bindings pointing to sets and iptables matches and targets -referring to sets creates references, which protects the given sets in -the kernel. A set cannot be removed (destroyed) while there is a single -reference pointing to it. -.P -.B -Please note, binding sets is a deprecated feature and will be removed in a later release. Switch to the multidata type of sets from using bindings. +Iptables matches and targets referring to sets creates references, which +protects the given sets in the kernel. A set cannot be removed (destroyed) +while there is a single reference pointing to it. .SH OPTIONS The options that are recognized by .B ipset 
@@ -70,21 +58,13 @@ Create a set identified with setname and specified type. Type-specific options must be supplied. .TP .BI "-X, --destroy " "[\fIsetname\fP]" -Destroy the specified set, or all sets if none or the keyword -.B -:all: -is specified. -Before destroying the set, all bindings belonging to the -set elements and the default binding of the set are removed. +Destroy the specified set or all the sets if none is given. If the set has got references, nothing is done. .TP .BI "-F, --flush " "[\fIsetname\fP]" -Delete all entries from the specified set, or flush -all sets if none or the keyword -.B -:all: -is given. Bindings are not affected by the flush operation. +Delete all entries from the specified set or flush +all sets if none is given. .TP .BI "-E, --rename " "\fIfrom-setname\fP \fIto-setname\fP" Rename a set. Set identified by to-setname must not exist. 
@@ -95,102 +75,63 @@ exchange the name of two sets. The referred sets must exist and identical type of sets can be swapped only. .TP .BI "-L, --list " "[\fIsetname\fP]" -List the entries and bindings for the specified set, or for -all sets if none or the keyword -.B -:all: -is given. The -.B "-n, --numeric" -option can be used to suppress name lookups and generate numeric -output. When the +List the entries for the specified set, or for +all sets if none is given. The +.B "-r, --resolve" +option can be used to force name lookups (which may be slow). When the .B "-s, --sorted" option is given, the entries are listed sorted (if the given set type supports the operation). .TP .BI "-S, --save " "[\fIsetname\fP]" -Save the given set, or all sets if none or the keyword -.B -:all: -is specified to stdout in a format that --restore can read. +Save the given set, or all sets if none is given +to stdout in a format that --restore can read. .TP .BI "-R, --restore " Restore a saved session generated by --save. The saved session can be fed from stdin. When generating a session file please note that the supported commands -(create set, add element, bind) must appear in a strict order: first create +(create set and add element) must appear in a strict order: first create the set, then add all elements. Then create the next set, add all its elements -and so on. Finally you can list all binding commands. Also, it is a restore -operation, so the sets being restored must not exist. +and so on. Also, it is a restore operation, so the sets being restored must +not exist. .TP .BI "-A, --add " "\fIsetname\fP \fIIP\fP" -Add an IP to a set. +Add an IP entry to a set. .TP .BI "-D, --del " "\fIsetname\fP \fIIP\fP" -Delete an IP from a set. +Delete an IP entry from a set. .TP .BI "-T, --test " "\fIsetname\fP \fIIP -Test wether an IP is in a set or not. Exit status number is zero +Test wether an IP entry is in a set or not. 
Exit status number is zero if the tested IP is in the set and nonzero if it is missing from the set. .TP -.BI "-T, --test " "\fIsetname\fP \fIIP\fP \fI--binding\fP \fIto-setname\fP" -Test wether the IP belonging to the set points to the specified binding. -Exit status number is zero if the binding points to the specified set, -otherwise it is nonzero. The keyword -.B -:default: -can be used to test the default binding of the set. -.TP -.BI "-B, --bind " "\fIsetname\fP \fIIP\fP \fI--binding\fP \fIto-setname\fP" -Bind the IP in setname to to-setname. -.TP -.BI "-U, --unbind " "\fIsetname\fP \fIIP\fP" -Delete the binding belonging to IP in set setname. -.TP .BI "-H, --help " "[settype]" Print help and settype specific help if settype specified. +.TP +.BI "-V, -v, --version " +Print program version and protocol version. .P -At the -.B --B, -U -and -.B --T -commands you can use the token -.B -:default: -to bind, unbind or test the default binding of a set instead -of an IP. At the -.B --U -command you can use the token -.B -:all: -to destroy the bindings of all elements of a set. .SS "OTHER OPTIONS" The following additional options can be specified: .TP -.B "-b, --binding setname" -The option specifies the value of the binding for the -.B "-B" -binding command, for which it is a mandatory option. -You can use it in the -.B "-T" -test command as well to test bindings. +.B "-r, --resolve" +When listing sets, enforce name lookup. The +program will try to display the IP entries resolved to +host names or services (whenever applicable), which can trigger +.B +slow +DNS +lookups. .TP .B "-s, --sorted" Sorted output. When listing sets, entries are listed sorted. .TP .B "-n, --numeric" -Numeric output. When listing sets, bindings, IP addresses and -port numbers will be printed in numeric format. By default the -program will try to display them as host names, network names -or services (whenever applicable), which can trigger -.B -slow -DNS -lookups. +Numeric output. 
When listing sets, IP addresses and +port numbers will be printed in numeric format. This is the default. .TP .B "-q, --quiet" Suppress any output to stdout and stderr. ipset will still return @@ -224,6 +165,10 @@ When the optional parameter specified, network addresses will be stored in the set instead of IP addresses, and the from-IP parameter must be a network address. The CIDR-netmask value must be between 1-31. +.PP +Example: +.IP +ipset \-N test ipmap \-\-network 192.168.0.0/16 .SS macipmap The macipmap set type uses a memory range, where each 8 bytes represents one IP and a MAC addresses. A macipmap set type can store @@ -319,6 +264,10 @@ parameter. In general higher probe value results better utilized hash while smaller value produces larger, sparser hash. +.PP +Example: +.IP +ipset \-N test iphash \-\-probes 2 .SS nethash The nethash set type uses a hash to store different size of network addresses. The @@ -538,7 +487,7 @@ Options to use when creating a setlist type of set: .TP .BR "--size " size Create a setlist type of set with the given size (default 8). -.P +.PP By the .I set @@ -562,8 +511,9 @@ and .I b are setlist type of sets then in the command -.TP -iptables -m set --match-set a src,dst -j SET --add-set b src,dst +.IP +iptables \-m set \-\-match\-set a src,dst \-j SET \-\-add-set b src,dst +.PP the match and target will skip any set in .I a and @@ -589,6 +539,8 @@ use the iphash set type. If you have got random size of netblocks, use nethash. .P Old separator tokens (':' and '%") are still accepted. +.P +Binding support is removed. .SH DIAGNOSTICS Various error messages are printed to standard error. The exit code is 0 for correct functioning. Errors which appear to be caused by |
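Review bot: The rewritten DESCRIPTION paragraph in the first hunk (@@ -26,13) has a subject-verb agreement error that is being carried into the new text: "+Iptables matches and targets referring to sets creates references, which +protects the given sets in the kernel" should read "create references, which protect the given sets in the kernel". Since these lines are rewritten anyway, fix the grammar in the same change.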
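Review bot: Dropping every mention of the ":all:" keyword from the -X and -F descriptions in hunk @@ -70,21 (and from -L and -S in the following hunk) leaves the reader unable to tell whether the keyword is merely undocumented now or is rejected by the tool. Existing scripts and saved sessions may still pass it; if it is kept for compatibility, one sentence saying so is enough, and if it is rejected, state that next to the "Binding support is removed." notice so users of the old syntax know what to change.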
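Review bot: The modified -T line in hunk @@ -95,102 carries a typo forward: "+Test wether an IP entry is in a set or not." should read "whether". Two smaller points in the same hunk: the new -r entry under OTHER OPTIONS says "enforce name lookup" while the rewritten -L text says "force name lookups", so use "force" in both; and the ".P" left standing between the new "-V, -v, --version" entry and ".SS "OTHER OPTIONS"" now only produces an empty paragraph and can be dropped. While this entry is being edited, the unchanged context line ".BI "-T, --test " "\fIsetname\fP \fIIP" is also missing its closing "\fP"" and could be repaired here.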
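Review bot: Hunk @@ -538,7 changes ".P" to ".PP" while the last hunk adds a fresh ".P" ("+.P +Binding support is removed."), so the file ends up mixing both macros. They render identically in man; either leave the original ".P" alone for a smaller diff or convert consistently across the file.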
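Review bot: The dash escaping in the new iptables example in hunk @@ -562,8 is inconsistent: "+iptables \-m set \-\-match\-set a src,dst \-j SET \-\-add-set b src,dst" escapes every dash except the one inside "add-set"; it should be "\-\-add\-set" so all option characters render as minus signs and the line copies correctly from a terminal. Replacing ".TP" with ".IP" followed by ".PP" is the right fix for the mis-tagged paragraph.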
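Review bot: The one-liner "+Binding support is removed." added in hunk @@ -589,6 is too terse and sits in the paragraph about choosing between iphash and nethash rather than where bindings were described. The deprecation note deleted from DESCRIPTION in the first hunk pointed users at a replacement set type; the new sentence should keep that migration pointer, name the removed commands and tokens (-B, -U, the -b/--binding option, ":default:") so readers of older scripts can find what changed, and would read better placed in DESCRIPTION next to the paragraph about references.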