.\" Man page written by Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
.\"
.\" This program is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License as published by
.\" the Free Software Foundation; either version 2 of the License, or
.\" (at your option) any later version.
.\"
.\" This program is distributed in the hope that it will be useful,
.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
.\" GNU General Public License for more details.
.\"
.\" You should have received a copy of the GNU General Public License
.\" along with this program; if not, write to the Free Software
.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
.TH "IPSET" "8" "Jun 11, 2010" "Jozsef Kadlecsik" ""
.SH "NAME"
ipset \(em administration tool for IP sets
.SH "SYNOPSIS"
\fBipset\fR [ \fIOPTIONS\fR ] \fICOMMAND\fR [ \fICOMMAND\-OPTIONS\fR ]
.PP
COMMANDS := { \fBcreate\fR | \fBadd\fR | \fBdel\fR | \fBtest\fR | \fBdestroy\fR | \fBlist\fR | \fBsave\fR | \fBrestore\fR | \fBflush\fR | \fBrename\fR | \fBswap\fR | \fBhelp\fR | \fBversion\fR | \fB\-\fR }
.PP
\fIOPTIONS\fR := { \fB\-exist\fR | \fB\-output\fR { \fBplain\fR | \fBsave\fR | \fBxml\fR } | \fB\-quiet\fR | \fB\-resolve\fR | \fB\-sorted\fR }
.PP
\fBipset\fR \fBcreate\fR \fISETNAME\fR \fITYPENAME\fR [ \fICREATE\-OPTIONS\fR ]
.PP
\fBipset\fR \fBadd\fR \fISETNAME\fR \fIADD\-ENTRY\fR [ \fIADD\-OPTIONS\fR ]
.PP
\fBipset\fR \fBdel\fR \fISETNAME\fR \fIDEL\-ENTRY\fR [ \fIDEL\-OPTIONS\fR ]
.PP
\fBipset\fR \fBtest\fR \fISETNAME\fR \fITEST\-ENTRY\fR [ \fITEST\-OPTIONS\fR ]
.PP
\fBipset\fR \fBdestroy\fR [ \fISETNAME\fR ]
.PP
\fBipset\fR \fBlist\fR [ \fISETNAME\fR ]
.PP
\fBipset\fR \fBsave\fR [ \fISETNAME\fR ]
.PP
\fBipset\fR \fBrestore\fR
.PP
\fBipset\fR \fBflush\fR [ \fISETNAME\fR ]
.PP
\fBipset\fR \fBrename\fR \fISETNAME\-FROM\fR \fISETNAME\-TO\fR
.PP
\fBipset\fR \fBswap\fR \fISETNAME\-FROM\fR \fISETNAME\-TO\fR
.PP
\fBipset\fR \fBhelp\fR [ \fITYPENAME\fR ]
.PP
\fBipset\fR \fBversion\fR
.PP
\fBipset\fR \fB\-\fR
.SH "DESCRIPTION"
\fBipset\fR
is used to set up, maintain and inspect so called IP sets in the Linux
kernel. Depending on the type of the set, an IP set may store IP(v4/v6)
addresses, (TCP/UDP) port numbers, IP and MAC address pairs, IP address
and port number pairs, etc. See the set type definitions below.
.PP
\fBIptables\fR
matches and targets referring to sets create references, which
protect the given sets in the kernel. A set cannot be destroyed
while even a single reference points to it.
.SH "OPTIONS"
The options that are recognized by
\fBipset\fR
can be divided into several different groups.
.SS COMMANDS
These options specify the desired action to perform. Only one of them
can be specified on the command line unless otherwise specified below.
For all the long versions of the command names, you need to use only enough
letters to ensure that
\fBipset\fR
can differentiate it from all other options. The
\fBipset\fR
parser follows the order here when looking for the shortest match
in the long command names.
.TP
\fBn\fP, \fBcreate\fP \fISETNAME\fP \fITYPENAME\fP [ \fICREATE\-OPTIONS\fP ]
Create a set identified with setname and specified type. The type may require
type specific options. If the
\fB\-exist\fR
option is specified,
\fBipset\fR
ignores the error otherwise raised when the same set (setname and create parameters
are identical) already exists.
.TP
\fBadd\fP \fISETNAME\fP \fIADD\-ENTRY\fP [ \fIADD\-OPTIONS\fP ]
Add a given entry to the set. If the
\fB\-exist\fR
option is specified,
\fBipset\fR
ignores the error otherwise raised when the entry is already in the set.
.TP
\fBdel\fP \fISETNAME\fP \fIDEL\-ENTRY\fP [ \fIDEL\-OPTIONS\fP ]
Delete an entry from a set. If the
\fB\-exist\fR
option is specified,
\fBipset\fR
ignores the error otherwise raised when the entry is not in the set (for
example because it has already expired).
.TP
\fBtest\fP \fISETNAME\fP \fITEST\-ENTRY\fP [ \fITEST\-OPTIONS\fP ]
Test whether an entry is in a set or not. The exit status is zero
if the tested entry is in the set and nonzero if it is missing from
the set.
.TP
\fBx\fP, \fBdestroy\fP [ \fISETNAME\fP ]
Destroy the specified set or all the sets if none is given.
If the set is referenced (see DESCRIPTION), nothing is done and no set is destroyed.
.TP
\fBlist\fP [ \fISETNAME\fP ]
List the header data and the entries for the specified set, or for
all sets if none is given. The
\fB\-resolve\fP
option can be used to force name lookups (which may be slow). When the
\fB\-sorted\fP
option is given, the entries are listed sorted (if the given set
type supports the operation). The option
\fB\-output\fR
can be used to control the format of the listing:
\fBplain\fR, \fBsave\fR or \fBxml\fR.
The default is
\fBplain\fR.
.TP
\fBsave\fP [ \fISETNAME\fP ]
Save the given set, or all sets if none is given
to stdout in a format that
\fBrestore\fP
can read.
.TP
\fBrestore\fP
Restore a saved session generated by
\fBsave\fP.
The saved session can be fed from stdin.
.TP
\fBflush\fP [ \fISETNAME\fP ]
Flush all entries from the specified set or flush
all sets if none is given.
.TP
\fBe\fP, \fBrename\fP \fISETNAME\-FROM\fP \fISETNAME\-TO\fP
Rename a set. The set identified by
\fISETNAME\-TO\fR
must not exist.
.TP
\fBw\fP, \fBswap\fP \fISETNAME\-FROM\fP \fISETNAME\-TO\fP
Swap the content of two sets, or in other words,
exchange the names of the two sets. Both sets must exist and
only sets of identical type can be swapped.
.TP
\fBhelp\fP [ \fITYPENAME\fP ]
Print help and set type specific help if
\fITYPENAME\fR
is specified.
.TP
\fBversion\fP
Print program version.
.TP
\fB\-\fP
If a dash is specified as command, then
\fBipset\fR
enters a simple interactive mode and the commands are read from the standard input.
The interactive mode can be finished by entering the pseudo\-command
\fBquit\fR.
.P
.SS "OTHER OPTIONS"
The following additional options can be specified. The long option names
cannot be abbreviated.
.TP
\fB\-!\fP, \fB\-exist\fP
Ignore the errors raised when exactly the same set is created again, an entry
already in the set is added, or an entry missing from the set is deleted.
.TP
\fB\-o\fP, \fB\-output\fP { \fBplain\fR | \fBsave\fR | \fBxml\fR }
Select the output format for the
\fBlist\fR
command.
.TP
\fB\-q\fP, \fB\-quiet\fP
Suppress any output to stdout and stderr.
\fBipset\fR
will still exit with error if it cannot continue.
.TP
\fB\-r\fP, \fB\-resolve\fP
When listing sets, force name lookups. The
program will try to display the IP entries resolved to
host names, which requires
\fBslow\fR
DNS lookups.
.TP
\fB\-s\fP, \fB\-sorted\fP
Sorted output. When listing sets, entries are listed sorted.
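.PP
The commands above combine into the usual way of refreshing a blocklist
without a moment in which the rules referring to it see an empty set:
fill a temporary set, \fBswap\fR it with the live one and \fBdestroy\fR
the temporary set, all in one \fBrestore\fR run started with \fB\-exist\fR
so that the \fBcreate\fR lines succeed on later runs. The shell script below
is an added example and not part of \fBipset\fR; it turns a plain\-text
feed of IPv4 addresses and networks into such a \fBrestore\fR stream.
The set names, the \fBhash:net\fR parameters and the sample feed are
choices made for the example, and it assumes that \fBrestore\fR accepts
\fBflush\fR, \fBswap\fR and \fBdestroy\fR lines as well as the
\fBcreate\fR and \fBadd\fR lines that \fBsave\fR emits.

```sh
#!/bin/sh
# Added example (not part of ipset): turn a plain-text feed of IPv4
# addresses and networks into an `ipset restore` stream that refreshes a
# hash:net blocklist atomically, via a temporary set and `swap`.
# Assumptions: POSIX sh with 64-bit arithmetic, sort(1), and that
# `restore` accepts flush/swap/destroy lines as well as create/add.
set -f   # no pathname expansion: entries from the feed are untrusted text

# ip4_to_int a.b.c.d -> 32-bit integer (octets already validated)
ip4_to_int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip4 N -> a.b.c.d
int_to_ip4() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# normalize_net ENTRY -> prints a.b.c.d/n with the host bits cleared, which
# is how the kernel stores it, so two spellings of one network collapse into
# one line. A bare address gets /32, the host cidr that ipset assumes.
# Returns 1 for anything that is not a well-formed IPv4 address or network.
normalize_net() {
    entry=$1
    addr=${entry%%/*}
    cidr=${entry#*/}
    if [ "$cidr" = "$entry" ]; then cidr=32; fi
    # cidr: decimal 0-99 without leading zeros, then range-checked
    case "$cidr" in 0|[1-9]|[1-9][0-9]) ;; *) return 1 ;; esac
    if [ "$cidr" -gt 32 ]; then return 1; fi
    # exactly four non-empty octets (field splitting silently drops a
    # trailing dot, hence the explicit pattern check)
    case "$addr" in .*|*.|*..*) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    if [ $# -ne 4 ]; then return 1; fi
    for o in "$@"; do
        # decimal only, no leading zeros: "010" would be octal in $(( ))
        case "$o" in 0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) ;; *) return 1 ;; esac
        if [ "$o" -gt 255 ]; then return 1; fi
    done
    ip=$(ip4_to_int "$addr")
    if [ "$cidr" -eq 0 ]; then mask=0
    else mask=$(( (4294967295 << (32 - $cidr)) & 4294967295 )); fi
    net=$(( $ip & $mask ))
    # zero-valued entries cannot be stored in hash sets (GENERAL RESTRICTIONS)
    if [ "$net" -eq 0 ]; then return 1; fi
    echo "$(int_to_ip4 "$net")/$cidr"
}

# emit_blocklist_restore SETNAME < feed -> restore stream on stdout.
# Blank lines and '#' comments are ignored; malformed lines are reported
# on stderr and skipped. If no valid entry remains, nothing is emitted and
# the function fails, so a broken feed can never swap in an empty blocklist.
emit_blocklist_restore() {
    set_name=$1
    tmp_name="${set_name}-tmp"
    adds=$(
        while IFS= read -r line || [ -n "$line" ]; do
            line=${line%%#*}
            set -- $line
            if [ $# -eq 0 ]; then continue; fi
            if net=$(normalize_net "$1"); then
                echo "add $tmp_name $net"
            else
                echo "skipping malformed entry: $1" >&2
            fi
        done | LC_ALL=C sort -u
    )
    if [ -z "$adds" ]; then
        echo "no valid entries, refusing to replace $set_name" >&2
        return 1
    fi
    echo "create $set_name hash:net family inet hashsize 1024 maxelem 65536"
    echo "create $tmp_name hash:net family inet hashsize 1024 maxelem 65536"
    echo "flush $tmp_name"      # leftovers from an interrupted earlier run
    echo "$adds"
    echo "swap $tmp_name $set_name"
    echo "destroy $tmp_name"
}

# Usage (the restore itself needs root; -exist lets the create lines pass
# when the sets already exist):
#   . ./blocklist.sh; emit_blocklist_restore blocklist < feed.txt | ipset -exist restore
```

.PP
Each feed line is validated before it reaches the kernel: octets are
checked as decimal numbers without leading zeros, the cidr is bounded,
host bits are cleared so that two spellings of the same network collapse
into one entry, and networks that would be zero\-valued (such as
0.0.0.0/0) are dropped because hash sets cannot store them. A feed with
no valid entry produces no output at all, so the live set is left as it
was rather than replaced by an empty one.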
.SH "SET TYPES"
A set type comprises the storage method by which the data is stored and
the data type(s) which are stored in the set. Therefore the
\fITYPENAME\fR
parameter of the
\fBcreate\fR
command follows the syntax
\fITYPENAME\fR := \fImethod\fR\fB:\fR\fItype\fR[\fB,\fR\fItype\fR[\fB,\fR\fItype\fR]]
where the currently available methods are
\fBbitmap\fR, \fBhash\fR and \fBlist\fR, and the possible data types are \fBip\fR,
\fBnet\fR, \fBmac\fR, \fBport\fR and \fBset\fR.
When adding, deleting or testing entries in a set, the same comma separated
data syntax must be used for the entry parameter of the commands, e.g.
.IP
ipset add foo ipaddr,portnum,ipaddr
.PP
All set types support the optional
\fBtimeout\fR \fIvalue\fR
parameter when creating a set and adding entries. The value of the \fBtimeout\fR
parameter for the \fBcreate\fR command is the default timeout value (in seconds)
for new entries. If a set is created with timeout support, then the same
\fBtimeout\fR option can be used to specify non\-default timeout values
when adding entries. A timeout value of zero means the entry is added to the set permanently.
.SS bitmap:ip
The \fBbitmap:ip\fR set type uses a memory range to store either IPv4 host
(default) or IPv4 network addresses. A \fBbitmap:ip\fR type of set can store up
to 65536 entries.
.PP
\fICREATE\-OPTIONS\fR := \fBrange\fP \fIfrom\-ip\fP\-\fIto\-ip\fR|\fIip\fR/\fIcidr\fR [ \fBnetmask\fP \fIcidr\fP ] [ \fBtimeout\fR \fIvalue\fR ]
.PP
\fIADD\-ENTRY\fR := { \fIipaddr\fR | \fIfromaddr\fR\-\fItoaddr\fR | \fIipaddr\fR/\fIcidr\fR }
.PP
\fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ]
.PP
\fIDEL\-ENTRY\fR := { \fIipaddr\fR | \fIfromaddr\fR\-\fItoaddr\fR | \fIipaddr\fR/\fIcidr\fR }
.PP
\fITEST\-ENTRY\fR := { \fIipaddr\fR }
.PP
Mandatory \fBcreate\fR options:
.TP
\fBrange\fP \fIfrom\-ip\fP\-\fIto\-ip\fR|\fIip\fR/\fIcidr\fR
Create the set from the specified inclusive address range, expressed as an
IPv4 address range or network. The size of the range (in entries) cannot exceed
the limit of 65536 elements.
.PP
Optional \fBcreate\fR options:
.TP
\fBnetmask\fP \fIcidr\fP
When the optional \fBnetmask\fP parameter is specified, network addresses are
stored in the set instead of IP host addresses. The \fIcidr\fR value must be
between 1 and 32.
An IP address is in the set if the network address obtained by masking it
with the netmask derived from the \fIcidr\fR value can be found in the set.
.PP
Examples:
.IP
ipset create foo bitmap:ip range 192.168.0.0/16
.IP
ipset add foo 192.168.1.0/24
.IP
ipset test foo 192.168.1.1
.SS bitmap:ip,mac
The \fBbitmap:ip,mac\fR set type uses a memory range to store IPv4 address and MAC address pairs. A \fBbitmap:ip,mac\fR type of set can store up to 65536 entries.
.PP
\fICREATE\-OPTIONS\fR := \fBrange\fP \fIfrom\-ip\fP\-\fIto\-ip\fR|\fIip\fR/\fIcidr\fR [ \fBtimeout\fR \fIvalue\fR ]
.PP
\fIADD\-ENTRY\fR := { \fIipaddr\fR[,\fImac\-addr\fR] }
.PP
\fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ]
.PP
\fIDEL\-ENTRY\fR := { \fIipaddr\fR[,\fImac\-addr\fR] }
.PP
\fITEST\-ENTRY\fR := { \fIipaddr\fR[,\fImac\-addr\fR] }
.PP
Mandatory options to use when creating a \fBbitmap:ip,mac\fR type of set:
.TP
\fBrange\fP \fIfrom\-ip\fP\-\fIto\-ip\fR|\fIip\fR/\fIcidr\fR
Create the set from the specified inclusive address range, expressed as an
IPv4 address range or network. The size of the range cannot exceed the limit
of 65536 entries.
.PP
The \fBbitmap:ip,mac\fR type is exceptional in the sense that the MAC part can
be left out when adding/deleting/testing entries in the set. If
an entry is added without the MAC address specified, the first time the entry is
matched by the kernel it automatically fills in the missing part with the
source MAC address from the packet; in other words, whichever host first sends
a packet from that IP address determines the MAC address bound to it. If the
entry was specified with a timeout value,
the timer starts when the IP and MAC address pair is complete.
.PP
Please note, the \fBset\fR match and \fBSET\fR target netfilter kernel modules
\fBalways\fR use the source MAC address from the packet to match, add or delete
entries from a \fBbitmap:ip,mac\fR type of set.
.PP
Examples:
.IP
ipset create foo bitmap:ip,mac range 192.168.0.0/16
.IP
ipset add foo 192.168.1.1,12:34:56:78:9A:BC
.IP
ipset test foo 192.168.1.1
.SS bitmap:port
The \fBbitmap:port\fR set type uses a memory range to store port numbers
and such a set can store up to 65536 ports.
.PP
\fICREATE\-OPTIONS\fR := \fBrange\fP \fIfrom\-port\fP\-\fIto\-port\fR [ \fBtimeout\fR \fIvalue\fR ]
.PP
\fIADD\-ENTRY\fR := { \fIport\fR | \fIfrom\-port\fR\-\fIto\-port\fR }
.PP
\fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ]
.PP
\fIDEL\-ENTRY\fR := { \fIport\fR | \fIfrom\-port\fR\-\fIto\-port\fR }
.PP
\fITEST\-ENTRY\fR := { \fIport\fR }
.PP
Mandatory options to use when creating a \fBbitmap:port\fR type of set:
.TP
\fBrange\fP \fIfrom\-port\fP\-\fIto\-port\fR
Create the set from the specified inclusive port range.
.PP
Examples:
.IP
ipset create foo bitmap:port range 0\-1024
.IP
ipset add foo 80
.IP
ipset test foo 80
.SS hash:ip
The \fBhash:ip\fR set type uses a hash to store IP addresses.
Collisions in the hash are resolved by a limited amount of chaining; when
that is exhausted, the size of the hash is doubled.
.PP
\fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR|\fBinet6\fR } ] [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBnetmask\fP \fIcidr\fP ] [ \fBtimeout\fR \fIvalue\fR ]
.PP
\fIADD\-ENTRY\fR := { \fIipaddr\fR }
.PP
\fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ]
.PP
\fIDEL\-ENTRY\fR := { \fIipaddr\fR }
.PP
\fITEST\-ENTRY\fR := { \fIipaddr\fR }
.PP
For the \fBinet\fR family one can add or delete multiple entries by specifying
a range or a network:
.PP
\fIADD\-ENTRY\fR := { \fIipaddr\fR | \fIfromaddr\fR\-\fItoaddr\fR | \fIipaddr\fR/\fIcidr\fR }
.PP
\fIDEL\-ENTRY\fR := { \fIipaddr\fR | \fIfromaddr\fR\-\fItoaddr\fR | \fIipaddr\fR/\fIcidr\fR }
.PP
Optional \fBcreate\fR options:
.TP
\fBfamily\fR { \fBinet\fR|\fBinet6\fR }
The protocol family of the IP addresses to be stored in the set. The default is
\fBinet\fR, i.e IPv4.
.TP
\fBhashsize\fR \fIvalue\fR
The initial hash size for the set, default is 1024. The hash size must be a power
of two; the kernel automatically rounds up any other value to the next power
of two.
.TP
\fBmaxelem\fR \fIvalue\fR
The maximal number of elements which can be stored in the set, default 65536.
.TP
\fBnetmask\fP \fIcidr\fP
When the optional \fBnetmask\fP parameter is specified, network addresses are
stored in the set instead of IP host addresses. The \fIcidr\fP value must be
between 1 and 32 for IPv4 and between 1 and 128 for IPv6. An IP address is in the set
if the network address obtained by masking it with the netmask derived from
the \fIcidr\fP value can be found in the set.
.PP
Examples:
.IP
ipset create foo hash:ip netmask 24
.IP
ipset add foo 192.168.1.1
.IP
ipset test foo 192.168.1.2
.SS hash:net
The \fBhash:net\fR set type uses a hash to store IP networks of different sizes.
Collisions in the hash are resolved by a limited amount of chaining; when
that is exhausted, the size of the hash is doubled.
.PP
\fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR|\fBinet6\fR } ] [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ]
.PP
\fIADD\-ENTRY\fR := { \fIipaddr\fR[/\fIcidr\fR] }
.PP
\fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ]
.PP
\fIDEL\-ENTRY\fR := { \fIipaddr\fR[/\fIcidr\fR] }
.PP
\fITEST\-ENTRY\fR := { \fIipaddr\fR[/\fIcidr\fR] }
.PP
Optional \fBcreate\fR options:
.TP
\fBfamily\fR { \fBinet\fR|\fBinet6\fR }
The protocol family of the IP addresses to be stored in the set. The default is
\fBinet\fR, i.e IPv4.
.TP
\fBhashsize\fR \fIvalue\fR
The initial hash size for the set, default is 1024. The hash size must be a power
of two; the kernel automatically rounds up any other value to the next power
of two.
.TP
\fBmaxelem\fR \fIvalue\fR
The maximal number of elements which can be stored in the set, default 65536.
.PP
When adding/deleting/testing entries, if the cidr parameter is not specified,
then the host cidr value is assumed.
.PP
From the \fBset\fR netfilter match point of view an IP address is in a \fBhash:net\fR type of set if it belongs to any of the netblocks added to the set.
The matching always starts from the smallest netblocks (most specific
cidr) and proceeds to the largest ones (least specific cidr). When the \fBSET\fR
netfilter target adds or deletes IP addresses, it uses the most specific cidr
which can be found in the set, or the host cidr value if the set is empty.
.PP
The lookup time grows linearly with the number of the different \fIcidr\fR
values added to the set.
.PP
Examples:
.IP
ipset create foo hash:net
.IP
ipset add foo 192.168.0.0/24
.IP
ipset add foo 10.1.0.0/16
.IP
ipset test foo 192.168.0.0/24
.SS hash:ip,port
The \fBhash:ip,port\fR set type uses a hash to store IP address and port pairs.
Collisions in the hash are resolved by a limited amount of chaining; when
that is exhausted, the size of the hash is doubled.
.PP
\fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR|\fBinet6\fR } ] [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ]
.PP
\fIADD\-ENTRY\fR := { \fIipaddr\fR,\fIport\fR }
.PP
\fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ]
.PP
\fIDEL\-ENTRY\fR := { \fIipaddr\fR,\fIport\fR }
.PP
\fITEST\-ENTRY\fR := { \fIipaddr\fR,\fIport\fR }
.PP
Optional \fBcreate\fR options:
.TP
\fBfamily\fR { \fBinet\fR|\fBinet6\fR }
The protocol family of the IP addresses to be stored in the set. The default is
\fBinet\fR, i.e IPv4.
.TP
\fBhashsize\fR \fIvalue\fR
The initial hash size for the set, default is 1024. The hash size must be a power
of two; the kernel automatically rounds up any other value to the next power
of two.
.TP
\fBmaxelem\fR \fIvalue\fR
The maximal number of elements which can be stored in the set, default 65536.
.PP
Sets of the \fBhash:ip,port\fR type require two \fBsrc\fR/\fBdst\fR parameters for
the \fBset\fR match and \fBSET\fR target kernel modules.
.PP
Examples:
.IP
ipset create foo hash:ip,port
.IP
ipset add foo 192.168.1.1,80
.IP
ipset test foo 192.168.1.1,80
.SS hash:ip,port,ip
The \fBhash:ip,port,ip\fR set type uses a hash to store IP address, port and
IP address triples. Collisions in the hash are resolved by a limited amount of
chaining; when that is exhausted, the size of the hash is doubled.
.PP
\fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR|\fBinet6\fR } ] [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ]
.PP
\fIADD\-ENTRY\fR := { \fIipaddr\fR,\fIport\fR,\fIipaddr\fR }
.PP
\fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ]
.PP
\fIDEL\-ENTRY\fR := { \fIipaddr\fR,\fIport\fR,\fIipaddr\fR }
.PP
\fITEST\-ENTRY\fR := { \fIipaddr\fR,\fIport\fR,\fIipaddr\fR }
.PP
Optional \fBcreate\fR options:
.TP
\fBfamily\fR { \fBinet\fR|\fBinet6\fR }
The protocol family of the IP addresses to be stored in the set. The default is
\fBinet\fR, i.e IPv4.
.TP
\fBhashsize\fR \fIvalue\fR
The initial hash size for the set, default is 1024. The hash size must be a power
of two; the kernel automatically rounds up any other value to the next power
of two.
.TP
\fBmaxelem\fR \fIvalue\fR
The maximal number of elements which can be stored in the set, default 65536.
.PP
Sets of the \fBhash:ip,port,ip\fR type require three \fBsrc\fR/\fBdst\fR parameters for
the \fBset\fR match and \fBSET\fR target kernel modules.
.PP
Examples:
.IP
ipset create foo hash:ip,port,ip
.IP
ipset add foo 192.168.1.1,80,10.0.0.1
.IP
ipset test foo 192.168.1.1,80,10.0.0.1
.SS hash:ip,port,net
The \fBhash:ip,port,net\fR set type uses a hash to store IP address, port and
IP network triples.
Collisions in the hash are resolved by a limited amount of chaining; when
that is exhausted, the size of the hash is doubled.
.PP
\fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR|\fBinet6\fR } ] [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ]
.PP
\fIADD\-ENTRY\fR := { \fIipaddr\fR,\fIport\fR,\fIipaddr\fR[/\fIcidr\fR] }
.PP
\fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ]
.PP
\fIDEL\-ENTRY\fR := { \fIipaddr\fR,\fIport\fR,\fIipaddr\fR[/\fIcidr\fR] }
.PP
\fITEST\-ENTRY\fR := { \fIipaddr\fR,\fIport\fR,\fIipaddr\fR[/\fIcidr\fR] }
.PP
Optional \fBcreate\fR options:
.TP
\fBfamily\fR { \fBinet\fR|\fBinet6\fR }
The protocol family of the IP addresses to be stored in the set. The default is
\fBinet\fR, i.e IPv4.
.TP
\fBhashsize\fR \fIvalue\fR
The initial hash size for the set, default is 1024. The hash size must be a power
of two; the kernel automatically rounds up any other value to the next power
of two.
.TP
\fBmaxelem\fR \fIvalue\fR
The maximal number of elements which can be stored in the set, default 65536.
.PP
When adding/deleting/testing entries, if the cidr parameter is not specified,
then the host cidr value is assumed.
.PP
From the \fBset\fR netfilter match point of view a triple is in a \fBhash:ip,port,net\fR type of set (when the first IP and the port match)
if the second IP belongs to any of the netblocks added to the set.
The matching always starts from the smallest netblocks (most specific
cidr) and proceeds to the largest ones (least specific cidr). When the \fBSET\fR
netfilter target adds or deletes triples, it uses the most specific cidr
which can be found in the set, or the host cidr value if the set is empty.
.PP
The lookup time grows linearly with the number of the different \fIcidr\fR
values added to the set.
.PP
Sets of the \fBhash:ip,port,net\fR type require three \fBsrc\fR/\fBdst\fR parameters for
the \fBset\fR match and \fBSET\fR target kernel modules.
.PP
Examples:
.IP
ipset create foo hash:ip,port,net
.IP
ipset add foo 192.168.1.1,80,10.0.0.0/24
.IP
ipset add foo 192.168.2.1,25,10.1.0.0/16
.IP
ipset test foo 192.168.1.1,80,10.0.0.0/24
.SS list:set
The \fBlist:set\fR type uses a simple list in which you can store
sets.
.PP
\fICREATE\-OPTIONS\fR := [ \fBsize\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ]
.PP
\fIADD\-ENTRY\fR := \fIsetname\fR [ \fBbefore\fR|\fBafter\fR \fIsetname\fR ]
.PP
\fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ]
.PP
\fIDEL\-ENTRY\fR := \fIsetname\fR [ \fBbefore\fR|\fBafter\fR \fIsetname\fR ]
.PP
\fITEST\-ENTRY\fR := \fIsetname\fR [ \fBbefore\fR|\fBafter\fR \fIsetname\fR ]
.PP
Optional \fBcreate\fR options:
.TP
\fBsize\fR \fIvalue\fR
The size of the list, the default is 8.
.PP
By the \fBipset\fR command you can add, delete and test sets in a
\fBlist:set\fR type of set.
.PP
By the \fBset\fR match or \fBSET\fR target of netfilter
you can test, add or delete entries in the sets added to the \fBlist:set\fR
type of set. The match will try to find a matching entry in the sets and
the target will try to add an entry to the first set to which it can be added.
The number of src,dst options of the match and target is important: sets which
need more src,dst parameters than specified are skipped, while sets with equal
or fewer parameters are checked and elements are added. For example if \fIa\fR and
\fIb\fR are \fBlist:set\fR type of sets then in the command
.IP
iptables \-m set \-\-match\-set a src,dst \-j SET \-\-add\-set b src,dst
.PP
the match and target will skip any set in \fIa\fR and \fIb\fR
which stores data triples, but will check all sets with single or double
data storage in \fIa\fR
and add src to the first single or src,dst to the first double
data storage set in \fIb\fR.
.PP
You can think of a \fBlist:set\fR type of set as an ordered union of
the sets it contains.
.SH "GENERAL RESTRICTIONS"
Zero valued set entries cannot be used with hash methods.
.SH "COMMENTS"
If you want to store same size subnets from a given network
(say /24 blocks from a /8 network), use the \fBbitmap:ip\fR set type.
If you want to store random same size networks (say random /24 blocks),
use the \fBhash:ip\fR set type. If you have netblocks of varying size,
use \fBhash:net\fR.
.PP
Backward compatibility is maintained and old \fBipset\fR syntax is still supported.
.PP
The \fBiptree\fR and \fBiptreemap\fR set types are removed: if you refer to them,
they are automatically replaced by \fBhash:ip\fR type of sets.
.SH "DIAGNOSTICS"
Various error messages are printed to standard error. The exit code
is 0 for correct functioning.
.SH "BUGS"
Bugs? No, just funny features. :\-)
OK, just kidding...
.SH "SEE ALSO"
\fBiptables\fR(8),
\fBip6tables\fR(8)
.SH "AUTHORS"
Jozsef Kadlecsik wrote ipset, which is based on ippool by
Joakim Axelsson, Patrick Schaaf and Martin Josefsson.
.br
Sven Wegener wrote the iptreemap type.
.SH "LAST REMARK"
\fBI stand on the shoulders of giants.\fR