    IPSET(8)

    SYNOPSIS

           ipset [ OPTIONS ] COMMAND [ COMMAND-OPTIONS ]
    
           COMMANDS  :=  {  create  |  add  | del | test | destroy | list | save |
           restore | flush | rename | swap | help | version | - }
    
           OPTIONS := { -exist | -output { plain  |  save  |  xml  }  |  -quiet  |
           -resolve | -sorted | -name | -terse }
    
           ipset create SETNAME TYPENAME [ CREATE-OPTIONS ]
    
           ipset add SETNAME ADD-ENTRY [ ADD-OPTIONS ]
    
           ipset del SETNAME DEL-ENTRY [ DEL-OPTIONS ]
    
           ipset test SETNAME TEST-ENTRY [ TEST-OPTIONS ]
    
           ipset destroy [ SETNAME ]
    
           ipset list [ SETNAME ]
    
           ipset save [ SETNAME ]
    
           ipset restore
    
           ipset flush [ SETNAME ]
    
           ipset rename SETNAME-FROM SETNAME-TO
    
           ipset swap SETNAME-FROM SETNAME-TO
    
           ipset help [ TYPENAME ]
    
           ipset version
    
           ipset -
    
    
    

    DESCRIPTION

           ipset is used to set up, maintain and inspect so-called IP sets in the
           Linux kernel. Depending on the type of the set, an IP set may store
           IP(v4/v6) addresses, (TCP/UDP) port numbers, IP and MAC address pairs,
           IP address and port number pairs, etc. See the set type definitions
           below.

           Iptables matches and targets referring to sets create references, which
           protect the given sets in the kernel. A set cannot be destroyed while
           even a single reference is pointing to it.
    
    
    

    OPTIONS

           The  options  that  are recognized by ipset can be divided into several
           different groups.
    
    
           add SETNAME ADD-ENTRY [ ADD-OPTIONS ]
                  Add a given entry to the set. If the -exist option is specified,
                  ipset ignores the error if the entry has already been added to
                  the set.

           del SETNAME DEL-ENTRY [ DEL-OPTIONS ]
                  Delete an entry from a set. If the -exist option is specified,
                  ipset ignores the error if the entry is not in the set (or has
                  already expired from it).

           test SETNAME TEST-ENTRY [ TEST-OPTIONS ]
                  Test whether an entry is in a set or not. The exit status is
                  zero if the tested entry is in the set and nonzero if it is
                  missing from the set.
    
           x, destroy [ SETNAME ]
                  Destroy the specified set or all the sets if none is given.
    
                  If the set has got reference(s), nothing is done and no set is
                  destroyed.
    
           list [ SETNAME ] [ OPTIONS ]
                  List  the  header data and the entries for the specified set, or
                  for all sets if none is given. The -resolve option can  be  used
                  to  force  name  lookups  (which  may be slow). When the -sorted
                  option is given, the entries are listed sorted (if the given set
                  type  supports the operation). The option -output can be used to
                  control the format of the listing: plain,  save  or  xml.   (The
                  default  is  plain.)  If the option -name is specified, just the
                  names of the existing sets are listed. If the option  -terse  is
                  specified, just the set names and headers are listed.
    
           save [ SETNAME ]
                  Save the given set, or all sets if none is given, to stdout in a
                  format that restore can read.
    
           restore
                  Restore a saved session generated by save.   The  saved  session
                  can be fed from stdin.
    
           flush [ SETNAME ]
                  Flush  all  entries  from the specified set or flush all sets if
                  none is given.
    
           e, rename SETNAME-FROM SETNAME-TO
                  Rename a set. Set identified by SETNAME-TO must not exist.
    
           w, swap SETNAME-FROM SETNAME-TO
                  Swap the content of two sets, or in other words, exchange the
                  names of two sets. The referenced sets must exist, and only sets
                  of identical type can be swapped.
    
           names cannot be abbreviated.
    
           -!, -exist
                  Ignore errors when exactly the same set is to be created, an
                  already added entry is added, or a missing entry is deleted.

           -o, -output { plain | save | xml }
                  Select the output format for the list command.
    
           -q, -quiet
                  Suppress any output to stdout and stderr.  ipset will still exit
                  with error if it cannot continue.
    
           -r, -resolve
                  When listing sets, force name lookup. The program will try to
                  display the IP entries resolved to host names, which requires
                  slow DNS lookups.
    
           -s, -sorted
                  Sorted  output. When listing sets entries are listed sorted. Not
                  supported yet.
    
           -n, -name
                  List just the names of the existing sets, i.e. suppress  listing
                  of set headers and members.
    
           -t, -terse
                  List  the  set  names  and headers, i.e. suppress listing of set
                  members.
    
    
    

    SET TYPES

           A set type comprises the storage method by which the data is stored
           and the data type(s) which are stored in the set. Therefore the
           TYPENAME parameter of the create command follows the syntax

           TYPENAME := method:datatype[,datatype[,datatype]]

           where the currently available methods are bitmap, hash and list, and
           the possible data types are ip, net, mac, port and iface. The
           dimension of a set is equal to the number of data types in its type
           name.
    
           When adding, deleting or testing entries in a set, the same comma-
           separated data syntax must be used for the entry parameter of the
           commands, i.e.

           ipset add foo ipaddr,portnum,ipaddr

           The bitmap and list types use fixed-size storage. The hash types use a
           hash to store the elements. In order to avoid clashes in the hash, a
           limited amount of chaining is used, and if that is exhausted, the hash
           size is doubled when entries are added by the ipset command.
           already added elements can be changed by re-adding the element using
           the -exist option.
    
           The hash set types which can store net type data (i.e. hash:*net*)
           support the optional

           nomatch

           option when adding entries. When matching elements in the set, entries
           marked as nomatch are skipped as if those were not added to the set,
           which makes it possible to build up sets with exceptions. See the
           example at the hash:net set type below.

           If host names or service names with a dash in the name are used instead
           of IP addresses or service numbers, then the host name or service name
           must be enclosed in square brackets. Example:
    
                  ipset add foo [test-hostname],[ftp-data]
    
       bitmap:ip
           The  bitmap:ip  set  type uses a memory range to store either IPv4 host
           (default) or IPv4 network addresses. A bitmap:ip type of set can  store
           up to 65536 entries.
    
           CREATE-OPTIONS  := range fromip-toip|ip/cidr [ netmask cidr ] [ timeout
           value ]
    
           ADD-ENTRY := { ip | fromip-toip | ip/cidr }
    
           ADD-OPTIONS := [ timeout value ]
    
           DEL-ENTRY := { ip | fromip-toip | ip/cidr }
    
           TEST-ENTRY := ip
    
           Mandatory create options:
    
           range fromip-toip|ip/cidr
                  Create the set from the specified inclusive address range
                  expressed as an IPv4 address range or network. The size of the
                  range (in entries) cannot exceed the limit of 65536 elements.
    
           Optional create options:
    
           netmask cidr
                  When the optional netmask parameter is specified, network
                  addresses will be stored in the set instead of IP host addresses.
                  The cidr prefix value must be between 1 and 32. An IP address
                  will be in the set if the network address, which results from
                  masking the address with the netmask calculated from the prefix,
    
       bitmap:ip,mac
           The bitmap:ip,mac set type uses a memory range to store IPv4 and MAC
           address pairs. A bitmap:ip,mac type of set can store up to 65536
           entries.
    
           CREATE-OPTIONS := range fromip-toip|ip/cidr [ timeout value ]
    
           ADD-ENTRY := ip[,macaddr]
    
           ADD-OPTIONS := [ timeout value ]
    
           DEL-ENTRY := ip[,macaddr]
    
           TEST-ENTRY := ip[,macaddr]
    
           Mandatory options to use when creating a bitmap:ip,mac type of set:
    
           range fromip-toip|ip/cidr
                  Create  the  set  from  the  specified  inclusive  address range
                  expressed in an IPv4 address range or network. The size  of  the
                  range cannot exceed the limit of maximum 65536 entries.
    
           The bitmap:ip,mac type is exceptional in the sense that the MAC part
           can be left out when adding/deleting/testing entries in the set. If we
           add an entry without the MAC address specified, then the first time
           the entry is matched by the kernel, it will automatically fill in the
           missing MAC address with the source MAC address from the packet. If
           the entry was specified with a timeout value, the timer starts when
           the IP and MAC address pair is complete.
    
           The  bitmap:ip,mac  type  of sets require two src/dst parameters of the
           set match and SET target netfilter kernel modules and  the  second  one
           must  be  src to match, add or delete entries because the set match and
           SET target have access to the source MAC address only.
    
           Examples:
    
                  ipset create foo bitmap:ip,mac range 192.168.0.0/16
    
                  ipset add foo 192.168.1.1,12:34:56:78:9A:BC
    
                  ipset test foo 192.168.1.1
    
       bitmap:port
           The bitmap:port set type uses a memory range to store port numbers  and
           such a set can store up to 65536 ports.
    
           CREATE-OPTIONS := range fromport-toport [ timeout value ]
    
           ADD-ENTRY := { port | fromport-toport }
    
           ADD-OPTIONS := [ timeout value ]

           Examples:

                  ipset create foo bitmap:port range 0-1024
    
                  ipset add foo 80
    
                  ipset test foo 80
    
       hash:ip
           The hash:ip set type uses a hash to store IP host addresses (default)
           or network addresses. A zero-valued IP address cannot be stored in a
           hash:ip type of set.
    
           CREATE-OPTIONS := [ family { inet | inet6 } ] | [ hashsize  value  ]  [
           maxelem value ] [ netmask cidr ] [ timeout value ]
    
           ADD-ENTRY := ipaddr
    
           ADD-OPTIONS := [ timeout value ]
    
           DEL-ENTRY := ipaddr
    
           TEST-ENTRY := ipaddr
    
           Optional create options:
    
           family { inet | inet6 }
                  The protocol family of the IP addresses to be stored in the set.
                  The default is inet, i.e. IPv4.

           hashsize value
                  The initial hash size for the set; the default is 1024. The hash
                  size must be a power of two; the kernel automatically rounds up
                  non-power-of-two hash sizes to the first correct value.

           maxelem value
                  The maximal number of elements which can be stored in the set;
                  the default is 65536.

           netmask cidr
                  When the optional netmask parameter is specified, network
                  addresses will be stored in the set instead of IP host addresses.
                  The cidr prefix value must be between 1 and 32 for IPv4 and
                  between 1 and 128 for IPv6. An IP address will be in the set if
                  the network address, which results from masking the address with
                  the netmask calculated from the prefix, can be found in the set.
    
           For the inet family one can add or delete multiple entries by  specify-
           ing a range or a network:
    
           ipaddr := { ip | fromaddr-toaddr | ip/cidr }
    
       hash:net
    
           ADD-ENTRY := netaddr
    
           ADD-OPTIONS := [ timeout value ] [ nomatch ]
    
           DEL-ENTRY := netaddr
    
           TEST-ENTRY := netaddr
    
           where netaddr := ip[/cidr]
    
           Optional create options:
    
           family { inet | inet6 }
                  The protocol family of the IP addresses to be stored in the set.
                  The default is inet, i.e. IPv4.

           hashsize value
                  The initial hash size for the set; the default is 1024. The hash
                  size must be a power of two; the kernel automatically rounds up
                  non-power-of-two hash sizes to the first correct value.

           maxelem value
                  The maximal number of elements which can be stored in the set;
                  the default is 65536.
    
           For the inet family one can add or delete multiple entries by  specify-
           ing  a  range, which is converted internally to network(s) equal to the
           range:
    
           netaddr := { ip[/cidr] | fromaddr-toaddr }
    
           When adding/deleting/testing entries, if the cidr prefix  parameter  is
           not   specified,   then   the   host  prefix  value  is  assumed.  When
           adding/deleting entries, the exact element is added/deleted  and  over-
           lapping  elements are not checked by the kernel.  When testing entries,
           if a host address is tested, then the kernel tries to  match  the  host
           address in the networks added to the set and reports the result accord-
           ingly.
    
           From the set netfilter match point of view, the search for a match
           always starts from the smallest size of netblock (most specific
           prefix) and proceeds to the largest one (least specific prefix) added
           to the set. When adding/deleting IP addresses to the set by the SET
           netfilter target, they will be added/deleted by the most specific
           prefix which can be found in the set, or by the host prefix value if
           the set is empty.
    
           The lookup time grows linearly with the number of the different  prefix
           values added to the set.
    
           Example:
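           As an added example (not part of this man page), the following Python
           model reproduces the hash:net behaviour described above: lookup walks
           the distinct prefix lengths from most specific to least specific, the
           first entry found decides, and an entry flagged nomatch acts as an
           exception. It also emits the equivalent restore session so the model can
           be checked against a real kernel with ipset restore. The set name
           blocklist and the 10.0.0.0/8 addresses are constructed sample data.

```python
import ipaddress


class HashNetModel:
    """Model of an IPv4 ipset hash:net set, keyed by distinct prefix length."""

    def __init__(self, name, hashsize=1024, maxelem=65536):
        self.name = name
        self.hashsize = hashsize
        self.maxelem = maxelem
        # prefix length -> {network: nomatch flag}; one bucket per distinct cidr
        self.buckets = {}

    def add(self, netaddr, nomatch=False):
        # A missing cidr means the host prefix (/32), as the man page states.
        net = ipaddress.ip_network(netaddr, strict=False)
        if net.prefixlen == 0:
            raise ValueError("zero prefix size is not accepted by hash:net")
        if sum(len(b) for b in self.buckets.values()) >= self.maxelem:
            raise ValueError(f"set {self.name} is full (maxelem {self.maxelem})")
        self.buckets.setdefault(net.prefixlen, {})[net] = nomatch

    def lookup(self, ip):
        """Return (matched, deciding_prefixlen) the way the set match would."""
        addr = ipaddress.ip_address(ip)
        # Most specific prefix first: the number of probes equals the number
        # of distinct prefix lengths in the set, not the number of entries.
        for plen in sorted(self.buckets, reverse=True):
            candidate = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
            if candidate in self.buckets[plen]:
                # The first hit decides; a nomatch entry is an exception.
                return (not self.buckets[plen][candidate], plen)
        return (False, None)

    def test(self, ip):
        """Equivalent of 'ipset test NAME ip' (True = in set)."""
        return self.lookup(ip)[0]

    def restore_session(self):
        """Lines in the format 'ipset save' writes and 'ipset restore' reads."""
        lines = [f"create {self.name} hash:net family inet "
                 f"hashsize {self.hashsize} maxelem {self.maxelem}"]
        for plen in sorted(self.buckets):
            for net, nomatch in self.buckets[plen].items():
                # save prints host entries without the /32 suffix
                entry = str(net) if plen < 32 else str(net.network_address)
                lines.append(f"add {self.name} {entry}" + (" nomatch" if nomatch else ""))
        return lines


def build_sample_blocklist():
    """Constructed sample: drop all of 10.0.0.0/8 except the 10.1.2.0/24
    management network, but still drop the single host 10.1.2.99 inside it."""
    s = HashNetModel("blocklist")
    s.add("10.0.0.0/8")
    s.add("10.1.2.0/24", nomatch=True)
    s.add("10.1.2.99")
    return s


if __name__ == "__main__":
    bl = build_sample_blocklist()
    for ip in ("10.5.5.5", "10.1.2.7", "10.1.2.99", "192.168.1.1"):
        print(ip, bl.lookup(ip))
    print("\n".join(bl.restore_session()))
```

           Feeding the emitted session to ipset restore and running ipset test on
           the same addresses should give the same answers as the model.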
    
       hash:ip,port
           The hash:ip,port set type uses a hash to store IP address and port num-
           ber pairs.  The port number is interpreted  together  with  a  protocol
           (default TCP) and zero protocol number cannot be used.
    
           CREATE-OPTIONS  :=  [  family { inet | inet6 } ] | [ hashsize value ] [
           maxelem value ] [ timeout value ]
    
           ADD-ENTRY := ipaddr,[proto:]port
    
           ADD-OPTIONS := [ timeout value ]
    
           DEL-ENTRY := ipaddr,[proto:]port
    
           TEST-ENTRY := ipaddr,[proto:]port
    
           Optional create options:
    
           family { inet | inet6 }
                  The protocol family of the IP addresses to be stored in the set.
                  The default is inet, i.e. IPv4.

           hashsize value
                  The initial hash size for the set; the default is 1024. The hash
                  size must be a power of two; the kernel automatically rounds up
                  non-power-of-two hash sizes to the first correct value.

           maxelem value
                  The maximal number of elements which can be stored in the set;
                  the default is 65536.
    
           For the inet family one can add or delete multiple entries by  specify-
           ing  a  range  or a network of IPv4 addresses in the IP address part of
           the entry:
    
           ipaddr := { ip | fromaddr-toaddr | ip/cidr }
    
           The [proto:]port part of the elements may be expressed in the following
           forms,  where  the  range  variations are valid when adding or deleting
           entries:
    
           portname[-portname]
                  TCP port or range of ports expressed in TCP portname identifiers
                  from /etc/services
    
           portnumber[-portnumber]
                  TCP port or range of ports expressed in TCP port numbers
    
           tcp|sctp|udp|udplite:portname|portnumber[-portname|portnumber]
                  TCP,  SCTP,  UDP or UDPLITE port or port range expressed in port
                  name(s) or port number(s)
    
    
           Examples:
    
                  ipset create foo hash:ip,port
    
                  ipset add foo 192.168.1.0/24,80-82
    
                  ipset add foo 192.168.1.1,udp:53
    
                  ipset add foo 192.168.1.1,vrrp:0
    
                  ipset test foo 192.168.1.1,80
    
       hash:net,port
           The hash:net,port set type uses a hash to store different sized IP net-
           work  address  and  port pairs. The port number is interpreted together
           with a protocol (default TCP) and zero protocol number cannot be  used.
           Network address with zero prefix size is not accepted either.
    
           CREATE-OPTIONS  :=  [  family { inet | inet6 } ] | [ hashsize value ] [
           maxelem value ] [ timeout value ]
    
           ADD-ENTRY := netaddr,[proto:]port
    
           ADD-OPTIONS := [ timeout value ]  [ nomatch ]
    
           DEL-ENTRY := netaddr,[proto:]port
    
           TEST-ENTRY := netaddr,[proto:]port
    
           where netaddr := ip[/cidr]
    
           Optional create options:
    
           family { inet | inet6 }
                  The protocol family of the IP addresses to be stored in the set.
                  The default is inet, i.e. IPv4.

           hashsize value
                  The initial hash size for the set; the default is 1024. The hash
                  size must be a power of two; the kernel automatically rounds up
                  non-power-of-two hash sizes to the first correct value.

           maxelem value
                  The maximal number of elements which can be stored in the set;
                  the default is 65536.
    
           For the netaddr part  of  the  elements  see  the  description  at  the
           hash:net  set  type.  For the [proto:]port part of the elements see the
           description at the hash:ip,port set type.
    
           When adding/deleting/testing entries, if the cidr prefix  parameter  is
    
           The lookup time grows linearly with the number of the different  prefix
           values added to the set.
    
           Examples:
    
                  ipset create foo hash:net,port
    
                  ipset add foo 192.168.0/24,25
    
                  ipset add foo 10.1.0.0/16,80
    
                  ipset test foo 192.168.0/24,25
    
       hash:ip,port,ip
           The hash:ip,port,ip set type uses a hash to store IP address, port num-
           ber and a second IP address triples. The  port  number  is  interpreted
           together  with a protocol (default TCP) and zero protocol number cannot
           be used.
    
           CREATE-OPTIONS := [ family { inet | inet6 } ] | [ hashsize  value  ]  [
           maxelem value ] [ timeout value ]
    
           ADD-ENTRY := ipaddr,[proto:]port,ip
    
           ADD-OPTIONS := [ timeout value ]
    
           DEL-ENTRY := ipaddr,[proto:]port,ip
    
           TEST-ENTRY := ipaddr,[proto:]port,ip
    
           For  the  first  ipaddr  and [proto:]port parts of the elements see the
           descriptions at the hash:ip,port set type.
    
           Optional create options:
    
           family { inet | inet6 }
                  The protocol family of the IP addresses to be stored in the set.
                  The default is inet, i.e. IPv4.

           hashsize value
                  The initial hash size for the set; the default is 1024. The hash
                  size must be a power of two; the kernel automatically rounds up
                  non-power-of-two hash sizes to the first correct value.

           maxelem value
                  The maximal number of elements which can be stored in the set;
                  the default is 65536.
    
           The hash:ip,port,ip type of sets require three  src/dst  parameters  of
           the set match and SET target kernel modules.
    
       hash:ip,port,net
           CREATE-OPTIONS := [ family { inet | inet6 } ] | [ hashsize value ] [
           maxelem value ] [ timeout value ]
    
           ADD-ENTRY := ipaddr,[proto:]port,netaddr
    
           ADD-OPTIONS := [ timeout value ]  [ nomatch ]
    
           DEL-ENTRY := ipaddr,[proto:]port,netaddr
    
           TEST-ENTRY := ipaddr,[proto:]port,netaddr
    
           where netaddr := ip[/cidr]
    
           For the ipaddr and [proto:]port parts of the elements see the  descrip-
           tions  at  the  hash:ip,port set type. For the netaddr part of the ele-
           ments see the description at the hash:net set type.
    
           Optional create options:
    
           family { inet | inet6 }
                  The protocol family of the IP addresses to be stored in the set.
                  The default is inet, i.e. IPv4.

           hashsize value
                  The initial hash size for the set; the default is 1024. The hash
                  size must be a power of two; the kernel automatically rounds up
                  non-power-of-two hash sizes to the first correct value.

           maxelem value
                  The maximal number of elements which can be stored in the set;
                  the default is 65536.
    
           From the set netfilter match point of view, the search for a match
           always starts from the smallest size of netblock (most specific
           cidr) and proceeds to the largest one (least specific cidr) added to
           the set. When adding/deleting triples to the set by the SET netfilter
           target, they will be added/deleted by the most specific cidr which can
           be found in the set, or by the host cidr value if the set is empty.
    
           The  lookup  time  grows linearly with the number of the different cidr
           values added to the set.
    
           The hash:ip,port,net type of sets require three src/dst  parameters  of
           the set match and SET target kernel modules.
    
           Examples:
    
                  ipset create foo hash:ip,port,net
    
                  ipset add foo 192.168.1,80,10.0.0/24
    
                  ipset add foo 192.168.2,25,10.1.0.0/16
    
       hash:net,iface
           DEL-ENTRY := netaddr,[physdev:]iface
    
           TEST-ENTRY := netaddr,[physdev:]iface
    
           where netaddr := ip[/cidr]
    
           Optional create options:
    
           family { inet | inet6 }
                  The protocol family of the IP addresses to be stored in the set.
                  The default is inet, i.e. IPv4.

           hashsize value
                  The initial hash size for the set; the default is 1024. The hash
                  size must be a power of two; the kernel automatically rounds up
                  non-power-of-two hash sizes to the first correct value.

           maxelem value
                  The maximal number of elements which can be stored in the set;
                  the default is 65536.
    
           For the netaddr part  of  the  elements  see  the  description  at  the
           hash:net set type.
    
           When  adding/deleting/testing  entries, if the cidr prefix parameter is
           not  specified,  then  the  host  prefix   value   is   assumed.   When
           adding/deleting  entries,  the exact element is added/deleted and over-
           lapping elements are not checked by the kernel.  When testing  entries,
           if  a  host  address is tested, then the kernel tries to match the host
           address in the networks added to the set and reports the result accord-
           ingly.
    
           From the set netfilter match point of view, the search for a match
           always starts from the smallest size of netblock (most specific
           prefix) and proceeds to the largest one (least specific prefix) added
           to the set. When adding/deleting IP addresses to the set by the SET
           netfilter target, they will be added/deleted by the most specific
           prefix which can be found in the set, or by the host prefix value if
           the set is empty.
    
           The second direction parameter of the set match and SET target modules
           corresponds to the incoming/outgoing interface: src to the incoming,
           dst to the outgoing. When the interface is flagged with physdev:, the
           interface is interpreted as the incoming/outgoing bridge port.
    
           The lookup time grows linearly with the number of the different  prefix
           values added to the set.
    
           The internal restriction of the hash:net,iface set type is that the
           same network prefix cannot be stored with more than 64 different
           interfaces in a single set.

       list:set
           CREATE-OPTIONS := [ size value ] [ timeout value ]
    
           ADD-ENTRY := setname [ { before | after } setname ]
    
           ADD-OPTIONS := [ timeout value ]
    
           DEL-ENTRY := setname [ { before | after } setname ]
    
           TEST-ENTRY := setname [ { before | after } setname ]
    
           Optional create options:
    
           size value
                  The size of the list, the default is 8.
    
           By the ipset command you can add, delete and test set names in a
           list:set type of set.
    
           By the set match or SET target of netfilter you can test, add or delete
           entries in the sets added to the list:set type of set. The  match  will
           try to find a matching entry in the sets and the target will try to add
           an entry to the first set to which it can  be  added.   The  number  of
           direction  options  of  the  match and target are important: sets which
           require more parameters than specified are  skipped,  while  sets  with
           equal or less parameters are checked, elements added/deleted. For exam-
           ple if a and b are list:set type of sets then in the command
    
                  iptables -m set --match-set a src,dst -j SET --add-set b src,dst
    
           the  match  and  target  will skip any set in a and b which stores data
           triples, but will match all sets with single or double data storage  in
           a set and stop matching at the first successful set, and add src to the
           first single or src,dst to the first double data storage set  in  b  to
           which the entry can be added. You can imagine a list:set type of set as
           an ordered union of the set elements.
    
           Please note: by the ipset command you can add, delete and test the set
           names in a list:set type of set, and not the presence of a set's member
           (such as an IP address).
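           As an added example (not from this man page), the following Python
           model reproduces how the set match and SET target walk a list:set whose
           member sets have different dimensions, following the rule above: a set
           needing more direction parameters than the rule supplies is skipped,
           and a set with equal or fewer parameters is checked with the leading
           ones. The set names, addresses and ports are constructed sample data.

```python
class MemberSet:
    """A hash set of a given dimension; entries are tuples of that length
    (dimension 1 stands for hash:ip, 2 for hash:ip,port, 3 for hash:ip,port,ip)."""

    def __init__(self, name, dimension):
        self.name = name
        self.dimension = dimension
        self.entries = set()

    def has(self, params):
        # Only the leading `dimension` parameters of the rule are used.
        return tuple(params[: self.dimension]) in self.entries

    def add(self, params):
        self.entries.add(tuple(params[: self.dimension]))


class ListSet:
    """list:set: an ordered union of other sets, at most `size` of them."""

    def __init__(self, name, size=8):
        self.name = name
        self.size = size
        self.members = []

    def add_set(self, member, before=None):
        """ipset add LIST setname [ before setname ]"""
        if len(self.members) >= self.size:
            raise ValueError(f"list:set {self.name} is full (size {self.size})")
        if before is None:
            self.members.append(member)
        else:
            idx = [m.name for m in self.members].index(before)
            self.members.insert(idx, member)

    def match(self, params):
        """-m set --match-set LIST <dirs>: the name of the first member set that
        matches, or None. Sets needing more parameters than given are skipped."""
        for m in self.members:
            if m.dimension > len(params):
                continue
            if m.has(params):
                return m.name
        return None

    def add_entry(self, params):
        """-j SET --add-set LIST <dirs>: add to the first set that can take the
        entry and return its name, or None if every member set was skipped."""
        for m in self.members:
            if m.dimension > len(params):
                continue
            m.add(params)
            return m.name
        return None


def build_sample():
    """Constructed: the triple set comes first, so a src,dst rule must skip it."""
    a = ListSet("a")
    a.add_set(MemberSet("triples", 3))   # like hash:ip,port,ip
    a.add_set(MemberSet("pairs", 2))     # like hash:ip,port
    a.add_set(MemberSet("singles", 1))   # like hash:ip
    return a


if __name__ == "__main__":
    a = build_sample()
    rule = ("10.0.0.1", 80)               # src,dst parameters of the rule
    print("match before add:", a.match(rule))
    print("added to:", a.add_entry(rule))
    print("match after add:", a.match(rule))
```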
    
    
    

    GENERAL RESTRICTIONS

           Zero valued set entries cannot be used with hash methods. Zero protocol
           value with ports cannot be used.
    
    
    

    COMMENTS

           If  you  want  to store same size subnets from a given network (say /24
           blocks from a /8 network), use the bitmap:ip set type.  If you want  to
           store  random  same  size  networks  (say  random  /24 blocks), use the
           hash:ip set type. If  you  have  got  random  size  of  netblocks,  use
           hash:net.
    
           Backward compatibility is maintained and old ipset syntax is still sup-
    
    
    

    AUTHORS

           Jozsef Kadlecsik wrote ipset, which is based on ippool by Joakim
           Axelsson, Patrick Schaaf and Martin Josefsson.
           Sven Wegener wrote the iptreemap type.
    
    
    

    LAST REMARK

           I stand on the shoulders of giants.
    
    
    

    Jozsef Kadlecsik Oct 15, 2010 IPSET(8)

    
    