IPSET(8)                                                              IPSET(8)



NAME
       ipset -- administration tool for IP sets

SYNOPSIS
       ipset [ OPTIONS ] COMMAND [ COMMAND-OPTIONS ]

       COMMANDS := { create | add | del | test | destroy | list | save | restore | flush | rename | swap | help |
       version | - }

       OPTIONS := { -exist | -output { plain | save | xml } | -quiet | -resolve | -sorted | -name | -terse }

       ipset create SETNAME TYPENAME [ CREATE-OPTIONS ]

       ipset add SETNAME ADD-ENTRY [ ADD-OPTIONS ]

       ipset del SETNAME DEL-ENTRY [ DEL-OPTIONS ]

       ipset test SETNAME TEST-ENTRY [ TEST-OPTIONS ]

       ipset destroy [ SETNAME ]

       ipset list [ SETNAME ]

       ipset save [ SETNAME ]

       ipset restore

       ipset flush [ SETNAME ]

       ipset rename SETNAME-FROM SETNAME-TO

       ipset swap SETNAME-FROM SETNAME-TO

       ipset help [ TYPENAME ]

       ipset version

       ipset -

DESCRIPTION
       ipset is used to set up, maintain and inspect so-called IP sets in the Linux kernel. Depending on the type of
       the set, an IP set may store IP(v4/v6) addresses, (TCP/UDP) port numbers, IP and MAC address pairs, IP address
       and port number pairs, etc. See the set type definitions below.

       Iptables matches and targets referring to sets create references, which protect the given sets in the kernel. A
       set cannot be destroyed while even a single reference points to it.

OPTIONS
       The options that are recognized by ipset can be divided into several different groups.

   COMMANDS
       These options specify the desired action to perform. Only one of them can be specified on the command line
       unless otherwise specified below. For all the long versions of the command names, you need to use only enough
       letters to ensure that ipset can differentiate them from all other commands. The ipset parser follows the order
       here when looking for the shortest match in the long command names.

       n, create SETNAME TYPENAME [ CREATE-OPTIONS ]
              Create a set identified by SETNAME with the specified type. The type may require type specific options.
              If the -exist option is specified, ipset ignores the error otherwise raised when the same set (setname
              and create parameters are identical) already exists.

       add SETNAME ADD-ENTRY [ ADD-OPTIONS ]
              Add a given entry to the set. If the -exist option is specified, ipset ignores the error otherwise
              raised when the entry has already been added to the set.

       del SETNAME DEL-ENTRY [ DEL-OPTIONS ]
              Delete an entry from a set. If the -exist option is specified, ipset ignores the error otherwise raised
              when the entry was not added to (or has already expired from) the set.

       test SETNAME TEST-ENTRY [ TEST-OPTIONS ]
              Test whether an entry is in a set or not. The exit status is zero if the tested entry is in the set
              and nonzero if it is missing from the set.

       x, destroy [ SETNAME ]
              Destroy the specified set or all the sets if none is given.

              If the set has references, nothing is done and no set is destroyed.

       list [ SETNAME ] [ OPTIONS ]
              List  the  header  data  and  the  entries  for the specified set, or for all sets if none is given. The
              -resolve option can be used to force name lookups (which may be slow). When the -sorted option is given,
              the  entries are listed sorted (if the given set type supports the operation). The option -output can be
              used to control the format of the listing: plain, save or xml.  (The default is plain.)  If  the  option
              -name  is  specified, just the names of the existing sets are listed. If the option -terse is specified,
              just the set names and headers are listed.

       save [ SETNAME ]
              Save the given set, or all sets if none is given to stdout in a format that restore can read.

       restore
              Restore a saved session generated by save.  The saved session can be fed from stdin.

       flush [ SETNAME ]
              Flush all entries from the specified set or flush all sets if none is given.

       e, rename SETNAME-FROM SETNAME-TO
              Rename a set. Set identified by SETNAME-TO must not exist.

       w, swap SETNAME-FROM SETNAME-TO
              Swap the content of two sets, or in other words, exchange the names of two sets. The referred sets must
              exist and only sets of identical type can be swapped.

       help [ TYPENAME ]
              Print help and set type specific help if TYPENAME is specified.

       version
              Print program version.

       -      If a dash is specified as command, then ipset enters a simple interactive mode and the commands are read
              from the standard input.  The interactive mode can be finished by entering the pseudo-command quit.

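       The swap, save and restore commands above combine into the usual way to refresh a set that an iptables rule
       references without leaving it empty in between. The script below is an added example written for this page,
       not part of ipset or its man page: it assumes a hash:net set named blocklist, a staging set named
       blocklist-new, a constructed feed of networks, and that ipset restore accepts the same command lines as the
       command line interface; it only invokes ipset when the binary is installed (root is needed then).

```python
import ipaddress
import shutil
import subprocess

# Constructed example, not from the ipset project: refresh a blocklist
# without a window in which the live set is empty. The new entries are loaded
# into a staging set of the same type with "ipset restore", "ipset swap"
# exchanges the two sets atomically, and the staging set (which now holds the
# old entries and no longer has any reference) is destroyed.

LIVE_SET = "blocklist"          # assumed name referenced by an iptables rule
STAGING_SET = "blocklist-new"   # assumed name; same type, swapped into place
SET_TYPE = "hash:net"
CREATE_OPTS = "family inet hashsize 1024 maxelem 65536"

# constructed feed: one network per line, '#' starts a comment
SAMPLE_FEED = """
# example feed (constructed for this page)
203.0.113.0/24
198.51.100.7
203.0.113.0/24      # duplicate on purpose, dropped by parse_feed
not-an-address      # junk on purpose, dropped by parse_feed
192.0.2.0/25
"""


def parse_feed(text):
    """Return the unique IPv4 networks in the feed, in feed order."""
    networks = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.IPv4Network(line, strict=False)
        except ValueError:
            continue            # not a network: skip rather than abort
        if net.prefixlen == 0:
            continue            # zero prefix size cannot be stored in hash:net
        if net not in networks:
            networks.append(net)
    return networks


def build_restore_session(networks):
    """Text fed to `ipset -exist restore`: create both sets (ignored with
    -exist when they already exist), empty the staging set in case an
    earlier run died, then add every entry to the staging set."""
    lines = [
        "create %s %s %s" % (STAGING_SET, SET_TYPE, CREATE_OPTS),
        "flush %s" % STAGING_SET,
        "create %s %s %s" % (LIVE_SET, SET_TYPE, CREATE_OPTS),
    ]
    lines += ["add %s %s" % (STAGING_SET, net.with_prefixlen) for net in networks]
    return "\n".join(lines) + "\n"


def refresh_commands():
    """The three ipset invocations, in order, that make the refresh atomic."""
    return [
        ["ipset", "-exist", "restore"],             # session arrives on stdin
        ["ipset", "swap", STAGING_SET, LIVE_SET],   # atomic exchange of contents
        ["ipset", "destroy", STAGING_SET],          # old entries go away
    ]


def refresh(feed_text, run=subprocess.run):
    """Build the session and apply it. Returns the session text; ipset is
    only invoked when the binary is installed (root is required then)."""
    session = build_restore_session(parse_feed(feed_text))
    if shutil.which("ipset") is None:
        return session
    restore, swap, destroy = refresh_commands()
    run(restore, input=session.encode(), check=True)
    run(swap, check=True)
    run(destroy, check=True)
    return session


if __name__ == "__main__":
    print(refresh(SAMPLE_FEED), end="")
```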

   OTHER OPTIONS
       The following additional options can be specified. The long option names cannot be abbreviated.

       -!, -exist
              Ignore errors when exactly the same set is to be created, an already added entry is added, or a missing
              entry is deleted.

       -o, -output { plain | save | xml }
              Select the output format for the list command.

       -q, -quiet
              Suppress any output to stdout and stderr.  ipset will still exit with error if it cannot continue.

       -r, -resolve
              When listing sets, force name lookups. The program will try to display the IP entries resolved to host
              names, which requires slow DNS lookups.

       -s, -sorted
              Sorted output. When listing sets, entries are listed sorted. Not supported yet.

       -n, -name
              List just the names of the existing sets, i.e. suppress listing of set headers and members.

       -t, -terse
              List the set names and headers, i.e. suppress listing of set members.


SET TYPES
       A set type comprises the storage method by which the data is stored and the data type(s) which are stored in
       the set. Therefore the TYPENAME parameter of the create command follows the syntax

       TYPENAME := method:datatype[,datatype[,datatype]]

       where the current methods are bitmap, hash, and list and the possible data types are ip, net, mac, port and
       iface. The dimension of a set is equal to the number of data types in its type name.

       When adding, deleting or testing entries in a set, the same comma separated data syntax must be used for the
       entry parameter of the commands, i.e.

       ipset add foo ipaddr,portnum,ipaddr

       The bitmap and list types use a fixed sized storage. The hash types use a hash to store the elements. In order
       to avoid clashes in the hash, a limited number of chaining, and if that is exhausted, the doubling of the hash
       size is performed when adding entries by the ipset command. When entries are added by the SET target of
       iptables/ip6tables, then the hash size is fixed and is not doubled, even if the new entry cannot be added to
       the set.

       All set types support the optional

       timeout value

       parameter when creating a set and adding entries. The value of the timeout parameter for the create command
       is the default timeout value (in seconds) for new entries. If a set is created with timeout support, then
       the same timeout option can be used to specify non-default timeout values when adding entries. A zero timeout
       value means the entry is added to the set permanently. The timeout value of already added elements can be
       changed by re-adding the element using the -exist option.

       The hash set types which can store net type of data (i.e. hash:*net*) support the optional

       nomatch

       option when adding entries. When matching elements in the set, entries marked as nomatch are skipped as if
       they were not added to the set, which makes it possible to build up sets with exceptions. See the example at
       the hash:net set type below.

       If host names or service names with a dash in the name are used instead of IP addresses or service numbers,
       then the host name or service name must be enclosed in square brackets. Example:


              ipset add foo [test-hostname],[ftp-data]

   bitmap:ip
       The bitmap:ip set type uses a memory range to store either IPv4 host (default) or  IPv4  network  addresses.  A
       bitmap:ip type of set can store up to 65536 entries.

       CREATE-OPTIONS := range fromip-toip|ip/cidr [ netmask cidr ] [ timeout value ]

       ADD-ENTRY := { ip | fromip-toip | ip/cidr }

       ADD-OPTIONS := [ timeout value ]

       DEL-ENTRY := { ip | fromip-toip | ip/cidr }

       TEST-ENTRY := ip

       Mandatory create options:

       range fromip-toip|ip/cidr
              Create the set from the specified inclusive address range expressed in an IPv4 address range or network.
              The size of the range (in entries) cannot exceed the limit of maximum 65536 elements.

       Optional create options:

       netmask cidr
              When the optional netmask parameter is specified, network addresses will be stored in the set instead
              of IP host addresses. The cidr prefix value must be between 1-32. An IP address will be in the set if
              the network address, which results from masking the address with the netmask calculated from the
              specified prefix, can be found in the set.

       The bitmap:ip type supports adding or deleting multiple entries in one command.

       Examples:

              ipset create foo bitmap:ip range 192.168.0.0/16

              ipset add foo 192.168.1/24

              ipset test foo 192.168.1.1

   bitmap:ip,mac
       The bitmap:ip,mac set type uses a memory range to store IPv4 address and MAC address pairs. A bitmap:ip,mac
       type of set can store up to 65536 entries.

       CREATE-OPTIONS := range fromip-toip|ip/cidr [ timeout value ]

       ADD-ENTRY := ip[,macaddr]

       ADD-OPTIONS := [ timeout value ]

       DEL-ENTRY := ip[,macaddr]

       TEST-ENTRY := ip[,macaddr]

       Mandatory options to use when creating a bitmap:ip,mac type of set:

       range fromip-toip|ip/cidr
              Create the set from the specified inclusive address range expressed in an IPv4 address range or network.
              The size of the range cannot exceed the limit of maximum 65536 entries.

       The bitmap:ip,mac type is exceptional in the sense that the MAC part can be left out when adding, deleting or
       testing entries in the set. If we add an entry without the MAC address specified, then the first time the
       entry is matched by the kernel, it will automatically fill out the missing MAC address with the source MAC
       address from the packet. If the entry was specified with a timeout value, the timer starts when the IP and
       MAC address pair is complete.

       The bitmap:ip,mac type of sets require two src/dst parameters of the set match and SET target netfilter kernel
       modules, and the second one must be src to match, add or delete entries, because the set match and SET target
       have access to the source MAC address only.

       Examples:

              ipset create foo bitmap:ip,mac range 192.168.0.0/16

              ipset add foo 192.168.1.1,12:34:56:78:9A:BC

              ipset test foo 192.168.1.1

   bitmap:port
       The  bitmap:port set type uses a memory range to store port numbers and such a set can store up to 65536 ports.

       CREATE-OPTIONS := range fromport-toport [ timeout value ]

       ADD-ENTRY := { port | fromport-toport }

       ADD-OPTIONS := [ timeout value ]

       DEL-ENTRY := { port | fromport-toport }

       TEST-ENTRY := port

       Mandatory options to use when creating a bitmap:port type of set:

       range fromport-toport
              Create the set from the specified inclusive port range.

       The set match and SET target netfilter kernel modules interpret the stored numbers as TCP or UDP port  numbers.

       Examples:

              ipset create foo bitmap:port range 0-1024

              ipset add foo 80

              ipset test foo 80

   hash:ip
       The hash:ip set type uses a hash to store IP host addresses (default) or network addresses. A zero valued IP
       address cannot be stored in a hash:ip type of set.

       CREATE-OPTIONS := [ family { inet | inet6 } ] | [ hashsize value ] [ maxelem value ] [ netmask cidr ] [ timeout
       value ]

       ADD-ENTRY := ipaddr

       ADD-OPTIONS := [ timeout value ]

       DEL-ENTRY := ipaddr

       TEST-ENTRY := ipaddr

       Optional create options:

       family { inet | inet6 }
              The protocol family of the IP addresses to be stored in the set. The default is inet, i.e. IPv4.

       hashsize value
              The initial hash size for the set, default is 1024. The hash size must be a power of two; the kernel
              automatically rounds up non power of two hash sizes to the first correct value.

       maxelem value
              The maximal number of elements which can be stored in the set, default 65536.

       netmask cidr
              When the optional netmask parameter is specified, network addresses will be stored in the set instead
              of IP host addresses. The cidr prefix value must be between 1-32 for IPv4 and between 1-128 for IPv6.
              An IP address will be in the set if the network address, which results from masking the address with
              the netmask calculated from the prefix, can be found in the set.

       For the inet family one can add or delete multiple entries by specifying a range or a network:

       ipaddr := { ip | fromaddr-toaddr | ip/cidr }

       Examples:

              ipset create foo hash:ip netmask 30

              ipset add foo 192.168.1.0/24

              ipset test foo 192.168.1.2

   hash:net
       The hash:net set type uses a hash to store different sized IP network addresses. A network address with zero
       prefix size cannot be stored in this type of set.

       CREATE-OPTIONS := [ family { inet | inet6 } ] | [ hashsize value ] [ maxelem value ] [ timeout value ]

       ADD-ENTRY := netaddr

       ADD-OPTIONS := [ timeout value ] [ nomatch ]

       DEL-ENTRY := netaddr

       TEST-ENTRY := netaddr

       where netaddr := ip[/cidr]

       Optional create options:

       family { inet | inet6 }
              The protocol family of the IP addresses to be stored in the set. The default is inet, i.e. IPv4.

       hashsize value
              The initial hash size for the set, default is 1024. The hash size must be a power of two; the kernel
              automatically rounds up non power of two hash sizes to the first correct value.

       maxelem value
              The maximal number of elements which can be stored in the set, default 65536.

       For the inet family one can add or delete multiple entries by specifying a range, which is converted internally
       to network(s) equal to the range:

       netaddr := { ip[/cidr] | fromaddr-toaddr }

       When adding/deleting/testing entries, if the cidr prefix parameter is not specified, then the host prefix value
       is  assumed.  When adding/deleting entries, the exact element is added/deleted and overlapping elements are not
       checked by the kernel.  When testing entries, if a host address is tested, then the kernel tries to  match  the
       host address in the networks added to the set and reports the result accordingly.

       From the set netfilter match point of view the search for a match always starts from the smallest size of
       netblock (most specific prefix) to the largest one (least specific prefix) added to the set. When
       adding/deleting IP addresses to the set by the SET netfilter target, it will be added/deleted by the most
       specific prefix which can be found in the set, or by the host prefix value if the set is empty.

       The lookup time grows linearly with the number of the different prefix values added to the set.

       Example:

              ipset create foo hash:net

              ipset add foo 192.168.0.0/24

              ipset add foo 10.1.0.0/16

              ipset add foo 192.168.0/24

              ipset add foo 192.168.0/30 nomatch

       When matching the elements in the set above, all IP addresses will  match  from  the  networks  192.168.0.0/24,
       10.1.0.0/16 and 192.168.0/24 except 192.168.0/30.

   hash:ip,port
       The hash:ip,port set type uses a hash to store IP address and port number pairs. The port number is
       interpreted together with a protocol (default TCP) and zero protocol number cannot be used.

       CREATE-OPTIONS := [ family { inet | inet6 } ] | [ hashsize value ] [ maxelem value ] [ timeout value ]

       ADD-ENTRY := ipaddr,[proto:]port

       ADD-OPTIONS := [ timeout value ]

       DEL-ENTRY := ipaddr,[proto:]port

       TEST-ENTRY := ipaddr,[proto:]port

       Optional create options:

       family { inet | inet6 }
              The protocol family of the IP addresses to be stored in the set. The default is inet, i.e. IPv4.

       hashsize value
              The initial hash size for the set, default is 1024. The hash size must be a power of two; the kernel
              automatically rounds up non power of two hash sizes to the first correct value.

       maxelem value
              The maximal number of elements which can be stored in the set, default 65536.

       For the inet family one can add or delete multiple entries by specifying a range or a network of IPv4 addresses
       in the IP address part of the entry:

       ipaddr := { ip | fromaddr-toaddr | ip/cidr }

       The [proto:]port part of the elements may be expressed in the following forms, where the range  variations  are
       valid when adding or deleting entries:

       portname[-portname]
              TCP port or range of ports expressed in TCP portname identifiers from /etc/services.

       portnumber[-portnumber]
              TCP port or range of ports expressed in TCP port numbers.

       tcp|sctp|udp|udplite:portname|portnumber[-portname|portnumber]
              TCP, SCTP, UDP or UDPLITE port or port range expressed in port name(s) or port number(s)

       icmp:codename|type/code
              ICMP  codename  or  type/code.  The supported ICMP codename identifiers can always be listed by the help
              command.

       icmpv6:codename|type/code
              ICMPv6 codename or type/code. The supported ICMPv6 codename identifiers can always be listed by the help
              command.

       proto:0
              All  other  protocols,  as  an  identifier from /etc/protocols or number. The pseudo port number must be
              zero.

       The hash:ip,port type of sets require two src/dst parameters of the set match and SET target kernel modules.

       Examples:

              ipset create foo hash:ip,port

              ipset add foo 192.168.1.0/24,80-82

              ipset add foo 192.168.1.1,udp:53

              ipset add foo 192.168.1.1,vrrp:0

              ipset test foo 192.168.1.1,80

   hash:net,port
       The hash:net,port set type uses a hash to store different sized IP network address and port pairs. The port
       number is interpreted together with a protocol (default TCP) and zero protocol number cannot be used. A
       network address with zero prefix size is not accepted either.

       CREATE-OPTIONS := [ family { inet | inet6 } ] | [ hashsize value ] [ maxelem value ] [ timeout value ]

       ADD-ENTRY := netaddr,[proto:]port

       ADD-OPTIONS := [ timeout value ]  [ nomatch ]

       DEL-ENTRY := netaddr,[proto:]port

       TEST-ENTRY := netaddr,[proto:]port

       where netaddr := ip[/cidr]

       Optional create options:

       family { inet | inet6 }
              The protocol family of the IP addresses to be stored in the set. The default is inet, i.e. IPv4.

       hashsize value
              The initial hash size for the set, default is 1024. The hash size must be a power of two; the kernel
              automatically rounds up non power of two hash sizes to the first correct value.

       maxelem value
              The maximal number of elements which can be stored in the set, default 65536.

       For the netaddr part of the elements see the description at the hash:net set type. For the [proto:]port part of
       the elements see the description at the hash:ip,port set type.

       When adding/deleting/testing entries, if the cidr prefix parameter is not specified, then the host prefix value
       is  assumed.  When adding/deleting entries, the exact element is added/deleted and overlapping elements are not
       checked by the kernel.  When testing entries, if a host address is tested, then the kernel tries to  match  the
       host address in the networks added to the set and reports the result accordingly.

       From the set netfilter match point of view the search for a match always starts from the smallest size of
       netblock (most specific prefix) to the largest one (least specific prefix) added to the set. When
       adding/deleting IP addresses to the set by the SET netfilter target, it will be added/deleted by the most
       specific prefix which can be found in the set, or by the host prefix value if the set is empty.

       The lookup time grows linearly with the number of the different prefix values added to the set.

       Examples:

              ipset create foo hash:net,port

              ipset add foo 192.168.0/24,25

              ipset add foo 10.1.0.0/16,80

              ipset test foo 192.168.0/24,25

   hash:ip,port,ip
       The hash:ip,port,ip set type uses a hash to store IP address, port number and second IP address triples. The
       port number is interpreted together with a protocol (default TCP) and zero protocol number cannot be used.

       CREATE-OPTIONS := [ family { inet | inet6 } ] | [ hashsize value ] [ maxelem value ] [ timeout value ]

       ADD-ENTRY := ipaddr,[proto:]port,ip

       ADD-OPTIONS := [ timeout value ]

       DEL-ENTRY := ipaddr,[proto:]port,ip

       TEST-ENTRY := ipaddr,[proto:]port,ip

       For  the first ipaddr and [proto:]port parts of the elements see the descriptions at the hash:ip,port set type.

       Optional create options:

       family { inet | inet6 }
              The protocol family of the IP addresses to be stored in the set. The default is inet, i.e. IPv4.

       hashsize value
              The initial hash size for the set, default is 1024. The hash size must be a power of two; the kernel
              automatically rounds up non power of two hash sizes to the first correct value.

       maxelem value
              The maximal number of elements which can be stored in the set, default 65536.

       The hash:ip,port,ip type of sets require three src/dst parameters of the set match and SET target kernel
       modules.

       Examples:

              ipset create foo hash:ip,port,ip

              ipset add foo 192.168.1.1,80,10.0.0.1

              ipset test foo 192.168.1.1,udp:53,10.0.0.1

   hash:ip,port,net
       The hash:ip,port,net set type uses a hash to store IP address, port number and IP network address triples. The
       port number is interpreted together with a protocol (default TCP) and zero protocol number cannot be used. A
       network address with zero prefix size cannot be stored either.

       CREATE-OPTIONS := [ family { inet | inet6 } ] | [ hashsize value ] [ maxelem value ] [ timeout value ]

       ADD-ENTRY := ipaddr,[proto:]port,netaddr

       ADD-OPTIONS := [ timeout value ]  [ nomatch ]

       DEL-ENTRY := ipaddr,[proto:]port,netaddr

       TEST-ENTRY := ipaddr,[proto:]port,netaddr

       where netaddr := ip[/cidr]

       For the ipaddr and [proto:]port parts of the elements see the descriptions at the hash:ip,port  set  type.  For
       the netaddr part of the elements see the description at the hash:net set type.

       Optional create options:

       family { inet | inet6 }
              The protocol family of the IP addresses to be stored in the set. The default is inet, i.e. IPv4.

       hashsize value
              The initial hash size for the set, default is 1024. The hash size must be a power of two; the kernel
              automatically rounds up non power of two hash sizes to the first correct value.

       maxelem value
              The maximal number of elements which can be stored in the set, default 65536.

       From the set netfilter match point of view the search for a match always starts from the smallest size of
       netblock (most specific cidr) to the largest one (least specific cidr) added to the set. When
       adding/deleting triples to the set by the SET netfilter target, it will be added/deleted by the most specific
       cidr which can be found in the set, or by the host cidr value if the set is empty.

       The lookup time grows linearly with the number of the different cidr values added to the set.

       The hash:ip,port,net type of sets require three src/dst parameters of the set match and SET target kernel
       modules.

       Examples:

              ipset create foo hash:ip,port,net

              ipset add foo 192.168.1,80,10.0.0/24

              ipset add foo 192.168.2,25,10.1.0.0/16

              ipset test foo 192.168.1,80,10.0.0/24

   hash:net,iface
       The hash:net,iface set type uses a hash to store different sized IP network address and interface name pairs.
       A network address with zero prefix size is not accepted.

       CREATE-OPTIONS := [ family { inet | inet6 } ] | [ hashsize value ] [ maxelem value ] [ timeout value ]

       ADD-ENTRY := netaddr,[physdev:]iface

       ADD-OPTIONS := [ timeout value ]  [ nomatch ]

       DEL-ENTRY := netaddr,[physdev:]iface

       TEST-ENTRY := netaddr,[physdev:]iface

       where netaddr := ip[/cidr]

       Optional create options:

       family { inet | inet6 }
              The protocol family of the IP addresses to be stored in the set. The default is inet, i.e. IPv4.

       hashsize value
              The initial hash size for the set, default is 1024. The hash size must be a power of two; the kernel
              automatically rounds up non power of two hash sizes to the first correct value.

       maxelem value
              The maximal number of elements which can be stored in the set, default 65536.

       For the netaddr part of the elements see the description at the hash:net set type.

       When adding/deleting/testing entries, if the cidr prefix parameter is not specified, then the host prefix value
       is  assumed.  When adding/deleting entries, the exact element is added/deleted and overlapping elements are not
       checked by the kernel.  When testing entries, if a host address is tested, then the kernel tries to  match  the
       host address in the networks added to the set and reports the result accordingly.

       From the set netfilter match point of view the search for a match always starts from the smallest size of
       netblock (most specific prefix) to the largest one (least specific prefix) added to the set. When
       adding/deleting IP addresses to the set by the SET netfilter target, it will be added/deleted by the most
       specific prefix which can be found in the set, or by the host prefix value if the set is empty.

       The second direction parameter of the set match and SET target modules corresponds to the incoming/outgoing
       interface: src to the incoming interface, dst to the outgoing one. When the interface is flagged with
       physdev:, the interface is interpreted as the incoming/outgoing bridge port.

       The lookup time grows linearly with the number of the different prefix values added to the set.

       The internal restriction of the hash:net,iface set type is that the same network prefix cannot be  stored  with
       more than 64 different interfaces in a single set.

       Examples:

              ipset create foo hash:net,iface

              ipset add foo 192.168.0/24,eth0

              ipset add foo 10.1.0.0/16,eth1

              ipset test foo 192.168.0/24,eth0

   list:set
       The list:set type uses a simple list in which you can store set names.

       CREATE-OPTIONS := [ size value ] [ timeout value ]

       ADD-ENTRY := setname [ { before | after } setname ]

       ADD-OPTIONS := [ timeout value ]

       DEL-ENTRY := setname [ { before | after } setname ]

       TEST-ENTRY := setname [ { before | after } setname ]

       Optional create options:

       size value
              The size of the list, the default is 8.

       By the ipset command you can add, delete and test set names in a list:set type of set.

       By the set match or SET target of netfilter you can test, add or delete entries in the sets added to the
       list:set type of set. The match will try to find a matching entry in the sets and the target will try to add an
       entry to the first set to which it can be added. The number of direction options of the match and target are
       important: sets which require more parameters than specified are skipped, while sets with equal or fewer
       parameters are checked and elements added/deleted. For example, if a and b are list:set type of sets, then in
       the command

              iptables -m set --match-set a src,dst -j SET --add-set b src,dst

       the match and target will skip any set in a and b which stores data triples, but will match all sets with
       single or double data storage in a set and stop matching at the first successful set, and add src to the first
       single or src,dst to the first double data storage set in b to which the entry can be added. You can imagine a
       list:set type of set as an ordered union of the set elements.

       Please note: by the ipset command you can add, delete and test the set names in a list:set type of set, and
       not the presence of a set's member (such as an IP address).

GENERAL RESTRICTIONS
       Zero valued set entries cannot be used with hash methods. Zero protocol value with ports cannot be used.

COMMENTS
       If you want to store same size subnets from a given network (say /24 blocks from a /8 network), use the
       bitmap:ip set type. If you want to store random same size networks (say random /24 blocks), use the hash:ip
       set type. If you have netblocks of random sizes, use hash:net.

       Backward compatibility is maintained and old ipset syntax is still supported.

       The  iptree  and  iptreemap  set  types  are  removed: if you refer to them, they are automatically replaced by
       hash:ip type of sets.

DIAGNOSTICS
       Various error messages are printed to standard error.  The exit code is 0 for correct functioning.

BUGS
       Bugs? No, just funny features. :-) OK, just kidding...

SEE ALSO
       iptables(8), ip6tables(8)

AUTHORS
       Jozsef Kadlecsik wrote ipset, which is based on ippool by Joakim Axelsson, Patrick Schaaf and Martin Josefsson.
       Sven Wegener wrote the iptreemap type.

LAST REMARK
       I stand on the shoulders of giants.



Jozsef Kadlecsik                 Oct 15, 2010                         IPSET(8)