ipset man page on Mandriva

Man page or keyword search:  
man Server   17060 pages
apropos Keyword Search (all sections)
Output format
Mandriva logo
[printable version]

IPSET(8)							      IPSET(8)

NAME
       ipset — administration tool for IP sets

SYNOPSIS
       ipset -N set type-specification [options...]

       ipset {-F|-H|-L|-S|-X} [set] [options...]

       ipset {-E|-W} from-set to-set

       ipset {-A|-D|-T} set entry

       ipset -R

       ipset {-V|-v}

DESCRIPTION
       ipset  is used to set up, maintain and inspect so called IP sets in the
       Linux kernel. Depending on the type, an IP set may store IP  addresses,
       (TCP/UDP) port numbers or additional informations besides IP addresses:
       the word IP means a general term here. See  the	set  type  definitions
       below.

       Iptables	 matches  and  targets	referring  to sets creates references,
       which protects the given sets in the kernel. A set  cannot  be  removed
       (destroyed) while there is a single reference pointing to it.

OPTIONS
       The  options  that  are recognized by ipset can be divided into several
       different groups.

   COMMANDS
       These options specify the specific action to perform.  Only one of them
       can  be specified on the command line unless otherwise specified below.
       For all the long versions of the command and option names, you need  to
       use  only enough letters to ensure that ipset can differentiate it from
       all other options.

       -N, --create setname type type-specific-options
	      Create a set identified with setname and specified type.	 Type-
	      specific options must be supplied.

       -X, --destroy [setname]
	      Destroy the specified set or all the sets if none is given.

	      If the set has got references, nothing is done.

       -F, --flush [setname]
	      Delete  all  entries from the specified set or flush all sets if
	      none is given.

       -E, --rename from-setname to-setname
	      Rename a set. Set identified by to-setname must not exist.

       -W, --swap from-setname to-setname
	      Swap the content of two sets, or in another words, exchange  the
	      name  of	two  sets.  The referred sets must exist and identical
	      type of sets can be swapped only.

       -L, --list [setname]
	      List the entries for the specified set, or for all sets if  none
	      is  given.  The  -r/--resolve  option  can be used to force name
	      lookups (which may be slow).  When  the  -s/--sorted  option  is
	      given, the entries are listed sorted (if the given set type sup‐
	      ports the operation).

       -S, --save [setname]
	      Save the given set, or all sets if none is given to stdout in  a
	      format that --restore can read.

       -R, --restore
	      Restore  a  saved session generated by --save. The saved session
	      can be fed from stdin.

	      When generating a session file please note  that	the  supported
	      commands	(create	 set  and add element) must appear in a strict
	      order: first create the set, then add all elements. Then	create
	      the  next	 set,  add  all	 its elements and so on. Also, it is a
	      restore operation, so the sets being restored must not exist.

       -A, --add setname entry
	      Add an entry to a set.

       -D, --del setname entry
	      Delete an entry from a set.

       -T, --test setname entry
	      Test wether an entry is in a set or not. Exit status  number  is
	      zero  if	the  tested  entry  is in the set and nonzero if it is
	      missing from the set.

       -H, --help [settype]
	      Print help and settype specific help if settype specified.

       -V, -v, --version
	      Print program version and protocol version.

   OTHER OPTIONS
       The following additional options can be specified:

       -r, --resolve
	      When listing sets, enforce name lookup. The program will try  to
	      display the IP entries resolved to host names or services (when‐
	      ever applicable), which can trigger slow DNS lookups.

       -s, --sorted
	      Sorted output. When listing sets, entries are listed sorted.

       -n, --numeric
	      Numeric output. When listing sets, IP addresses and port numbers
	      will be printed in numeric format. This is the default.

       -q, --quiet
	      Suppress	any  output  to	 stdout	 and  stderr. ipset will still
	      return possible errors.

SET TYPES
       ipset supports the following set types:

   ipmap
       The ipmap set type uses a memory range, where each bit  represents  one
       IP  address.  An	 ipmap	set can store up to 65536 (B-class network) IP
       addresses. The ipmap set type is very fast and memory cheap, great  for
       use  when  one  want  to	 match certain IPs in a range. If the optional
       --netmask parameter is specified with a CIDR netmask value between 1-31
       then  network  addresses are stored in the given set: i.e an IP address
       will be in the set if the network address, which is resulted by masking
       the address with the specified netmask, can be found in the set.

       Options to use when creating an ipmap set:

       --from from-addr

       --to to-addr
	      Create an ipmap set from the specified address range.

       --network addr/mask
	      Create an ipmap set from the specified network.

       --netmask prefixlen
	      When   the   optional  --netmask	parameter  specified,  network
	      addresses will be stored in the set instead of IP addresses, and
	      the from-addr parameter must be a network address. The prefixlen
	      value must be between 1-31.

       Example:

	      ipset -N test ipmap --network 192.168.0.0/16

   macipmap
       The macipmap set type uses a memory range, where each  8	 bytes	repre‐
       sents  one  IP and a MAC addresses. A macipmap set type can store up to
       65536 (B-class network) IP addresses with MAC.  When adding an entry to
       a  macipmap  set,  you  must  specify the entry as "address,mac".  When
       deleting or testing macipmap entries, the ",mac" part is not mandatory.

       Options to use when creating an macipmap set:

       --from from-addr

       --to to-addr
	      Create a macipmap set from the specified address range.

       --network addr/mask
	      Create a macipmap set from the specified network.

       --matchunset
	      When the optional --matchunset parameter specified, IP addresses
	      which  could  be	stored in the set but not set yet, will always
	      match.

       Please note, the "set" and "SET" netfilter kernel  modules  always  use
       the  source MAC address from the packet to match, add or delete entries
       from a macipmap type of set.

   portmap
       The portmap set type uses a memory range, where each bit represents one
       port.  A portmap set type can store up to 65536 ports.  The portmap set
       type is very fast and memory cheap.

       Options to use when creating an portmap set:

       --from from-port

       --to to-port
	      Create a portmap set from the specified port range.

   iphash
       The iphash set type uses a hash to store IP  addresses.	 In  order  to
       avoid clashes in the hash double-hashing, and as a last resort, dynamic
       growing of the hash performed. The iphash set type is  great  to	 store
       random addresses. If the optional --netmask parameter is specified with
       a CIDR prefix length value between  1-31	 then  network	addresses  are
       stored  in  the	given set: i.e an IP address will be in the set if the
       network address, which is resulted by  masking  the  address  with  the
       specified netmask, can be found in the set.

       Options to use when creating an iphash set:

       --hashsize hashsize
	      The initial hash size (default 1024)

       --probes probes
	      How  many	 times	try to resolve clashing at adding an IP to the
	      hash by double-hashing (default 8).

       --resize percent
	      Increase the hash size by this many percent  (default  50)  when
	      adding  an  IP  to  the hash could not be performed after probes
	      number of double-hashing.

       --netmask prefixlen
	      When  the	 optional  --netmask  parameter	  specified,   network
	      addresses will be stored in the set instead of IP addresses. The
	      prefixlen value must be between 1-31.

       The iphash type of sets can store up to 65536  entries.	If  a  set  is
       full, no new entries can be added to it.

       Sets  created  by zero valued resize parameter won't be resized at all.
       The lookup time in an iphash type of set grows  approximately  linearly
       with  the value of the probes parameter. In general higher probes value
       results better utilized	hash  while  smaller  value  produces  larger,
       sparser hash.

       Example:

	      ipset -N test iphash --probes 2

   nethash
       The  nethash  set  type	uses a hash to store different size of network
       addresses. The entry used in the ipset commands must  be	 in  the  form
       "address/prefixlen"  where  prefixlen must be in the inclusive range of
       1-31.  In order to avoid clashes in the hash double-hashing, and	 as  a
       last resort, dynamic growing of the hash performed.

       Options to use when creating an nethash set:

       --hashsize hashsize
	      The initial hash size (default 1024)

       --probes probes
	      How  many	 times	try to resolve clashing at adding an IP to the
	      hash by double-hashing (default 4).

       --resize percent
	      Increase the hash size by this many percent  (default  50)  when
	      adding an IP to the hash could not be performed after

       The  nethash  type  of  sets can store up to 65536 entries. If a set is
       full, no new entries can be added to it.

       An IP address will be in a nethash type of set if it belongs to any  of
       the  netblocks  added  to  the  set. The matching always start from the
       smallest size of netblock (most specific netmask) to the	 largest  ones
       (least  specific	 netmasks).  When  adding/deleting  IP	addresses to a
       nethash	set  by	 the  "SET"  netfilter	kernel	module,	 it  will   be
       added/deleted  by  the smallest netblock size which can be found in the
       set, or by /31 if the set is empty.

       The lookup time in a nethash type of set grows  approximately  linearly
       with the times of the probes parameter and the number of different mask
       parameters in the hash.	Otherwise the same speed and memory efficiency
       comments applies here as at the iphash type.

   ipporthash
       The ipporthash set type uses a hash to store IP address and port pairs.
       In order to avoid clashes in the hash double-hashing,  and  as  a  last
       resort,	dynamic	 growing  of the hash performed. An ipporthash set can
       store up to 65536 (B-class network) IP addresses with all possible port
       values.	When adding, deleting and testing values in an ipporthash type
       of set, the entries must be specified as "address,port".

       The ipporthash types of sets evaluates two src/dst  parameters  of  the
       "set" match and "SET" target.

       Options to use when creating an ipporthash set:

       --from from-addr

       --to to-addr
	      Create an ipporthash set from the specified address range.

       --network addr/mask
	      Create an ipporthash set from the specified network.

       --hashsize hashsize
	      The initial hash size (default 1024)

       --probes probes
	      How  many	 times	try to resolve clashing at adding an IP to the
	      hash by double-hashing (default 8).

       --resize percent
	      Increase the hash size by this many percent  (default  50)  when
	      adding  an  IP  to  the hash could not be performed after probes
	      number of double-hashing.

       The same resizing, speed and memory efficiency comments applies here as
       at the iphash type.

   ipportiphash
       The  ipportiphash  set type uses a hash to store IP address,port and IP
       address triples. The first IP address must  come	 form  a  maximum  /16
       sized  network or range while the port number and the second IP address
       parameters are arbitrary. When adding, deleting and testing  values  in
       an  ipportiphash	 type  of  set,	 the  entries  must  be	 specified  as
       "address,port,address".

       The ipportiphash types of sets evaluates three  src/dst	parameters  of
       the "set" match and "SET" target.

       Options to use when creating an ipportiphash set:

       --from from-addr

       --to to-addr
	      Create an ipportiphash set from the specified address range.

       --network addr/mask
	      Create an ipportiphash set from the specified network.

       --hashsize hashsize
	      The initial hash size (default 1024)

       --probes probes
	      How  many	 times	try to resolve clashing at adding an IP to the
	      hash by double-hashing (default 8).

       --resize percent
	      Increase the hash size by this many percent  (default  50)  when
	      adding  an  IP  to  the hash could not be performed after probes
	      number of double-hashing.

       The same resizing, speed and memory efficiency comments applies here as
       at the iphash type.

   ipportnethash
       The  ipportnethash  set type uses a hash to store IP address, port, and
       network address triples. The IP address must come form  a  maximum  /16
       sized  network  or  range while the port number and the network address
       parameters are arbitrary, but the size of the network address  must  be
       between	/1-/31. When adding, deleting and testing values in an ipport‐
       nethash	 type	of   set,   the	  entries   must   be	specified   as
       "address,port,address/prefixlen".

       The  ipportnethash  types of sets evaluates three src/dst parameters of
       the "set" match and "SET" target.

       Options to use when creating an ipportnethash set:

       --from from-address

       --to to-address
	      Create an ipporthash set from the specified range.

       --network address/mask
	      Create an ipporthash set from the specified network.

       --hashsize hashsize
	      The initial hash size (default 1024)

       --probes probes
	      How many times try to resolve clashing at adding an  IP  to  the
	      hash by double-hashing (default 8).

       --resize percent
	      Increase	the  hash  size by this many percent (default 50) when
	      adding an IP to the hash could not  be  performed	 after	probes
	      number of double-hashing.

       The same resizing, speed and memory efficiency comments applies here as
       at the iphash type.

   iptree
       The iptree set type uses a tree to store IP addresses, optionally  with
       timeout values.

       Options to use when creating an iptree set:

       --timeout value
	      The timeout value for the entries in seconds (default 0)

       If a set was created with a nonzero valued --timeout parameter then one
       may add IP addresses to the set with a specific timeout value using the
       syntax  "address,timeout-value".	  Similarly  to	 the  hash  types, the
       iptree type of sets can store up to 65536 entries.

   iptreemap
       The iptreemap set type uses a tree to store IP addresses	 or  networks,
       where the last octet of an IP address are stored in a bitmap.  As input
       entry, you can add IP addresses, CIDR blocks or network ranges  to  the
       set. Network ranges can be specified in the format "address1-address2".

       Options to use when creating an iptreemap set:

       --gc value
	      How  often  the  garbage collection should be called, in seconds
	      (default 300)

   setlist
       The setlist type uses a simple list in which you can store sets. By the
       ipset  command  you  can add, delete and test sets in a setlist type of
       set.  You can specify the sets  as  "setname[,{after|before},setname]".
       By  default  new	 sets  are added after (appended to) the existing ele‐
       ments. Setlist type of sets cannot be added to a setlist type of set.

       Options to use when creating a setlist type of set:

       --size size
	      Create a setlist type of set with the given size (default 8).

       By the "set" match or "SET" target of iptables(8) you can test, add  or
       delete  entries	in  the sets. The match will try to find a matching IP
       address/port in the sets	 and  the  target  will	 try  to  add  the  IP
       address/port  to	 the first set to which it can be added. The number of
       src,dst options of the match and target are important: sets which  eats
       more  src,dst  parameters  than	specified are skipped, while sets with
       equal or less parameters are checked, elements added. For example if  a
       and b are setlist type of sets then in the command

	      iptables -m set --match-set a src,dst -j SET --add-set b src,dst

       the  match  and	target	will skip any set in a and b which stores data
       triples, but will check all sets with single or double data storage  in
       a  set  and  add src to the first single or src,dst to the first double
       data storage set in b.

       You can imagine a setlist type of set as an ordered union  of  the  set
       elements.

GENERAL RESTRICTIONS
       Setnames	 starting  with	 colon	(:) cannot be defined. Zero valued set
       entries cannot be used with hash type of sets.

COMMENTS
       If you want to store same size subnets from a given  network  (say  /24
       blocks  from  a	/8  network),  use the ipmap set type.	If you want to
       store random same size networks (say random /24 blocks), use the iphash
       set type. If you have got random size of netblocks, use nethash.

       Old separator tokens (':' and '%") are still accepted.

       Binding support is removed.

DIAGNOSTICS
       Various error messages are printed to standard error.  The exit code is
       0 for correct functioning.  Errors which appear to be caused by invalid
       or  abused  command  line parameters cause an exit code of 2, and other
       errors cause an exit code of 1.

BUGS
       Bugs? No, just funny features. :-) OK, just kidding...

SEE ALSO
       iptables(8),

AUTHORS
       Jozsef Kadlecsik wrote ipset, which is based on ippool by Joakim Axels‐
       son, Patrick Schaaf and Martin Josefsson.

       Sven Wegener wrote the iptreemap type.

LAST REMARK
       I stand on the shoulders of giants.

				 Feb 05, 2004			      IPSET(8)
[top]

List of man pages available for Mandriva

Copyright (c) for man pages and the logo by the respective OS vendor.

For those who want to learn more, the polarhome community provides shell access and support.

[legal] [privacy] [GNU] [policy] [cookies] [netiquette] [sponsors] [FAQ]
Tweet
Polarhome, production since 1999.
Member of Polarhome portal.
Based on Fawad Halim's script.
....................................................................
Vote for polarhome
Free Shell Accounts :: the biggest list on the net