mirror of
git://git.code.sf.net/p/xtables-addons/xtables-addons
synced 2025-09-21 12:04:56 +02:00
ipset: fast forward to v4.0
This commit is contained in:
Jan Engelhardt
@@ -26,13 +26,11 @@ ipset \- administration tool for IP sets
|
||||
.br
|
||||
.BR "ipset -[EW] " "from-set to-set"
|
||||
.br
|
||||
.BR "ipset -[ADU] " "set entry"
|
||||
.br
|
||||
.BR "ipset -B " "set entry -b binding"
|
||||
.br
|
||||
.BR "ipset -T " "set entry [-b binding]"
|
||||
.BR "ipset -[ADT] " "set entry"
|
||||
.br
|
||||
.BR "ipset -R "
|
||||
.br
|
||||
.BR "ipset -[Vv] "
|
||||
.SH DESCRIPTION
|
||||
.B ipset
|
||||
is used to set up, maintain and inspect so called IP sets in the Linux
|
||||
@@ -40,19 +38,9 @@ kernel. Depending on the type, an IP set may store IP addresses, (TCP/UDP)
|
||||
port numbers or additional informations besides IP addresses: the word IP
|
||||
means a general term here. See the set type definitions below.
|
||||
.P
|
||||
Any entry in a set can be bound to another set, which forms a relationship
|
||||
between a set element and the set it is bound to. In order to define a
|
||||
binding it is not required that the entry be already added to the set.
|
||||
The sets may have a default binding, which is valid for every set element
|
||||
for which there is no binding defined at all.
|
||||
.P
|
||||
IP set bindings pointing to sets and iptables matches and targets
|
||||
referring to sets creates references, which protects the given sets in
|
||||
the kernel. A set cannot be removed (destroyed) while there is a single
|
||||
reference pointing to it.
|
||||
.P
|
||||
.B
|
||||
Please note, binding sets is a deprecated feature and will be removed in a later release. Switch to the multidata type of sets from using bindings.
|
||||
Iptables matches and targets referring to sets creates references, which
|
||||
protects the given sets in the kernel. A set cannot be removed (destroyed)
|
||||
while there is a single reference pointing to it.
|
||||
.SH OPTIONS
|
||||
The options that are recognized by
|
||||
.B ipset
|
||||
@@ -70,21 +58,13 @@ Create a set identified with setname and specified type.
|
||||
Type-specific options must be supplied.
|
||||
.TP
|
||||
.BI "-X, --destroy " "[\fIsetname\fP]"
|
||||
Destroy the specified set, or all sets if none or the keyword
|
||||
.B
|
||||
:all:
|
||||
is specified.
|
||||
Before destroying the set, all bindings belonging to the
|
||||
set elements and the default binding of the set are removed.
|
||||
Destroy the specified set or all the sets if none is given.
|
||||
|
||||
If the set has got references, nothing is done.
|
||||
.TP
|
||||
.BI "-F, --flush " "[\fIsetname\fP]"
|
||||
Delete all entries from the specified set, or flush
|
||||
all sets if none or the keyword
|
||||
.B
|
||||
:all:
|
||||
is given. Bindings are not affected by the flush operation.
|
||||
Delete all entries from the specified set or flush
|
||||
all sets if none is given.
|
||||
.TP
|
||||
.BI "-E, --rename " "\fIfrom-setname\fP \fIto-setname\fP"
|
||||
Rename a set. Set identified by to-setname must not exist.
|
||||
@@ -95,102 +75,63 @@ exchange the name of two sets. The referred sets must exist and
|
||||
identical type of sets can be swapped only.
|
||||
.TP
|
||||
.BI "-L, --list " "[\fIsetname\fP]"
|
||||
List the entries and bindings for the specified set, or for
|
||||
all sets if none or the keyword
|
||||
.B
|
||||
:all:
|
||||
is given. The
|
||||
.B "-n, --numeric"
|
||||
option can be used to suppress name lookups and generate numeric
|
||||
output. When the
|
||||
List the entries for the specified set, or for
|
||||
all sets if none is given. The
|
||||
.B "-r, --resolve"
|
||||
option can be used to force name lookups (which may be slow). When the
|
||||
.B "-s, --sorted"
|
||||
option is given, the entries are listed sorted (if the given set
|
||||
type supports the operation).
|
||||
.TP
|
||||
.BI "-S, --save " "[\fIsetname\fP]"
|
||||
Save the given set, or all sets if none or the keyword
|
||||
.B
|
||||
:all:
|
||||
is specified to stdout in a format that --restore can read.
|
||||
Save the given set, or all sets if none is given
|
||||
to stdout in a format that --restore can read.
|
||||
.TP
|
||||
.BI "-R, --restore "
|
||||
Restore a saved session generated by --save. The saved session
|
||||
can be fed from stdin.
|
||||
|
||||
When generating a session file please note that the supported commands
|
||||
(create set, add element, bind) must appear in a strict order: first create
|
||||
(create set and add element) must appear in a strict order: first create
|
||||
the set, then add all elements. Then create the next set, add all its elements
|
||||
and so on. Finally you can list all binding commands. Also, it is a restore
|
||||
operation, so the sets being restored must not exist.
|
||||
and so on. Also, it is a restore operation, so the sets being restored must
|
||||
not exist.
|
||||
.TP
|
||||
.BI "-A, --add " "\fIsetname\fP \fIIP\fP"
|
||||
Add an IP to a set.
|
||||
Add an IP entry to a set.
|
||||
.TP
|
||||
.BI "-D, --del " "\fIsetname\fP \fIIP\fP"
|
||||
Delete an IP from a set.
|
||||
Delete an IP entry from a set.
|
||||
.TP
|
||||
.BI "-T, --test " "\fIsetname\fP \fIIP
|
||||
Test wether an IP is in a set or not. Exit status number is zero
|
||||
Test wether an IP entry is in a set or not. Exit status number is zero
|
||||
if the tested IP is in the set and nonzero if it is missing from
|
||||
the set.
|
||||
.TP
|
||||
.BI "-T, --test " "\fIsetname\fP \fIIP\fP \fI--binding\fP \fIto-setname\fP"
|
||||
Test wether the IP belonging to the set points to the specified binding.
|
||||
Exit status number is zero if the binding points to the specified set,
|
||||
otherwise it is nonzero. The keyword
|
||||
.B
|
||||
:default:
|
||||
can be used to test the default binding of the set.
|
||||
.TP
|
||||
.BI "-B, --bind " "\fIsetname\fP \fIIP\fP \fI--binding\fP \fIto-setname\fP"
|
||||
Bind the IP in setname to to-setname.
|
||||
.TP
|
||||
.BI "-U, --unbind " "\fIsetname\fP \fIIP\fP"
|
||||
Delete the binding belonging to IP in set setname.
|
||||
.TP
|
||||
.BI "-H, --help " "[settype]"
|
||||
Print help and settype specific help if settype specified.
|
||||
.TP
|
||||
.BI "-V, -v, --version "
|
||||
Print program version and protocol version.
|
||||
.P
|
||||
At the
|
||||
.B
|
||||
-B, -U
|
||||
and
|
||||
.B
|
||||
-T
|
||||
commands you can use the token
|
||||
.B
|
||||
:default:
|
||||
to bind, unbind or test the default binding of a set instead
|
||||
of an IP. At the
|
||||
.B
|
||||
-U
|
||||
command you can use the token
|
||||
.B
|
||||
:all:
|
||||
to destroy the bindings of all elements of a set.
|
||||
.SS "OTHER OPTIONS"
|
||||
The following additional options can be specified:
|
||||
.TP
|
||||
.B "-b, --binding setname"
|
||||
The option specifies the value of the binding for the
|
||||
.B "-B"
|
||||
binding command, for which it is a mandatory option.
|
||||
You can use it in the
|
||||
.B "-T"
|
||||
test command as well to test bindings.
|
||||
.B "-r, --resolve"
|
||||
When listing sets, enforce name lookup. The
|
||||
program will try to display the IP entries resolved to
|
||||
host names or services (whenever applicable), which can trigger
|
||||
.B
|
||||
slow
|
||||
DNS
|
||||
lookups.
|
||||
.TP
|
||||
.B "-s, --sorted"
|
||||
Sorted output. When listing sets, entries are listed sorted.
|
||||
.TP
|
||||
.B "-n, --numeric"
|
||||
Numeric output. When listing sets, bindings, IP addresses and
|
||||
port numbers will be printed in numeric format. By default the
|
||||
program will try to display them as host names, network names
|
||||
or services (whenever applicable), which can trigger
|
||||
.B
|
||||
slow
|
||||
DNS
|
||||
lookups.
|
||||
Numeric output. When listing sets, IP addresses and
|
||||
port numbers will be printed in numeric format. This is the default.
|
||||
.TP
|
||||
.B "-q, --quiet"
|
||||
Suppress any output to stdout and stderr. ipset will still return
|
||||
@@ -224,6 +165,10 @@ When the optional
|
||||
parameter specified, network addresses will be
|
||||
stored in the set instead of IP addresses, and the from-IP parameter
|
||||
must be a network address. The CIDR-netmask value must be between 1-31.
|
||||
.PP
|
||||
Example:
|
||||
.IP
|
||||
ipset \-N test ipmap \-\-network 192.168.0.0/16
|
||||
.SS macipmap
|
||||
The macipmap set type uses a memory range, where each 8 bytes
|
||||
represents one IP and a MAC addresses. A macipmap set type can store
|
||||
@@ -319,6 +264,10 @@ parameter. In general higher
|
||||
probe
|
||||
value results better utilized hash while smaller value
|
||||
produces larger, sparser hash.
|
||||
.PP
|
||||
Example:
|
||||
.IP
|
||||
ipset \-N test iphash \-\-probes 2
|
||||
.SS nethash
|
||||
The nethash set type uses a hash to store different size of
|
||||
network addresses. The
|
||||
@@ -538,7 +487,7 @@ Options to use when creating a setlist type of set:
|
||||
.TP
|
||||
.BR "--size " size
|
||||
Create a setlist type of set with the given size (default 8).
|
||||
.P
|
||||
.PP
|
||||
By the
|
||||
.I
|
||||
set
|
||||
@@ -562,8 +511,9 @@ and
|
||||
.I
|
||||
b
|
||||
are setlist type of sets then in the command
|
||||
.TP
|
||||
iptables -m set --match-set a src,dst -j SET --add-set b src,dst
|
||||
.IP
|
||||
iptables \-m set \-\-match\-set a src,dst \-j SET \-\-add-set b src,dst
|
||||
.PP
|
||||
the match and target will skip any set in
|
||||
.I a
|
||||
and
|
||||
@@ -589,6 +539,8 @@ use the iphash set type. If you have got random size of netblocks,
|
||||
use nethash.
|
||||
.P
|
||||
Old separator tokens (':' and '%") are still accepted.
|
||||
.P
|
||||
Binding support is removed.
|
||||
.SH DIAGNOSTICS
|
||||
Various error messages are printed to standard error. The exit code
|
||||
is 0 for correct functioning. Errors which appear to be caused by
|
||||
|
||||
Reference in New Issue
Block a user