xtables-addons/extensions/ipset/ipset.8

.TH IPSET 8 "Feb 05, 2004" "" ""
.\"
.\" Man page written by Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
.\"
.\"	This program is free software; you can redistribute it and/or modify
.\"	it under the terms of the GNU General Public License as published by
.\"	the Free Software Foundation; either version 2 of the License, or
.\"	(at your option) any later version.
.\"
.\"	This program is distributed in the hope that it will be useful,
.\"	but WITHOUT ANY WARRANTY; without even the implied warranty of
.\"	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
.\"	GNU General Public License for more details.
.\"
.\"	You should have received a copy of the GNU General Public License
.\"	along with this program; if not, write to the Free Software
.\"	Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
.\"
.\"
.SH NAME
ipset \(em administration tool for IP sets
.SH SYNOPSIS
.PP
\fBipset \-N\fP \fIset\fP \fItype-specification\fP [\fIoptions\fP...]
.PP
\fBipset\fP {\fB\-F\fP|\fB\-H\fP|\fB\-L\fP|\fB\-S\fP|\fB\-X\fP} [\fIset\fP]
[\fIoptions\fP...]
.PP
\fBipset\fP {\fB\-E\fP|\fB\-W\fP} \fIfrom-set\fP \fIto-set\fP
.PP
\fBipset\fP {\fB\-A\fP|\fB\-D\fP|\fB\-T\fP} \fIset\fP \fIentry\fP
.PP
\fBipset \-R\fP
.PP
\fBipset\fP {\fB-V\fP|\fB\-v\fP}
.SH DESCRIPTION
.B ipset
is used to set up, maintain and inspect so called IP sets in the Linux
kernel. Depending on the type, an IP set may store IP addresses, (TCP/UDP)
port numbers or additional informations besides IP addresses: the word IP 
means a general term here. See the set type definitions below.
.P
Iptables matches and targets referring to sets creates references, which
protects the given sets in the kernel. A set cannot be removed (destroyed)
while there is a single reference pointing to it.
.SH OPTIONS
The options that are recognized by
.B ipset
can be divided into several different groups.
.SS COMMANDS
These options specify the specific action to perform.  Only one of them
can be specified on the command line unless otherwise specified
below.  For all the long versions of the command and option names, you
need to use only enough letters to ensure that
.B ipset
can differentiate it from all other options.
.TP
\fB\-N\fP, \fB\-\-create\fP \fIsetname\fP \fItype\fP \fItype-specific-options\fP
Create a set identified with setname and specified type. 
Type-specific options must be supplied.
.TP
\fB\-X\fP, \fB\-\-destroy\fP [\fIsetname\fP]
Destroy the specified set or all the sets if none is given.

If the set has got references, nothing is done.
.TP
\fB\-F\fP, \fB\-\-flush\fP [\fIsetname\fP]
Delete all entries from the specified set or flush
all sets if none is given.
.TP
\fB\-E\fP, \fB\-\-rename\fP \fIfrom-setname\fP \fIto-setname\fP
Rename a set. Set identified by to-setname must not exist.
.TP
\fB\-W\fP, \fB\-\-swap\fP \fIfrom-setname\fP \fIto-setname\fP
Swap the content of two sets, or in another words, 
exchange the name of two sets. The referred sets must exist and
identical type of sets can be swapped only.
.TP
\fB\-L\fP, \fB\-\-list\fP [\fIsetname\fP]
List the entries for the specified set, or for
all sets if none is given. The
\fB\-r\fP/\fB\-\-resolve\fP
option can be used to force name lookups (which may be slow). When the
\fB\-s\fP/\fB\-\-sorted\fP
option is given, the entries are listed sorted (if the given set
type supports the operation).
.TP
\fB\-S\fP, \fB\-\-save\fP [\fIsetname\fP]
Save the given set, or all sets if none is given
to stdout in a format that \fB\-\-restore\fP can read.
.TP
\fB\-R\fP, \fB\-\-restore\fP
Restore a saved session generated by \fB\-\-save\fP. The saved session
can be fed from stdin.

When generating a session file please note that the supported commands
(create set and add element) must appear in a strict order: first create
the set, then add all elements. Then create the next set, add all its elements
and so on. Also, it is a restore operation, so the sets being restored must 
not exist.
.TP
\fB\-A\fP, \fB\-\-add\fP \fIsetname\fP \fIentry\fP
Add an entry to a set.
.TP
\fB\-D\fP, \fB\-\-del\fP \fIsetname\fP \fIentry\fP
Delete an entry from a set.
.TP
\fB-T\fP, \fB\-\-test\fP \fIsetname\fP \fIentry\fP
Test wether an entry is in a set or not. Exit status number is zero
if the tested entry is in the set and nonzero if it is missing from
the set.
.TP
\fB\-H\fP, \fB\-\-help\fP [\fIsettype\fP]
Print help and settype specific help if settype specified.
.TP
\fB\-V\fP, \fB\-v\fP, \fB\-\-version\fP
Print program version and protocol version.
.P
.SS "OTHER OPTIONS"
The following additional options can be specified:
.TP
\fB\-r\fP, \fB\-\-resolve\fP
When listing sets, enforce name lookup. The 
program will try to display the IP entries resolved to 
host names or services (whenever applicable), which can trigger
.B
slow
DNS 
lookups.
.TP
\fB\-s\fP, \fB\-\-sorted\fP
Sorted output. When listing sets, entries are listed sorted.
.TP
\fB\-n\fP, \fB\-\-numeric\fP
Numeric output. When listing sets, IP addresses and 
port numbers will be printed in numeric format. This is the default.
.TP
\fB\-q\fP, \fB\-\-quiet\fP
Suppress any output to stdout and stderr. ipset will still return
possible errors.
.SH SET TYPES
ipset supports the following set types:
.SS ipmap
The ipmap set type uses a memory range, where each bit represents
one IP address. An ipmap set can store up to 65536 (B-class network)
IP addresses. The ipmap set type is very fast and memory cheap, great
for use when one want to match certain IPs in a range. If the optional
\fB\-\-netmask\fP
parameter is specified with a CIDR netmask value between 1-31 then
network addresses are stored in the given set: i.e an
IP address will be in the set if the network address, which is resulted
by masking the address with the specified netmask, can be found in the set.
.P
Options to use when creating an ipmap set:
.TP
\fB\-\-from\fP \fIfrom-addr\fP
.TP
\fB\-\-to\fP \fIto-addr\fP
Create an ipmap set from the specified address range.
.TP
\fB\-\-network\fP \fIaddr\fP\fB/\fP\fImask\fP
Create an ipmap set from the specified network.
.TP
\fB\-\-netmask\fP \fIprefixlen\fP
When the optional
\fB\-\-netmask\fP
parameter specified, network addresses will be 
stored in the set instead of IP addresses, and the \fIfrom-addr\fP parameter
must be a network address. The \fIprefixlen\fP value must be between 1-31.
.PP
Example:
.IP
ipset \-N test ipmap \-\-network 192.168.0.0/16 
.SS macipmap
The macipmap set type uses a memory range, where each 8 bytes
represents one IP and a MAC addresses. A macipmap set type can store
up to 65536 (B-class network) IP addresses with MAC.
When adding an entry to a macipmap set, you must specify the entry as
"\fIaddress\fP\fB,\fP\fImac\fP".
When deleting or testing macipmap entries, the
"\fB,\fP\fImac\fP"
part is not mandatory.
.P
Options to use when creating an macipmap set:
.TP
\fB\-\-from\fP \fIfrom-addr\fP
.TP
\fB\-\-to\fP \fIto-addr\fP
Create a macipmap set from the specified address range.
.TP
\fB\-\-network\fP \fIaddr\fP\fB/\fP\fImask\fP
Create a macipmap set from the specified network.
.TP
\fB\-\-matchunset\fP
When the optional
\fB\-\-matchunset\fP
parameter specified, IP addresses which could be stored 
in the set but not set yet, will always match.
.P
Please note, the 
"set"
and
"SET"
netfilter kernel modules
.B
always
use the source MAC address from the packet to match, add or delete
entries from a macipmap type of set.
.SS portmap
The portmap set type uses a memory range, where each bit represents
one port. A portmap set type can store up to 65536 ports.
The portmap set type is very fast and memory cheap.
.P
Options to use when creating an portmap set:
.TP
\fB\-\-from\fP \fIfrom-port\fP
.TP
\fB\-\-to\fP \fIto-port\fP
Create a portmap set from the specified port range.
.SS iphash
The iphash set type uses a hash to store IP addresses.
In order to avoid clashes in the hash double-hashing, and as a last
resort, dynamic growing of the hash performed. The iphash set type is
great to store random addresses. If the optional
\fB\-\-netmask\fP
parameter is specified with a CIDR prefix length value between 1-31 then
network addresses are stored in the given set: i.e an
IP address will be in the set if the network address, which is resulted
by masking the address with the specified netmask, can be found in the set.
.P
Options to use when creating an iphash set:
.TP
\fB\-\-hashsize\fP \fIhashsize\fP
The initial hash size (default 1024)
.TP
\fB\-\-probes\fP \fIprobes\fP
How many times try to resolve clashing at adding an IP to the hash 
by double-hashing (default 8).
.TP
\fB\-\-resize\fP \fIpercent\fP
Increase the hash size by this many percent (default 50) when adding
an IP to the hash could not be performed after
\fIprobes\fP
number of double-hashing. 
.TP
\fB\-\-netmask\fP \fIprefixlen\fP
When the optional
\fB\-\-netmask\fP
parameter specified, network addresses will be 
stored in the set instead of IP addresses. The \fIprefixlen\fP value must
be between 1-31.
.P
The iphash type of sets can store up to 65536 entries. If a set is full,
no new entries can be added to it.
.P
Sets created by zero valued resize parameter won't be resized at all.
The lookup time in an iphash type of set grows approximately linearly with
the value of the 
\fIprobes\fP
parameter. In general higher 
\fIprobes\fP
value results better utilized hash while smaller value
produces larger, sparser hash.
.PP
Example:
.IP
ipset \-N test iphash \-\-probes 2
.SS nethash
The nethash set type uses a hash to store different size of
network addresses. The
.I
entry
used in the ipset commands must be in the form
"\fIaddress\fP\fB/\fP\fIprefixlen\fP"
where prefixlen must be in the inclusive range of 1-31.
In order to avoid clashes in the hash 
double-hashing, and as a last resort, dynamic growing of the hash performed.
.P
Options to use when creating an nethash set:
.TP
\fB\-\-hashsize\fP \fIhashsize\fP
The initial hash size (default 1024)
.TP
\fB\-\-probes\fP \fIprobes\fP
How many times try to resolve clashing at adding an IP to the hash 
by double-hashing (default 4).
.TP
\fB\-\-resize\fP \fIpercent\fP
Increase the hash size by this many percent (default 50) when adding
an IP to the hash could not be performed after
.P
The nethash type of sets can store up to 65536 entries. If a set is full,
no new entries can be added to it.
.P
An IP address will be in a nethash type of set if it belongs to any of the
netblocks added to the set. The matching always start from the smallest
size of netblock (most specific netmask) to the largest ones (least
specific netmasks). When adding/deleting IP addresses
to a nethash set by the
"SET"
netfilter kernel module, it will be added/deleted by the smallest
netblock size which can be found in the set, or by /31 if the set is empty.
.P
The lookup time in a nethash type of set grows approximately linearly 
with the times of the
\fIprobes\fP
parameter and the number of different mask parameters in the hash.
Otherwise the same speed and memory efficiency comments applies here 
as at the iphash type.
.SS ipporthash
The ipporthash set type uses a hash to store IP address and port pairs.
In order to avoid clashes in the hash double-hashing, and as a last
resort, dynamic growing of the hash performed. An ipporthash set can 
store up to 65536 (B-class network) IP addresses with all possible port
values. When adding, deleting and testing values in an ipporthash type of
set, the entries must be specified as
"\fIaddress\fP\fB,\fP\fIport\fP".
.P
The ipporthash types of sets evaluates two src/dst parameters of the 
"set"
match and 
"SET"
target. 
.P
Options to use when creating an ipporthash set:
.TP
\fB\-\-from\fP \fIfrom-addr\fP
.TP
\fB\-\-to\fP \fIto-addr\fP
Create an ipporthash set from the specified address range.
.TP
\fB\-\-network\fP \fIaddr\fP\fB/\fP\fImask\fP
Create an ipporthash set from the specified network.
.TP
\fB\-\-hashsize\fP \fIhashsize\fP
The initial hash size (default 1024)
.TP
\fB\-\-probes\fP \fIprobes\fP
How many times try to resolve clashing at adding an IP to the hash 
by double-hashing (default 8).
.TP
\fB\-\-resize\fP \fIpercent\fP
Increase the hash size by this many percent (default 50) when adding
an IP to the hash could not be performed after
\fIprobes\fP
number of double-hashing.
.P
The same resizing, speed and memory efficiency comments applies here 
as at the iphash type.
.SS ipportiphash
The ipportiphash set type uses a hash to store IP address,port and IP
address triples. The first IP address must come form a maximum /16
sized network or range while the port number and the second IP address
parameters are arbitrary. When adding, deleting and testing values in an 
ipportiphash type of set, the entries must be specified as
"\fIaddress\fP\fB,\fP\fIport\fP\fB,\fP\fIaddress\fP".
.P
The ipportiphash types of sets evaluates three src/dst parameters of the 
"set"
match and 
"SET"
target. 
.P
Options to use when creating an ipportiphash set:
.TP
\fB\-\-from\fP \fIfrom-addr\fP
.TP
\fB\-\-to\fP \fIto-addr\fP
Create an ipportiphash set from the specified address range.
.TP
\fB\-\-network\fP \fIaddr\fP\fB/\fP\fImask\fP
Create an ipportiphash set from the specified network.
.TP
\fB\-\-hashsize\fP \fIhashsize\fP
The initial hash size (default 1024)
.TP
\fB\-\-probes\fP \fIprobes\fP
How many times try to resolve clashing at adding an IP to the hash 
by double-hashing (default 8).
.TP
\fB\-\-resize\fP \fIpercent\fP
Increase the hash size by this many percent (default 50) when adding
an IP to the hash could not be performed after
\fIprobes\fP
number of double-hashing.
.P
The same resizing, speed and memory efficiency comments applies here 
as at the iphash type.
.SS ipportnethash
The ipportnethash set type uses a hash to store IP address, port, and
network address triples. The IP address must come form a maximum /16
sized network or range while the port number and the network address
parameters are arbitrary, but the size of the network address must be
between /1-/31. When adding, deleting 
and testing values in an ipportnethash type of set, the entries must be
specified as
"\fIaddress\fP\fB,\fP\fIport\fP\fB,\fP\fIaddress\fP\fB/\fP\fIprefixlen\fP".
.P
The ipportnethash types of sets evaluates three src/dst parameters of the 
"set"
match and 
"SET"
target. 
.P
Options to use when creating an ipportnethash set:
.TP
\fB\-\-from\fP \fIfrom-address\fP
.TP
\fB\-\-to\fP \fIto-address\fP
Create an ipporthash set from the specified range.
.TP
\fB\-\-network\fP \fIaddress\fP\fB/\fP\fImask\fP
Create an ipporthash set from the specified network.
.TP
\fB\-\-hashsize\fP \fIhashsize\fP
The initial hash size (default 1024)
.TP
\fB\-\-probes\fP \fIprobes\fP
How many times try to resolve clashing at adding an IP to the hash 
by double-hashing (default 8).
.TP
\fB\-\-resize\fP \fIpercent\fP
Increase the hash size by this many percent (default 50) when adding
an IP to the hash could not be performed after
\fIprobes\fP
number of double-hashing.
.P
The same resizing, speed and memory efficiency comments applies here 
as at the iphash type.
.SS iptree
The iptree set type uses a tree to store IP addresses, optionally 
with timeout values.
.P
Options to use when creating an iptree set:
.TP
\fB\-\-timeout\fP \fIvalue\fP
The timeout value for the entries in seconds (default 0)
.P
If a set was created with a nonzero valued 
\fB\-\-timeout\fP
parameter then one may add IP addresses to the set with a specific 
timeout value using the syntax 
"\fIaddress\fP\fB,\fP\fItimeout-value\fP".
Similarly to the hash types, the iptree type of sets can store up to 65536
entries.
.SS iptreemap
The iptreemap set type uses a tree to store IP addresses or networks, 
where the last octet of an IP address are stored in a bitmap.
As input entry, you can add IP addresses, CIDR blocks or network ranges
to the set. Network ranges can be specified in the format
"\fIaddress1\fP\fB-\fP\fIaddress2\fP".
.P
Options to use when creating an iptreemap set:
.TP
\fB\-\-gc\fP \fIvalue\fP
How often the garbage collection should be called, in seconds (default 300)
.SS setlist
The setlist type uses a simple list in which you can store sets. By the
ipset
command you can add, delete and test sets in a setlist type of set.
You can specify the sets as
"\fIsetname\fP[\fB,\fP{\fBafter\fP|\fBbefore\fP},\fIsetname\fP]".
By default new sets are added after (appended to) the existing
elements. Setlist type of sets cannot be added to a setlist type of set.
.P
Options to use when creating a setlist type of set:
.TP
\fB\-\-size\fP \fIsize\fP
Create a setlist type of set with the given size (default 8).
.PP
By the
"set"
match or
"SET"
target of
\fBiptables\fP(8)
you can test, add or delete entries in the sets. The match
will try to find a matching IP address/port in the sets and 
the target will try to add the IP address/port to the first set
to which it can be added. The number of src,dst options of
the match and target are important: sets which eats more src,dst
parameters than specified are skipped, while sets with equal
or less parameters are checked, elements added. For example
if
.I
a
and
.I
b
are setlist type of sets then in the command
.IP
iptables \-m set \-\-match\-set a src,dst \-j SET \-\-add-set b src,dst
.PP
the match and target will skip any set in
.I a
and
.I b
which stores 
data triples, but will check all sets with single or double
data storage in
.I a
set and add src to the first single or src,dst to the first double 
data storage set in
\fIb\fP.
You can imagine a setlist type of set as an ordered union of
the set elements. 
.P
Please note: by the ipset command you can add, delete and
.B test
the setnames in a setlist type of set, and not the presence of 
a set's member (such as an IP address).
.SH GENERAL RESTRICTIONS
Setnames starting with colon (:) cannot be defined. Zero valued set 
entries cannot be used with hash type of sets.
.SH COMMENTS
If you want to store same size subnets from a given network
(say /24 blocks from a /8 network), use the ipmap set type.
If you want to store random same size networks (say random /24 blocks), 
use the iphash set type. If you have got random size of netblocks, 
use nethash.
.P
Old separator tokens (':' and '%") are still accepted.
.P
Binding support is removed.
.SH DIAGNOSTICS
Various error messages are printed to standard error.  The exit code
is 0 for correct functioning.  Errors which appear to be caused by
invalid or abused command line parameters cause an exit code of 2, and
other errors cause an exit code of 1.
.SH BUGS
Bugs? No, just funny features. :-)
OK, just kidding...
.SH SEE ALSO
.BR iptables (8),
.SH AUTHORS
Jozsef Kadlecsik wrote ipset, which is based on ippool by
Joakim Axelsson, Patrick Schaaf and Martin Josefsson.
.P
Sven Wegener wrote the iptreemap type.
.SH LAST REMARK
.BR "I stand on the shoulders of giants."