IP set features

Set types

IP sets support the following types of sets:

  • ipmap
    The ipmap set type uses a memory range where each bit represents one IP address; it can store up to 65535 (B-class network) entries. Same-size network addresses can be stored in an ipmap set as well, in which case an IP address is in the set if the network address it belongs to is in the set.
  • macipmap
    The macipmap set type uses a memory range where each 8 bytes represents one IP address and MAC address pair. A macipmap set can store up to 65535 (B-class network) IP addresses with their MAC addresses.
  • portmap
    The portmap set type uses a memory range, where each bit represents one port. A portmap type of set can store up to 65535 ports.
  • iphash
    The iphash set type uses a hash to store IP addresses, where clashes are resolved by double-hashing and, as a last resort, by dynamically growing the hash. Same-size network addresses can be stored in an iphash as well.
  • nethash
    The nethash set type also uses a hash, storing CIDR netblocks that may be of different sizes. The same technique is used to avoid clashes as for the iphash set type.
  • ipporthash
    The ipporthash set type is similar to iphash, but stores IP address and port pairs. In each pair the IP address must come from a network or IP address range of at most /16 size; the port number is arbitrary.
  • ipportiphash
    You can store IP address, port number and IP address triples in an ipportiphash set, where the first IP address must come from a network or IP address range of at most /16 size. The port number and the second IP address are arbitrary.
  • ipportnethash
    You can store IP address, port number and network address triples in this kind of set. The first IP address must come from a network or IP address range of at most /16 size, the port number is arbitrary and the network address is any network of /1-/31 size.
  • iptree
    The iptree set type uses a tree to store IP addresses, optionally with timeout values.
  • iptreemap
    The iptreemap set type uses a tree to store IP addresses, where the last octet of an IP address is stored in a bitmap.
  • setlist
    In a setlist kind of set you can store other sets; it is like an ordered union of different sets.
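To make the ipmap semantics concrete, the following is a toy model added to this page (it is not the ipset kernel code): a bitmap over a fixed address range, optionally with a netmask so that each bit stands for one same-size network, in which case adding any address of a network marks the whole network as a member and every host in it matches. The class and function names (IpMap, fits_ipmap, demo), the B-class range cap and the 10.0.0.0/16 sample range are constructed for the example.

```python
import ipaddress

# Toy model of the ipset "ipmap" set type: one bit per address, or per
# same-size network when a netmask is given, over a fixed range.
# Constructed example, not the kernel module's code.
class IpMap:
    MAX_OFFSET = 0xFFFF  # a B-class sized range is the largest we allow (assumption)

    def __init__(self, first: str, last: str, netmask: int = 32):
        self.first = int(ipaddress.IPv4Address(first))
        self.last = int(ipaddress.IPv4Address(last))
        if self.last < self.first or self.last - self.first > self.MAX_OFFSET:
            raise ValueError("ipmap range must be at most B-class sized")
        if not 1 <= netmask <= 32:
            raise ValueError("netmask must be /1../32")
        self.shift = 32 - netmask
        self.mask = (0xFFFFFFFF << self.shift) & 0xFFFFFFFF
        # Align the range to network boundaries so every address maps to a slot.
        self.first &= self.mask
        last_slot = ((self.last & self.mask) - self.first) >> self.shift
        self.bits = bytearray((last_slot + 8) // 8)  # ceil((last_slot + 1) / 8) bytes

    def _slot(self, ip: str) -> int:
        """Bit index of the address (or of its network when a netmask is set)."""
        n = int(ipaddress.IPv4Address(ip)) & self.mask
        if n < self.first or n > (self.last & self.mask):
            raise ValueError(f"{ip} is outside the set's range")
        return (n - self.first) >> self.shift

    def add(self, ip: str) -> None:
        i = self._slot(ip)
        self.bits[i // 8] |= 1 << (i % 8)

    def delete(self, ip: str) -> None:
        i = self._slot(ip)
        self.bits[i // 8] &= ~(1 << (i % 8)) & 0xFF

    def __contains__(self, ip: str) -> bool:
        try:
            i = self._slot(ip)
        except ValueError:
            return False  # addresses outside the range simply never match
        return bool((self.bits[i // 8] >> (i % 8)) & 1)

    def size_bytes(self) -> int:
        return len(self.bits)


def fits_ipmap(first: str, last: str) -> bool:
    """True when the range is small enough for an ipmap (at most B-class sized)."""
    try:
        IpMap(first, last)
    except ValueError:
        return False
    return True


def demo() -> dict:
    # Plain ipmap over 10.0.0.0-10.0.255.255: one bit per host address.
    hosts = IpMap("10.0.0.0", "10.0.255.255")
    hosts.add("10.0.3.7")
    # Same range with a /24 netmask: one bit per /24, so any host in an
    # added network is a member.
    nets = IpMap("10.0.0.0", "10.0.255.255", netmask=24)
    nets.add("10.0.3.7")
    return {
        "host_exact": "10.0.3.7" in hosts,        # True
        "host_neighbor": "10.0.3.8" in hosts,     # False: a different host bit
        "net_neighbor": "10.0.3.200" in nets,     # True: same /24 as 10.0.3.7
        "net_other": "10.0.4.1" in nets,          # False: 10.0.4.0/24 not added
        "host_bytes": hosts.size_bytes(),         # 65536 bits -> 8192 bytes
        "net_bytes": nets.size_bytes(),           # 256 bits -> 32 bytes
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The byte counts show why ipmap is attractive when the range is known in advance: membership is a single bit test, and a /16 range of hosts costs only 8 KiB, while the same range keyed by /24 networks needs 32 bytes.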

set match and SET target of iptables

IP sets can be used via the set match and the SET target in iptables rules. In the arguments of these extensions, the tokens src and dst specify which IP address or port of the packet is used to match it against the given set.
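How the src/dst tokens pair up with a set's dimensions is easiest to see in code. The following is a toy model added here, not netfilter's implementation: each set type has an ordered list of dimensions (ipporthash is IP then port, ipportiphash is IP, port, IP), and the comma-separated tokens are applied to those dimensions in order, so "src,dst" on an ipporthash set means source IP and destination port. The function names, the dictionary-based packets, the member sets and the addresses used are constructed for the example; the `--set <name> <flags>` and `--add-set <name> <flags>` forms quoted in the docstrings are the ipset 4.x iptables syntax as I understand it, not something the page states.

```python
# Toy model of how the iptables "set" match and "SET" target read fields from a
# packet.  Constructed example, not netfilter code.  Each set type has an ordered
# list of dimensions; the src/dst tokens are applied to those dimensions in order.
DIMENSIONS = {
    "ipmap": ("ip",),
    "iphash": ("ip",),
    "portmap": ("port",),
    "ipporthash": ("ip", "port"),
    "ipportiphash": ("ip", "port", "ip"),
}

# Which packet field each (dimension, direction) pair reads.
FIELD = {
    ("ip", "src"): "src_ip",
    ("ip", "dst"): "dst_ip",
    ("port", "src"): "sport",
    ("port", "dst"): "dport",
}


def packet_key(packet: dict, set_type: str, flags: str) -> tuple:
    """Build the lookup key the set match or SET target would use for `packet`."""
    dims = DIMENSIONS[set_type]
    directions = flags.split(",")
    if len(directions) != len(dims):
        raise ValueError(
            f"{set_type} needs {len(dims)} src/dst token(s), got {len(directions)}"
        )
    key = []
    for dim, direction in zip(dims, directions):
        if (dim, direction) not in FIELD:
            raise ValueError(f"unknown token {direction!r}")
        key.append(packet[FIELD[(dim, direction)]])
    return tuple(key)


def set_match(packet: dict, members: set, set_type: str, flags: str) -> bool:
    """set match, '--set <name> <flags>': True when the packet's key is in the set."""
    return packet_key(packet, set_type, flags) in members


def set_target_add(packet: dict, members: set, set_type: str, flags: str) -> set:
    """SET target, '--add-set <name> <flags>': record the packet's key in the set."""
    members.add(packet_key(packet, set_type, flags))
    return members


def demo() -> dict:
    # Constructed ipporthash set holding one service, 10.0.0.5 port 443.
    web = {("10.0.0.5", 443)}
    # Constructed packets: a request to the service and its reply.
    inbound = {"src_ip": "198.51.100.7", "sport": 51000, "dst_ip": "10.0.0.5", "dport": 443}
    reply = {"src_ip": "10.0.0.5", "sport": 443, "dst_ip": "198.51.100.7", "dport": 51000}
    results = {
        # dst,dst -> destination IP and destination port: matches the request.
        "inbound_dst_dst": set_match(inbound, web, "ipporthash", "dst,dst"),
        # src,src -> source IP and source port: matches the reply instead.
        "reply_src_src": set_match(reply, web, "ipporthash", "src,src"),
        # The request's source fields are not in the set.
        "inbound_src_src": set_match(inbound, web, "ipporthash", "src,src"),
    }
    # SET target on an iphash set: remember the source address of the request.
    seen = set()
    set_target_add(inbound, seen, "iphash", "src")
    results["seen"] = sorted(seen)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The token count must equal the set's dimension count; the model raises on a mismatch the way iptables rejects a rule whose flags do not fit the set type, which is the usual cause of a rule that loads but never matches when the tokens are given in the wrong order.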