IP set home >
 Features >
 Download & Install >
 Tips & Examples >
 ChangeLog >
 ipset(8) >
 iptables(8) >
 ip6tables(8) >
 iptables-extensions(8) >
 libipset(3) >

 

IP set features

Set types

IP sets support the following type of sets:

  • bitmap:ip
    The bitmap:ip set type uses a memory range, where each bit represents one IP address and can store up to 65535 (B-class network) entries. You can store same size network addresses in this kind of sets as well and an IP address will be in the set if the network address it belongs to can be found in the set.
  • bitmap:ip,mac
    The bitmap:ip,mac set type uses a memory range, where each 8 bytes represents one IP and a MAC addresses. A bitmap:ip,mac set type can store up to 65535 (B-class network) IP addresses with MAC.
  • bitmap:port
    The bitmap:port set type uses a memory range, where each bit represents one TCP/UDP port. A bitmap:port type of set can store up to 65535 ports.
  • hash:ip
    The hash:ip set type uses a hash to store IP addresses where clashing is resolved by storing the clashing elements in an array and, as a last resort, by dynamically growing the hash. Same size network addresses can be stored in an hash:ip type of set as well.
  • hash:net
    The hash:net set type also uses a hash to store CIDR netblocks, which may be of different sizes. The same techique is used to avoid clashes as at the hash:ip set type.
  • hash:ip,port
    The hash:ip,port is similar to hash:ip but you can store IP address and protocol-port pairs in it. TCP, SCTP, UDP, UDPLITE, ICMP and ICMPv6 are supported with port numbers/ICMP(v6) types and other protocol numbers without port information.
  • hash:ip,port,ip
    You can store IP address, port number, and IP address triples in an hash:ip,port,ip type of set.
  • hash:ip,port,net
    You can store IP address, port number and network address triples in this kind of set.
  • hash:net,port
    The set type supports to store network address and port number pairs.
  • hash:net,iface
    In this kind of set one can store network address and interface name pairs.
  • list:set
    In a list:set kind of set you can store other sets; it is like an ordered union of different sets.

set match and SET target of iptables

IP sets can be used via the set match and SET target in iptables rules. In the arguments of the extensions, the tokens src and dst can be used to specify which IP address or port to use from the packet to match the given set.

All the documentation on this site is released under the GNU/GPL license terms.