Content-type: text/html; charset=UTF-8
COMMANDS := { create | add | del | test | destroy | list | save | restore | flush | rename | swap | help | version | - }
OPTIONS := { -exist | -output { plain | save | xml } | json } | -quiet | -resolve | -sorted | -name | -terse | -file filename }
ipset create SETNAME TYPENAME [ CREATE-OPTIONS ]
ipset add SETNAME ADD-ENTRY [ ADD-OPTIONS ]
ipset del SETNAME DEL-ENTRY [ DEL-OPTIONS ]
ipset test SETNAME TEST-ENTRY [ TEST-OPTIONS ]
ipset destroy [ SETNAME ]
ipset list [ SETNAME ]
ipset save [ SETNAME ]
ipset restore
ipset flush [ SETNAME ]
ipset rename SETNAME-FROM SETNAME-TO
ipset swap SETNAME-FROM SETNAME-TO
ipset help [ TYPENAME ]
ipset version
Iptables matches and targets referring to sets create references, which protect the given sets in the kernel. A set cannot be destroyed while there is a single reference pointing to it.
If the set has got reference(s), nothing is done and no set destroyed.
Please note, existing sets and elements are not erased by restore unless specified so in the restore file. All commands are allowed in restore mode except list, help, version, interactive mode and restore itself.
TYPENAME := method:datatype[,datatype[,datatype]]
where the current list of the methods are bitmap, hash, and list and the possible data types are ip, net, mac, port and iface. The dimension of a set is equal to the number of data types in its type name.
When adding, deleting or testing entries in a set, the same comma separated data syntax must be used for the entry parameter of the commands, i.e
If host names or service names with dash in the name are used instead of IP addresses or service numbers, then the host name or service name must be enclosed in square brackets. Example:
In the case of host names the DNS resolver is called internally by ipset but if it returns multiple IP addresses, only the first one is used.
The bitmap and list types use a fixed sized storage. The hash types use a hash to store the elements. In order to avoid clashes in the hash, a limited number of chaining, and if that is exhausted, the doubling of the hash size is performed when adding entries by the ipset command. When entries added by the SET target of iptables/ip6tables, then the hash size is fixed and the set won't be duplicated, even if the new entry cannot be added to the set.
When listing the set, the number of entries printed in the header might be larger than the listed number of entries for sets with the timeout extensions: the number of entries in the set is updated when elements added/deleted to the set and periodically when the garbage collector evicts the timed out entries.
In the above, your shell will of course escape the quotation marks and ipset will see the quote marks in the argument for the comment, which will result in a parse error. If you are writing your own system, you should avoid creating comments containing a quotation mark if you do not want to break "ipset save" and "ipset restore", nonetheless, the kernel will not stop you from doing so. The following is perfectly acceptable:
ipaddr := { ip | fromaddr-toaddr | ip/cidr }
netaddr := { fromaddr-toaddr | ip/cidr }
Example:
When elements are tested by ipset, the nomatch flags are taken into account. If one wants to test the existence of an element marked with nomatch in a set, then the flag must be specified too.
CREATE-OPTIONS := range fromip-toip|ip/cidr [ netmask cidr ] [ timeout value ] [ counters ] [ comment ] [ skbinfo ]
ADD-ENTRY := { ip | fromip-toip | ip/cidr }
ADD-OPTIONS := [ timeout value ] [ packets value ] [ bytes value ] [ comment string ] [ skbmark value ] [ skbprio value ] [ skbqueue value ]
DEL-ENTRY := { ip | fromip-toip | ip/cidr }
TEST-ENTRY := ip
Mandatory create options:
Optional create options:
The bitmap:ip type supports adding or deleting multiple entries in one command.
Examples:
CREATE-OPTIONS := range fromip-toip|ip/cidr [ timeout value ] [ counters ] [ comment ] [ skbinfo ]
ADD-ENTRY := ip[,macaddr]
ADD-OPTIONS := [ timeout value ] [ packets value ] [ bytes value ] [ comment string ] [ skbmark value ] [ skbprio value ] [ skbqueue value ]
DEL-ENTRY := ip[,macaddr]
TEST-ENTRY := ip[,macaddr]
Mandatory options to use when creating a bitmap:ip,mac type of set:
The bitmap:ip,mac type is exceptional in the sense that the MAC part can be left out when adding/deleting/testing entries in the set. If we add an entry without the MAC address specified, then when the first time the entry is matched by the kernel, it will automatically fill out the missing MAC address with the MAC address from the packet. The source MAC address is used if the entry matched due to a src parameter of the set match, and the destination MAC address is used if available and the entry matched due to a dst parameter. If the entry was specified with a timeout value, the timer starts off when the IP and MAC address pair is complete.
The bitmap:ip,mac type of sets require two src/dst parameters of the set match and SET target netfilter kernel modules. For matches on destination MAC addresses, see COMMENTS below.
Examples:
CREATE-OPTIONS := range fromport-toport [ timeout value ] [ counters ] [ comment ] [ skbinfo ]
ADD-ENTRY := { [proto:]port | [proto:]fromport-toport }
ADD-OPTIONS := [ timeout value ] [ packets value ] [ bytes value ] [ comment string ] [ skbmark value ] [ skbprio value ] [ skbqueue value ]
DEL-ENTRY := { [proto:]port | [proto:]fromport-toport }
TEST-ENTRY := [proto:]port
Mandatory options to use when creating a bitmap:port type of set:
The set match and SET target netfilter kernel modules interpret the stored numbers as TCP or UDP port numbers.
proto only needs to be specified if a service name is used and that name does not exist as a TCP service. The protocol is never stored in the set, just the port number of the service.
Examples:
CREATE-OPTIONS := [ family { inet | inet6 } ] [ hashsize value ] [ maxelem value ] [ bucketsize value ] [ netmask cidr ] [ bitmask mask ] [ timeout value ] [ counters ] [ comment ] [ skbinfo ]
ADD-ENTRY := ipaddr
ADD-OPTIONS := [ timeout value ] [ packets value ] [ bytes value ] [ comment string ] [ skbmark value ] [ skbprio value ] [ skbqueue value ]
DEL-ENTRY := ipaddr
TEST-ENTRY := ipaddr
Optional create options:
CREATE-OPTIONS := [ hashsize value ] [ maxelem value ] [ bucketsize value ] [ timeout value ] [ counters ] [ comment ] [ skbinfo ]
ADD-ENTRY := macaddr
ADD-OPTIONS := [ timeout value ] [ packets value ] [ bytes value ] [ comment string ] [ skbmark value ] [ skbprio value ] [ skbqueue value ]
DEL-ENTRY := macaddr
TEST-ENTRY := macaddr
Examples:
CREATE-OPTIONS := [ family { inet | inet6 } ] [ hashsize value ] [ maxelem value ] [ bucketsize value ] [ timeout value ] [ counters ] [ comment ] [ skbinfo ]
ADD-ENTRY := ipaddr,macaddr
ADD-OPTIONS := [ timeout value ] [ packets value ] [ bytes value ] [ comment string ] [ skbmark value ] [ skbprio value ] [ skbqueue value ]
DEL-ENTRY := ipaddr,macaddr
TEST-ENTRY := ipaddr,macaddr
Examples:
CREATE-OPTIONS := [ family { inet | inet6 } ] [ hashsize value ] [ maxelem value ] [ bucketsize value ] [ timeout value ] [ counters ] [ comment ] [ skbinfo ]
ADD-ENTRY := netaddr
ADD-OPTIONS := [ timeout value ] [ nomatch ] [ packets value ] [ bytes value ] [ comment string ] [ skbmark value ] [ skbprio value ] [ skbqueue value ]
DEL-ENTRY := netaddr
TEST-ENTRY := netaddr
where netaddr := ip[/cidr]
When adding/deleting/testing entries, if the cidr prefix parameter is not specified, then the host prefix value is assumed. When adding/deleting entries, the exact element is added/deleted and overlapping elements are not checked by the kernel. When testing entries, if a host address is tested, then the kernel tries to match the host address in the networks added to the set and reports the result accordingly.
From the set netfilter match point of view the searching for a match always starts from the smallest size of netblock (most specific prefix) to the largest one (least specific prefix) added to the set. When adding/deleting IP addresses to the set by the SET netfilter target, it will be added/deleted by the most specific prefix which can be found in the set, or by the host prefix value if the set is empty.
The lookup time grows linearly with the number of the different prefix values added to the set.
Example:
When matching the elements in the set above, all IP addresses will match from the networks 192.168.0.0/24, 10.1.0.0/16 and 192.168.0/24 except the ones from 192.168.0/30.
CREATE-OPTIONS := [ family { inet | inet6 } ] [ hashsize value ] [ maxelem value ] [ bucketsize value ] [ netmask cidr ] [ bitmask mask ] [ timeout value ] [ counters ] [ comment ] [ skbinfo ]
ADD-ENTRY := netaddr,netaddr
ADD-OPTIONS := [ timeout value ] [ nomatch ] [ packets value ] [ bytes value ] [ comment string ] [ skbmark value ] [ skbprio value ] [ skbqueue value ]
DEL-ENTRY := netaddr,netaddr
TEST-ENTRY := netaddr,netaddr
where netaddr := ip[/cidr]
When adding/deleting/testing entries, if the cidr prefix parameter is not specified, then the host prefix value is assumed. When adding/deleting entries, the exact element is added/deleted and overlapping elements are not checked by the kernel. When testing entries, if a host address is tested, then the kernel tries to match the host address in the networks added to the set and reports the result accordingly.
From the set netfilter match point of view the searching for a match always starts from the smallest size of netblock (most specific prefix) to the largest one (least specific prefix) with the first param having precedence. When adding/deleting IP addresses to the set by the SET netfilter target, it will be added/deleted by the most specific prefix which can be found in the set, or by the host prefix value if the set is empty.
The lookup time grows linearly with the number of the different prefix values added to the first parameter of the set. The number of secondary prefixes further increases this as the list of secondary prefixes is traversed per primary prefix.
Optional create options:
Example:
When matching the elements in the set above, all IP addresses will match from the networks 192.168.0.0/24<->10.0.1.0/24, 10.1.0.0/16<->10.255.0.0/24 and 192.168.0/24<->192.168.54.0/24 except the ones from 192.168.0/30<->192.168.64/30.
CREATE-OPTIONS := [ family { inet | inet6 } ] [ hashsize value ] [ maxelem value ] [ bucketsize value ] [ netmask cidr ] [ bitmask mask ] [ timeout value ] [ counters ] [ comment ] [ skbinfo ]
ADD-ENTRY := ipaddr,[proto:]port
ADD-OPTIONS := [ timeout value ] [ packets value ] [ bytes value ] [ comment string ] [ skbmark value ] [ skbprio value ] [ skbqueue value ]
DEL-ENTRY := ipaddr,[proto:]port
TEST-ENTRY := ipaddr,[proto:]port
The [proto:]port part of the elements may be expressed in the following forms, where the range variations are valid when adding or deleting entries:
The hash:ip,port type of sets require two src/dst parameters of the set match and SET target kernel modules.
Optional create options:
Examples:
CREATE-OPTIONS := [ family { inet | inet6 } ] [ hashsize value ] [ maxelem value ] [ bucketsize value ] [ timeout value ] [ counters ] [ comment ] [ skbinfo ]
ADD-ENTRY := netaddr,[proto:]port
ADD-OPTIONS := [ timeout value ] [ nomatch ] [ packets value ] [ bytes value ] [ comment string ] [ skbmark value ] [ skbprio value ] [ skbqueue value ]
DEL-ENTRY := netaddr,[proto:]port
TEST-ENTRY := netaddr,[proto:]port
where netaddr := ip[/cidr]
For the netaddr part of the elements see the description at the hash:net set type. For the [proto:]port part of the elements see the description at the hash:ip,port set type.
When adding/deleting/testing entries, if the cidr prefix parameter is not specified, then the host prefix value is assumed. When adding/deleting entries, the exact element is added/deleted and overlapping elements are not checked by the kernel. When testing entries, if a host address is tested, then the kernel tries to match the host address in the networks added to the set and reports the result accordingly.
From the set netfilter match point of view the searching for a match always starts from the smallest size of netblock (most specific prefix) to the largest one (least specific prefix) added to the set. When adding/deleting IP addresses to the set by the SET netfilter target, it will be added/deleted by the most specific prefix which can be found in the set, or by the host prefix value if the set is empty.
The lookup time grows linearly with the number of the different prefix values added to the set.
Examples:
CREATE-OPTIONS := [ family { inet | inet6 } ] [ hashsize value ] [ maxelem value ] [ bucketsize value ] [ timeout value ] [ counters ] [ comment ] [ skbinfo ]
ADD-ENTRY := ipaddr,[proto:]port,ip
ADD-OPTIONS := [ timeout value ] [ packets value ] [ bytes value ] [ comment string ] [ skbmark value ] [ skbprio value ] [ skbqueue value ]
DEL-ENTRY := ipaddr,[proto:]port,ip
TEST-ENTRY := ipaddr,[proto:]port,ip
For the first ipaddr and [proto:]port parts of the elements see the descriptions at the hash:ip,port set type.
The hash:ip,port,ip type of sets require three src/dst parameters of the set match and SET target kernel modules.
Examples:
CREATE-OPTIONS := [ family { inet | inet6 } ] [ hashsize value ] [ maxelem value ] [ bucketsize value ] [ timeout value ] [ counters ] [ comment ] [ skbinfo ]
ADD-ENTRY := ipaddr,[proto:]port,netaddr
ADD-OPTIONS := [ timeout value ] [ nomatch ] [ packets value ] [ bytes value ] [ comment string ] [ skbmark value ] [ skbprio value ] [ skbqueue value ]
DEL-ENTRY := ipaddr,[proto:]port,netaddr
TEST-ENTRY := ipaddr,[proto:]port,netaddr
where netaddr := ip[/cidr]
For the ipaddr and [proto:]port parts of the elements see the descriptions at the hash:ip,port set type. For the netaddr part of the elements see the description at the hash:net set type.
From the set netfilter match point of view the searching for a match always starts from the smallest size of netblock (most specific cidr) to the largest one (least specific cidr) added to the set. When adding/deleting triples to the set by the SET netfilter target, it will be added/deleted by the most specific cidr which can be found in the set, or by the host cidr value if the set is empty.
The lookup time grows linearly with the number of the different cidr values added to the set.
The hash:ip,port,net type of sets require three src/dst parameters of the set match and SET target kernel modules.
Examples:
CREATE-OPTIONS := [ family { inet | inet6 } ] [ markmask value ] [ hashsize value ] [ maxelem value ] [ bucketsize value ] [ timeout value ] [ counters ] [ comment ] [ skbinfo ]
ADD-ENTRY := ipaddr,mark
ADD-OPTIONS := [ timeout value ] [ packets value ] [ bytes value ] [ comment string ] [ skbmark value ] [ skbprio value ] [ skbqueue value ]
DEL-ENTRY := ipaddr,mark
TEST-ENTRY := ipaddr,mark
Optional create options:
The mark can be any value between 0 and 4294967295.
The hash:ip,mark type of sets require two src/dst parameters of the set match and SET target kernel modules.
Examples:
CREATE-OPTIONS := [ family { inet | inet6 } ] [ hashsize value ] [ maxelem value ] [ bucketsize value ] [ timeout value ] [ counters ] [ comment ] [ skbinfo ]
ADD-ENTRY := netaddr,[proto:]port,netaddr
ADD-OPTIONS := [ timeout value ] [ nomatch ] [ packets value ] [ bytes value ] [ comment string ] [ skbmark value ] [ skbprio value ] [ skbqueue value ]
DEL-ENTRY := netaddr,[proto:]port,netaddr
TEST-ENTRY := netaddr,[proto:]port,netaddr
where netaddr := ip[/cidr]
For the [proto:]port part of the elements see the description at the hash:ip,port set type. For the netaddr part of the elements see the description at the hash:net set type.
From the set netfilter match point of view the searching for a match always starts from the smallest size of netblock (most specific cidr) to the largest one (least specific cidr) added to the set. When adding/deleting triples to the set by the SET netfilter target, it will be added/deleted by the most specific cidr which can be found in the set, or by the host cidr value if the set is empty. The first subnet has precedence when performing the most-specific lookup, just as for hash:net,net
The lookup time grows linearly with the number of the different cidr values added to the set and by the number of secondary cidr values per primary.
The hash:net,port,net type of sets require three src/dst parameters of the set match and SET target kernel modules.
Examples:
CREATE-OPTIONS := [ family { inet | inet6 } ] [ hashsize value ] [ maxelem value ] [ bucketsize value ] [ timeout value ] [ counters ] [ comment ] [ skbinfo ]
ADD-ENTRY := netaddr,[physdev:]iface
ADD-OPTIONS := [ timeout value ] [ nomatch ] [ packets value ] [ bytes value ] [ comment string ] [ skbmark value ] [ skbprio value ] [ skbqueue value ] [ wildcard ]
DEL-ENTRY := netaddr,[physdev:]iface
TEST-ENTRY := netaddr,[physdev:]iface
where netaddr := ip[/cidr]
For the netaddr part of the elements see the description at the hash:net set type.
When adding/deleting/testing entries, if the cidr prefix parameter is not specified, then the host prefix value is assumed. When adding/deleting entries, the exact element is added/deleted and overlapping elements are not checked by the kernel. When testing entries, if a host address is tested, then the kernel tries to match the host address in the networks added to the set and reports the result accordingly.
From the set netfilter match point of view the searching for a match always starts from the smallest size of netblock (most specific prefix) to the largest one (least specific prefix) added to the set. When adding/deleting IP addresses to the set by the SET netfilter target, it will be added/deleted by the most specific prefix which can be found in the set, or by the host prefix value if the set is empty.
The second direction parameter of the set match and SET target modules corresponds to the incoming/outgoing interface: src to the incoming one (similar to the -i flag of iptables), while dst to the outgoing one (similar to the -o flag of iptables). When the interface is flagged with physdev:, the interface is interpreted as the incoming/outgoing bridge port.
The lookup time grows linearly with the number of the different prefix values added to the set.
The internal restriction of the hash:net,iface set type is that the same network prefix cannot be stored with more than 64 different interfaces in a single set.
Examples:
CREATE-OPTIONS := [ size value ] [ timeout value ] [ counters ] [ comment ] [ skbinfo ]
ADD-ENTRY := setname [ { before | after } setname ]
ADD-OPTIONS := [ timeout value ] [ packets value ] [ bytes value ] [ comment string ] [ skbmark value ] [ skbprio value ] [ skbqueue value ]
DEL-ENTRY := setname [ { before | after } setname ]
TEST-ENTRY := setname [ { before | after } setname ]
Optional create options:
By the ipset command you can add, delete and test set names in a list:set type of set.
By the set match or SET target of netfilter you can test, add or delete entries in the sets added to the list:set type of set. The match will try to find a matching entry in the sets and the target will try to add an entry to the first set to which it can be added. The number of direction options of the match and target are important: sets which require more parameters than specified are skipped, while sets with equal or less parameters are checked, elements added/deleted. For example if a and b are list:set type of sets then in the command
the match and target will skip any set in a and b which stores data triples, but will match all sets with single or double data storage in a set and stop matching at the first successful set, and add src to the first single or src,dst to the first double data storage set in b to which the entry can be added. You can imagine a list:set type of set as an ordered union of the set elements.
Please note: by the ipset command you can add, delete and test the setnames in a list:set type of set, and not the presence of a set's member (such as an IP address).
Matching on destination MAC addresses using the dst parameter of the set match netfilter kernel modules will only work if the destination MAC address is available in the packet at the given processing stage, that is, it only applies for incoming packets in the PREROUTING, INPUT and FORWARD chains, against the MAC address as originally found in the received packet (typically, one of the MAC addresses of the local host). This is not the destination MAC address a destination IP address resolves to, after routing. If the MAC address is not available (e.g. in the OUTPUT chain), the packet will simply not match.
Backward compatibility is maintained and old ipset syntax is still supported.
The iptree and iptreemap set types are removed: if you refer to them, they are automatically replaced by hash:ip type of sets.