Provided by: shorewall_5.2.8-2_all

NAME

       ipsets - Specifying the name of an ipset in Shorewall configuration files

SYNOPSIS

       +ipsetname

       +ipsetname[flag,...]

       +[ipsetname,...]

DESCRIPTION

       Note: In the above syntax descriptions, the square brackets ("[]") are to be taken
       literally rather than as meta-characters.

       In most places where a network address may be entered, an ipset may be substituted. Set
       names must be prefixed by the character "+", must start with a letter and may be composed
       of alphanumeric characters, "-" and "_".

       Whether the set is matched against the packet source or destination is determined by which
       column the set name appears in (SOURCE or DEST). For those set types that specify a tuple,
       two alternative syntaxes are available:

           [number] - Indicates that 'src' or 'dst' should be repeated number times.
                  Example: myset[2].

           [flag,...] - where each flag is src or dst.
                  Example: myset[src,dst].

       In a SOURCE or SPORT column, the following pairs are equivalent:

       •   +myset[2] and +myset[src,src]

       In a DEST or DPORT column, the following pairs are equivalent:

       •   +myset[2] and +myset[dst,dst]

       Beginning with Shorewall 4.4.14, multiple source or destination matches may be specified
       by enclosing the set names within +[...]. The set names need not be prefixed with '+'.
       When such a list of sets is specified, matching packets must match all of the listed sets.

       For information about set lists and exclusion, see shorewall-exclusion[1] (5).

       Beginning with Shorewall 4.5.16, you can increment one or more nfacct objects each time a
       packet matches an ipset. You do that by listing the objects separated by commas within
       parentheses.

       Example:
           +myset[src](myobject)

       In that example, when the source address of a packet matches the myset ipset, the myobject
       nfacct counter will be incremented.

       Beginning with Shorewall 4.6.0, an ipset name (and src/dst list, if any) can immediately be
       followed by a list of match options.

           Important
           These additional match options are not available in shorewall-tcfilters(5)[2].

       Available options are:

       nomatch
           If the set type supports the nomatch flag, then the matching is reversed: a match with
           an element flagged with nomatch returns true, while a match with a plain element
           returns false. This option requires the 'Ipset Match nomatch' capability in your
           kernel and ip[6]tables.

       no-update-counters
           The packet and byte counters of the matching element in the set won't be updated. By
           default, the packet and byte counters are updated. This option and those that follow
           require the 'Ipset Match counters' capability in your kernel and ip[6]tables.

       no-update-subcounters
            The packet and byte counters of the matching element in the member set of a list type
            of set won't be updated. By default, the packet and byte counters are updated.

       packets=value
            If the packet matches an element in the set, match only if the packet counter of the
            element also equals the given value.

       packets<value
            If the packet matches an element in the set, match only if the packet counter of the
            element is also less than the given value.

       packets>value
            If the packet matches an element in the set, match only if the packet counter of the
            element is also greater than the given value.

       packets!=value
            If the packet matches an element in the set, match only if the packet counter of the
            element also differs from the given value.

       bytes=value
            If the packet matches an element in the set, match only if the byte counter of the
            element also equals the given value.

       bytes<value
            If the packet matches an element in the set, match only if the byte counter of the
            element is also less than the given value.

       bytes>value
            If the packet matches an element in the set, match only if the byte counter of the
            element is also greater than the given value.

       bytes<>value
            If the packet matches an element in the set, match only if the byte counter of the
            element also differs from the given value.

EXAMPLES

       In the examples that follow, myset, myset1 and myset2 are ipsets and myObject is an NFacct
       object name.

       +myset

       +myset[src]

       +myset[2]

       +[myset1,myset2[dst]]

       +myset[src](myObject)

       +myset[src,nomatch,packets>100]

       +myset[nomatch,no-update-counters](myObject)
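       The examples above, run through a small parser added for this page (it is not Shorewall's
       own code): it implements the syntax from SYNOPSIS and DESCRIPTION, applies the column
       default (src in SOURCE/SPORT, dst in DEST/DPORT), expands the [number] form, enforces the
       set-name rules, and emits the equivalent iptables 'set' and 'nfacct' match arguments. The
       option names --match-set, --return-nomatch, --update-counters, --update-subcounters,
       --packets-eq/-lt/-gt, --bytes-eq/-lt/-gt and --nfacct-name are those of the iptables set
       and nfacct match extensions; that Shorewall generates exactly these tokens is an assumption
       here, to be checked against the rules Shorewall actually produces on your system.

```python
"""Parse the Shorewall ipset syntax from shorewall-ipsets(5) and translate it
to equivalent iptables 'set' / 'nfacct' match arguments.

Added example for this page; not Shorewall's own parser.  The iptables
argument names come from the 'set' and 'nfacct' match extensions; that
Shorewall emits exactly these tokens is an assumption to verify against the
rules it actually generates.
"""
import re
from typing import List

# Set names: must start with a letter; letters, digits, '-' and '_' only.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_-]*$")
# packets=N, packets<N, packets>N, packets!=N, bytes=N, ..., bytes<>N
COUNTER_RE = re.compile(r"^(packets|bytes)(!=|<>|=|<|>)(\d+)$")
# Direction implied by the column the set name appears in.
DEFAULT_DIRECTION = {"SOURCE": "src", "SPORT": "src", "DEST": "dst", "DPORT": "dst"}


def _split_top_level(text: str) -> List[str]:
    """Split on commas that are not nested inside [...] or (...)."""
    parts, depth, cur = [], 0, ""
    for ch in text:
        if ch in "[(":
            depth += 1
        elif ch in "])":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    return parts


def _translate_set(item: str, column: str) -> List[str]:
    """item is 'name' or 'name[flag,...]'; returns iptables tokens for one set."""
    m = re.fullmatch(r"([^\[]+)(?:\[([^\]]*)\])?", item)
    if not m:
        raise ValueError(f"malformed set reference: {item!r}")
    name, flags = m.group(1), m.group(2)
    if not NAME_RE.match(name):
        raise ValueError(f"invalid ipset name: {name!r}")
    direction = DEFAULT_DIRECTION[column]
    dirs: List[str] = []
    extra: List[str] = []
    for flag in (flags.split(",") if flags else []):
        if flag in ("src", "dst"):
            dirs.append(flag)
        elif flag.isdigit() and int(flag) > 0:
            # myset[2] in SOURCE -> src,src ; in DEST -> dst,dst
            dirs.extend([direction] * int(flag))
        elif flag == "nomatch":
            extra += ["--return-nomatch"]
        elif flag == "no-update-counters":
            extra += ["!", "--update-counters"]
        elif flag == "no-update-subcounters":
            extra += ["!", "--update-subcounters"]
        elif (cm := COUNTER_RE.match(flag)):
            counter, op, value = cm.groups()
            if op == "=":
                extra += [f"--{counter}-eq", value]
            elif op == "<":
                extra += [f"--{counter}-lt", value]
            elif op == ">":
                extra += [f"--{counter}-gt", value]
            else:  # '!=' and '<>' both mean "not equal"
                extra += ["!", f"--{counter}-eq", value]
        else:
            # Reject unknown flags rather than silently widening the match.
            raise ValueError(f"unknown ipset flag: {flag!r}")
    if not dirs:
        dirs = [direction]
    return ["-m", "set", "--match-set", name, ",".join(dirs)] + extra


def translate(spec: str, column: str = "SOURCE") -> List[str]:
    """Translate one Shorewall ipset specification into iptables tokens."""
    if column not in DEFAULT_DIRECTION:
        raise ValueError(f"column must be one of {sorted(DEFAULT_DIRECTION)}")
    if not spec.startswith("+"):
        raise ValueError("ipset references must be prefixed with '+'")
    body = spec[1:]
    nfacct: List[str] = []
    if body.endswith(")"):  # trailing (obj,...) names nfacct objects to bump
        body, sep, objs = body[:-1].rpartition("(")
        if not sep:
            raise ValueError("unbalanced parentheses in nfacct list")
        nfacct = [o for o in objs.split(",") if o]
    if body.startswith("["):  # +[set1,set2[dst],...]: packet must match all
        if not body.endswith("]"):
            raise ValueError("unterminated set list")
        items = _split_top_level(body[1:-1])
    else:
        items = [body]
    tokens: List[str] = []
    for item in items:
        tokens += _translate_set(item, column)
    for obj in nfacct:
        tokens += ["-m", "nfacct", "--nfacct-name", obj]
    return tokens


if __name__ == "__main__":
    # The EXAMPLES from this man page, evaluated as if in a SOURCE column.
    for example in ["+myset", "+myset[src]", "+myset[2]", "+[myset1,myset2[dst]]",
                    "+myset[src](myObject)", "+myset[src,nomatch,packets>100]",
                    "+myset[nomatch,no-update-counters](myObject)"]:
        print(f"{example:45s} -> {' '.join(translate(example))}")
```

       The parser treats packets!=value and bytes<>value identically (negated equality), as both
       are described above, and rejects anything else in the flag list instead of passing it
       through, so a mistyped set name or option is reported rather than ignored.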

FILES

       /etc/shorewall/accounting

       /etc/shorewall6/accounting

       /etc/shorewall/blrules

       /etc/shorewall6/blrules

       /etc/shorewall/hosts -- Note: Multiple matches enclosed in +[...] may not be used in this
       file.

       /etc/shorewall6/hosts -- Note: Multiple matches enclosed in +[...] may not be used in this
       file.

       /etc/shorewall/maclist -- Note: Multiple matches enclosed in +[...] may not be used in
       this file.

       /etc/shorewall6/maclist -- Note: Multiple matches enclosed in +[...] may not be used in
       this file.

       /etc/shorewall/rules

       /etc/shorewall6/rules

       /etc/shorewall/secmarks

       /etc/shorewall6/secmarks

       /etc/shorewall/mangle

       /etc/shorewall6/mangle

       /etc/shorewall/snat

       /etc/shorewall6/snat

SEE ALSO

       shorewall(8)

NOTES

        1. shorewall-exclusion
           https://shorewall.org/manpages/shorewall-exclusion.html

        2. shorewall-tcfilters(5)
           https://shorewall.org/manpages/shorewall-tcfilters.html