Provided by: ipset_6.11-2_i386 bug

NAME

       ipset -- administration tool for IP sets

SYNOPSIS

       ipset [ OPTIONS ] COMMAND [ COMMAND-OPTIONS ]

       COMMANDS  :=  {  create  |  add  | del | test | destroy | list | save |
       restore | flush | rename | swap | help | version | - }

       OPTIONS := { -exist | -output { plain  |  save  |  xml  }  |  -quiet  |
       -resolve | -sorted | -name | -terse }

       ipset create SETNAME TYPENAME [ CREATE-OPTIONS ]

       ipset add SETNAME ADD-ENTRY [ ADD-OPTIONS ]

       ipset del SETNAME DEL-ENTRY [ DEL-OPTIONS ]

       ipset test SETNAME TEST-ENTRY [ TEST-OPTIONS ]

       ipset destroy [ SETNAME ]

       ipset list [ SETNAME ]

       ipset save [ SETNAME ]

       ipset restore

       ipset flush [ SETNAME ]

       ipset rename SETNAME-FROM SETNAME-TO

       ipset swap SETNAME-FROM SETNAME-TO

       ipset help [ TYPENAME ]

       ipset version

       ipset -

DESCRIPTION

       ipset  is used to set up, maintain and inspect so called IP sets in the
       Linux kernel. Depending on the type of the set, an  IP  set  may  store
       IP(v4/v6)  addresses, (TCP/UDP) port numbers, IP and MAC address pairs,
       IP address and port number pairs, etc. See  the  set  type  definitions
       below.

       Iptables matches and targets referring to sets create references, which
       protect the given sets in the kernel. A set cannot be  destroyed  while
       there is a single reference pointing to it.

OPTIONS

       The  options  that  are recognized by ipset can be divided into several
       different groups.

   COMMANDS
       These options specify the desired action to perform.  Only one of  them
       can  be specified on the command line unless otherwise specified below.
       For all the long versions of the command names, you need  to  use  only
       enough letters to ensure that ipset can differentiate it from all other
       commands. The ipset parser follows the order here when looking for  the
       shortest match in the long command names.

       n, create SETNAME TYPENAME [ CREATE-OPTIONS ]
              Create  a  set  identified  with setname and specified type. The
              type may require type specific options. If the -exist option  is
              specified,  ipset  ignores  the  error otherwise raised when the
              same set (setname and create parameters are  identical)  already
              exists.

       add SETNAME ADD-ENTRY [ ADD-OPTIONS ]
              Add a given entry to the set. If the -exist option is specified,
              ipset ignores if the entry already added to the set.

       del SETNAME DEL-ENTRY [ DEL-OPTIONS ]
              Delete an entry from a set. If the -exist option  is  specified,
              ipset  ignores  if  the entry does not added to (already expired
              from) the set.

       test SETNAME TEST-ENTRY [ TEST-OPTIONS ]
              Test wether an entry is in a set or not. Exit status  number  is
              zero  if  the  tested  entry  is in the set and nonzero if it is
              missing from the set.

       x, destroy [ SETNAME ]
              Destroy the specified set or all the sets if none is given.

              If the set has got reference(s), nothing  is  done  and  no  set
              destroyed.

       list [ SETNAME ] [ OPTIONS ]
              List  the  header data and the entries for the specified set, or
              for all sets if none is given. The -resolve option can  be  used
              to  force  name  lookups  (which  may be slow). When the -sorted
              option is given, the entries are listed sorted (if the given set
              type  supports the operation). The option -output can be used to
              control the format of the listing: plain,  save  or  xml.   (The
              default  is  plain.)  If the option -name is specified, just the
              names of the existing sets are listed. If the option  -terse  is
              specified, just the set names and headers are listed.

       save [ SETNAME ]
              Save  the given set, or all sets if none is given to stdout in a
              format that restore can read.

       restore
              Restore a saved session generated by save.   The  saved  session
              can be fed from stdin.

       flush [ SETNAME ]
              Flush  all  entries  from the specified set or flush all sets if
              none is given.

       e, rename SETNAME-FROM SETNAME-TO
              Rename a set. Set identified by SETNAME-TO must not exist.

       w, swap SETNAME-FROM SETNAME-TO
              Swap the content of two sets, or in another words, exchange  the
              name  of  two  sets.  The referred sets must exist and identical
              type of sets can be swapped only.

       help [ TYPENAME ]
              Print help and set type specific help if TYPENAME is specified.

       version
              Print program version.

       -      If a dash is specified as command, then ipset  enters  a  simple
              interactive  mode  and  the  commands are read from the standard
              input.  The interactive mode can be  finished  by  entering  the
              pseudo-command quit.

   OTHER OPTIONS
       The  following  additional  options  can  be specified. The long option
       names cannot be abbreviated.

       -!, -exist
              Ignore errors when the exactly the same set is to be created  or
              already added entry is added or missing entry is deleted.

       -o, -output { plain | save | xml }
              Select the output format to the list command.

       -q, -quiet
              Suppress any output to stdout and stderr.  ipset will still exit
              with error if it cannot continue.

       -r, -resolve
              When listing sets, enforce name lookup. The program will try  to
              display  the  IP  entries  resolved to host names which requires
              slow DNS lookups.

       -s, -sorted
              Sorted output. When listing sets entries are listed sorted.  Not
              supported yet.

       -n, -name
              List  just the names of the existing sets, i.e. suppress listing
              of set headers and members.

       -t, -terse
              List the set names and headers, i.e.  suppress  listing  of  set
              members.

SET TYPES

       A  set type comprises of the storage method by which the data is stored
       and the data type(s)  which  are  stored  in  the  set.  Therefore  the
       TYPENAME parameter of the create command follows the syntax

       TYPENAME := method:datatype[,datatype[,datatype]]

       where  the  current  list of the methods are bitmap, hash, and list and
       the possible data  types  are  ip,  net,  mac,  port  and  iface.   The
       dimension  of  a  set  is equal to the number of data types in its type
       name.

       When adding, deleting or testing entries  in  a  set,  the  same  comma
       separated  data  syntax  must  be  used  for the entry parameter of the
       commands, i.e

       ipset add foo ipaddr,portnum,ipaddr

       The bitmap and list types use a fixed sized storage. The hash types use
       a  hash to store the elements. In order to avoid clashes in the hash, a
       limited number of chaining, and if that is exhausted, the  doubling  of
       the  hash  size  is performed when adding entries by the ipset command.
       When entries added by the SET target of  iptables/ip6tables,  then  the
       hash  size  is  fixed  and the set won't be duplicated, even if the new
       entry cannot be added to the set.

       All set types support the optional

       timeout value

       parameter when creating a set and adding  entries.  The  value  of  the
       timeout  parameter  for  the  create  command means the default timeout
       value (in seconds) for new entries. If a set is  created  with  timeout
       support,   then  the  same  timeout  option  can  be  used  to  specify
       non-default timeout values when  adding  entries.  Zero  timeout  value
       means  the  entry  is added permanent to the set.  The timeout value of
       already added elements can be changed by readding the element using the
       -exist option.

       The  hash  set types which can store net type of data (i.e. hash:*net*)
       support the optional

       nomatch

       option when adding entries. When matching elements in the set,  entries
       marked  as  nomatch  are  skipped as if those were no added to the set,
       which makes possible to build up sets with exceptions. See the  example
       at hash type hash:net below.

       If  host  names or service names with dash in the name are used instead
       of IP addresses or service numbers, then the host name or service  name
       must be enclosed in square brackets. Example:

              ipset add foo [test-hostname],[ftp-data]

   bitmap:ip
       The  bitmap:ip  set  type uses a memory range to store either IPv4 host
       (default) or IPv4 network addresses. A bitmap:ip type of set can  store
       up to 65536 entries.

       CREATE-OPTIONS  := range fromip-toip|ip/cidr [ netmask cidr ] [ timeout
       value ]

       ADD-ENTRY := { ip | fromip-toip | ip/cidr }

       ADD-OPTIONS := [ timeout value ]

       DEL-ENTRY := { ip | fromip-toip | ip/cidr }

       TEST-ENTRY := ip

       Mandatory create options:

       range fromip-toip|ip/cidr
              Create the  set  from  the  specified  inclusive  address  range
              expressed  in  an IPv4 address range or network. The size of the
              range (in entries) cannot exceed  the  limit  of  maximum  65536
              elements.

       Optional create options:

       netmask cidr
              When the optional netmask parameter specified, network addresses
              will be stored in the set instead of IP host addresses. The cidr
              prefix value must be between 1-32.  An IP address will be in the
              set if the network address, which is  resulted  by  masking  the
              address  with  the specified netmask calculated from the prefix,
              can be found in the set.

       The bitmap:ip type supports adding or deleting multiple entries in  one
       command.

       Examples:

              ipset create foo bitmap:ip range 192.168.0.0/16

              ipset add foo 192.168.1/24

              ipset test foo 192.168.1.1

   bitmap:ip,mac
       The  bitmap:ip,mac set type uses a memory range to store IPv4 and a MAC
       address pairs. A bitmap:ip,mac type  of  set  can  store  up  to  65536
       entries.

       CREATE-OPTIONS := range fromip-toip|ip/cidr [ timeout value ]

       ADD-ENTRY := ip[,macaddr]

       ADD-OPTIONS := [ timeout value ]

       DEL-ENTRY := ip[,macaddr]

       TEST-ENTRY := ip[,macaddr]

       Mandatory options to use when creating a bitmap:ip,mac type of set:

       range fromip-toip|ip/cidr
              Create  the  set  from  the  specified  inclusive  address range
              expressed in an IPv4 address range or network. The size  of  the
              range cannot exceed the limit of maximum 65536 entries.

       The  bitmap:ip,mac  type  is exceptional in the sense that the MAC part
       can be left out when adding/deleting/testing entries in the set. If  we
       add  an  entry  without  the MAC address specified, then when the first
       time the entry is matched by the kernel, it will automatically fill out
       the missing MAC address with the source MAC address from the packet. If
       the entry was specified with a timeout value, the timer starts off when
       the IP and MAC address pair is complete.

       The  bitmap:ip,mac  type  of sets require two src/dst parameters of the
       set match and SET target netfilter kernel modules and  the  second  one
       must  be  src to match, add or delete entries because the set match and
       SET target have access to the source MAC address only.

       Examples:

              ipset create foo bitmap:ip,mac range 192.168.0.0/16

              ipset add foo 192.168.1.1,12:34:56:78:9A:BC

              ipset test foo 192.168.1.1

   bitmap:port
       The bitmap:port set type uses a memory range to store port numbers  and
       such a set can store up to 65536 ports.

       CREATE-OPTIONS := range fromport-toport [ timeout value ]

       ADD-ENTRY := { port | fromport-toport }

       ADD-OPTIONS := [ timeout value ]

       DEL-ENTRY := { port | fromport-toport }

       TEST-ENTRY := port

       Mandatory options to use when creating a bitmap:port type of set:

       range fromport-toport
              Create the set from the specified inclusive port range.

       The  set  match  and  SET target netfilter kernel modules interpret the
       stored numbers as TCP or UDP port numbers.

       Examples:

              ipset create foo bitmap:port range 0-1024

              ipset add foo 80

              ipset test foo 80

   hash:ip
       The hash:ip set type uses a hash to store IP host  addresses  (default)
       or  network  addresses.  Zero  valued  IP address cannot be stored in a
       hash:ip type of set.

       CREATE-OPTIONS := [ family { inet | inet6 } ] | [ hashsize  value  ]  [
       maxelem value ] [ netmask cidr ] [ timeout value ]

       ADD-ENTRY := ipaddr

       ADD-OPTIONS := [ timeout value ]

       DEL-ENTRY := ipaddr

       TEST-ENTRY := ipaddr

       Optional create options:

       family { inet | inet6 }
              The protocol family of the IP addresses to be stored in the set.
              The default is inet, i.e IPv4.

       hashsize value
              The initial hash size for the set, default  is  1024.  The  hash
              size  must be a power of two, the kernel automatically rounds up
              non power of two hash sizes to the first correct value.

       maxelem value
              The maximal number of elements which can be stored in  the  set,
              default 65536.

       netmask cidr
              When the optional netmask parameter specified, network addresses
              will be stored in the set instead of IP host addresses. The cidr
              prefix value must be between 1-32 for IPv4 and between 1-128 for
              IPv6. An IP address will be in the set if the  network  address,
              which  is  resulted  by  masking  the  address  with the netmask
              calculated from the prefix, can be found in the set.

       For the  inet  family  one  can  add  or  delete  multiple  entries  by
       specifying a range or a network:

       ipaddr := { ip | fromaddr-toaddr | ip/cidr }

       Examples:

              ipset create foo hash:ip netmask 30

              ipset add foo 192.168.1.0/24

              ipset test foo 192.168.1.2

   hash:net
       The  hash:net  set type uses a hash to store different sized IP network
       addresses.  Network address with zero prefix size cannot be  stored  in
       this type of sets.

       CREATE-OPTIONS  :=  [  family { inet | inet6 } ] | [ hashsize value ] [
       maxelem value ] [ timeout value ]

       ADD-ENTRY := netaddr

       ADD-OPTIONS := [ timeout value ] [ nomatch ]

       DEL-ENTRY := netaddr

       TEST-ENTRY := netaddr

       where netaddr := ip[/cidr]

       Optional create options:

       family { inet | inet6 }
              The protocol family of the IP addresses to be stored in the set.
              The default is inet, i.e IPv4.

       hashsize value
              The  initial  hash  size  for the set, default is 1024. The hash
              size must be a power of two, the kernel automatically rounds  up
              non power of two hash sizes to the first correct value.

       maxelem value
              The  maximal  number of elements which can be stored in the set,
              default 65536.

       For the  inet  family  one  can  add  or  delete  multiple  entries  by
       specifying  a  range, which is converted internally to network(s) equal
       to the range:

       netaddr := { ip[/cidr] | fromaddr-toaddr }

       When adding/deleting/testing entries, if the cidr prefix  parameter  is
       not   specified,   then   the   host  prefix  value  is  assumed.  When
       adding/deleting  entries,  the  exact  element  is  added/deleted   and
       overlapping  elements  are  not  checked  by  the kernel.  When testing
       entries, if a host address is tested, then the kernel  tries  to  match
       the  host  address  in  the  networks  added to the set and reports the
       result accordingly.

       From the set netfilter match point of view the searching  for  a  match
       always   starts   from   the smallest  size  of netblock (most specific
       prefix) to the largest one (least specific prefix) added  to  the  set.
       When   adding/deleting  IP  addresses   to the set by the SET netfilter
       target, it  will  be added/deleted by the most  specific  prefix  which
       can  be  found  in   the set, or by the host prefix value if the set is
       empty.

       The lookup time grows linearly with the number of the different  prefix
       values added to the set.

       Example:

              ipset create foo hash:net

              ipset add foo 192.168.0.0/24

              ipset add foo 10.1.0.0/16

              ipset add foo 192.168.0/24

              ipset add foo 192.168.0/30 nomatch

       When  matching  the  elements  in  the set above, all IP addresses will
       match from the networks 192.168.0.0/24,  10.1.0.0/16  and  192.168.0/24
       except 192.168.0/30.

   hash:ip,port
       The  hash:ip,port  set  type  uses  a hash to store IP address and port
       number pairs.  The port number is interpreted together with a  protocol
       (default TCP) and zero protocol number cannot be used.

       CREATE-OPTIONS  :=  [  family { inet | inet6 } ] | [ hashsize value ] [
       maxelem value ] [ timeout value ]

       ADD-ENTRY := ipaddr,[proto:]port

       ADD-OPTIONS := [ timeout value ]

       DEL-ENTRY := ipaddr,[proto:]port

       TEST-ENTRY := ipaddr,[proto:]port

       Optional create options:

       family { inet | inet6 }
              The protocol family of the IP addresses to be stored in the set.
              The default is inet, i.e IPv4.

       hashsize value
              The  initial  hash  size  for the set, default is 1024. The hash
              size must be a power of two, the kernel automatically rounds  up
              non power of two hash sizes to the first correct value

       maxelem value
              The  maximal  number of elements which can be stored in the set,
              default 65536.

       For the  inet  family  one  can  add  or  delete  multiple  entries  by
       specifying  a  range  or  a network of IPv4 addresses in the IP address
       part of the entry:

       ipaddr := { ip | fromaddr-toaddr | ip/cidr }

       The [proto:]port part of the elements may be expressed in the following
       forms,  where  the  range  variations are valid when adding or deleting
       entries:

       portname[-portname]
              TCP port or range of ports expressed in TCP portname identifiers
              from /etc/services

       portnumber[-portnumber]
              TCP port or range of ports expressed in TCP port numbers

       tcp|sctp|udp|udplite:portname|portnumber[-portname|portnumber]
              TCP,  SCTP,  UDP or UDPLITE port or port range expressed in port
              name(s) or port number(s)

       icmp:codename|type/code
              ICMP  codename  or  type/code.  The  supported   ICMP   codename
              identifiers can always be listed by the help command.

       icmpv6:codename|type/code
              ICMPv6  codename  or  type/code.  The  supported ICMPv6 codename
              identifiers can always be listed by the help command.

       proto:0
              All other protocols, as an  identifier  from  /etc/protocols  or
              number. The pseudo port number must be zero.

       The hash:ip,port type of sets require two src/dst parameters of the set
       match and SET target kernel modules.

       Examples:

              ipset create foo hash:ip,port

              ipset add foo 192.168.1.0/24,80-82

              ipset add foo 192.168.1.1,udp:53

              ipset add foo 192.168.1.1,vrrp:0

              ipset test foo 192.168.1.1,80

   hash:net,port
       The hash:net,port set type uses a hash  to  store  different  sized  IP
       network address and port pairs. The port number is interpreted together
       with a protocol (default TCP) and zero protocol number cannot be  used.
       Network address with zero prefix size is not accepted either.

       CREATE-OPTIONS  :=  [  family { inet | inet6 } ] | [ hashsize value ] [
       maxelem value ] [ timeout value ]

       ADD-ENTRY := netaddr,[proto:]port

       ADD-OPTIONS := [ timeout value ]  [ nomatch ]

       DEL-ENTRY := netaddr,[proto:]port

       TEST-ENTRY := netaddr,[proto:]port

       where netaddr := ip[/cidr]

       Optional create options:

       family { inet | inet6 }
              The protocol family of the IP addresses to be stored in the set.
              The default is inet, i.e IPv4.

       hashsize value
              The  initial  hash  size  for the set, default is 1024. The hash
              size must be a power of two, the kernel automatically rounds  up
              non power of two hash sizes to the first correct value.

       maxelem value
              The  maximal  number of elements which can be stored in the set,
              default 65536.

       For the netaddr part  of  the  elements  see  the  description  at  the
       hash:net  set  type.  For the [proto:]port part of the elements see the
       description at the hash:ip,port set type.

       When adding/deleting/testing entries, if the cidr prefix  parameter  is
       not   specified,   then   the   host  prefix  value  is  assumed.  When
       adding/deleting  entries,  the  exact  element  is  added/deleted   and
       overlapping  elements  are  not  checked  by  the kernel.  When testing
       entries, if a host address is tested, then the kernel  tries  to  match
       the  host  address  in  the  networks  added to the set and reports the
       result accordingly.

       From the set netfilter match point of view the searching for  a   match
       always   starts   from   the smallest  size  of netblock (most specific
       prefix) to the largest one (least specific prefix) added  to  the  set.
       When   adding/deleting  IP  addresses   to the set by the SET netfilter
       target, it  will  be added/deleted by the most  specific  prefix  which
       can  be  found  in   the set, or by the host prefix value if the set is
       empty.

       The lookup time grows linearly with the number of the different  prefix
       values added to the set.

       Examples:

              ipset create foo hash:net,port

              ipset add foo 192.168.0/24,25

              ipset add foo 10.1.0.0/16,80

              ipset test foo 192.168.0/24,25

   hash:ip,port,ip
       The  hash:ip,port,ip  set  type  uses  a hash to store IP address, port
       number and a second IP address triples. The port number is  interpreted
       together  with a protocol (default TCP) and zero protocol number cannot
       be used.

       CREATE-OPTIONS := [ family { inet | inet6 } ] | [ hashsize  value  ]  [
       maxelem value ] [ timeout value ]

       ADD-ENTRY := ipaddr,[proto:]port,ip

       ADD-OPTIONS := [ timeout value ]

       DEL-ENTRY := ipaddr,[proto:]port,ip

       TEST-ENTRY := ipaddr,[proto:]port,ip

       For  the  first  ipaddr  and [proto:]port parts of the elements see the
       descriptions at the hash:ip,port set type.

       Optional create options:

       family { inet | inet6 }
              The protocol family of the IP addresses to be stored in the set.
              The default is inet, i.e IPv4.

       hashsize value
              The  initial  hash  size  for the set, default is 1024. The hash
              size must be a power of two, the kernel automatically rounds  up
              non power of two hash sizes to the first correct value.

       maxelem value
              The  maximal  number of elements which can be stored in the set,
              default 65536.

       The hash:ip,port,ip type of sets require three  src/dst  parameters  of
       the set match and SET target kernel modules.

       Examples:

              ipset create foo hash:ip,port,ip

              ipset add foo 192.168.1.1,80,10.0.0.1

              ipset test foo 192.168.1.1,udp:53,10.0.0.1

   hash:ip,port,net
       The  hash:ip,port,net  set  type  uses a hash to store IP address, port
       number and IP network address triples. The port number  is  interpreted
       together  with a protocol (default TCP) and zero protocol number cannot
       be used. Network address with zero prefix size cannot be stored either.

       CREATE-OPTIONS := [ family { inet | inet6 } ] | [ hashsize  value  ]  [
       maxelem value ] [ timeout value ]

       ADD-ENTRY := ipaddr,[proto:]port,netaddr

       ADD-OPTIONS := [ timeout value ]  [ nomatch ]

       DEL-ENTRY := ipaddr,[proto:]port,netaddr

       TEST-ENTRY := ipaddr,[proto:]port,netaddr

       where netaddr := ip[/cidr]

       For  the  ipaddr  and  [proto:]port  parts  of  the  elements  see  the
       descriptions at the hash:ip,port set type. For the netaddr part of  the
       elements see the description at the hash:net set type.

       Optional create options:

       family { inet | inet6 }
              The protocol family of the IP addresses to be stored in the set.
              The default is inet, i.e IPv4.

       hashsize value
              The initial hash size for the set, default  is  1024.  The  hash
              size  must be a power of two, the kernel automatically rounds up
              non power of two hash sizes to the first correct value.

       maxelem value
              The maximal number of elements which can be stored in  the  set,
              default 65536.

       From  the  set  netfilter match point of view the searching for a match
       always  starts  from  the smallest  size  of  netblock  (most  specific
       cidr)  to the largest one (least specific cidr) added to the set.  When
       adding/deleting triples to the set by  the  SET  netfilter  target,  it
       will   be added/deleted by the most specific cidr which can be found in
       the set, or by the host cidr value if the set is empty.

       The lookup time grows linearly with the number of  the  different  cidr
       values added to the set.

       The  hash:ip,port,net  type of sets require three src/dst parameters of
       the set match and SET target kernel modules.

       Examples:

              ipset create foo hash:ip,port,net

              ipset add foo 192.168.1,80,10.0.0/24

              ipset add foo 192.168.2,25,10.1.0.0/16

              ipset test foo 192.168.1,80.10.0.0/24

   hash:net,iface
       The hash:net,iface set type uses a hash to  store  different  sized  IP
       network  address  and  interface  name pairs. Network address with zero
       prefix size is not accepted.

       CREATE-OPTIONS := [ family { inet | inet6 } ] | [ hashsize  value  ]  [
       maxelem value ] [ timeout value ]

       ADD-ENTRY := netaddr,[physdev:]iface

       ADD-OPTIONS := [ timeout value ]  [ nomatch ]

       DEL-ENTRY := netaddr,[physdev:]iface

       TEST-ENTRY := netaddr,[physdev:]iface

       where netaddr := ip[/cidr]

       Optional create options:

       family { inet | inet6 }
              The protocol family of the IP addresses to be stored in the set.
              The default is inet, i.e IPv4.

       hashsize value
              The initial hash size for the set, default  is  1024.  The  hash
              size  must be a power of two, the kernel automatically rounds up
              non power of two hash sizes to the first correct value.

       maxelem value
              The maximal number of elements which can be stored in  the  set,
              default 65536.

       For  the  netaddr  part  of  the  elements  see  the description at the
       hash:net set type.

       When adding/deleting/testing entries, if the cidr prefix  parameter  is
       not   specified,   then   the   host  prefix  value  is  assumed.  When
       adding/deleting  entries,  the  exact  element  is  added/deleted   and
       overlapping  elements  are  not  checked  by  the kernel.  When testing
       entries, if a host address is tested, then the kernel  tries  to  match
       the  host  address  in  the  networks  added to the set and reports the
       result accordingly.

       From the set netfilter match point of view the searching for  a   match
       always   starts   from   the smallest  size  of netblock (most specific
       prefix) to the largest one (least specific prefix) added  to  the  set.
       When   adding/deleting  IP  addresses   to the set by the SET netfilter
       target, it  will  be added/deleted by the most  specific  prefix  which
       can  be  found  in   the set, or by the host prefix value if the set is
       empty.

       The second direction parameter of the set match and SET target  modules
       corresponds  to  the incoming/outgoing interface : src to the incoming,
       while dst to the outgoing. When the interface is flagged with physdev:,
       the interface is interpreted as the incoming/outgoing bridge port.

       The  lookup time grows linearly with the number of the different prefix
       values added to the set.

       The internal restriction of the hash:net,iface set  type  is  that  the
       same  network  prefix  cannot  be  stored  with  more than 64 different
       interfaces in a single set.

       Examples:

              ipset create foo hash:net,iface

              ipset add foo 192.168.0/24,eth0

              ipset add foo 10.1.0.0/16,eth1

              ipset test foo 192.168.0/24,eth0

   list:set
       The list:set type uses a simple list in which you can store set names.

       CREATE-OPTIONS := [ size value ] [ timeout value ]

       ADD-ENTRY := setname [ { before | after } setname ]

       ADD-OPTIONS := [ timeout value ]

       DEL-ENTRY := setname [ { before | after } setname ]

       TEST-ENTRY := setname [ { before | after } setname ]

       Optional create options:

       size value
              The size of the list, the default is 8.

       By the ipset commad you  can add,  delete  and  test  set  names  in  a
       list:set type of set.

       By the set match or SET target of netfilter you can test, add or delete
       entries in the sets added to the list:set type of set. The  match  will
       try to find a matching entry in the sets and the target will try to add
       an entry to the first set to which it can  be  added.   The  number  of
       direction  options  of  the  match and target are important: sets which
       require more parameters than specified are  skipped,  while  sets  with
       equal  or  less  parameters  are  checked,  elements added/deleted. For
       example if a and b are list:set type of sets then in the command

              iptables -m set --match-set a src,dst -j SET --add-set b src,dst

       the match and target will skip any set in a and  b  which  stores  data
       triples,  but will match all sets with single or double data storage in
       a set and stop matching at the first successful set, and add src to the
       first  single  or  src,dst to the first double data storage set in b to
       which the entry can be added. You can imagine a list:set type of set as
       an ordered union of the set elements.

       Please  note:  by  the  ipset  commad  you can add, delete and test the
       setnames in a list:set type of set, and not the  presence  of  a  set's
       member (such as an IP address).

GENERAL RESTRICTIONS

       Zero valued set entries cannot be used with hash methods. Zero protocol
       value with ports cannot be used.

COMMENTS

       If you want to store same size subnets from a given  network  (say  /24
       blocks  from a /8 network), use the bitmap:ip set type.  If you want to
       store random same size  networks  (say  random  /24  blocks),  use  the
       hash:ip  set  type.  If  you  have  got  random  size of netblocks, use
       hash:net.

       Backward compatibility is maintained and  old  ipset  syntax  is  still
       supported.

       The  iptree  and iptreemap set types are removed: if you refer to them,
       they are automatically replaced by hash:ip type of sets.

DIAGNOSTICS

       Various error messages are printed to standard error.  The exit code is
       0 for correct functioning.

BUGS

       Bugs? No, just funny features. :-) OK, just kidding...

SEE ALSO

       iptables(8), ip6tables(8)

AUTHORS

       Jozsef  Kadlecsik  wrote  ipset,  which  is  based  on ippool by Joakim
       Axelsson, Patrick Schaaf and Martin Josefsson.
       Sven Wegener wrote the iptreemap type.

LAST REMARK

       I stand on the shoulders of giants.