Provided by: xtables-addons-common_1.40-1_amd64

NAME

       ipset — administration tool for IP sets

SYNOPSIS

       ipset [ OPTIONS ] COMMAND [ COMMAND-OPTIONS ]

       COMMANDS := { create | add | del | test | destroy | list | save | restore | flush | rename
       | swap | help | version | - }

       OPTIONS := { -exist | -output { plain | save | xml } | -quiet | -resolve | -sorted | -name
       | -terse }

       ipset create SETNAME TYPENAME [ CREATE-OPTIONS ]

       ipset add SETNAME ADD-ENTRY [ ADD-OPTIONS ]

       ipset del SETNAME DEL-ENTRY [ DEL-OPTIONS ]

       ipset test SETNAME TEST-ENTRY [ TEST-OPTIONS ]

       ipset destroy [ SETNAME ]

       ipset list [ SETNAME ]

       ipset save [ SETNAME ]

       ipset restore

       ipset flush [ SETNAME ]

       ipset rename SETNAME-FROM SETNAME-TO

       ipset swap SETNAME-FROM SETNAME-TO

       ipset help [ TYPENAME ]

       ipset version

       ipset -

DESCRIPTION

       ipset  is  used  to  set  up,  maintain and inspect so called IP sets in the Linux kernel.
       Depending on the type of the set, an IP set may store IP(v4/v6) addresses, (TCP/UDP)  port
       numbers, IP and MAC address pairs, IP address and port number pairs, etc. See the set type
       definitions below.

       Iptables matches and targets referring to sets create references, which protect the given
       sets in the kernel. A set cannot be destroyed while even a single reference points to it.

OPTIONS

       The options that are recognized by ipset can be divided into several different groups.

   COMMANDS
       These options specify the desired action to perform.  Only one of them can be specified on
       the  command  line  unless  otherwise  specified  below.  For all the long versions of the
       command names, you need to use only enough letters to ensure that ipset can  differentiate
       it  from  all other commands. The ipset parser follows the order here when looking for the
       shortest match in the long command names.

       n, create SETNAME TYPENAME [ CREATE-OPTIONS ]
              Create a set identified by SETNAME with the specified type. The type may require
              type specific options. If the -exist option is specified, ipset ignores the error
              otherwise raised when the same set (setname and create parameters are identical)
              already exists.

       add SETNAME ADD-ENTRY [ ADD-OPTIONS ]
              Add a given entry to the set. If the -exist option is specified, ipset ignores the
              error otherwise raised when the entry has already been added to the set.

       del SETNAME DEL-ENTRY [ DEL-OPTIONS ]
              Delete an entry from a set. If the -exist option is specified, ipset ignores the
              error otherwise raised when the entry is not in the set (or has already expired
              from it).

       test SETNAME TEST-ENTRY [ TEST-OPTIONS ]
              Test whether an entry is in a set or not. The exit status is zero if the tested
              entry is in the set and nonzero if it is missing from the set.

       x, destroy [ SETNAME ]
              Destroy the specified set or all the sets if none is given.

              If the set has references, nothing is done and no set is destroyed.

       list [ SETNAME ] [ OPTIONS ]
              List the header data and the entries for the specified set, or for all sets if none
              is  given.  The  -resolve  option  can  be used to force name lookups (which may be
              slow). When the -sorted option is given, the entries  are  listed  sorted  (if  the
              given  set  type supports the operation). The option -output can be used to control
              the format of the listing: plain, save or xml.  (The default  is  plain.)   If  the
              option  -name  is specified, just the names of the existing sets are listed. If the
              option -terse is specified, just the set names and headers are listed.

       save [ SETNAME ]
              Save the given set, or all sets if none is given, to stdout in a format that restore
              can read.

       restore
              Restore  a  saved  session  generated  by  save.  The saved session can be fed from
              stdin.

       flush [ SETNAME ]
              Flush all entries from the specified set or flush all sets if none is given.

       e, rename SETNAME-FROM SETNAME-TO
              Rename a set. Set identified by SETNAME-TO must not exist.

       w, swap SETNAME-FROM SETNAME-TO
              Swap the content of two sets, or in other words, exchange the names of two sets.
              Both sets must exist, and only sets of identical type can be swapped.

       help [ TYPENAME ]
              Print help and set type specific help if TYPENAME is specified.

       version
              Print program version.

       -      If  a dash is specified as command, then ipset enters a simple interactive mode and
              the commands are read from  the  standard  input.   The  interactive  mode  can  be
              finished by entering the pseudo-command quit.

   OTHER OPTIONS
       The  following  additional  options  can  be  specified.  The  long option names cannot be
       abbreviated.

       -!, -exist
              Ignore errors when exactly the same set is to be created, an already added entry is
              added, or a missing entry is deleted.

       -o, -output { plain | save | xml }
              Select the output format for the list command.

       -q, -quiet
              Suppress  any  output to stdout and stderr.  ipset will still exit with error if it
              cannot continue.

       -r, -resolve
              When listing sets, force name lookups. The program will try to display the IP
              entries resolved to host names, which requires slow DNS lookups.

       -s, -sorted
              Sorted output: when listing sets, the entries are listed sorted. Not supported yet.

       -n, -name
              List  just the names of the existing sets, i.e. suppress listing of set headers and
              members.

       -t, -terse
              List the set names and headers, i.e. suppress listing of set members.

SET TYPES

       A set type comprises the storage method by which the data is stored and the data type(s)
       which are stored in the set. Therefore the TYPENAME parameter of the create command
       follows the syntax

       TYPENAME := method:datatype[,datatype[,datatype]]

       where the currently available methods are bitmap, hash and list, and the possible data
       types are ip, net, mac, port and iface. The dimension of a set is equal to the number of
       data types in its type name.

       When adding, deleting or testing entries in a set, the same comma separated data syntax
       must be used for the entry parameter of the commands, e.g.

       ipset add foo ipaddr,portnum,ipaddr

       The bitmap and list types use fixed-size storage. The hash types use a hash to store the
       elements. To avoid clashes in the hash, a limited amount of chaining is used and, if that
       is exhausted, the hash size is doubled when entries are added by the ipset command. When
       entries are added by the SET target of iptables/ip6tables, the hash size is fixed and is
       not doubled, even if the new entry cannot be added to the set.

       All set types support the optional

       timeout value

       parameter when creating a set and adding entries. The value of the timeout parameter for
       the create command is the default timeout value (in seconds) for new entries. If a set is
       created with timeout support, then the same timeout option can be used to specify
       non-default timeout values when adding entries. A zero timeout value means the entry is
       added to the set permanently. The timeout value of already added elements can be changed
       by re-adding the element with the -exist option.

   bitmap:ip
       The  bitmap:ip  set  type  uses a memory range to store either IPv4 host (default) or IPv4
       network addresses. A bitmap:ip type of set can store up to 65536 entries.

       CREATE-OPTIONS := range fromip-toip|ip/cidr [ netmask cidr ] [ timeout value ]

       ADD-ENTRY := { ip | fromip-toip | ip/cidr }

       ADD-OPTIONS := [ timeout value ]

       DEL-ENTRY := { ip | fromip-toip | ip/cidr }

       TEST-ENTRY := ip

       Mandatory create options:

       range fromip-toip|ip/cidr
              Create the set from the specified inclusive address  range  expressed  in  an  IPv4
              address  range  or  network.  The  size of the range (in entries) cannot exceed the
              limit of maximum 65536 elements.

       Optional create options:

       netmask cidr
              When the optional netmask parameter is specified, network addresses will be stored
              in the set instead of IP host addresses. The cidr prefix value must be between 1
              and 32. An IP address will be in the set if the network address obtained by
              masking the address with the netmask calculated from the prefix can be found in the
              set.

       The bitmap:ip type supports adding or deleting multiple entries in one command.

       Examples:

              ipset create foo bitmap:ip range 192.168.0.0/16

              ipset add foo 192.168.1/24

              ipset test foo 192.168.1.1
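       A constructed Python model of the bitmap:ip semantics above (added here; not ipset's own
       code), showing the 65536-entry range check, the netmask index math and how a range or
       network add sets many bits. It assumes full dotted-quad addresses rather than the
       192.168.1/24 shorthand ipset accepts.

```python
import ipaddress


def _bounds(spec):
    """Parse ip | fromip-toip | ip/cidr into an inclusive (first, last) integer pair.
    Model assumption: full dotted quads only (no 192.168.1/24 shorthand)."""
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi))
    net = ipaddress.IPv4Network(spec, strict=False)   # a bare ip becomes ip/32
    return int(net.network_address), int(net.broadcast_address)


class BitmapIp:
    """Constructed model of bitmap:ip (not ipset's code): one bit per element.
    With a netmask, each bit stands for one /netmask network, so a host is in
    the set when the bit of the network it belongs to is set."""

    MAX_ENTRIES = 65536

    def __init__(self, range_spec, netmask=32):
        if not 1 <= netmask <= 32:
            raise ValueError("netmask cidr must be between 1 and 32")
        self.shift = 32 - netmask            # host bits dropped before indexing
        lo, hi = _bounds(range_spec)
        self.first = lo >> self.shift        # index of the first network in range
        self.size = (hi >> self.shift) - self.first + 1
        if self.size > self.MAX_ENTRIES:
            raise ValueError(f"range needs {self.size} entries, limit is {self.MAX_ENTRIES}")
        self.bits = bytearray((self.size + 7) // 8)

    def _index(self, addr):
        """Bit index of an address (int), masked to its network; out of range is an error."""
        idx = (addr >> self.shift) - self.first
        if not 0 <= idx < self.size:
            raise ValueError(f"{ipaddress.IPv4Address(addr)} is outside the set range")
        return idx

    def _get(self, idx):
        byte, bit = divmod(idx, 8)
        return bool(self.bits[byte] & (1 << bit))

    def _put(self, idx, on):
        byte, bit = divmod(idx, 8)
        if on:
            self.bits[byte] |= 1 << bit
        else:
            self.bits[byte] &= ~(1 << bit) & 0xFF

    def add(self, entry):
        """ADD-ENTRY := ip | fromip-toip | ip/cidr; a range or network sets many bits."""
        lo, hi = _bounds(entry)
        for idx in range(self._index(lo), self._index(hi) + 1):
            self._put(idx, True)

    def delete(self, entry):
        """DEL-ENTRY := ip | fromip-toip | ip/cidr; clears the corresponding bits."""
        lo, hi = _bounds(entry)
        for idx in range(self._index(lo), self._index(hi) + 1):
            self._put(idx, False)

    def test(self, ip):
        """TEST-ENTRY := ip; true when the bit of the address's network is set."""
        return self._get(self._index(int(ipaddress.IPv4Address(ip))))

    def count(self):
        """Number of elements currently in the set."""
        return sum(bin(b).count("1") for b in self.bits)
```

       With netmask 24, a /8 range is exactly 65536 networks (the "/24 blocks from a /8 network"
       case in COMMENTS), while the same /8 without a netmask exceeds the limit.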

   bitmap:ip,mac
       The bitmap:ip,mac set type uses a memory range to store IPv4 address and MAC address
       pairs. A bitmap:ip,mac type of set can store up to 65536 entries.

       CREATE-OPTIONS := range fromip-toip|ip/cidr [ timeout value ]

       ADD-ENTRY := ip[,macaddr]

       ADD-OPTIONS := [ timeout value ]

       DEL-ENTRY := ip[,macaddr]

       TEST-ENTRY := ip[,macaddr]

       Mandatory options to use when creating a bitmap:ip,mac type of set:

       range fromip-toip|ip/cidr
              Create  the  set  from  the  specified inclusive address range expressed in an IPv4
              address range or network. The size of the range cannot exceed the limit of  maximum
              65536 entries.

       The bitmap:ip,mac type is exceptional in the sense that the MAC part can be left out when
       adding/deleting/testing entries in the set. If an entry is added without a MAC address,
       then the first time the entry is matched by the kernel, the missing MAC address is
       automatically filled in with the source MAC address from the packet. If the entry was
       specified with a timeout value, the timer starts when the IP and MAC address pair is
       complete.

       The bitmap:ip,mac type of sets require two src/dst parameters of the  set  match  and  SET
       target  netfilter  kernel  modules  and the second one must be src to match, add or delete
       entries because the set match and SET target have access to the source MAC address only.

       Examples:

              ipset create foo bitmap:ip,mac range 192.168.0.0/16

              ipset add foo 192.168.1.1,12:34:56:78:9A:BC

              ipset test foo 192.168.1.1

   bitmap:port
       The bitmap:port set type uses a memory range to store port numbers  and  such  a  set  can
       store up to 65536 ports.

       CREATE-OPTIONS := range fromport-toport [ timeout value ]

       ADD-ENTRY := { port | fromport-toport }

       ADD-OPTIONS := [ timeout value ]

       DEL-ENTRY := { port | fromport-toport }

       TEST-ENTRY := port

       Mandatory options to use when creating a bitmap:port type of set:

       range fromport-toport
              Create the set from the specified inclusive port range.

       The  set match and SET target netfilter kernel modules interpret the stored numbers as TCP
       or UDP port numbers.

       Examples:

              ipset create foo bitmap:port range 0-1024

              ipset add foo 80

              ipset test foo 80

   hash:ip
       The hash:ip set type uses a hash to store IP host addresses (default) or network
       addresses. A zero-valued IP address cannot be stored in a hash:ip type of set.

       CREATE-OPTIONS := [ family { inet | inet6 } ] [ hashsize value ] [ maxelem value ] [
       netmask cidr ] [ timeout value ]

       ADD-ENTRY := ipaddr

       ADD-OPTIONS := [ timeout value ]

       DEL-ENTRY := ipaddr

       TEST-ENTRY := ipaddr

       Optional create options:

       family { inet | inet6 }
              The protocol family of the IP addresses to be stored in the set. The default is
              inet, i.e. IPv4.

       hashsize value
              The initial hash size for the set; the default is 1024. The hash size must be a
              power of two; the kernel automatically rounds up a non-power-of-two hash size to
              the next correct value.

       maxelem value
              The maximum number of elements which can be stored in the set; the default is
              65536.

       netmask cidr
              When the optional netmask parameter is specified, network addresses will be stored
              in the set instead of IP host addresses. The cidr prefix value must be between 1
              and 32 for IPv4 and between 1 and 128 for IPv6. An IP address will be in the set if
              the network address obtained by masking the address with the netmask calculated
              from the prefix can be found in the set.

       For  the  inet  family  one  can add or delete multiple entries by specifying a range or a
       network:

       ipaddr := { ip | fromaddr-toaddr | ip/cidr }

       Examples:

              ipset create foo hash:ip netmask 30

              ipset add foo 192.168.1.0/24

              ipset test foo 192.168.1.2

   hash:net
       The hash:net set type uses a hash to store different sized IP network addresses. A
       network address with zero prefix size cannot be stored in this type of set.

       CREATE-OPTIONS := [ family { inet | inet6 } ] [ hashsize value ] [ maxelem value ] [
       timeout value ]

       ADD-ENTRY := netaddr

       ADD-OPTIONS := [ timeout value ]

       DEL-ENTRY := netaddr

       TEST-ENTRY := netaddr

       where netaddr := ip[/cidr]

       Optional create options:

       family { inet | inet6 }
              The protocol family of the IP addresses to be stored in the set. The default is
              inet, i.e. IPv4.

       hashsize value
              The initial hash size for the set; the default is 1024. The hash size must be a
              power of two; the kernel automatically rounds up a non-power-of-two hash size to
              the next correct value.

       maxelem value
              The maximum number of elements which can be stored in the set; the default is
              65536.

       For the inet family one can add or delete multiple entries by specifying a range, which is
       converted internally to network(s) equal to the range:

       netaddr := { ip[/cidr] | fromaddr-toaddr }

       When adding/deleting/testing entries, if the cidr prefix parameter is not specified,  then
       the  host  prefix  value  is  assumed.  When adding/deleting entries, the exact element is
       added/deleted and overlapping elements are  not  checked  by  the  kernel.   When  testing
       entries,  if  a host address is tested, then the kernel tries to match the host address in
       the networks added to the set and reports the result accordingly.

       From the point of view of the set netfilter match, the search for a match always starts
       from the smallest netblock (most specific prefix) and proceeds to the largest one (least
       specific prefix) added to the set. When IP addresses are added to or deleted from the set
       by the SET netfilter target, they are added/deleted with the most specific prefix which
       can be found in the set, or with the host prefix value if the set is empty.

       The lookup time grows linearly with the number of the different prefix values added to the
       set.

       Examples:

              ipset create foo hash:net

              ipset add foo 192.168.0.0/24

              ipset add foo 10.1.0.0/16

              ipset test foo 192.168.0/24
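       The lookup and SET-target rules above, modelled in Python as an added example (not ipset's
       kernel code); the same rules apply to the netaddr part of the hash:net,port and
       hash:net,iface types below. It assumes full dotted-quad or IPv6 literals, and its expand
       method shows how a fromaddr-toaddr range is converted to the networks that cover it.

```python
import ipaddress


class HashNet:
    """Constructed model of hash:net lookup semantics (not ipset's own code).

    Elements are keyed by (network, cidr). A lookup tries each distinct cidr
    present in the set from most specific to least specific, which is why the
    man page says lookup time grows linearly with the number of prefix values.
    Model assumption: addresses are full dotted quads or IPv6 literals."""

    def __init__(self, family="inet"):
        self.cls = ipaddress.IPv4Address if family == "inet" else ipaddress.IPv6Address
        self.hostlen = 32 if family == "inet" else 128
        self.elems = set()      # {(int(network address), cidr)}
        self.cidrs = {}         # cidr -> number of elements stored with it

    def expand(self, netaddr):
        """netaddr := ip[/cidr] | fromaddr-toaddr. A missing cidr means the host
        prefix; a range is converted to the networks that exactly cover it."""
        if "-" in netaddr:
            lo, hi = (self.cls(a) for a in netaddr.split("-", 1))
            nets = list(ipaddress.summarize_address_range(lo, hi))
        else:
            nets = [ipaddress.ip_network(netaddr, strict=False)]
        for net in nets:
            if net.max_prefixlen != self.hostlen:
                raise ValueError("address family does not match the set")
            if net.prefixlen == 0:
                raise ValueError("zero prefix size cannot be stored")
        return [str(n) for n in nets]

    def _key(self, netstr):
        net = ipaddress.ip_network(netstr)
        return int(net.network_address), net.prefixlen

    def add(self, netaddr):
        """The exact element is stored; overlaps with existing elements are not checked."""
        for netstr in self.expand(netaddr):
            key = self._key(netstr)
            if key not in self.elems:
                self.elems.add(key)
                self.cidrs[key[1]] = self.cidrs.get(key[1], 0) + 1

    def delete(self, netaddr):
        """Remove the exact element(s); other, overlapping elements stay."""
        for netstr in self.expand(netaddr):
            key = self._key(netstr)
            if key in self.elems:
                self.elems.remove(key)
                self.cidrs[key[1]] -= 1
                if self.cidrs[key[1]] == 0:
                    del self.cidrs[key[1]]

    def _mask(self, cidr):
        return ((1 << cidr) - 1) << (self.hostlen - cidr)

    def match(self, ip):
        """What the set match does for a packet address: return the matching
        element as 'network/cidr', trying the most specific cidr first, or None."""
        addr = int(self.cls(ip))
        for cidr in sorted(self.cidrs, reverse=True):
            key = (addr & self._mask(cidr), cidr)
            if key in self.elems:
                return f"{self.cls(key[0])}/{cidr}"
        return None

    def test(self, netaddr):
        """ipset test: a host address is matched against the stored networks,
        a network is looked up as an exact element."""
        net = ipaddress.ip_network(netaddr, strict=False)
        if net.prefixlen == self.hostlen:
            return self.match(str(net.network_address)) is not None
        return self._key(str(net)) in self.elems

    def add_from_target(self, ip):
        """What the SET target does when adding an address: the element gets the
        most specific cidr already in the set, or the host cidr if the set is empty."""
        cidr = max(self.cidrs) if self.cidrs else self.hostlen
        addr = int(self.cls(ip)) & self._mask(cidr)
        netstr = f"{self.cls(addr)}/{cidr}"
        self.add(netstr)
        return netstr
```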

   hash:ip,port
       The hash:ip,port set type uses a hash to store IP address and port number pairs. The port
       number is interpreted together with a protocol (default TCP), and a zero protocol number
       cannot be used.

       CREATE-OPTIONS := [ family { inet | inet6 } ] [ hashsize value ] [ maxelem value ] [
       timeout value ]

       ADD-ENTRY := ipaddr,[proto:]port

       ADD-OPTIONS := [ timeout value ]

       DEL-ENTRY := ipaddr,[proto:]port

       TEST-ENTRY := ipaddr,[proto:]port

       Optional create options:

       family { inet | inet6 }
              The protocol family of the IP addresses to be stored in the set. The default is
              inet, i.e. IPv4.

       hashsize value
              The initial hash size for the set; the default is 1024. The hash size must be a
              power of two; the kernel automatically rounds up a non-power-of-two hash size to
              the next correct value.

       maxelem value
              The maximum number of elements which can be stored in the set; the default is
              65536.

       For  the  inet  family  one  can add or delete multiple entries by specifying a range or a
       network of IPv4 addresses in the IP address part of the entry:

       ipaddr := { ip | fromaddr-toaddr | ip/cidr }

       The [proto:]port part of the elements may be expressed in the following forms,  where  the
       range variations are valid when adding or deleting entries:

       portname[-portname]
              TCP port or range of ports expressed in TCP portname identifiers from /etc/services

       portnumber[-portnumber]
              TCP port or range of ports expressed in TCP port numbers

       tcp|sctp|udp|udplite:portname|portnumber[-portname|portnumber]
              TCP,  SCTP,  UDP  or  UDPLITE  port or port range expressed in port name(s) or port
              number(s)

       icmp:codename|type/code
              ICMP codename or type/code. The supported ICMP codename identifiers can  always  be
              listed by the help command.

       icmpv6:codename|type/code
              ICMPv6  codename or type/code. The supported ICMPv6 codename identifiers can always
              be listed by the help command.

       proto:0
              All other protocols, as an identifier from /etc/protocols  or  number.  The  pseudo
              port number must be zero.

       The  hash:ip,port  type  of  sets  require two src/dst parameters of the set match and SET
       target kernel modules.

       Examples:

              ipset create foo hash:ip,port

              ipset add foo 192.168.1.0/24,80-82

              ipset add foo 192.168.1.1,udp:53

              ipset add foo 192.168.1.1,vrrp:0

              ipset test foo 192.168.1.1,80

   hash:net,port
       The hash:net,port set type uses a hash to store different sized IP network address and
       port pairs. The port number is interpreted together with a protocol (default TCP), and a
       zero protocol number cannot be used. A network address with zero prefix size is not
       accepted either.

       CREATE-OPTIONS := [ family { inet | inet6 } ] [ hashsize value ] [ maxelem value ] [
       timeout value ]

       ADD-ENTRY := netaddr,[proto:]port

       ADD-OPTIONS := [ timeout value ]

       DEL-ENTRY := netaddr,[proto:]port

       TEST-ENTRY := netaddr,[proto:]port

       where netaddr := ip[/cidr]

       Optional create options:

       family { inet | inet6 }
              The protocol family of the IP addresses to be stored in the set. The default is
              inet, i.e. IPv4.

       hashsize value
              The initial hash size for the set; the default is 1024. The hash size must be a
              power of two; the kernel automatically rounds up a non-power-of-two hash size to
              the next correct value.

       maxelem value
              The maximum number of elements which can be stored in the set; the default is
              65536.

       For the netaddr part of the elements see the description at the hash:net set type. For the
       [proto:]port part of the elements see the description at the hash:ip,port set type.

       When adding/deleting/testing entries, if the cidr prefix parameter is not specified,  then
       the  host  prefix  value  is  assumed.  When adding/deleting entries, the exact element is
       added/deleted and overlapping elements are  not  checked  by  the  kernel.   When  testing
       entries,  if  a host address is tested, then the kernel tries to match the host address in
       the networks added to the set and reports the result accordingly.

       From the point of view of the set netfilter match, the search for a match always starts
       from the smallest netblock (most specific prefix) and proceeds to the largest one (least
       specific prefix) added to the set. When IP addresses are added to or deleted from the set
       by the SET netfilter target, they are added/deleted with the most specific prefix which
       can be found in the set, or with the host prefix value if the set is empty.

       The lookup time grows linearly with the number of the different prefix values added to the
       set.

       Examples:

              ipset create foo hash:net,port

              ipset add foo 192.168.0/24,25

              ipset add foo 10.1.0.0/16,80

              ipset test foo 192.168.0/24,25

   hash:ip,port,ip
       The hash:ip,port,ip set type uses a hash to store IP address, port number and second IP
       address triples. The port number is interpreted together with a protocol (default TCP),
       and a zero protocol number cannot be used.

       CREATE-OPTIONS := [ family { inet | inet6 } ] [ hashsize value ] [ maxelem value ] [
       timeout value ]

       ADD-ENTRY := ipaddr,[proto:]port,ip

       ADD-OPTIONS := [ timeout value ]

       DEL-ENTRY := ipaddr,[proto:]port,ip

       TEST-ENTRY := ipaddr,[proto:]port,ip

       For the first ipaddr and [proto:]port parts of the elements see the  descriptions  at  the
       hash:ip,port set type.

       Optional create options:

       family { inet | inet6 }
              The protocol family of the IP addresses to be stored in the set. The default is
              inet, i.e. IPv4.

       hashsize value
              The initial hash size for the set; the default is 1024. The hash size must be a
              power of two; the kernel automatically rounds up a non-power-of-two hash size to
              the next correct value.

       maxelem value
              The maximum number of elements which can be stored in the set; the default is
              65536.

       The hash:ip,port,ip type of sets require three src/dst parameters of the set match and SET
       target kernel modules.

       Examples:

              ipset create foo hash:ip,port,ip

              ipset add foo 192.168.1.1,80,10.0.0.1

              ipset test foo 192.168.1.1,udp:53,10.0.0.1

   hash:ip,port,net
       The hash:ip,port,net set type uses a hash to store IP address, port number and IP network
       address triples. The port number is interpreted together with a protocol (default TCP),
       and a zero protocol number cannot be used. A network address with zero prefix size cannot
       be stored either.

       CREATE-OPTIONS := [ family { inet | inet6 } ] [ hashsize value ] [ maxelem value ] [
       timeout value ]

       ADD-ENTRY := ipaddr,[proto:]port,netaddr

       ADD-OPTIONS := [ timeout value ]

       DEL-ENTRY := ipaddr,[proto:]port,netaddr

       TEST-ENTRY := ipaddr,[proto:]port,netaddr

       where netaddr := ip[/cidr]

       For  the  ipaddr  and  [proto:]port  parts  of  the  elements  see the descriptions at the
       hash:ip,port set type. For the netaddr part of the elements see  the  description  at  the
       hash:net set type.

       Optional create options:

       family { inet | inet6 }
              The protocol family of the IP addresses to be stored in the set. The default is
              inet, i.e. IPv4.

       hashsize value
              The initial hash size for the set; the default is 1024. The hash size must be a
              power of two; the kernel automatically rounds up a non-power-of-two hash size to
              the next correct value.

       maxelem value
              The maximum number of elements which can be stored in the set; the default is
              65536.

       From the point of view of the set netfilter match, the search for a match always starts
       from the smallest netblock (most specific cidr) and proceeds to the largest one (least
       specific cidr) added to the set. When triples are added to or deleted from the set by the
       SET netfilter target, they are added/deleted with the most specific cidr which can be
       found in the set, or with the host cidr value if the set is empty.

       The lookup time grows linearly with the number of the different cidr values added  to  the
       set.

       The  hash:ip,port,net  type  of sets require three src/dst parameters of the set match and
       SET target kernel modules.

       Examples:

              ipset create foo hash:ip,port,net

              ipset add foo 192.168.1,80,10.0.0/24

              ipset add foo 192.168.2,25,10.1.0.0/16

              ipset test foo 192.168.1,80,10.0.0/24

   hash:net,iface
       The hash:net,iface set type uses a hash to store different sized IP  network  address  and
       interface name pairs. Network address with zero prefix size is not accepted.

       CREATE-OPTIONS := [ family { inet | inet6 } ] [ hashsize value ] [ maxelem value ] [
       timeout value ]

       ADD-ENTRY := netaddr,[physdev:]iface

       ADD-OPTIONS := [ timeout value ]

       DEL-ENTRY := netaddr,[physdev:]iface

       TEST-ENTRY := netaddr,[physdev:]iface

       where netaddr := ip[/cidr]

       Optional create options:

       family { inet | inet6 }
              The protocol family of the IP addresses to be stored in the set. The default is
              inet, i.e. IPv4.

       hashsize value
              The initial hash size for the set; the default is 1024. The hash size must be a
              power of two; the kernel automatically rounds up a non-power-of-two hash size to
              the next correct value.

       maxelem value
              The maximum number of elements which can be stored in the set; the default is
              65536.

       For the netaddr part of the elements see the description at the hash:net set type.

       When  adding/deleting/testing entries, if the cidr prefix parameter is not specified, then
       the host prefix value is assumed. When  adding/deleting  entries,  the  exact  element  is
       added/deleted  and  overlapping  elements  are  not  checked  by the kernel.  When testing
       entries, if a host address is tested, then the kernel tries to match the host  address  in
       the networks added to the set and reports the result accordingly.

       From the point of view of the set netfilter match, the search for a match always starts
       from the smallest netblock (most specific prefix) and proceeds to the largest one (least
       specific prefix) added to the set. When IP addresses are added to or deleted from the set
       by the SET netfilter target, they are added/deleted with the most specific prefix which
       can be found in the set, or with the host prefix value if the set is empty.

       The second direction parameter of the set match and SET target modules corresponds to the
       incoming/outgoing interface: src to the incoming, dst to the outgoing. When the interface
       is flagged with physdev:, the interface is interpreted as the incoming/outgoing bridge
       port.

       The lookup time grows linearly with the number of the different prefix values added to the
       set.

       The  internal  restriction  of the hash:net,iface set type is that the same network prefix
       cannot be stored with more than 64 different interfaces in a single set.

       Examples:

              ipset create foo hash:net,iface

              ipset add foo 192.168.0/24,eth0

              ipset add foo 10.1.0.0/16,eth1

              ipset test foo 192.168.0/24,eth0

   list:set
       The list:set type uses a simple list in which you can store set names.

       CREATE-OPTIONS := [ size value ] [ timeout value ]

       ADD-ENTRY := setname [ { before | after } setname ]

       ADD-OPTIONS := [ timeout value ]

       DEL-ENTRY := setname [ { before | after } setname ]

       TEST-ENTRY := setname [ { before | after } setname ]

       Optional create options:

       size value
              The size of the list, the default is 8.

       With the ipset command you can add, delete and test set names in a list:set type of set.

       With the set match or SET target of netfilter you can test, add or delete entries in the
       sets added to a list:set type of set. The match will try to find a matching entry in the
       member sets, and the target will try to add an entry to the first member set to which it
       can be added. The number of direction options given to the match and target is important:
       sets which require more parameters than specified are skipped, while sets with equal or
       fewer parameters are checked and elements added/deleted. For example, if a and b are
       list:set type of sets, then in the command

              iptables -m set --match-set a src,dst -j SET --add-set b src,dst

       the match and target will skip any set in a and b which stores data triples, but will
       check all sets with single or double data storage and stop matching at the first
       successful set, and will add src to the first single data storage set, or src,dst to the
       first double data storage set, in b to which the entry can be added. You can think of a
       list:set type of set as an ordered union of the set elements.

       Please note: with the ipset command you can add, delete and test the set names in a
       list:set type of set, not the presence of a set's member (such as an IP address).
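       An added Python model of the list:set match and target rules above (not ipset's code).
       The member sets are constructed stand-ins that carry only a dimension and an optional
       acceptance rule, which plays the role of a bitmap range or maxelem limit that can make an
       add fail.

```python
class MemberSet:
    """Constructed stand-in for a set referenced from a list:set (not ipset's code).
    dim is the set's dimension (number of data types in its type name); accept
    optionally limits which entries the set can take, like a bitmap:ip range."""

    def __init__(self, name, dim, accept=None):
        self.name, self.dim, self.accept = name, dim, accept
        self.entries = set()     # tuples of length dim

    def can_add(self, entry):
        return self.accept is None or self.accept(entry)


class ListSet:
    """Model of the list:set match and SET target rules described in the man page."""

    def __init__(self, name, size=8):
        self.name, self.size, self.members = name, size, []

    def add_set(self, member, before=None, after=None):
        """ADD-ENTRY := setname [ { before | after } setname ]; at most size names."""
        if len(self.members) >= self.size:
            raise OverflowError(f"list:set {self.name} is full (size {self.size})")
        names = [m.name for m in self.members]
        pos = len(self.members)
        if before is not None:
            pos = names.index(before)
        elif after is not None:
            pos = names.index(after) + 1
        self.members.insert(pos, member)

    def names(self):
        return [m.name for m in self.members]

    def match(self, fields):
        """-m set --match-set LIST src[,dst...]: fields are the packet values picked
        by the direction options, e.g. (saddr, daddr) for src,dst. Member sets that
        need more parameters than given are skipped; the first member holding the
        entry wins."""
        for m in self.members:
            if m.dim > len(fields):
                continue
            if tuple(fields[:m.dim]) in m.entries:
                return m.name
        return None

    def add_from_target(self, fields):
        """-j SET --add-set LIST src[,dst...]: add to the first member set of suitable
        dimension to which the entry can be added; None if no member takes it."""
        for m in self.members:
            if m.dim > len(fields):
                continue
            entry = tuple(fields[:m.dim])
            if m.can_add(entry):
                m.entries.add(entry)
                return m.name
        return None
```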

GENERAL RESTRICTIONS

       Zero-valued set entries cannot be used with hash methods. A zero protocol value with
       ports cannot be used.

COMMENTS

       If you want to store same size subnets from a given network (say /24 blocks from a /8
       network), use the bitmap:ip set type. If you want to store random same size networks (say
       random /24 blocks), use the hash:ip set type. If you have netblocks of varying sizes, use
       hash:net.

       Backward compatibility is maintained and old ipset syntax is still supported.

       The  iptree  and  iptreemap  set  types  are  removed:  if  you  refer  to  them, they are
       automatically replaced by hash:ip type of sets.

DIAGNOSTICS

       Various error messages are printed to standard error.  The exit  code  is  0  for  correct
       functioning.

BUGS

       Bugs? No, just funny features. :-) OK, just kidding...

SEE ALSO

       iptables(8), ip6tables(8)

AUTHORS

       Jozsef  Kadlecsik wrote ipset, which is based on ippool by Joakim Axelsson, Patrick Schaaf
       and Martin Josefsson.
       Sven Wegener wrote the iptreemap type.

LAST REMARK

       I stand on the shoulders of giants.