-This is the ipset source tree. Follow these steps to install ipset:
+This is the ipset source tree. Follow the next steps to install ipset:
0. You need the source tree of your kernel (version >= 2.6.31)
- and it have to be configured, modules compiled. Please apply
- the netlink.patch against your kernel tree (with kernel <= 2.6.31.1
- please use the patch netlink.patch-2.6.31.1). Recompile and
- install the patched kernel.
+ and it have to be configured (with ip6tables support), modules compiled.
+ Please apply the netlink.patch against your kernel tree
+ (with kernel <= 2.6.31.1 please use the patch netlink.patch-2.6.31.1).
-1. Initialize the compiling environment for ipset
+ Recompile and install the patched kernel and its modules.
+
+ The ipset source code depends on the libmnl library so the library
+ must be installed.
+
+1. Initialize the compiling environment for ipset. The packages automake,
+ autoconf and libtool are required.
% ./autogen.sh
2. Run `./configure` and then compile the ipset binary and the kernel
modules.
- The ipset source code depends on the libmnl library.
-
Configure parameters can be used to to override the default path
to the kernel source tree (/lib/modules/`uname -r`/build),
the maximum number of sets (256), the default hash sizes (1024)
% make
% make modules
-3. Install the binary and the modules
+3. Install the binary and the kernel modules
# make install
# make modules_install
That's it!
-Read the ipset(8) and iptables(8) manpages on how to use ipset
-and its match and target from iptables.
+Read the ipset(8) and iptables(8), ip6tables(8) manpages on how to use
+ipset and its match and target from iptables.
#error "Linux kernel version too old: must be >= 2.6.31"
#endif
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,35)
static bool
set_match_v0(const struct sk_buff *skb, const struct xt_match_param *par)
+#else /* LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,35) */
+static bool
+set_match_v0(const struct sk_buff *skb, struct xt_action_param *par)
+#endif
{
const struct xt_set_info_match_v0 *info = par->matchinfo;
}
}
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,35)
static bool
set_match_v0_checkentry(const struct xt_mtchk_param *par)
+#else /* LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,35) */
+static int
+set_match_v0_checkentry(const struct xt_mtchk_param *par)
+#endif
{
struct xt_set_info_match_v0 *info = par->matchinfo;
ip_set_id_t index;
ip_set_nfnl_put(info->match_set.index);
}
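Review bot: The `>= 2.6.35` branch changes the return type of `set_match_v0_checkentry` from `bool` to `int`, but the body and its return statements lie outside the hunk, so the hunk alone does not show whether the returns were switched from `true`/`false` to the 0 / negative-errno convention that the new type implies; the same applies to `set_target_v0_checkentry`, `set_match_checkentry` and `set_target_checkentry` further down. As I recall the 2.6.35 xtables core treats any non-zero checkentry result as rejection, so a body still returning `true` on success would make every rule using the match or target fail to load, while a `false` on the error path would be accepted as success and install a rule whose set index was never validated. Since checkentry is the only place the set reference is checked before the rule goes live, the convention switch deserves to be visible at each of the four `#else` branches, e.g. `/* >= 2.6.35: checkentry returns 0 or -errno, not bool */`, or a per-version pair of success/failure macros used by all four bodies.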
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,35)
static unsigned int
set_target_v0(struct sk_buff *skb, const struct xt_target_param *par)
+#else /* LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,35) */
+static unsigned int
+set_target_v0(struct sk_buff *skb, const struct xt_action_param *par)
+#endif
{
const struct xt_set_info_target_v0 *info = par->targinfo;
return XT_CONTINUE;
}
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,35)
static bool
set_target_v0_checkentry(const struct xt_tgchk_param *par)
+#else /* LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,35) */
+static int
+set_target_v0_checkentry(const struct xt_tgchk_param *par)
+#endif
{
struct xt_set_info_target_v0 *info = par->targinfo;
ip_set_id_t index;
/* Revision 1: current interface to netfilter/iptables */
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,35)
static bool
set_match(const struct sk_buff *skb, const struct xt_match_param *par)
+#else /* LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,35) */
+static bool
+set_match(const struct sk_buff *skb, struct xt_action_param *par)
+#endif
{
const struct xt_set_info_match *info = par->matchinfo;
info->match_set.flags & IPSET_INV_MATCH);
}
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,35)
static bool
set_match_checkentry(const struct xt_mtchk_param *par)
+#else /* LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,35) */
+static int
+set_match_checkentry(const struct xt_mtchk_param *par)
+#endif
{
struct xt_set_info_match *info = par->matchinfo;
ip_set_id_t index;
ip_set_nfnl_put(info->match_set.index);
}
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,35)
static unsigned int
set_target(struct sk_buff *skb, const struct xt_target_param *par)
+#else /* LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,35) */
+static unsigned int
+set_target(struct sk_buff *skb, const struct xt_action_param *par)
+#endif
{
const struct xt_set_info_target *info = par->targinfo;
return XT_CONTINUE;
}
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,35)
static bool
set_target_checkentry(const struct xt_tgchk_param *par)
+#else /* LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,35) */
+static int
+set_target_checkentry(const struct xt_tgchk_param *par)
+#endif
{
const struct xt_set_info_target *info = par->targinfo;
ip_set_id_t index;
where the current list of the methods are
\fBbitmap\fR, \fBhash\fR, and \fBlist\fR and the possible data types
-are \fBip\fR, \fBmac\fR and \fBport\fR. The dimension of the set type
-is equal to the number of datat types in its type name.
+are \fBip\fR, \fBmac\fR and \fBport\fR. The dimension of a set
+is equal to the number of data types in its type name.
When adding, deleting or testing entries in a set, the same comma separated
data syntax must be used for the entry parameter of the commands, i.e
The \fBbitmap\fR and \fBlist\fR types use a fixed sized storage. The \fBhash\fR
types use a hash to store the elements. In order to avoid clashes in the hash,
-a limited number of chaining, and if that is exhausted, the doubling of the hash
-is performed. The hash size is limited by the maximal number of elements parameter of
-the hash.
+a limited number of chaining, and if that is exhausted, the doubling of the hash size
+is performed. The hash size is indirectly limited by the maximal number of elements
+parameter of the hash.
All set types support the optional
of maximum 65536 entries.
.PP
The \fBbitmap:ip,mac\fR type is exceptional in the sense that the MAC part can
-be left out when adding/deleting/testing entries in the set. If
-we add an entry without the MAC address specified, when the first time the entry is
+be left out when adding/deleting/testing entries in the set. If we add an entry
+without the MAC address specified, then when the first time the entry is
matched by the kernel, it will automatically fill out the missing MAC address with the
source MAC address from the packet. If the entry was specified with a timeout value,
the timer starts off when the IP and MAC address pair is complete.
.PP
\fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ]
.PP
-\fIDEL\-ENTRY\fR := {\fIport\fR | \fIfrom\-port\fR\-\fIto\-port\fR }
+\fIDEL\-ENTRY\fR := { \fIport\fR | \fIfrom\-port\fR\-\fIto\-port\fR }
.PP
\fITEST\-ENTRY\fR := \fIport\fR
.PP
The \fBhash:ip\fR set type uses a hash to store IP host addresses (default) or
network addresses.
.PP
-\fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR|\fBinet6\fR } ] | [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBnetmask\fP \fIcidr\fP ] [ \fBtimeout\fR \fIvalue\fR ]
+\fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] | [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBnetmask\fP \fIcidr\fP ] [ \fBtimeout\fR \fIvalue\fR ]
.PP
\fIADD\-ENTRY\fR := \fIipaddr\fR
.PP
.PP
Optional \fBcreate\fR options:
.TP
-\fBfamily\fR { \fBinet\fR|\fBinet6\fR }
+\fBfamily\fR { \fBinet\fR | \fBinet6\fR }
The protocol family of the IP addresses to be stored in the set. The default is
\fBinet\fR, i.e IPv4.
.TP
.SS hash:net
The \fBhash:net\fR set type uses a hash to store different sized IP network addresses.
.PP
-\fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR|\fBinet6\fR } ] | [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ]
+\fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] | [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ]
.PP
\fIADD\-ENTRY\fR := \fIipaddr\fR[/\fIcidr\fR]
.PP
.PP
Optional \fBcreate\fR options:
.TP
-\fBfamily\fR { \fBinet\fR|\fBinet6\fR }
+\fBfamily\fR { \fBinet\fR | \fBinet6\fR }
The protocol family of the IP addresses to be stored in the set. The default is
\fBinet\fR, i.e IPv4.
.TP
.SS hash:ip,port
The \fBhash:ip,port\fR set type uses a hash to store IP address and port number pairs.
.PP
-\fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR|\fBinet6\fR } ] | [ \fBproto\fR \fIvalue\fR ] | [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ]
+\fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] | [ \fBproto\fR \fIvalue\fR ] | [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ]
.PP
\fIADD\-ENTRY\fR := \fIipaddr\fR,[\fIproto\fR:]\fIport\fR
.PP
.PP
Optional \fBcreate\fR options:
.TP
-\fBfamily\fR { \fBinet\fR|\fBinet6\fR }
+\fBfamily\fR { \fBinet\fR | \fBinet6\fR }
The protocol family of the IP addresses to be stored in the set. The default is
\fBinet\fR, i.e IPv4.
.TP
The \fBhash:ip,port,ip\fR set type uses a hash to store IP address, port number
and a second IP address triples.
.PP
-\fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR|\fBinet6\fR } ] | [ \fBproto\fR \fIvalue\fR ] | [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ]
+\fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] | [ \fBproto\fR \fIvalue\fR ] | [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ]
.PP
\fIADD\-ENTRY\fR := \fIipaddr\fR,[\fIproto\fR:]\fIport\fR,\fIipaddr\fR
.PP
.PP
Optional \fBcreate\fR options:
.TP
-\fBfamily\fR { \fBinet\fR|\fBinet6\fR }
+\fBfamily\fR { \fBinet\fR | \fBinet6\fR }
The protocol family of the IP addresses to be stored in the set. The default is
\fBinet\fR, i.e IPv4.
.TP
The \fBhash:ip,port,net\fR set type uses a hash to store IP address, port number
and IP network address triples.
.PP
-\fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR|\fBinet6\fR } ] | [ \fBproto\fR \fIvalue\fR ] | [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ]
+\fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] | [ \fBproto\fR \fIvalue\fR ] | [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ]
.PP
\fIADD\-ENTRY\fR := \fIipaddr\fR,[\fIproto\fR:]\fIport\fR,\fIipaddr\fR[/\fIcidr\fR]
.PP
.PP
Optional \fBcreate\fR options:
.TP
-\fBfamily\fR { \fBinet\fR|\fBinet6\fR }
+\fBfamily\fR { \fBinet\fR | \fBinet6\fR }
The protocol family of the IP addresses to be stored in the set. The default is
\fBinet\fR, i.e IPv4.
.TP
.PP
\fICREATE\-OPTIONS\fR := [ \fBsize\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ]
.PP
-\fIADD\-ENTRY\fR := \fIsetname\fR [ \fBbefore\fR|\fBafter\fR \fIsetname\fR ]
+\fIADD\-ENTRY\fR := \fIsetname\fR [ { \fBbefore\fR | \fBafter\fR } \fIsetname\fR ]
.PP
\fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ]
.PP
-\fIDEL\-ENTRY\fR := \fIsetname\fR [ \fBbefore\fR|\fBafter\fR \fIsetname\fR ]
+\fIDEL\-ENTRY\fR := \fIsetname\fR [ { \fBbefore\fR | \fBafter\fR } \fIsetname\fR ]
.PP
-\fITEST\-ENTRY\fR := \fIsetname\fR [ \fBbefore\fR|\fBafter\fR \fIsetname\fR ]
+\fITEST\-ENTRY\fR := \fIsetname\fR [ { \fBbefore\fR | \fBafter\fR } \fIsetname\fR ]
.PP
Optional \fBcreate\fR options:
.TP
the target will try to add an entry to the first set to which it can be added.
The number of direction options of the match and target are important: sets which
require more parameters than specified are skipped, while sets with equal
-or less parameters are checked, elements added. For example if \fIa\fR and
+or less parameters are checked, elements added/deleted. For example if \fIa\fR and
\fIb\fR are \fBlist:set\fR type of sets then in the command
.IP
iptables \-m set \-\-match\-set a src,dst \-j SET \-\-add\-set b src,dst
.PP
the match and target will skip any set in \fIa\fR and \fIb\fR
-which stores data triples, but will check all sets with single or double
-data storage in \fIa\fR
-set and add src to the first single or src,dst to the first double
-data storage set in \fIb\fR.
+which stores data triples, but will match all sets with single or double
+data storage in \fIa\fR set and stop matching at the first successful set,
+and add src to the first single or src,dst to the first double data storage set
+in \fIb\fR to which the entry can be added.
.PP
You can imagine a setlist type of set as an ordered union of
the set elements.