ipset_hash_ipportnet.c \
ipset_hash_net.c \
ipset_hash_netnet.c \
+ ipset_hash_netportnet.c \
ipset_hash_netport.c \
ipset_hash_netiface.c \
ipset_list_set.c
--- /dev/null
+/* Copyright 2007-2010 Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+#include <libipset/data.h> /* IPSET_OPT_* */
+#include <libipset/parse.h> /* parser functions */
+#include <libipset/print.h> /* printing functions */
+#include <libipset/ui.h> /* ipset_port_usage */
+#include <libipset/types.h> /* prototypes */
+
+/* Parse commandline arguments */
+static const struct ipset_arg hash_netportnet_create_args0[] = {
+ { .name = { "family", NULL },
+ .has_arg = IPSET_MANDATORY_ARG, .opt = IPSET_OPT_FAMILY,
+ .parse = ipset_parse_family, .print = ipset_print_family,
+ },
+ /* Alias: family inet */
+ { .name = { "-4", NULL },
+ .has_arg = IPSET_NO_ARG, .opt = IPSET_OPT_FAMILY,
+ .parse = ipset_parse_family,
+ },
+ /* Alias: family inet6 */
+ { .name = { "-6", NULL },
+ .has_arg = IPSET_NO_ARG, .opt = IPSET_OPT_FAMILY,
+ .parse = ipset_parse_family,
+ },
+ { .name = { "hashsize", NULL },
+ .has_arg = IPSET_MANDATORY_ARG, .opt = IPSET_OPT_HASHSIZE,
+ .parse = ipset_parse_uint32, .print = ipset_print_number,
+ },
+ { .name = { "maxelem", NULL },
+ .has_arg = IPSET_MANDATORY_ARG, .opt = IPSET_OPT_MAXELEM,
+ .parse = ipset_parse_uint32, .print = ipset_print_number,
+ },
+ { .name = { "timeout", NULL },
+ .has_arg = IPSET_MANDATORY_ARG, .opt = IPSET_OPT_TIMEOUT,
+ .parse = ipset_parse_timeout, .print = ipset_print_number,
+ },
+ { .name = { "counters", NULL },
+ .has_arg = IPSET_NO_ARG, .opt = IPSET_OPT_COUNTERS,
+ .parse = ipset_parse_flag, .print = ipset_print_flag,
+ },
+ { .name = { "comment", NULL },
+ .has_arg = IPSET_NO_ARG, .opt = IPSET_OPT_CREATE_COMMENT,
+ .parse = ipset_parse_flag, .print = ipset_print_flag,
+ },
+ { },
+};
+
+static const struct ipset_arg hash_netportnet_add_args0[] = {
+ { .name = { "timeout", NULL },
+ .has_arg = IPSET_MANDATORY_ARG, .opt = IPSET_OPT_TIMEOUT,
+ .parse = ipset_parse_timeout, .print = ipset_print_number,
+ },
+ { .name = { "nomatch", NULL },
+ .has_arg = IPSET_NO_ARG, .opt = IPSET_OPT_NOMATCH,
+ .parse = ipset_parse_flag, .print = ipset_print_flag,
+ },
+ { .name = { "packets", NULL },
+ .has_arg = IPSET_MANDATORY_ARG, .opt = IPSET_OPT_PACKETS,
+ .parse = ipset_parse_uint64, .print = ipset_print_number,
+ },
+ { .name = { "bytes", NULL },
+ .has_arg = IPSET_MANDATORY_ARG, .opt = IPSET_OPT_BYTES,
+ .parse = ipset_parse_uint64, .print = ipset_print_number,
+ },
+ { .name = { "comment", NULL },
+ .has_arg = IPSET_MANDATORY_ARG, .opt = IPSET_OPT_ADT_COMMENT,
+ .parse = ipset_parse_comment, .print = ipset_print_comment,
+ },
+ { },
+};
+
+static const struct ipset_arg hash_netportnet_test_args0[] = {
+ { .name = { "nomatch", NULL },
+ .has_arg = IPSET_NO_ARG, .opt = IPSET_OPT_NOMATCH,
+ .parse = ipset_parse_flag, .print = ipset_print_flag,
+ },
+ { },
+};
+
+static const char hash_netportnet_usage0[] =
+"create SETNAME hash:net,port,net\n"
+" [family inet|inet6]\n"
+" [hashsize VALUE] [maxelem VALUE]\n"
+" [timeout VALUE] [counters] [comment]\n"
+"add SETNAME IP[/CIDR],PROTO:PORT,IP[/CIDR] [timeout VALUE] [nomatch]\n"
+" [packets VALUE] [bytes VALUE] [comment \"string\"]\n"
+"del SETNAME IP[/CIDR],PROTO:PORT,IP[/CIDR]\n"
+"test SETNAME IP[/CIDR],PROTO:PORT,IP[/CIDR]\n\n"
+"where depending on the INET family\n"
+" IP are valid IPv4 or IPv6 addresses (or hostnames),\n"
+" CIDR is a valid IPv4 or IPv6 CIDR prefix.\n"
+" Adding/deleting multiple elements in IP/CIDR or FROM-TO form\n"
+" in both IP components are supported for IPv4.\n"
+" Adding/deleting multiple elements with TCP/SCTP/UDP/UDPLITE\n"
+" port range is supported both for IPv4 and IPv6.\n";
+
+static struct ipset_type ipset_hash_netportnet0 = {
+ .name = "hash:net,port,net",
+ .alias = { "netportnethash", NULL },
+ .revision = 0,
+ .family = NFPROTO_IPSET_IPV46,
+ .dimension = IPSET_DIM_THREE,
+ .elem = {
+ [IPSET_DIM_ONE - 1] = {
+ .parse = ipset_parse_ip4_net6,
+ .print = ipset_print_ip,
+ .opt = IPSET_OPT_IP
+ },
+ [IPSET_DIM_TWO - 1] = {
+ .parse = ipset_parse_proto_port,
+ .print = ipset_print_proto_port,
+ .opt = IPSET_OPT_PORT
+ },
+ [IPSET_DIM_THREE - 1] = {
+ .parse = ipset_parse_ip4_net6,
+ .print = ipset_print_ip,
+ .opt = IPSET_OPT_IP2
+ },
+ },
+ .args = {
+ [IPSET_CREATE] = hash_netportnet_create_args0,
+ [IPSET_ADD] = hash_netportnet_add_args0,
+ [IPSET_TEST] = hash_netportnet_test_args0,
+ },
+ .mandatory = {
+ [IPSET_CREATE] = 0,
+ [IPSET_ADD] = IPSET_FLAG(IPSET_OPT_IP)
+ | IPSET_FLAG(IPSET_OPT_PORT)
+ | IPSET_FLAG(IPSET_OPT_PROTO)
+ | IPSET_FLAG(IPSET_OPT_IP2),
+ [IPSET_DEL] = IPSET_FLAG(IPSET_OPT_IP)
+ | IPSET_FLAG(IPSET_OPT_PORT)
+ | IPSET_FLAG(IPSET_OPT_PROTO)
+ | IPSET_FLAG(IPSET_OPT_IP2),
+ [IPSET_TEST] = IPSET_FLAG(IPSET_OPT_IP)
+ | IPSET_FLAG(IPSET_OPT_PORT)
+ | IPSET_FLAG(IPSET_OPT_PROTO)
+ | IPSET_FLAG(IPSET_OPT_IP2),
+ },
+ .full = {
+ [IPSET_CREATE] = IPSET_FLAG(IPSET_OPT_HASHSIZE)
+ | IPSET_FLAG(IPSET_OPT_MAXELEM)
+ | IPSET_FLAG(IPSET_OPT_TIMEOUT)
+ | IPSET_FLAG(IPSET_OPT_COUNTERS)
+ | IPSET_FLAG(IPSET_OPT_CREATE_COMMENT),
+ [IPSET_ADD] = IPSET_FLAG(IPSET_OPT_IP)
+ | IPSET_FLAG(IPSET_OPT_CIDR)
+ | IPSET_FLAG(IPSET_OPT_IP_TO)
+ | IPSET_FLAG(IPSET_OPT_PORT)
+ | IPSET_FLAG(IPSET_OPT_PORT_TO)
+ | IPSET_FLAG(IPSET_OPT_PROTO)
+ | IPSET_FLAG(IPSET_OPT_IP2)
+ | IPSET_FLAG(IPSET_OPT_CIDR2)
+ | IPSET_FLAG(IPSET_OPT_IP2_TO)
+ | IPSET_FLAG(IPSET_OPT_TIMEOUT)
+ | IPSET_FLAG(IPSET_OPT_NOMATCH)
+ | IPSET_FLAG(IPSET_OPT_PACKETS)
+ | IPSET_FLAG(IPSET_OPT_BYTES)
+ | IPSET_FLAG(IPSET_OPT_ADT_COMMENT),
+ [IPSET_DEL] = IPSET_FLAG(IPSET_OPT_IP)
+ | IPSET_FLAG(IPSET_OPT_CIDR)
+ | IPSET_FLAG(IPSET_OPT_IP_TO)
+ | IPSET_FLAG(IPSET_OPT_PORT)
+ | IPSET_FLAG(IPSET_OPT_PORT_TO)
+ | IPSET_FLAG(IPSET_OPT_PROTO)
+ | IPSET_FLAG(IPSET_OPT_IP2)
+ | IPSET_FLAG(IPSET_OPT_CIDR2)
+ | IPSET_FLAG(IPSET_OPT_IP2_TO),
+ [IPSET_TEST] = IPSET_FLAG(IPSET_OPT_IP)
+ | IPSET_FLAG(IPSET_OPT_CIDR)
+ | IPSET_FLAG(IPSET_OPT_PORT)
+ | IPSET_FLAG(IPSET_OPT_PROTO)
+ | IPSET_FLAG(IPSET_OPT_IP2)
+ | IPSET_FLAG(IPSET_OPT_CIDR2)
+ | IPSET_FLAG(IPSET_OPT_NOMATCH),
+ },
+
+ .usage = hash_netportnet_usage0,
+ .usagefn = ipset_port_usage,
+ .description = "initial revision",
+};
+
+void _init(void);
+void _init(void)
+{
+ ipset_type_add(&ipset_hash_netportnet0);
+}
ipset \(em administration tool for IP sets
.SH "SYNOPSIS"
\fBipset\fR [ \fIOPTIONS\fR ] \fICOMMAND\fR [ \fICOMMAND\-OPTIONS\fR ]
-.PP
+.PP
COMMANDS := { \fBcreate\fR | \fBadd\fR | \fBdel\fR | \fBtest\fR | \fBdestroy\fR | \fBlist\fR | \fBsave\fR | \fBrestore\fR | \fBflush\fR | \fBrename\fR | \fBswap\fR | \fBhelp\fR | \fBversion\fR | \fB\-\fR }
-.PP
+.PP
\fIOPTIONS\fR := { \fB\-exist\fR | \fB\-output\fR { \fBplain\fR | \fBsave\fR | \fBxml\fR } | \fB\-quiet\fR | \fB\-resolve\fR | \fB\-sorted\fR | \fB\-name\fR | \fB\-terse\fR | \fB\-file\fR \fIfilename\fR }
-.PP
+.PP
\fBipset\fR \fBcreate\fR \fISETNAME\fR \fITYPENAME\fR [ \fICREATE\-OPTIONS\fR ]
-.PP
+.PP
\fBipset\fR \fBadd\fR \fISETNAME\fR \fIADD\-ENTRY\fR [ \fIADD\-OPTIONS\fR ]
-.PP
+.PP
\fBipset\fR \fBdel\fR \fISETNAME\fR \fIDEL\-ENTRY\fR [ \fIDEL\-OPTIONS\fR ]
-.PP
+.PP
\fBipset\fR \fBtest\fR \fISETNAME\fR \fITEST\-ENTRY\fR [ \fITEST\-OPTIONS\fR ]
-.PP
+.PP
\fBipset\fR \fBdestroy\fR [ \fISETNAME\fR ]
-.PP
+.PP
\fBipset\fR \fBlist\fR [ \fISETNAME\fR ]
-.PP
+.PP
\fBipset\fR \fBsave\fR [ \fISETNAME\fR ]
-.PP
+.PP
\fBipset\fR \fBrestore\fR
-.PP
+.PP
\fBipset\fR \fBflush\fR [ \fISETNAME\fR ]
-.PP
+.PP
\fBipset\fR \fBrename\fR \fISETNAME\-FROM\fR \fISETNAME\-TO\fR
-.PP
+.PP
\fBipset\fR \fBswap\fR \fISETNAME\-FROM\fR \fISETNAME\-TO\fR
-.PP
+.PP
\fBipset\fR \fBhelp\fR [ \fITYPENAME\fR ]
-.PP
+.PP
\fBipset\fR \fBversion\fR
-.PP
+.PP
\fBipset\fR \fB\-\fR
.SH "DESCRIPTION"
\fBipset\fR
kernel. Depending on the type of the set, an IP set may store IP(v4/v6)
addresses, (TCP/UDP) port numbers, IP and MAC address pairs, IP address
and port number pairs, etc. See the set type definitions below.
-.PP
+.PP
\fBIptables\fR
matches and targets referring to sets create references, which
protect the given sets in the kernel. A set cannot be destroyed
data syntax must be used for the entry parameter of the commands, i.e
.IP
ipset add foo ipaddr,portnum,ipaddr
-.PP
+.PP
If host names or service names with dash in the name are used instead of IP
addresses or service numbers, then the host name or service name must be enclosed
in square brackets. Example:
.IP
ipset add foo [test\-hostname],[ftp\-data]
-.PP
+.PP
In the case of host names the DNS resolver is called internally
by \fBipset\fR but if it returns multiple IP addresses, only the
first one is used.
ipset add test 192.168.0.1 timeout 60
.IP
ipset \-exist add test 192.168.0.1 timeout 600
-.PP
+.PP
.SS nomatch
The \fBhash\fR set types which can store \fBnet\fR type of data (i.e. hash:*net*)
support the optional \fBnomatch\fR
ipset create foo hash:ip counters
.IP
ipset add foo 192.168.1.1 packets 42 bytes 1024
-.PP
+.PP
.SS comment
All set types support the optional \fBcomment\fR extension.
Enabling this extension on an ipset enables you to annotate an ipset entry with
The \fBbitmap:ip\fR set type uses a memory range to store either IPv4 host
(default) or IPv4 network addresses. A \fBbitmap:ip\fR type of set can store up
to 65536 entries.
-.PP
+.PP
\fICREATE\-OPTIONS\fR := \fBrange\fP \fIfromip\fP\-\fItoip\fR|\fIip\fR/\fIcidr\fR [ \fBnetmask\fP \fIcidr\fP ] [ \fBtimeout\fR \fIvalue\fR ] [ \fBcounters\fP ] [ \fBcomment\fP ]
-.PP
+.PP
\fIADD\-ENTRY\fR := { \fIip\fR | \fIfromip\fR\-\fItoip\fR | \fIip\fR/\fIcidr\fR }
-.PP
+.PP
\fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ] [ \fBpackets\fR \fIvalue\fR ] [ \fBbytes\fR \fIvalue\fR ] [ \fBcomment\fR \fIstring\fR ]
-.PP
+.PP
\fIDEL\-ENTRY\fR := { \fIip\fR | \fIfromip\fR\-\fItoip\fR | \fIip\fR/\fIcidr\fR }
-.PP
+.PP
\fITEST\-ENTRY\fR := \fIip\fR
-.PP
+.PP
Mandatory \fBcreate\fR options:
.TP
\fBrange\fP \fIfromip\fP\-\fItoip\fR|\fIip\fR/\fIcidr\fR
Create the set from the specified inclusive address range expressed in an
IPv4 address range or network. The size of the range (in entries) cannot exceed
the limit of maximum 65536 elements.
-.PP
+.PP
Optional \fBcreate\fR options:
.TP
\fBnetmask\fP \fIcidr\fP
between 1\-32.
An IP address will be in the set if the network address, which is resulted by
masking the address with the specified netmask, can be found in the set.
-.PP
+.PP
The \fBbitmap:ip\fR type supports adding or deleting multiple entries in one
command.
-.PP
+.PP
Examples:
.IP
ipset create foo bitmap:ip range 192.168.0.0/16
ipset test foo 192.168.1.1
.SS bitmap:ip,mac
The \fBbitmap:ip,mac\fR set type uses a memory range to store IPv4 and a MAC address pairs. A \fBbitmap:ip,mac\fR type of set can store up to 65536 entries.
-.PP
+.PP
\fICREATE\-OPTIONS\fR := \fBrange\fP \fIfromip\fP\-\fItoip\fR|\fIip\fR/\fIcidr\fR [ \fBtimeout\fR \fIvalue\fR ] [ \fBcounters\fP ] [ \fBcomment\fP ]
-.PP
+.PP
\fIADD\-ENTRY\fR := \fIip\fR[,\fImacaddr\fR]
-.PP
+.PP
\fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ] [ \fBpackets\fR \fIvalue\fR ] [ \fBbytes\fR \fIvalue\fR ] [ \fBcomment\fR \fIstring\fR ]
-.PP
+.PP
\fIDEL\-ENTRY\fR := \fIip\fR[,\fImacaddr\fR]
-.PP
+.PP
\fITEST\-ENTRY\fR := \fIip\fR[,\fImacaddr\fR]
-.PP
+.PP
Mandatory options to use when creating a \fBbitmap:ip,mac\fR type of set:
.TP
\fBrange\fP \fIfromip\fP\-\fItoip\fR|\fIip\fR/\fIcidr\fR
Create the set from the specified inclusive address range expressed in an
IPv4 address range or network. The size of the range cannot exceed the limit
of maximum 65536 entries.
-.PP
+.PP
The \fBbitmap:ip,mac\fR type is exceptional in the sense that the MAC part can
be left out when adding/deleting/testing entries in the set. If we add an entry
without the MAC address specified, then when the first time the entry is
matched by the kernel, it will automatically fill out the missing MAC address with the
source MAC address from the packet. If the entry was specified with a timeout value,
the timer starts off when the IP and MAC address pair is complete.
-.PP
+.PP
The \fBbitmap:ip,mac\fR type of sets require two \fBsrc/dst\fR parameters of
the \fBset\fR match and \fBSET\fR target netfilter kernel modules and the second
one must be \fBsrc\fR to match, add or delete entries, because the \fBset\fR
match and \fBSET\fR target have access to the source MAC address only.
-.PP
+.PP
Examples:
.IP
ipset create foo bitmap:ip,mac range 192.168.0.0/16
.SS bitmap:port
The \fBbitmap:port\fR set type uses a memory range to store port numbers
and such a set can store up to 65536 ports.
-.PP
+.PP
\fICREATE\-OPTIONS\fR := \fBrange\fP \fIfromport\fP\-\fItoport [ \fBtimeout\fR \fIvalue\fR ] [ \fBcounters\fP ] [ \fBcomment\fP ]
-.PP
+.PP
\fIADD\-ENTRY\fR := { \fI[proto:]port\fR | \fI[proto:]fromport\fR\-\fItoport\fR }
-.PP
+.PP
\fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ] [ \fBpackets\fR \fIvalue\fR ] [ \fBbytes\fR \fIvalue\fR ] [ \fBcomment\fR \fIstring\fR ]
-.PP
+.PP
\fIDEL\-ENTRY\fR := { \fI[proto:]port\fR | \fI[proto:]fromport\fR\-\fItoport\fR }
-.PP
+.PP
\fITEST\-ENTRY\fR := \fI[proto:]port\fR
-.PP
+.PP
Mandatory options to use when creating a \fBbitmap:port\fR type of set:
.TP
\fBrange\fP \fI[proto:]fromport\fP\-\fItoport\fR
Create the set from the specified inclusive port range.
-.PP
+.PP
The \fBset\fR match and \fBSET\fR target netfilter kernel modules interpret
the stored numbers as TCP or UDP port numbers.
-.PP
+.PP
\fBproto\fR only needs to be specified if a service name is used,
and that name does not exist as a TCP service.
.PP
The \fBhash:ip\fR set type uses a hash to store IP host addresses (default) or
network addresses. Zero valued IP address cannot be stored in a \fBhash:ip\fR
type of set.
-.PP
+.PP
\fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] | [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBnetmask\fP \fIcidr\fP ] [ \fBtimeout\fR \fIvalue\fR ] [ \fBcounters\fP ] [ \fBcomment\fP ]
-.PP
+.PP
\fIADD\-ENTRY\fR := \fIipaddr\fR
-.PP
+.PP
\fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ] [ \fBpackets\fR \fIvalue\fR ] [ \fBbytes\fR \fIvalue\fR ] [ \fBcomment\fR \fIstring\fR ]
-.PP
+.PP
\fIDEL\-ENTRY\fR := \fIipaddr\fR
-.PP
+.PP
\fITEST\-ENTRY\fR := \fIipaddr\fR
-.PP
+.PP
Optional \fBcreate\fR options:
.TP
\fBfamily\fR { \fBinet\fR | \fBinet6\fR }
between 1\-32 for IPv4 and between 1\-128 for IPv6. An IP address will be in the set
if the network address, which is resulted by masking the address with the netmask,
can be found in the set.
-.PP
+.PP
For the \fBinet\fR family one can add or delete multiple entries by specifying
a range or a network:
-.PP
+.PP
\fIipaddr\fR := { \fIip\fR | \fIfromaddr\fR\-\fItoaddr\fR | \fIip\fR/\fIcidr\fR }
-.PP
+.PP
Examples:
.IP
ipset create foo hash:ip netmask 30
.SS hash:net
The \fBhash:net\fR set type uses a hash to store different sized IP network addresses.
Network address with zero prefix size cannot be stored in this type of sets.
-.PP
+.PP
\fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] | [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ] [ \fBcounters\fP ] [ \fBcomment\fP ]
-.PP
+.PP
\fIADD\-ENTRY\fR := \fInetaddr\fR
-.PP
+.PP
\fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ] [ \fBnomatch\fR ] [ \fBpackets\fR \fIvalue\fR ] [ \fBbytes\fR \fIvalue\fR ] [ \fBcomment\fR \fIstring\fR ]
-.PP
+.PP
\fIDEL\-ENTRY\fR := \fInetaddr\fR
-.PP
+.PP
\fITEST\-ENTRY\fR := \fInetaddr\fR
-.PP
+.PP
where
\fInetaddr\fR := \fIip\fR[/\fIcidr\fR]
-.PP
+.PP
Optional \fBcreate\fR options:
.TP
\fBfamily\fR { \fBinet\fR | \fBinet6\fR }
.TP
\fBmaxelem\fR \fIvalue\fR
The maximal number of elements which can be stored in the set, default 65536.
-.PP
+.PP
For the \fBinet\fR family one can add or delete multiple entries by specifying
a range, which is converted internally to network(s) equal to the range:
-.PP
+.PP
\fInetaddr\fR := { \fIip\fR[/\fIcidr\fR] | \fIfromaddr\fR\-\fItoaddr\fR }
-.PP
+.PP
When adding/deleting/testing entries, if the cidr prefix parameter is not specified,
then the host prefix value is assumed. When adding/deleting entries, the exact
element is added/deleted and overlapping elements are not checked by the kernel.
When testing entries, if a host address is tested, then the kernel tries to match
the host address in the networks added to the set and reports the result accordingly.
-.PP
+.PP
From the \fBset\fR netfilter match point of view the searching for a match
always starts from the smallest size of netblock (most specific
prefix) to the largest one (least specific prefix) added to the set.
When adding/deleting IP addresses to the set by the \fBSET\fR netfilter target,
it will be added/deleted by the most specific prefix which can be found in the
set, or by the host prefix value if the set is empty.
-.PP
+.PP
The lookup time grows linearly with the number of the different prefix
values added to the set.
-.PP
+.PP
Example:
.IP
ipset create foo hash:net
ipset add foo 192.168.0/24
.IP
ipset add foo 192.168.0/30 nomatch
-.PP
+.PP
When matching the elements in the set above, all IP addresses will match
from the networks 192.168.0.0/24, 10.1.0.0/16 and 192.168.0/24 except
the ones from 192.168.0/30.
The \fBhash:ip,port\fR set type uses a hash to store IP address and port number pairs.
The port number is interpreted together with a protocol (default TCP) and zero
protocol number cannot be used.
-.PP
+.PP
\fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] | [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ] [ \fBcounters\fP ] [ \fBcomment\fP ]
-.PP
+.PP
\fIADD\-ENTRY\fR := \fIipaddr\fR,[\fIproto\fR:]\fIport\fR
-.PP
+.PP
\fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ] [ \fBpackets\fR \fIvalue\fR ] [ \fBbytes\fR \fIvalue\fR ] [ \fBcomment\fR \fIstring\fR ]
-.PP
+.PP
\fIDEL\-ENTRY\fR := \fIipaddr\fR,[\fIproto\fR:]\fIport\fR
-.PP
+.PP
\fITEST\-ENTRY\fR := \fIipaddr\fR,[\fIproto\fR:]\fIport\fR
-.PP
+.PP
Optional \fBcreate\fR options:
.TP
\fBfamily\fR { \fBinet\fR | \fBinet6\fR }
.TP
\fBmaxelem\fR \fIvalue\fR
The maximal number of elements which can be stored in the set, default 65536.
-.PP
+.PP
For the \fBinet\fR family one can add or delete multiple entries by specifying
a range or a network of IPv4 addresses in the IP address part of the entry:
-.PP
+.PP
\fIipaddr\fR := { \fIip\fR | \fIfromaddr\fR\-\fItoaddr\fR | \fIip\fR/\fIcidr\fR }
-.PP
+.PP
The
[\fIproto\fR:]\fIport\fR
part of the elements may be expressed in the following forms, where the range
\fIproto\fR:0
All other protocols, as an identifier from /etc/protocols or number. The pseudo
port number must be zero.
-.PP
+.PP
The \fBhash:ip,port\fR type of sets require
two \fBsrc\fR/\fBdst\fR parameters of the \fBset\fR match and \fBSET\fR
target kernel modules.
-.PP
+.PP
Examples:
.IP
ipset create foo hash:ip,port
address and port pairs. The port number is interpreted together with a protocol
(default TCP) and zero protocol number cannot be used. Network
address with zero prefix size is not accepted either.
-.PP
+.PP
\fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] | [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ] [ \fBcounters\fP ] [ \fBcomment\fP ]
-.PP
+.PP
\fIADD\-ENTRY\fR := \fInetaddr\fR,[\fIproto\fR:]\fIport\fR
-.PP
+.PP
\fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ] [ \fBnomatch\fR ] [ \fBpackets\fR \fIvalue\fR ] [ \fBbytes\fR \fIvalue\fR ] [ \fBcomment\fR \fIstring\fR ]
-.PP
+.PP
\fIDEL\-ENTRY\fR := \fInetaddr\fR,[\fIproto\fR:]\fIport\fR
-.PP
+.PP
\fITEST\-ENTRY\fR := \fInetaddr\fR,[\fIproto\fR:]\fIport\fR
-.PP
+.PP
where
\fInetaddr\fR := \fIip\fR[/\fIcidr\fR]
-.PP
+.PP
Optional \fBcreate\fR options:
.TP
\fBfamily\fR { \fBinet\fR | \fBinet6\fR }
.TP
\fBmaxelem\fR \fIvalue\fR
The maximal number of elements which can be stored in the set, default 65536.
-.PP
+.PP
For the \fInetaddr\fR part of the elements
see the description at the \fBhash:net\fR set type. For the
[\fIproto\fR:]\fIport\fR
part of the elements see the description at the
\fBhash:ip,port\fR set type.
-.PP
+.PP
When adding/deleting/testing entries, if the cidr prefix parameter is not specified,
then the host prefix value is assumed. When adding/deleting entries, the exact
element is added/deleted and overlapping elements are not checked by the kernel.
When testing entries, if a host address is tested, then the kernel tries to match
the host address in the networks added to the set and reports the result accordingly.
-.PP
+.PP
From the \fBset\fR netfilter match point of view the searching for a match
always starts from the smallest size of netblock (most specific
prefix) to the largest one (least specific prefix) added to the set.
addresses to the set by the \fBSET\fR netfilter target, it will be
added/deleted by the most specific prefix which can be found in the
set, or by the host prefix value if the set is empty.
-.PP
+.PP
The lookup time grows linearly with the number of the different prefix
values added to the set.
-.PP
+.PP
Examples:
.IP
ipset create foo hash:net,port
The \fBhash:ip,port,ip\fR set type uses a hash to store IP address, port number
and a second IP address triples. The port number is interpreted together with a
protocol (default TCP) and zero protocol number cannot be used.
-.PP
+.PP
\fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] | [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ] [ \fBcounters\fP ] [ \fBcomment\fP ]
-.PP
+.PP
\fIADD\-ENTRY\fR := \fIipaddr\fR,[\fIproto\fR:]\fIport\fR,\fIip\fR
-.PP
+.PP
\fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ] [ \fBpackets\fR \fIvalue\fR ] [ \fBbytes\fR \fIvalue\fR ] [ \fBcomment\fR \fIstring\fR ]
-.PP
+.PP
\fIDEL\-ENTRY\fR := \fIipaddr\fR,[\fIproto\fR:]\fIport\fR,\fIip\fR
-.PP
+.PP
\fITEST\-ENTRY\fR := \fIipaddr\fR,[\fIproto\fR:]\fIport\fR,\fIip\fR
-.PP
+.PP
For the first \fIipaddr\fR and
[\fIproto\fR:]\fIport\fR
parts of the elements see the descriptions at the
\fBhash:ip,port\fR set type.
-.PP
+.PP
Optional \fBcreate\fR options:
.TP
\fBfamily\fR { \fBinet\fR | \fBinet6\fR }
.TP
\fBmaxelem\fR \fIvalue\fR
The maximal number of elements which can be stored in the set, default 65536.
-.PP
+.PP
The \fBhash:ip,port,ip\fR type of sets require
three \fBsrc\fR/\fBdst\fR parameters of the \fBset\fR match and \fBSET\fR
target kernel modules.
-.PP
+.PP
Examples:
.IP
ipset create foo hash:ip,port,ip
and IP network address triples. The port number is interpreted together with a
protocol (default TCP) and zero protocol number cannot be used. Network
address with zero prefix size cannot be stored either.
-.PP
+.PP
\fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] | [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ] [ \fBcounters\fP ] [ \fBcomment\fP ]
-.PP
+.PP
\fIADD\-ENTRY\fR := \fIipaddr\fR,[\fIproto\fR:]\fIport\fR,\fInetaddr\fR
-.PP
+.PP
\fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ] [ \fBnomatch\fR ] [ \fBpackets\fR \fIvalue\fR ] [ \fBbytes\fR \fIvalue\fR ] [ \fBcomment\fR \fIstring\fR ]
-.PP
+.PP
\fIDEL\-ENTRY\fR := \fIipaddr\fR,[\fIproto\fR:]\fIport\fR,\fInetaddr\fR
-.PP
+.PP
\fITEST\-ENTRY\fR := \fIipaddr\fR,[\fIproto\fR:]\fIport\fR,\fInetaddr\fR
-.PP
+.PP
where
\fInetaddr\fR := \fIip\fR[/\fIcidr\fR]
-.PP
+.PP
For the \fIipaddr\fR and
[\fIproto\fR:]\fIport\fR
parts of the elements see the descriptions at the
\fBhash:ip,port\fR set type. For the \fInetaddr\fR part of the elements
see the description at the \fBhash:net\fR set type.
-.PP
+.PP
Optional \fBcreate\fR options:
.TP
\fBfamily\fR { \fBinet\fR | \fBinet6\fR }
.TP
\fBmaxelem\fR \fIvalue\fR
The maximal number of elements which can be stored in the set, default 65536.
-.PP
+.PP
From the \fBset\fR netfilter match point of view the searching for a match
always starts from the smallest size of netblock (most specific
cidr) to the largest one (least specific cidr) added to the set.
to the set by the \fBSET\fR netfilter target, it will be
added/deleted by the most specific cidr which can be found in the
set, or by the host cidr value if the set is empty.
-.PP
+.PP
The lookup time grows linearly with the number of the different \fIcidr\fR
values added to the set.
-.PP
+.PP
The \fBhash:ip,port,net\fR type of sets require three \fBsrc\fR/\fBdst\fR parameters of
the \fBset\fR match and \fBSET\fR target kernel modules.
-.PP
+.PP
Examples:
.IP
ipset create foo hash:ip,port,net
ipset add foo 192.168.2,25,10.1.0.0/16
.IP
ipset test foo 192.168.1,80.10.0.0/24
+.SS hash:net,port,net
+The \fBhash:net,port,net\fR set type behaves similarly to hash:ip,port,net but accepts a
+cidr value for both the first and last parameter. Either subnet is permitted to be a /0
+should you wish to match port between all destinations.
+.PP
+\fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] | [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ] [ \fBcounters\fP ] [ \fBcomment\fP ]
+.PP
+\fIADD\-ENTRY\fR := \fIipaddr\fR,[\fIproto\fR:]\fIport\fR,\fInetaddr\fR
+.PP
+\fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ] [ \fBnomatch\fR ] [ \fBpackets\fR \fIvalue\fR ] [ \fBbytes\fR \fIvalue\fR ] [ \fBcomment\fR \fIstring\fR ]
+.PP
+\fIDEL\-ENTRY\fR := \fInetaddr\fR,[\fIproto\fR:]\fIport\fR,\fInetaddr\fR
+.PP
+\fITEST\-ENTRY\fR := \fInetaddr\fR,[\fIproto\fR:]\fIport\fR,\fInetaddr\fR
+.PP
+where
+\fInetaddr\fR := \fIip\fR[/\fIcidr\fR]
+.PP
+For the [\fIproto\fR:]\fIport\fR
+part of the elements see the description at the
+\fBhash:ip,port\fR set type. For the \fInetaddr\fR part of the elements
+see the description at the \fBhash:net\fR set type.
+.PP
+Optional \fBcreate\fR options:
+.TP
+\fBfamily\fR { \fBinet\fR | \fBinet6\fR }
+The protocol family of the IP addresses to be stored in the set. The default is
+\fBinet\fR, i.e IPv4.
+.TP
+\fBhashsize\fR \fIvalue\fR
+The initial hash size for the set, default is 1024. The hash size must be a power
+of two, the kernel automatically rounds up non power of two hash sizes to the first
+correct value.
+.TP
+\fBmaxelem\fR \fIvalue\fR
+The maximal number of elements which can be stored in the set, default 65536.
+.PP
+From the \fBset\fR netfilter match point of view the searching for a match
+always starts from the smallest size of netblock (most specific
+cidr) to the largest one (least specific cidr) added to the set.
+When adding/deleting triples
+to the set by the \fBSET\fR netfilter target, it will be
+added/deleted by the most specific cidr which can be found in the
+set, or by the host cidr value if the set is empty. The first subnet has
+precedence when performing the most-specific lookup, just as for hash:net,net
+.PP
+The lookup time grows linearly with the number of the different \fIcidr\fR
+values added to the set and by the number of secondary \fIcidr\fR values per
+primary.
+.PP
+The \fBhash:net,port,net\fR type of sets require three \fBsrc\fR/\fBdst\fR parameters of
+the \fBset\fR match and \fBSET\fR target kernel modules.
+.PP
+Examples:
+.IP
+ipset create foo hash:net,port,net
+.IP
+ipset add foo 192.168.1.0/24,0,10.0.0/24
+.IP
+ipset add foo 192.168.2.0/24,25,10.1.0.0/16
+.IP
+ipset test foo 192.168.1.1,80,10.0.0.1
.SS hash:net,iface
The \fBhash:net,iface\fR set type uses a hash to store different sized IP network
address and interface name pairs.
-.PP
+.PP
\fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] | [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ] [ \fBcounters\fP ] [ \fBcomment\fP ]
-.PP
+.PP
\fIADD\-ENTRY\fR := \fInetaddr\fR,[\fBphysdev\fR:]\fIiface\fR
-.PP
+.PP
\fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ] [ \fBnomatch\fR ] [ \fBpackets\fR \fIvalue\fR ] [ \fBbytes\fR \fIvalue\fR ] [ \fBcomment\fR \fIstring\fR ]
-.PP
+.PP
\fIDEL\-ENTRY\fR := \fInetaddr\fR,[\fBphysdev\fR:]\fIiface\fR
-.PP
+.PP
\fITEST\-ENTRY\fR := \fInetaddr\fR,[\fBphysdev\fR:]\fIiface\fR
-.PP
+.PP
where
\fInetaddr\fR := \fIip\fR[/\fIcidr\fR]
-.PP
+.PP
Optional \fBcreate\fR options:
.TP
\fBfamily\fR { \fBinet\fR | \fBinet6\fR }
.TP
\fBmaxelem\fR \fIvalue\fR
The maximal number of elements which can be stored in the set, default 65536.
-.PP
+.PP
For the \fInetaddr\fR part of the elements
see the description at the \fBhash:net\fR set type.
-.PP
+.PP
When adding/deleting/testing entries, if the cidr prefix parameter is not specified,
then the host prefix value is assumed. When adding/deleting entries, the exact
element is added/deleted and overlapping elements are not checked by the kernel.
When testing entries, if a host address is tested, then the kernel tries to match
the host address in the networks added to the set and reports the result accordingly.
-.PP
+.PP
From the \fBset\fR netfilter match point of view the searching for a match
always starts from the smallest size of netblock (most specific
prefix) to the largest one (least specific prefix) added to the set.
addresses to the set by the \fBSET\fR netfilter target, it will be
added/deleted by the most specific prefix which can be found in the
set, or by the host prefix value if the set is empty.
-.PP
+.PP
The second direction parameter of the \fBset\fR match and
\fBSET\fR target modules corresponds to the incoming/outgoing interface:
\fBsrc\fR to the incoming one (similar to the \fB\-i\fR flag of iptables), while
\fBdst\fR to the outgoing one (similar to the \fB\-o\fR flag of iptables). When
the interface is flagged with \fBphysdev:\fR, the interface is interpreted
as the incoming/outgoing bridge port.
-.PP
+.PP
The lookup time grows linearly with the number of the different prefix
values added to the set.
-.PP
+.PP
The internal restriction of the \fBhash:net,iface\fR set type is that
the same network prefix cannot be stored with more than 64 different interfaces
in a single set.
-.PP
+.PP
Examples:
.IP
ipset create foo hash:net,iface
.SS list:set
The \fBlist:set\fR type uses a simple list in which you can store
set names.
-.PP
+.PP
\fICREATE\-OPTIONS\fR := [ \fBsize\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ] [ \fBcounters\fP ] [ \fBcomment\fP ]
-.PP
+.PP
\fIADD\-ENTRY\fR := \fIsetname\fR [ { \fBbefore\fR | \fBafter\fR } \fIsetname\fR ]
-.PP
+.PP
\fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ] [ \fBpackets\fR \fIvalue\fR ] [ \fBbytes\fR \fIvalue\fR ] [ \fBcomment\fR \fIstring\fR ]
-.PP
+.PP
\fIDEL\-ENTRY\fR := \fIsetname\fR [ { \fBbefore\fR | \fBafter\fR } \fIsetname\fR ]
-.PP
+.PP
\fITEST\-ENTRY\fR := \fIsetname\fR [ { \fBbefore\fR | \fBafter\fR } \fIsetname\fR ]
-.PP
+.PP
Optional \fBcreate\fR options:
.TP
\fBsize\fR \fIvalue\fR
The size of the list, the default is 8.
-.PP
+.PP
By the \fBipset\fR command you can add, delete and test set names in a
\fBlist:set\fR type of set.
-.PP
+.PP
By the \fBset\fR match or \fBSET\fR target of netfilter
you can test, add or delete entries in the sets added to the \fBlist:set\fR
type of set. The match will try to find a matching entry in the sets and
\fIb\fR are \fBlist:set\fR type of sets then in the command
.IP
iptables \-m set \-\-match\-set a src,dst \-j SET \-\-add\-set b src,dst
-.PP
+.PP
the match and target will skip any set in \fIa\fR and \fIb\fR
which stores data triples, but will match all sets with single or double
data storage in \fIa\fR set and stop matching at the first successful set,
and add src to the first single or src,dst to the first double data storage set
in \fIb\fR to which the entry can be added. You can imagine a \fBlist:set\fR
type of set as an ordered union of the set elements.
-.PP
+.PP
Please note: by the \fBipset\fR command you can add, delete and \fBtest\fR
the setnames in a \fBlist:set\fR type of set, and \fBnot\fR the presence of
a set's member (such as an IP address).
If you want to store random same size networks (say random /24 blocks),
use the \fBhash:ip\fR set type. If you have got random size of netblocks,
use \fBhash:net\fR.
-.PP
+.PP
Backward compatibility is maintained and old \fBipset\fR syntax is still supported.
-.PP
+.PP
The \fBiptree\fR and \fBiptreemap\fR set types are removed: if you refer to them,
they are automatically replaced by \fBhash:ip\fR type of sets.
.SH "DIAGNOSTICS"
--- /dev/null
+# Create a set with timeout
+0 ipset create test hash:net,port,net timeout 5
+# Add partly zero valued element
+0 ipset add test 2.0.0.1/24,0,192.168.0.0/24
+# Test partly zero valued element
+0 ipset test test 2.0.0.1/24,0,192.168.0.0/24
+# Delete partly zero valued element
+0 ipset del test 2.0.0.1/24,0,192.168.0.0/24
+# Add first random value
+0 ipset add test 2.0.0.1/24,5,192.168.0.0/24
+# Add second random value
+0 ipset add test 2.1.0.0/24,128,10.0.0.0/16
+# Test first random value
+0 ipset test test 2.0.0.1,5,192.168.0.1
+# Test second random value
+0 ipset test test 2.1.0.0,128,10.0.1.1
+# Test value not added to the set
+1 ipset test test 2.5.0.1,4,10.0.0.1
+# Delete value not added to the set
+1 ipset del test 2.0.0.1/8,6,10.0.0.0/16
+# Test value before first random value
+1 ipset test test 2.0.0.0/25,5,192.168.0.0/24
+# Test value after second random value
+1 ipset test test 2.4.0.1,128,10.0.0.100
+# Try to add value before first random value
+0 ipset add test 2.0.0.0/24,5,192.168.0.0/25
+# Try to add value after second random value
+0 ipset add test 2.1.0.1,128,10.0.0.0/17
+# List set
+0 ipset list test | grep -v Revision: | sed 's/timeout ./timeout x/' > .foo0 && ./sort.sh .foo0
+# Check listing
+0 diff -u -I 'Size in memory.*' .foo hash:net,port,net.t.list0
+# Sleep 5s so that elements can time out
+0 sleep 5
+# List set
+0 n=`ipset save test|wc -l` && test $n -eq 1
+# Flush test set
+0 ipset flush test
+# Delete set
+0 ipset destroy test
+# Create set to add a range
+0 ipset new test hash:net,port,net hashsize 64
+# Add a range
+0 ipset add test 10.0.0.0-10.0.3.255,tcp:80-82,192.168.0.1/24
+# Check that correct number of elements are added
+0 n=`ipset list test|grep '^10.0'|wc -l` && test $n -eq 3
+# Destroy set
+0 ipset -X test
+# Create set to add a range and with range notation in the network
+0 ipset new test hash:net,port,net hashsize 64
+# Add a range which forces a resizing
+0 ipset add test 10.0.0.0-10.0.3.255,tcp:80-82,192.168.0.0-192.168.2.255
+# Check that correct number of elements are added
+0 n=`ipset list test|grep '^10.0'|wc -l` && test $n -eq 6
+# Destroy set
+0 ipset -X test
+# Create test set with timeout support
+0 ipset create test hash:net,port,net timeout 30
+# Add a non-matching IP address entry
+0 ipset -A test 2.2.2.2,80,1.1.1.1 nomatch
+# Add an overlapping matching small net
+0 ipset -A test 2.2.2.2,80,1.1.1.0/30
+# Add an overlapping non-matching larger net
+0 ipset -A test 2.2.2.2,80,1.1.1.0/28 nomatch
+# Add an even larger matching net
+0 ipset -A test 2.2.2.2,80,1.1.1.0/26
+# Check non-matching IP
+1 ipset -T test 2.2.2.2,80,1.1.1.1
+# Check matching IP from non-matchin small net
+0 ipset -T test 2.2.2.2,80,1.1.1.3
+# Check non-matching IP from larger net
+1 ipset -T test 2.2.2.2,80,1.1.1.4
+# Check matching IP from even larger net
+0 ipset -T test 2.2.2.2,80,1.1.1.16
+# Update non-matching IP to matching one
+0 ipset -! -A test 2.2.2.2,80,1.1.1.1
+# Delete overlapping small net
+0 ipset -D test 2.2.2.2,80,1.1.1.0/30
+# Check matching IP
+0 ipset -T test 2.2.2.2,80,1.1.1.1
+# Add overlapping small net
+0 ipset -A test 2.2.2.2,80,1.1.1.0/30
+# Update matching IP as a non-matching one, with shorter timeout
+0 ipset -! -A test 2.2.2.2,80,1.1.1.1 nomatch timeout 2
+# Check non-matching IP
+1 ipset -T test 2.2.2.2,80,1.1.1.1
+# Sleep 3s so that element can time out
+0 sleep 3
+# Check non-matching IP
+0 ipset -T test 2.2.2.2,80,1.1.1.1
+# Check matching IP
+0 ipset -T test 2.2.2.2,80,1.1.1.3
+# Delete test set
+0 ipset destroy test
+# Create set
+0 ipset create test hash:net,port,net
+# Add a single element
+0 ipset add test 10.0.0.1,tcp:80,2.2.2.0/24
+# Check number of elements
+0 n=`ipset save test|wc -l` && test $n -eq 2
+# Delete the single element
+0 ipset del test 10.0.0.1,tcp:80,2.2.2.0/24
+# Check number of elements
+0 n=`ipset save test|wc -l` && test $n -eq 1
+# Add an IP range
+0 ipset add test 10.0.0.1-10.0.0.10,tcp:80,2.2.2.0/24
+# Check number of elements
+0 n=`ipset save test|wc -l` && test $n -eq 6
+# Delete the IP range
+0 ipset del test 10.0.0.1-10.0.0.10,tcp:80,2.2.2.0/24
+# Check number of elements
+0 n=`ipset save test|wc -l` && test $n -eq 1
+# Add a port range
+0 ipset add test 10.0.0.1,tcp:80-89,2.2.2.0/24
+# Check number of elements
+0 n=`ipset save test|wc -l` && test $n -eq 11
+# Delete the port range
+0 ipset del test 10.0.0.1,tcp:80-89,2.2.2.0/24
+# Check number of elements
+0 n=`ipset save test|wc -l` && test $n -eq 1
+# Add an IP and port range
+0 ipset add test 10.0.0.1-10.0.0.10,tcp:80-89,2.2.2.0/24
+# Check number of elements
+0 n=`ipset save test|wc -l` && test $n -eq 51
+# Delete the IP and port range
+0 ipset del test 10.0.0.1-10.0.0.10,tcp:80-89,2.2.2.0/24
+# Check number of elements
+0 n=`ipset save test|wc -l` && test $n -eq 1
+# Destroy set
+0 ipset -X test
+# Timeout: Check that resizing keeps timeout values
+0 ./resizet.sh -4 netportnet
+# Nomatch: Check that resizing keeps the nomatch flag
+0 ./resizen.sh -4 netportnet
+# Counters: create set
+0 ipset n test hash:net,port,net counters
+# Counters: add element with packet, byte counters
+0 ipset a test 2.0.0.1,80,192.168.199.200 packets 5 bytes 3456
+# Counters: check element
+0 ipset t test 2.0.0.1,80,192.168.199.200
+# Counters: check counters
+0 ./check_counters test 2.0.0.1 5 3456
+# Counters: delete element
+0 ipset d test 2.0.0.1,80,192.168.199.200
+# Counters: test deleted element
+1 ipset t test 2.0.0.1,80,192.168.199.200
+# Counters: add element with packet, byte counters
+0 ipset a test 2.0.0.20,453,10.0.0.1 packets 12 bytes 9876
+# Counters: check counters
+0 ./check_counters test 2.0.0.20 12 9876
+# Counters: update counters
+0 ipset -! a test 2.0.0.20,453,10.0.0.1 packets 13 bytes 12479
+# Counters: check counters
+0 ./check_counters test 2.0.0.20 13 12479
+# Counters: destroy set
+0 ipset x test
+# Counters and timeout: create set
+0 ipset n test hash:net,port,net counters timeout 600
+# Counters and timeout: add element with packet, byte counters
+0 ipset a test 2.0.0.1,80,192.168.199.200 packets 5 bytes 3456
+# Counters and timeout: check element
+0 ipset t test 2.0.0.1,80,192.168.199.200
+# Counters and timeout: check counters
+0 ./check_extensions test 2.0.0.1 600 5 3456
+# Counters and timeout: delete element
+0 ipset d test 2.0.0.1,80,192.168.199.200
+# Counters and timeout: test deleted element
+1 ipset t test 2.0.0.1,80,192.168.199.200
+# Counters and timeout: add element with packet, byte counters
+0 ipset a test 2.0.0.20,453,10.0.0.1 packets 12 bytes 9876
+# Counters and timeout: check counters
+0 ./check_extensions test 2.0.0.20 600 12 9876
+# Counters and timeout: update counters
+0 ipset -! a test 2.0.0.20,453,10.0.0.1 packets 13 bytes 12479
+# Counters and timeout: check counters
+0 ./check_extensions test 2.0.0.20 600 13 12479
+# Counters and timeout: update timeout
+0 ipset -! a test 2.0.0.20,453,10.0.0.1 timeout 700
+# Counters and timeout: check counters
+0 ./check_extensions test 2.0.0.20 700 13 12479
+# Counters and timeout: destroy set
+0 ipset x test
+# eof
--- /dev/null
+Name: test
+Type: hash:net,port,net
+Header: family inet hashsize 1024 maxelem 65536 timeout x
+Size in memory: 17672
+References: 0
+Members:
+2.0.0.0/24,tcp:5,192.168.0.0/24 timeout x
+2.0.0.0/24,tcp:5,192.168.0.0/25 timeout x
+2.1.0.0/24,tcp:128,10.0.0.0/16 timeout x
+2.1.0.1,tcp:128,10.0.0.0/17 timeout x
--- /dev/null
+# Range: Create a set
+0 ipset -N test netportnethash -6
+# Range: Add zero valued element
+1 ipset -A test 2:0:0::1/24,0,0:0:0::0/0
+# Range: Test zero valued element
+1 ipset -T test 2:0:0::1/24,0,0:0:0::0/0
+# Range: Delete zero valued element
+1 ipset -D test 2:0:0::1,0,0:0:0::0/0
+# Range: Add almost zero valued element
+0 ipset -A test 2:0:0::1,0,0:0:0::0/24
+# Range: Test almost zero valued element
+0 ipset -T test 2:0:0::1,0,0:0:0::0/24
+# Range: Delete almost zero valued element
+0 ipset -D test 2:0:0::1,0,0:0:0::0/24
+# Range: Add first random value
+0 ipset -A test 2:0:0::1,5,1:1:1::1/24
+# Range: Add second random value
+0 ipset -A test 2:1:0::0,128,2:2:2::2/12
+# Range: Test first random value
+0 ipset -T test 2:0:0::1,5,1:1:1::2
+# Range: Test second random value
+0 ipset -T test 2:1:0::0,128,2:2:2::0
+# Range: Test value not added to the set
+1 ipset -T test 2:0:0::1,5,2:1:1::255
+# Range: Test value not added to the set
+1 ipset -T test 2:0:0::1,6,1:1:1::1
+# Range: Test value not added to the set
+1 ipset -T test 2:0:0::2,6,1:1:1::1
+# Range: Test value before first random value
+1 ipset -T test 2:0:0::0,5,1:1:1::1
+# Range: Test value after second random value
+1 ipset -T test 2:1:0::1,128,2:2:2::2
+# Range: Try to add value before first random value
+0 ipset -A test 2:0:0::0,5,1:1:1::1/24
+# Range: Try to add value after second random value
+0 ipset -A test 2:1:0::1,128,2:2:2::2/12
+# Range: List set
+0 ipset -L test | grep -v Revision: > .foo0 && ./sort.sh .foo0
+# Range: Check listing
+0 diff -u -I 'Size in memory.*' .foo hash:net6,port,net6.t.list0
+# Range: Flush test set
+0 ipset -F test
+# Range: Delete test set
+0 ipset -X test
+# Create set to add a range
+0 ipset new test hash:net,port,net -6 hashsize 64
+# Add a range which forces a resizing
+0 ipset add test 1::1,tcp:80-1105,2::2/12
+# Check that correct number of elements are added
+0 n=`ipset list test|grep 1::1|wc -l` && test $n -eq 1026
+# Destroy set
+0 ipset -X test
+# Create test set with timeout support
+0 ipset create test hash:net,port,net family inet6 timeout 30
+# Add a non-matching IP address entry
+0 ipset -A test 2:2:2::2,80,1:1:1::1 nomatch
+# Add an overlapping matching small net
+0 ipset -A test 2:2:2::2,80,1:1:1::/124
+# Add an overlapping non-matching larger net
+0 ipset -A test 2:2:2::2,80,1:1:1::/120 nomatch
+# Add an even larger matching net
+0 ipset -A test 2:2:2::2,80,1:1:1::/116
+# Check non-matching IP
+1 ipset -T test 2:2:2::2,80,1:1:1::1
+# Check matching IP from non-matchin small net
+0 ipset -T test 2:2:2::2,80,1:1:1::F
+# Check non-matching IP from larger net
+1 ipset -T test 2:2:2::2,80,1:1:1::10
+# Check matching IP from even larger net
+0 ipset -T test 2:2:2::2,80,1:1:1::100
+# Update non-matching IP to matching one
+0 ipset -! -A test 2:2:2::2,80,1:1:1::1
+# Delete overlapping small net
+0 ipset -D test 2:2:2::2,80,1:1:1::/124
+# Check matching IP
+0 ipset -T test 2:2:2::2,80,1:1:1::1
+# Add overlapping small net
+0 ipset -A test 2:2:2::2,80,1:1:1::/124
+# Update matching IP as a non-matching one, with shorter timeout
+0 ipset -! -A test 2:2:2::2,80,1:1:1::1 nomatch timeout 2
+# Check non-matching IP
+1 ipset -T test 2:2:2::2,80,1:1:1::1
+# Sleep 3s so that element can time out
+0 sleep 3
+# Check non-matching IP
+0 ipset -T test 2:2:2::2,80,1:1:1::1
+# Check matching IP
+0 ipset -T test 2:2:2::2,80,1:1:1::F
+# Delete test set
+0 ipset destroy test
+# Timeout: Check that resizing keeps timeout values
+0 ./resizet.sh -6 netportnet
+# Nomatch: Check that resizing keeps the nomatch flag
+0 ./resizen.sh -6 netportnet
+# Counters: create set
+0 ipset n test hash:net,port,net -6 counters
+# Counters: add element with packet, byte counters
+0 ipset a test 2:0:0::1,80,2002:24:ff::1/64 packets 5 bytes 3456
+# Counters: check element
+0 ipset t test 2:0:0::1,80,2002:24:ff::1/64
+# Counters: check counters
+0 ./check_counters test 2::1 5 3456
+# Counters: delete element
+0 ipset d test 2:0:0::1,80,2002:24:ff::1/64
+# Counters: test deleted element
+1 ipset t test 2:0:0::1,80,2002:24:ff::1/64
+# Counters: add element with packet, byte counters
+0 ipset a test 2:0:0::20,453,2002:ff:24::ab/54 packets 12 bytes 9876
+# Counters: check counters
+0 ./check_counters test 2::20 12 9876
+# Counters: update counters
+0 ipset -! a test 2:0:0::20,453,2002:ff:24::ab/54 packets 13 bytes 12479
+# Counters: check counters
+0 ./check_counters test 2::20 13 12479
+# Counters: destroy set
+0 ipset x test
+# Counters and timeout: create set
+0 ipset n test hash:net,port,net -6 counters timeout 600
+# Counters and timeout: add element with packet, byte counters
+0 ipset a test 2:0:0::1,80,2002:24:ff::1/64 packets 5 bytes 3456
+# Counters and timeout: check element
+0 ipset t test 2:0:0::1,80,2002:24:ff::1/64
+# Counters and timeout: check counters
+0 ./check_extensions test 2::1 600 5 3456
+# Counters and timeout: delete element
+0 ipset d test 2:0:0::1,80,2002:24:ff::1/64
+# Counters and timeout: test deleted element
+1 ipset t test 2:0:0::1,80,2002:24:ff::1/64
+# Counters and timeout: add element with packet, byte counters
+0 ipset a test 2:0:0::20,453,2002:ff:24::ab/54 packets 12 bytes 9876
+# Counters and timeout: check counters
+0 ./check_extensions test 2::20 600 12 9876
+# Counters and timeout: update counters
+0 ipset -! a test 2:0:0::20,453,2002:ff:24::ab/54 packets 13 bytes 12479
+# Counters and timeout: check counters
+0 ./check_extensions test 2::20 600 13 12479
+# Counters and timeout: update timeout
+0 ipset -! a test 2:0:0::20,453,2002:ff:24::ab/54 timeout 700
+# Counters and timeout: check counters
+0 ./check_extensions test 2::20 700 13 12479
+# Counters and timeout: destroy set
+0 ipset x test
+# eof
--- /dev/null
+Name: test
+Type: hash:net,port,net
+Header: family inet6 hashsize 1024 maxelem 65536
+Size in memory: 18824
+References: 0
+Members:
+2:1::,tcp:128,::/12
+2:1::1,tcp:128,::/12
+2::,tcp:5,1::/24
+2::1,tcp:5,1::/24
done
done
;;
+ netportnet)
+ $ipset n test hash:net,port,net $1 hashsize 64
+ for x in `seq 0 16`; do
+ for y in `seq 0 255`; do
+ $ipset a test $ip$x$sep$y,1023,$ip2/$net nomatch
+ done
+ done
+ for x in `seq 0 16`; do
+ for y in `seq 0 255`; do
+ $ipset t test $ip$x$sep$y,1023,$ip2/$net nomatch 2>/dev/null
+ done
+ done
+ ;;
net)
$ipset n test hash:net $1 hashsize 64
for x in `seq 0 16`; do
done
done
;;
+ netportnet)
+ $ipset n test hash:net,port,net $1 hashsize 64 timeout 100
+ for x in `seq 0 16`; do
+ for y in `seq 0 128`; do
+ $ipset a test $ip$x$sep$y/$net,1023,$ip$y$sep$x/$net
+ done
+ done
+ ;;
net)
$ipset n test hash:net $1 hashsize 64 timeout 100
for x in `seq 0 16`; do
tests="$tests ipportiphash hash:ip,port,ip hash:ip6,port,ip6"
tests="$tests nethash hash:net hash:net6 hash:net,port hash:net6,port"
tests="$tests hash:ip,port,net hash:ip6,port,net6 hash:net,net hash:net6,net6"
+tests="$tests hash:net,port,net hash:net6,port,net6"
tests="$tests hash:net,iface.t"
tests="$tests comment setlist restore"
# tests="$tests iptree iptreemap"
for x in ip_set_list_set ip_set_hash_netiface ip_set_hash_ipportnet \
ip_set_hash_netport ip_set_hash_net ip_set_hash_ipportip \
ip_set_hash_ipport ip_set_hash_ip ip_set_hash_netnet \
+ ip_set_hash_netportnet \
ip_set_bitmap_port ip_set_bitmap_ipmac \
ip_set_bitmap_ip xt_set ip_set; do
rmmod $x