.\" You should have received a copy of the GNU General Public License
.\" along with this program; if not, write to the Free Software
.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-.TH "IPSET" "8" "Apr 4, 2013" "Jozsef Kadlecsik" ""
+.TH "IPSET" "8" "Sep 23, 2014" "Jozsef Kadlecsik" ""
.SH "NAME"
ipset \(em administration tool for IP sets
.SH "SYNOPSIS"
.IP
ipset \-exist add test 192.168.0.1 timeout 600
.PP
-.SS hashsize
-This parameter is valid for the \fBcreate\fR command of all \fBhash\fR type sets.
-It defines the initial hash size for the set, default is 1024. The hash size must be a power
-of two, the kernel automatically rounds up non power of two hash sizes to the first
-correct value.
-Example:
-.IP
-ipset create test hash:ip hashsize 1536
-.PP
-.SS maxelem
-This parameter is valid for the \fBcreate\fR command of all \fBhash\fR type sets.
-It does define the maximal number of elements which can be stored in the set, default 65536.
-Example:
-.IP
-ipset create test hash:ip maxelem 2048.
-.PP
-.SS family { inet | inet6 }
-This parameter is valid for the \fBcreate\fR command of all \fBhash\fR type sets
-except for hash:mac.
-It defines the protocol family of the IP addresses to be stored in the set. The default is
-\fBinet\fR, i.e IPv4.
-For the \fBinet\fR family one can add or delete multiple entries by specifying
-a range or a network of IPv4 addresses in the IP address part of the entry:
-.PP
-\fIipaddr\fR := { \fIip\fR | \fIfromaddr\fR\-\fItoaddr\fR | \fIip\fR/\fIcidr\fR }
-.PP
-\fInetaddr\fR := { \fIfromaddr\fR\-\fItoaddr\fR | \fIip\fR/\fIcidr\fR }
-.PP
-Example:
-.IP
-ipset create test hash:ip family inet6
-.PP
-.SS nomatch
-The \fBhash\fR set types which can store \fBnet\fR type of data (i.e. hash:*net*)
-support the optional \fBnomatch\fR
-option when adding entries. When matching elements in the set, entries marked
-as \fBnomatch\fR are skipped as if those were not added to the set, which makes
-possible to build up sets with exceptions. See the example at hash type
-\fBhash:net\fR below.
-
-When elements are tested by \fBipset\fR, the \fBnomatch\fR
-flags are taken into account. If one wants to test the existence of an element
-marked with \fBnomatch\fR in a set, then the flag must be specified too.
.SS "counters, packets, bytes"
All set types support the optional \fBcounters\fR
option when creating a set. If the option is specified then the set is created
.IP
the above would appear as: "allow access to SMB share on \\\\fileserv\\"
.PP
-.SS forceadd
-All hash set types support the optional \fBforceadd\fR parameter when creating a set.
-When sets created with this option become full the next addition to the set may
-succeed and evict a random entry from the set.
-.IP
-ipset create foo hash:ip forceadd
-.PP
.SS "skbinfo, skbmark, skbprio, skbqueue"
All set types support the optional \fBskbinfo\fR extension. This extension allow to
store the metainfo (firewall mark, tc class and hardware queue) with every entry and map it to
.IP
ipset add foo skbmark 0x1111/0xff00ffff skbprio 1:10 skbqueue 10
.PP
+.SS hashsize
+This parameter is valid for the \fBcreate\fR command of all \fBhash\fR type sets.
+It defines the initial hash size for the set, default is 1024. The hash size must be a power
+of two, the kernel automatically rounds up non power of two hash sizes to the first
+correct value.
+Example:
+.IP
+ipset create test hash:ip hashsize 1536
+.PP
+.SS maxelem
+This parameter is valid for the \fBcreate\fR command of all \fBhash\fR type sets.
+It does define the maximal number of elements which can be stored in the set, default 65536.
+Example:
+.IP
+ipset create test hash:ip maxelem 2048.
+.PP
+.SS family { inet | inet6 }
+This parameter is valid for the \fBcreate\fR command of all \fBhash\fR type sets
+except for hash:mac.
+It defines the protocol family of the IP addresses to be stored in the set. The default is
+\fBinet\fR, i.e IPv4.
+For the \fBinet\fR family one can add or delete multiple entries by specifying
+a range or a network of IPv4 addresses in the IP address part of the entry:
+.PP
+\fIipaddr\fR := { \fIip\fR | \fIfromaddr\fR\-\fItoaddr\fR | \fIip\fR/\fIcidr\fR }
+.PP
+\fInetaddr\fR := { \fIfromaddr\fR\-\fItoaddr\fR | \fIip\fR/\fIcidr\fR }
+.PP
+Example:
+.IP
+ipset create test hash:ip family inet6
+.PP
+.SS nomatch
+The \fBhash\fR set types which can store \fBnet\fR type of data (i.e. hash:*net*)
+support the optional \fBnomatch\fR
+option when adding entries. When matching elements in the set, entries marked
+as \fBnomatch\fR are skipped as if those were not added to the set, which makes
+possible to build up sets with exceptions. See the example at hash type
+\fBhash:net\fR below.
+
+When elements are tested by \fBipset\fR, the \fBnomatch\fR
+flags are taken into account. If one wants to test the existence of an element
+marked with \fBnomatch\fR in a set, then the flag must be specified too.
+.SS forceadd
+All hash set types support the optional \fBforceadd\fR parameter when creating a set.
+When sets created with this option become full the next addition to the set may
+succeed and evict a random entry from the set.
+.IP
+ipset create foo hash:ip forceadd
+.PP
.SH "SET TYPES"
.SS bitmap:ip
The \fBbitmap:ip\fR set type uses a memory range to store either IPv4 host
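Review bot: in the re-added forceadd section, "the next addition to the set may succeed and evict a random entry" does not say under what condition the addition succeeds, nor that any existing entry, including one a firewall rule still relies on, can be the one evicted. Suggest stating both, and adding the "Example:" line that the hashsize, maxelem and family sections use before their .IP. Since this text is being moved anyway, the maxelem example "ipset create test hash:ip maxelem 2048." could also drop its trailing period, which reads as part of the command, and "i.e IPv4" could become "i.e. IPv4".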