Red Hat Summit2.8.9.5.3. IP Set Types
- bitmap:ip
- Stores an IPv4 host address, a network range, or an IPv4 network addresses with the prefix-length in CIDR notation if the
netmaskoption is used when the set is created. It can optionally store a timeout value, a counter value, and a comment. It can store up to65536entries. The command to create thebitmap:ipset has the following format:Copy to Clipboard Copied! Toggle word wrap Toggle overflow ipset create set-name range start_ipaddr-end_ipaddr |ipaddr/prefix-length [netmask prefix-length] [timeout value] [counters] [comment]
ipset create set-name range start_ipaddr-end_ipaddr |ipaddr/prefix-length [netmask prefix-length] [timeout value] [counters] [comment]
Example 2.6. Create an IP Set for a Range of Addresses Using a Prefix Length
To create an IP set for a range of addresses using a prefix length, make use of the
Copy to Clipboard
Copied!
Toggle word wrap
Toggle overflow
bitmap:ip set type as follows:
~]# ipset create my-range bitmap:ip range 192.168.33.0/28
~]# ipset create my-range bitmap:ip range 192.168.33.0/28
Once the set is created, entries can be added as follows:
Copy to Clipboard
Copied!
Toggle word wrap
Toggle overflow
~]# ipset add my-range 192.168.33.1
~]# ipset add my-range 192.168.33.1
Review the members of the list:
Copy to Clipboard
Copied!
Toggle word wrap
Toggle overflow
~]# ipset list my-range Name: my-range Type: bitmap:ip Header: range 192.168.33.0-192.168.33.15 Size in memory: 84 References: 0 Members: 192.168.33.1
~]# ipset list my-range
Name: my-range
Type: bitmap:ip
Header: range 192.168.33.0-192.168.33.15
Size in memory: 84
References: 0
Members:
192.168.33.1
To add a range of addresses:
Copy to Clipboard
Copied!
Toggle word wrap
Toggle overflow
~]# ipset add my-range 192.168.33.2-192.168.33.4
~]# ipset add my-range 192.168.33.2-192.168.33.4
Review the members of the list:
Copy to Clipboard
Copied!
Toggle word wrap
Toggle overflow
~]# ipset list my-range Name: my-range Type: bitmap:ip Header: range 192.168.33.0-192.168.33.15 Size in memory: 84 References: 0 Members: 192.168.33.1 192.168.33.2 192.168.33.3 192.168.33.4
~]# ipset list my-range
Name: my-range
Type: bitmap:ip
Header: range 192.168.33.0-192.168.33.15
Size in memory: 84
References: 0
Members:
192.168.33.1
192.168.33.2
192.168.33.3
192.168.33.4Example 2.7. Create an IP Set for a Range of Addresses Using a Netmask
To create an IP set for a range of address using a netmask, make use of the
Copy to Clipboard
Copied!
Toggle word wrap
Toggle overflow
Once the set is created, entries can be added as follows:
Copy to Clipboard
Copied!
Toggle word wrap
Toggle overflow
bitmap:ip set type as follows:
~]# ipset create my-big-range bitmap:ip range 192.168.124.0-192.168.126.0 netmask 24
~]# ipset create my-big-range bitmap:ip range 192.168.124.0-192.168.126.0 netmask 24~]# ipset add my-big-range 192.168.124.0
~]# ipset add my-big-range 192.168.124.0
If you attempt to add an address, the range containing that address will be added:
Copy to Clipboard
Copied!
Toggle word wrap
Toggle overflow
~]# ipset add my-big-range 192.168.125.150 ~]# ipset list my-big-range Name: my-big-range Type: bitmap:ip Header: range 192.168.124.0-192.168.126.255 netmask 24 Size in memory: 84 References: 0 Members: 192.168.124.0 192.168.125.0
~]# ipset add my-big-range 192.168.125.150
~]# ipset list my-big-range
Name: my-big-range
Type: bitmap:ip
Header: range 192.168.124.0-192.168.126.255 netmask 24
Size in memory: 84
References: 0
Members:
192.168.124.0
192.168.125.0- bitmap:ip,mac
- Stores an IPv4 address and a MAC address as a pair. It can store up to
65536entries.Copy to Clipboard Copied! Toggle word wrap Toggle overflow ipset create my-range bitmap:ip,mac range start_ipaddr-end_ipaddr | ipaddr/prefix-length [timeout value ] [counters] [comment]
ipset create my-range bitmap:ip,mac range start_ipaddr-end_ipaddr | ipaddr/prefix-length [timeout value ] [counters] [comment]
Example 2.8. Create an IP Set for a Range of IPv4 MAC Address Pairs
To create an IP set for a range of IPv4 MAC address pairs, make use of the
Copy to Clipboard
Copied!
Toggle word wrap
Toggle overflow
It is not necessary to specify a MAC address when creating the set.
bitmap:ip,mac set type as follows:
~]# ipset create my-range bitmap:ip,mac range 192.168.1.0/24
~]# ipset create my-range bitmap:ip,mac range 192.168.1.0/24
Once the set is created, entries can be added as follows:
Copy to Clipboard
Copied!
Toggle word wrap
Toggle overflow
~]# ipset add my-range 192.168.1.1,12:34:56:78:9A:BC
~]# ipset add my-range 192.168.1.1,12:34:56:78:9A:BC- bitmap:port
- Stores a range of ports. It can store up to
65536entries.Copy to Clipboard Copied! Toggle word wrap Toggle overflow ipset create my-port-range bitmap:port range start_port-end_port [timeout value ] [counters] [comment]
ipset create my-port-range bitmap:port range start_port-end_port [timeout value ] [counters] [comment]The set match and SET target netfilter kernel modules interpret the stored numbers as TCP or UDP port numbers. The protocol can optionally be specified together with the port. Theprotoonly needs to be specified if a service name is used, and that name does not exist as a TCP service.
Example 2.9. Create an IP Set for a Range of Ports
To create an IP set for a range of ports, make use of the
Copy to Clipboard
Copied!
Toggle word wrap
Toggle overflow
Once the set is created, entries can be added as follows:
Copy to Clipboard
Copied!
Toggle word wrap
Toggle overflow
bitmap:port set type as follows:
~]# ipset create my-permitted-port-range bitmap:port range 1024-49151
~]# ipset create my-permitted-port-range bitmap:port range 1024-49151~]# ipset add my-permitted-port-range 5060-5061
~]# ipset add my-permitted-port-range 5060-5061- hash:ip
- Stores a host or network address in the form of a hash. By default, an address specified without a network prefix length is a host address. The all-zero IP address cannot be stored.
Copy to Clipboard Copied! Toggle word wrap Toggle overflow ipset create my-addresses hash:ip [family[ inet | inet6 ]] [hashsize value] [maxelem value ] [netmask prefix-length] [timeout value ]
ipset create my-addresses hash:ip [family[ inet | inet6 ]] [hashsize value] [maxelem value ] [netmask prefix-length] [timeout value ]Theinetfamily is the default, iffamilyis omitted addresses will be interpreted as IPv4 addresses. Thehashsizevalue is the initial hash size to use and defaults to1024. Themaxelemvalue is the maximum number of elements which can be stored in the set, it defaults to65536.The netfilter tool searches for a network prefix which is the most specific, it tries to find the smallest block of addresses that match.
Example 2.10. Create an IP Set for IP Addresses
To create an IP set for IP addresses, make use of the
Copy to Clipboard
Copied!
Toggle word wrap
Toggle overflow
Once the set is created, entries can be added as follows:
Copy to Clipboard
Copied!
Toggle word wrap
Toggle overflow
hash:ip set type as follows:
~]# ipset create my-addresses hash:ip
~]# ipset create my-addresses hash:ip~]# ipset add my-addresses 10.10.10.0
~]# ipset add my-addresses 10.10.10.0
If additional options such as netmask and timeout are required, they must be specified when the set is created. For example:
Copy to Clipboard
Copied!
Toggle word wrap
Toggle overflow
The maxelem option restricts to total number of elements in the set, thus conserving memory space.
~]# ipset create my-busy-addresses hash:ip maxelem 24 netmask 28 timeout 100
~]# ipset create my-busy-addresses hash:ip maxelem 24 netmask 28 timeout 100
The timeout option means that elements will only exist in the set for the number of seconds specified. For example:
Copy to Clipboard
Copied!
Toggle word wrap
Toggle overflow
The following output shows the time counting down:
Copy to Clipboard
Copied!
Toggle word wrap
Toggle overflow
The element will be removed from the set when the timeout period ends.
~]# ipset add my-busy-addresses timeout 100
~]# ipset add my-busy-addresses timeout 100ipset add my-busy-addresses 192.168.60.0 timeout 100 ipset list my-busy-addresses ipset list my-busy-addresses
[root@rhel6 ~]# ipset add my-busy-addresses 192.168.60.0 timeout 100
[root@rhel6 ~]# ipset list my-busy-addresses
Name: my-busy-addresses
Type: hash:ip
Header: family inet hashsize 1024 maxelem 24 netmask 28 timeout 100
Size in memory: 8300
References: 0
Members:
192.168.60.0 timeout 90
[root@rhel6 ~]# ipset list my-busy-addresses
Name: my-busy-addresses
Type: hash:ip
Header: family inet hashsize 1024 maxelem 24 netmask 28 timeout 100
Size in memory: 8300
References: 0
Members:
192.168.60.0 timeout 83
See the
ipset(8) manual page for more examples.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}