2.8.9.5.3. IP Set Types


bitmap:ip
Stores an IPv4 host address, a network range, or an IPv4 network address with the prefix length in CIDR notation if the netmask option is used when the set is created. It can optionally store a timeout value, a counter value, and a comment. It can store up to 65536 entries. The command to create the bitmap:ip set has the following format:
ipset create set-name range start_ipaddr-end_ipaddr |ipaddr/prefix-length [netmask prefix-length] [timeout value] [counters] [comment]

Example 2.6. Create an IP Set for a Range of Addresses Using a Prefix Length

To create an IP set for a range of addresses using a prefix length, make use of the bitmap:ip set type as follows:
~]# ipset create my-range bitmap:ip range 192.168.33.0/28
Once the set is created, entries can be added as follows:
~]# ipset add my-range 192.168.33.1
Review the members of the list:
~]# ipset list my-range
Name: my-range
Type: bitmap:ip
Header: range 192.168.33.0-192.168.33.15 
Size in memory: 84
References: 0
Members:
192.168.33.1
To add a range of addresses:
~]# ipset add my-range 192.168.33.2-192.168.33.4
Review the members of the list:
~]# ipset list my-range
Name: my-range
Type: bitmap:ip
Header: range 192.168.33.0-192.168.33.15 
Size in memory: 84
References: 0
Members:
192.168.33.1
192.168.33.2
192.168.33.3
192.168.33.4

Example 2.7. Create an IP Set for a Range of Addresses Using a Netmask

To create an IP set for a range of addresses using a netmask, make use of the bitmap:ip set type as follows:
~]# ipset create my-big-range bitmap:ip range 192.168.124.0-192.168.126.0 netmask 24
Once the set is created, entries can be added as follows:
~]# ipset add my-big-range 192.168.124.0
If you attempt to add an address, the range containing that address will be added:
~]# ipset add my-big-range 192.168.125.150
~]# ipset list my-big-range
Name: my-big-range
Type: bitmap:ip
Header: range 192.168.124.0-192.168.126.255 netmask 24 
Size in memory: 84
References: 0
Members:
192.168.124.0
192.168.125.0
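The netmask behavior in Example 2.7 can be checked before a set is created. The following is an added example, not part of the original guide: a POSIX shell model that computes the entry stored for an address, the range shown in the Header line, and how many netmask-sized blocks a range spans. The function names are hypothetical, and it assumes the 65536-entry limit stated above applies to netmask-sized entries.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): a model of bitmap:ip "netmask"
# behaviour. Function names are hypothetical; nothing here calls ipset.

ip2int() {              # dotted quad -> integer
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int2ip() {              # integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

netmask_of() {          # prefix length -> 32-bit mask as an integer
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# stored_element ADDR PREFIX: the entry that appears under Members:
stored_element() {
    int2ip $(( $(ip2int "$1") & $(netmask_of "$2") ))
}

# effective_range START END PREFIX: the range shown in the Header: line
effective_range() {
    mask=$(netmask_of "$3")
    first=$(( $(ip2int "$1") & mask ))
    last=$(( $(ip2int "$2") | (mask ^ 0xFFFFFFFF) ))
    echo "$(int2ip "$first")-$(int2ip "$last")"
}

# blocks_spanned START END PREFIX: netmask-sized blocks covered by the range
blocks_spanned() {
    shift_by=$(( 32 - $3 ))
    echo $(( ($(ip2int "$2") >> shift_by) - ($(ip2int "$1") >> shift_by) + 1 ))
}

# Values from Example 2.7
stored_element 192.168.125.150 24                 # 192.168.125.0
effective_range 192.168.124.0 192.168.126.0 24    # 192.168.124.0-192.168.126.255
blocks_spanned 192.168.124.0 192.168.126.0 24     # 3
# A host-granular set over a /8 would need far more than 65536 entries
[ "$(blocks_spanned 10.0.0.0 10.255.255.255 32)" -le 65536 ] || echo "too large for bitmap:ip"
```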
bitmap:ip,mac
Stores an IPv4 address and a MAC address as a pair. It can store up to 65536 entries.
ipset create my-range bitmap:ip,mac range start_ipaddr-end_ipaddr | ipaddr/prefix-length [timeout value ] [counters] [comment]

Example 2.8. Create an IP Set for a Range of IPv4 MAC Address Pairs

To create an IP set for a range of IPv4 MAC address pairs, make use of the bitmap:ip,mac set type as follows:
~]# ipset create my-range bitmap:ip,mac range 192.168.1.0/24
It is not necessary to specify a MAC address when creating the set.
Once the set is created, entries can be added as follows:
~]# ipset add my-range 192.168.1.1,12:34:56:78:9A:BC
bitmap:port
Stores a range of ports. It can store up to 65536 entries.
ipset create my-port-range bitmap:port range start_port-end_port [timeout value ] [counters] [comment]
The set match and SET target netfilter kernel modules interpret the stored numbers as TCP or UDP port numbers. The protocol can optionally be specified together with the port. The proto only needs to be specified if a service name is used, and that name does not exist as a TCP service.

Example 2.9. Create an IP Set for a Range of Ports

To create an IP set for a range of ports, make use of the bitmap:port set type as follows:
~]# ipset create my-permitted-port-range bitmap:port range 1024-49151
Once the set is created, entries can be added as follows:
~]# ipset add my-permitted-port-range 5060-5061
hash:ip
Stores a host or network address in the form of a hash. By default, an address specified without a network prefix length is a host address. The all-zero IP address cannot be stored.
ipset create my-addresses hash:ip [family[ inet | inet6 ]] [hashsize value] [maxelem value ] [netmask prefix-length] [timeout value ]
The inet family is the default; if family is omitted, addresses will be interpreted as IPv4 addresses. The hashsize value is the initial hash size to use and defaults to 1024. The maxelem value is the maximum number of elements which can be stored in the set; it defaults to 65536.
The netfilter tool searches for the most specific network prefix; it tries to find the smallest block of addresses that match.

Example 2.10. Create an IP Set for IP Addresses

To create an IP set for IP addresses, make use of the hash:ip set type as follows:
~]# ipset create my-addresses hash:ip
Once the set is created, entries can be added as follows:
~]# ipset add my-addresses 10.10.10.0
If additional options such as netmask and timeout are required, they must be specified when the set is created. For example:
~]# ipset create my-busy-addresses hash:ip maxelem 24 netmask 28 timeout 100
The maxelem option restricts the total number of elements in the set, thus conserving memory space.
The timeout option means that elements will only exist in the set for the number of seconds specified. For example:
~]# ipset add my-busy-addresses 192.168.60.0 timeout 100
The following output shows the time counting down:
[root@rhel6 ~]# ipset add my-busy-addresses 192.168.60.0 timeout 100
[root@rhel6 ~]# ipset list my-busy-addresses
Name: my-busy-addresses
Type: hash:ip
Header: family inet hashsize 1024 maxelem 24 netmask 28 timeout 100 
Size in memory: 8300
References: 0
Members:
192.168.60.0 timeout 90
[root@rhel6 ~]# ipset list my-busy-addresses
Name: my-busy-addresses
Type: hash:ip
Header: family inet hashsize 1024 maxelem 24 netmask 28 timeout 100 
Size in memory: 8300
References: 0
Members:
192.168.60.0 timeout 83
The element will be removed from the set when the timeout period ends.
See the ipset(8) manual page for more examples.
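Because entries in a set created with maxelem and timeout disappear on their own and additions stop once the set is full, it helps to read both values back from the ipset list output shown above. The following is an added example, not part of the original guide: POSIX shell and awk functions (hypothetical names) that parse a single-set listing. The sample reproduces the listing above, with a constructed second member.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): parse `ipset list NAME` output.
# Function names are hypothetical. sample_listing reproduces the listing
# shown above; the 192.168.60.16 member line is constructed for illustration.

sample_listing() {
cat <<'EOF'
Name: my-busy-addresses
Type: hash:ip
Header: family inet hashsize 1024 maxelem 24 netmask 28 timeout 100
Size in memory: 8300
References: 0
Members:
192.168.60.0 timeout 83
192.168.60.16 timeout 12
EOF
}

# header_option NAME: print the value of one Header: option (e.g. timeout)
header_option() {
    awk -v opt="$1" '
        $1 == "Header:" { for (i = 2; i < NF; i++) if ($i == opt) print $(i + 1) }'
}

# expiring_members SECONDS: members whose remaining timeout is <= SECONDS
expiring_members() {
    awk -v limit="$1" '
        in_members && $2 == "timeout" && $3 + 0 <= limit + 0 { print $1, $3 }
        $1 == "Members:" { in_members = 1 }'
}

# set_usage: current number of members against the maxelem limit
set_usage() {
    awk '
        $1 == "Header:" { for (i = 2; i < NF; i++) if ($i == "maxelem") max = $(i + 1) }
        in_members && NF { n++ }
        $1 == "Members:" { in_members = 1 }
        END { printf "%d/%d\n", n, max }'
}

sample_listing | header_option timeout    # 100
sample_listing | expiring_members 30      # 192.168.60.16 12
sample_listing | set_usage                # 2/24
```

On a live system, replace sample_listing with the output of ipset list for the set in question.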