2.8.9.5.2. ipset Commands
The format of the ipset command is as follows:
ipset [options] command [command-options]
Where command is one of:
create | add | del | test | destroy | list | save | restore | flush | rename | swap | help | version | -
Allowed options are:
-exist | -output [ plain | save | xml ] | -quiet | -resolve | -sorted | -name | -terse
The create command is used to create a new data structure to store a set of IP data. The add command adds new data to the set; the data added is referred to as an element of the set.
The -exist option suppresses the error message if the element already exists, and it has a special role in updating a timeout value. To change a timeout, use the ipset add command and specify all the data for the element again, changing only the timeout value as required, and using the -exist option.
The test command is for testing whether an element already exists within a set.
The format of the create command is as follows:
ipset create set-name type-name [create-options]
The set-name is a suitable name chosen by the user; the type-name is the name of the data structure used to store the data comprising the set. The format of the type-name is as follows:
method:datatype[,datatype[,datatype]]
The allowed methods for storing data are:
bitmap | hash | list
The allowed data types are:
ip | net | mac | port | iface
When adding, deleting, or testing entries in a set, the same comma-separated data syntax must be used for the data that makes up one entry, or element, in the set. For example:
ipset add set-name ipaddr,portnum,ipaddr
Note
A set cannot contain IPv4 and IPv6 addresses at the same time. When a set is created it is bound to a family, inet for IPv4 or inet6 for IPv6, and the default is inet.
Example 2.3. Create an IP Set
To create an IP set consisting of a source IP address, a port, and a destination IP address, issue a command as follows:
~]# ipset create my-set hash:ip,port,ip
Once the set is created, entries can be added as follows:
~]# ipset add my-set 192.168.1.2,80,192.168.2.2
~]# ipset add my-set 192.168.1.2,443,192.168.2.2
The set types have the following optional parameters in common. They must be specified when the set is created in order for them to be used:
timeout — The value given with the create command will be the default value for the set created. If a value is given with the add command, it will be the initial non-default value for the element.
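The create, add and timeout rules above can be checked before anything touches the kernel. The following script is an added example, not code from the Red Hat guide or the ipset project: it parses a type-name (method:datatype[,datatype[,datatype]]), validates each comma-separated element against that type-name and the set's address family (inet by default, no IPv4/IPv6 mixing), and emits the lines that ipset restore reads, which use the same syntax as the CLI without the leading ipset. The set name, addresses and timeouts are constructed sample values; the class and function names are this example's own. Hostnames and address ranges, which the ipset CLI also accepts, are deliberately not handled.

```python
"""Added example, not code from the Red Hat guide: build an ``ipset restore``
batch for a hash set, validating every element against the set's type-name
and address family first. Set name and addresses are constructed samples."""
import ipaddress
import re

METHODS = ("bitmap", "hash", "list")
DATATYPES = ("ip", "net", "mac", "port", "iface")
MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$", re.IGNORECASE)
PORT_RE = re.compile(r"^(?:(?:tcp|udp|sctp|udplite):)?(\d{1,5})$")  # [proto:]port


def parse_type_name(type_name):
    """Split ``method:datatype[,datatype[,datatype]]`` into (method, datatypes)."""
    method, sep, rest = type_name.partition(":")
    if not sep or method not in METHODS:
        raise ValueError(f"unknown method in type-name {type_name!r}")
    datatypes = rest.split(",") if rest else []
    if not 1 <= len(datatypes) <= 3 or any(d not in DATATYPES for d in datatypes):
        raise ValueError(f"type-name {type_name!r} needs 1 to 3 known datatypes")
    return method, datatypes


def element_family(datatypes, element):
    """Check one comma-separated element against the datatypes; return the
    family ("inet"/"inet6") of its ip/net fields, or None if it has none."""
    fields = element.split(",")
    if len(fields) != len(datatypes):
        raise ValueError(f"{element!r}: expected {len(datatypes)} fields, got {len(fields)}")
    family = None
    for dtype, value in zip(datatypes, fields):
        version = None
        if dtype == "ip":  # literal addresses only (no hostnames or ranges here)
            version = ipaddress.ip_address(value).version
        elif dtype == "net":
            version = ipaddress.ip_network(value, strict=False).version
        elif dtype == "port":
            m = PORT_RE.match(value)
            if not m or int(m.group(1)) > 65535:
                raise ValueError(f"{value!r} is not a valid [proto:]port")
        elif dtype == "mac":
            if not MAC_RE.match(value):
                raise ValueError(f"{value!r} is not a MAC address")
        elif not value:  # iface: just require a non-empty interface name
            raise ValueError("empty interface name")
        if version is not None:
            this = "inet" if version == 4 else "inet6"
            if family not in (None, this):
                raise ValueError(f"{element!r} mixes IPv4 and IPv6 fields")
            family = this
    return family


class RestoreBatch:
    """Lines in the format ``ipset restore`` reads: CLI syntax minus ``ipset``."""

    def __init__(self, name, type_name, family="inet", timeout=None):
        self.name = name
        self.method, self.datatypes = parse_type_name(type_name)
        if self.method == "bitmap" and family == "inet6":
            raise ValueError("bitmap sets hold IPv4 data only")
        self.family = family
        line = f"create {name} {type_name}"
        if self.method == "hash":  # only the hash types take a family option
            line += f" family {family}"
        if timeout is not None:  # default timeout applied to every element
            line += f" timeout {timeout}"
        self.lines = [line]

    def add(self, element, timeout=None):
        """Validate the element, enforce the set's family, emit an add line."""
        fam = element_family(self.datatypes, element)
        if fam is not None and fam != self.family:
            raise ValueError(f"{element!r} is {fam} but set {self.name} is {self.family}")
        line = f"add {self.name} {element}"
        if timeout is not None:  # per-element value overriding the set default
            line += f" timeout {timeout}"
        self.lines.append(line)
        return line

    def render(self):
        return "\n".join(self.lines) + "\n"


def refresh_timeout_command(name, element, timeout):
    """CLI form for resetting one element's timeout: re-add it with -exist so
    the existing entry is updated instead of producing an error."""
    return f"ipset -exist add {name} {element} timeout {timeout}"


def build_sample_batch():
    """Constructed sample: the guide's my-set with a 300 s default timeout."""
    batch = RestoreBatch("my-set", "hash:ip,port,ip", timeout=300)
    batch.add("192.168.1.2,80,192.168.2.2")
    batch.add("192.168.1.2,tcp:443,192.168.2.2", timeout=60)
    return batch


if __name__ == "__main__":
    # Pipe this output into `ipset -exist restore` on the firewall host.
    print(build_sample_batch().render(), end="")
```

Running the script prints a create line carrying the set-wide timeout followed by one add line per element, the second with its own shorter timeout; feeding that text to ipset -exist restore makes the batch idempotent, since an existing set or element is then updated rather than reported as an error. Rejected input (wrong field count, a port above 65535, an IPv6 element in an inet set) raises before any line is produced, which is the point of validating on the management host rather than discovering the problem half-way through a restore.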
Example 2.4. List an IP Set
To list the contents of a specific IP set, my-set, issue a command as follows:
~]# ipset list my-set
Omit the set name to list all sets.
Example 2.5. Test the Elements of an IP Set
Listing the contents of large sets is time consuming. You can test for the existence of an element as follows:
~]# ipset test my-set 192.168.1.2,80,192.168.2.2
192.168.1.2,tcp:80,192.168.2.2 is in set my-set.