红帽全球峰会此内容没有您所选择的语言版本。
2.8.9.5.3. IP Set Types
- bitmap:ip
- Stores an IPv4 host address, a network range, or an IPv4 network addresses with the prefix-length in CIDR notation if the
netmaskoption is used when the set is created. It can optionally store a timeout value, a counter value, and a comment. It can store up to65536entries. The command to create thebitmap:ipset has the following format:ipset create set-name range start_ipaddr-end_ipaddr |ipaddr/prefix-length [netmask prefix-length] [timeout value] [counters] [comment]
ipset create set-name range start_ipaddr-end_ipaddr |ipaddr/prefix-length [netmask prefix-lengthnetmask prefix-length] [timeout valuetimeout value] [counters] [comment]Copy to Clipboard Copied! Toggle word wrap Toggle overflow
Example 2.6. Create an IP Set for a Range of Addresses Using a Prefix Length
To create an IP set for a range of addresses using a prefix length, make use of the
Copy to Clipboard
Copied!
Toggle word wrap
Toggle overflow
bitmap:ip set type as follows:
ipset create my-range bitmap:ip range 192.168.33.0/28
~]# ipset create my-range bitmap:ip range 192.168.33.0/28
Once the set is created, entries can be added as follows:
Copy to Clipboard
Copied!
Toggle word wrap
Toggle overflow
ipset add my-range 192.168.33.1
~]# ipset add my-range 192.168.33.1
Review the members of the list:
Copy to Clipboard
Copied!
Toggle word wrap
Toggle overflow
To add a range of addresses:
Copy to Clipboard
Copied!
Toggle word wrap
Toggle overflow
ipset add my-range 192.168.33.2-192.168.33.4
~]# ipset add my-range 192.168.33.2-192.168.33.4
Review the members of the list:
Copy to Clipboard
Copied!
Toggle word wrap
Toggle overflow
Example 2.7. Create an IP Set for a Range of Addresses Using a Netmask
To create an IP set for a range of address using a netmask, make use of the
Copy to Clipboard
Copied!
Toggle word wrap
Toggle overflow
Once the set is created, entries can be added as follows:
Copy to Clipboard
Copied!
Toggle word wrap
Toggle overflow
bitmap:ip set type as follows:
ipset create my-big-range bitmap:ip range 192.168.124.0-192.168.126.0 netmask 24
~]# ipset create my-big-range bitmap:ip range 192.168.124.0-192.168.126.0 netmask 24ipset add my-big-range 192.168.124.0
~]# ipset add my-big-range 192.168.124.0
If you attempt to add an address, the range containing that address will be added:
Copy to Clipboard
Copied!
Toggle word wrap
Toggle overflow
- bitmap:ip,mac
- Stores an IPv4 address and a MAC address as a pair. It can store up to
65536entries.ipset create my-range bitmap:ip,mac range start_ipaddr-end_ipaddr | ipaddr/prefix-length [timeout value ] [counters] [comment]
ipset create my-range bitmap:ip,mac range start_ipaddr-end_ipaddr | ipaddr/prefix-length [timeout value timeout value timeout value ] [counters] [comment]Copy to Clipboard Copied! Toggle word wrap Toggle overflow
Example 2.8. Create an IP Set for a Range of IPv4 MAC Address Pairs
To create an IP set for a range of IPv4 MAC address pairs, make use of the
Copy to Clipboard
Copied!
Toggle word wrap
Toggle overflow
It is not necessary to specify a MAC address when creating the set.
bitmap:ip,mac set type as follows:
ipset create my-range bitmap:ip,mac range 192.168.1.0/24
~]# ipset create my-range bitmap:ip,mac range 192.168.1.0/24
Once the set is created, entries can be added as follows:
Copy to Clipboard
Copied!
Toggle word wrap
Toggle overflow
ipset add my-range 192.168.1.1,12:34:56:78:9A:BC
~]# ipset add my-range 192.168.1.1,12:34:56:78:9A:BC- bitmap:port
- Stores a range of ports. It can store up to
65536entries.ipset create my-port-range bitmap:port range start_port-end_port [timeout value ] [counters] [comment]
ipset create my-port-range bitmap:port range start_port-end_port [timeout value timeout value timeout value ] [counters] [comment]Copy to Clipboard Copied! Toggle word wrap Toggle overflow The set match and SET target netfilter kernel modules interpret the stored numbers as TCP or UDP port numbers. The protocol can optionally be specified together with the port. Theprotoonly needs to be specified if a service name is used, and that name does not exist as a TCP service.
Example 2.9. Create an IP Set for a Range of Ports
To create an IP set for a range of ports, make use of the
Copy to Clipboard
Copied!
Toggle word wrap
Toggle overflow
Once the set is created, entries can be added as follows:
Copy to Clipboard
Copied!
Toggle word wrap
Toggle overflow
bitmap:port set type as follows:
ipset create my-permitted-port-range bitmap:port range 1024-49151
~]# ipset create my-permitted-port-range bitmap:port range 1024-49151ipset add my-permitted-port-range 5060-5061
~]# ipset add my-permitted-port-range 5060-5061- hash:ip
- Stores a host or network address in the form of a hash. By default, an address specified without a network prefix length is a host address. The all-zero IP address cannot be stored.
ipset create my-addresses hash:ip [family[ inet | inet6 ]] [hashsize value] [maxelem value ] [netmask prefix-length] [timeout value ]
ipset create my-addresses hash:ip [family[ inet | inet6 ]family[ inet | inet6 ]family[ inet | inet6 ]] [hashsize valuehashsize value] [maxelem value maxelem value maxelem value ] [netmask prefix-lengthnetmask prefix-length] [timeout value timeout value timeout value ]Copy to Clipboard Copied! Toggle word wrap Toggle overflow Theinetfamily is the default, iffamilyis omitted addresses will be interpreted as IPv4 addresses. Thehashsizevalue is the initial hash size to use and defaults to1024. Themaxelemvalue is the maximum number of elements which can be stored in the set, it defaults to65536.The netfilter tool searches for a network prefix which is the most specific, it tries to find the smallest block of addresses that match.
Example 2.10. Create an IP Set for IP Addresses
To create an IP set for IP addresses, make use of the
Copy to Clipboard
Copied!
Toggle word wrap
Toggle overflow
Once the set is created, entries can be added as follows:
Copy to Clipboard
Copied!
Toggle word wrap
Toggle overflow
hash:ip set type as follows:
ipset create my-addresses hash:ip
~]# ipset create my-addresses hash:ipipset add my-addresses 10.10.10.0
~]# ipset add my-addresses 10.10.10.0
If additional options such as netmask and timeout are required, they must be specified when the set is created. For example:
Copy to Clipboard
Copied!
Toggle word wrap
Toggle overflow
The maxelem option restricts to total number of elements in the set, thus conserving memory space.
ipset create my-busy-addresses hash:ip maxelem 24 netmask 28 timeout 100
~]# ipset create my-busy-addresses hash:ip maxelem 24 netmask 28 timeout 100
The timeout option means that elements will only exist in the set for the number of seconds specified. For example:
Copy to Clipboard
Copied!
Toggle word wrap
Toggle overflow
The following output shows the time counting down:
Copy to Clipboard
Copied!
Toggle word wrap
Toggle overflow
The element will be removed from the set when the timeout period ends.
ipset add my-busy-addresses timeout 100
~]# ipset add my-busy-addresses timeout 100
See the
ipset(8) manual page for more examples.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}