2.8.9.5.3. IP Set Types
- bitmap:ip
- Stores an IPv4 host address, a network range, or IPv4 network addresses with the prefix length in CIDR notation if the netmask option is used when the set is created. It can optionally store a timeout value, a counter value, and a comment. It can store up to 65536 entries. The command to create the bitmap:ip set has the following format:
ipset create set-name bitmap:ip range start_ipaddr-end_ipaddr | ipaddr/prefix-length [netmask prefix-length] [timeout value] [counters] [comment]
Example 2.6. Create an IP Set for a Range of Addresses Using a Prefix Length
To create an IP set for a range of addresses using a prefix length, make use of the bitmap:ip set type as follows:
~]# ipset create my-range bitmap:ip range 192.168.33.0/28
Once the set is created, entries can be added as follows:
~]# ipset add my-range 192.168.33.1
Review the members of the list:
~]# ipset list my-range
Name: my-range
Type: bitmap:ip
Header: range 192.168.33.0-192.168.33.15
Size in memory: 84
References: 0
Members:
192.168.33.1
To add a range of addresses:
~]# ipset add my-range 192.168.33.2-192.168.33.4
Review the members of the list:
~]# ipset list my-range
Name: my-range
Type: bitmap:ip
Header: range 192.168.33.0-192.168.33.15
Size in memory: 84
References: 0
Members:
192.168.33.1
192.168.33.2
192.168.33.3
192.168.33.4
Example 2.7. Create an IP Set for a Range of Addresses Using a Netmask
To create an IP set for a range of addresses using a netmask, make use of the bitmap:ip set type as follows:
~]# ipset create my-big-range bitmap:ip range 192.168.124.0-192.168.126.0 netmask 24
Once the set is created, entries can be added as follows:
~]# ipset add my-big-range 192.168.124.0
If you attempt to add a single address, the block (range) containing that address is added instead:
~]# ipset add my-big-range 192.168.125.150
~]# ipset list my-big-range
Name: my-big-range
Type: bitmap:ip
Header: range 192.168.124.0-192.168.126.255 netmask 24
Size in memory: 84
References: 0
Members:
192.168.124.0
192.168.125.0
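The following Python is an added illustration, not code from this page or from the ipset project: it models how a bitmap:ip set sizes its range, how the netmask option widens the range to whole blocks and records the block start when a single address is added (the behaviour visible in the headers and members of Examples 2.6 and 2.7), and it enforces the 65536-entry limit stated above. The function names are my own, and the rounding rule is inferred from the listings above rather than taken from the ipset source.

```python
import ipaddress

BITMAP_MAX_ENTRIES = 65536  # bitmap:ip holds at most 65536 addresses, or 65536 blocks with netmask


def parse_range(spec):
    """Accept both forms of the create line: 'start-end' or 'addr/prefix-length'."""
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        return int(net.network_address), int(net.broadcast_address)
    start, end = spec.split("-", 1)
    return int(ipaddress.ip_address(start)), int(ipaddress.ip_address(end))


def bitmap_ip_layout(spec, netmask=32):
    """Return (first, last, entries) for the set ipset would build; raise if it exceeds the limit."""
    first, last = parse_range(spec)
    hostbits = 32 - netmask
    hostmask = (1 << hostbits) - 1   # low bits the netmask option discards (0 when netmask is 32)
    first &= ~hostmask               # the start rounds down to a block boundary ...
    last |= hostmask                 # ... and the end rounds up to the end of its block (Example 2.7)
    entries = (last - first + 1) >> hostbits   # one bitmap entry per address, or per block
    if entries > BITMAP_MAX_ENTRIES:
        raise ValueError(f"{entries} entries exceed the bitmap:ip limit of {BITMAP_MAX_ENTRIES}")
    return first, last, entries


def bitmap_ip_header(spec, netmask=32):
    """The 'Header:' line that 'ipset list' prints for this set."""
    first, last, _ = bitmap_ip_layout(spec, netmask)
    header = f"range {ipaddress.ip_address(first)}-{ipaddress.ip_address(last)}"
    return header if netmask == 32 else f"{header} netmask {netmask}"


def bitmap_ip_member(spec, netmask, addr):
    """The member recorded when addr is added: addr itself, or the start of its block."""
    first, last, _ = bitmap_ip_layout(spec, netmask)
    ip = int(ipaddress.ip_address(addr))
    if not first <= ip <= last:
        raise ValueError(f"{addr} lies outside the set's range")
    hostbits = 32 - netmask
    block = (ip - first) >> hostbits   # index of the bit that this address sets
    return str(ipaddress.ip_address(first + (block << hostbits)))


if __name__ == "__main__":
    print(bitmap_ip_header("192.168.33.0/28"))                                   # Example 2.6
    print(bitmap_ip_header("192.168.124.0-192.168.126.0", 24))                   # Example 2.7
    print(bitmap_ip_member("192.168.124.0-192.168.126.0", 24, "192.168.125.150"))
```

Running the layout check before `ipset create` lets a deployment script reject a range that is too large for bitmap:ip (a /15 without netmask, for instance) and fall back to hash:ip or hash:net instead.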
- bitmap:ip,mac
- Stores an IPv4 address and a MAC address as a pair. It can store up to 65536 entries. The command to create the bitmap:ip,mac set has the following format:
ipset create my-range bitmap:ip,mac range start_ipaddr-end_ipaddr | ipaddr/prefix-length [timeout value] [counters] [comment]
Example 2.8. Create an IP Set for a Range of IPv4 MAC Address Pairs
To create an IP set for a range of IPv4 MAC address pairs, make use of the bitmap:ip,mac set type as follows:
~]# ipset create my-range bitmap:ip,mac range 192.168.1.0/24
It is not necessary to specify a MAC address when creating the set.
Once the set is created, entries can be added as follows:
~]# ipset add my-range 192.168.1.1,12:34:56:78:9A:BC
- bitmap:port
- Stores a range of ports. It can store up to 65536 entries. The command to create the bitmap:port set has the following format:
ipset create my-port-range bitmap:port range start_port-end_port [timeout value] [counters] [comment]
The set match and SET target netfilter kernel modules interpret the stored numbers as TCP or UDP port numbers. The protocol can optionally be specified together with the port. The proto option only needs to be specified if a service name is used, and that name does not exist as a TCP service.
Example 2.9. Create an IP Set for a Range of Ports
To create an IP set for a range of ports, make use of the bitmap:port set type as follows:
~]# ipset create my-permitted-port-range bitmap:port range 1024-49151
Once the set is created, entries can be added as follows:
~]# ipset add my-permitted-port-range 5060-5061
- hash:ip
- Stores a host or network address in the form of a hash. By default, an address specified without a network prefix length is a host address. The all-zero IP address cannot be stored. The command to create the hash:ip set has the following format:
ipset create my-addresses hash:ip [family [inet | inet6]] [hashsize value] [maxelem value] [netmask prefix-length] [timeout value]
The inet family is the default; if family is omitted, addresses are interpreted as IPv4 addresses. The hashsize value is the initial hash size to use and defaults to 1024. The maxelem value is the maximum number of elements which can be stored in the set; it defaults to 65536. The netfilter tool searches for the most specific network prefix, that is, it tries to find the smallest block of addresses that match.
Example 2.10. Create an IP Set for IP Addresses
To create an IP set for IP addresses, make use of the hash:ip set type as follows:
~]# ipset create my-addresses hash:ip
Once the set is created, entries can be added as follows:
~]# ipset add my-addresses 10.10.10.0
If additional options such as netmask and timeout are required, they must be specified when the set is created. For example:
~]# ipset create my-busy-addresses hash:ip maxelem 24 netmask 28 timeout 100
The maxelem option restricts the total number of elements in the set, thus conserving memory space.
The timeout option means that elements will only exist in the set for the number of seconds specified. For example:
~]# ipset add my-busy-addresses 192.168.60.0 timeout 100
The following output shows the time counting down:
[root@rhel6 ~]# ipset add my-busy-addresses 192.168.60.0 timeout 100
[root@rhel6 ~]# ipset list my-busy-addresses
Name: my-busy-addresses
Type: hash:ip
Header: family inet hashsize 1024 maxelem 24 netmask 28 timeout 100
Size in memory: 8300
References: 0
Members:
192.168.60.0 timeout 90
[root@rhel6 ~]# ipset list my-busy-addresses
Name: my-busy-addresses
Type: hash:ip
Header: family inet hashsize 1024 maxelem 24 netmask 28 timeout 100
Size in memory: 8300
References: 0
Members:
192.168.60.0 timeout 83
The element will be removed from the set when the timeout period ends.
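To audit what a set currently holds, and how long a temporary entry has left before it expires, the listing above can be parsed by a monitoring script. The Python below is an added example, not part of this page or the ipset project: it parses the ipset list format shown in Examples 2.7 and 2.10 (several sets separated by blank lines, header options, and per-entry values such as timeout) and flags entries that are about to lapse; the sample listing is constructed for the example, with a second member invented so the filter has something to find.

```python
# Constructed sample laid out like the 'ipset list my-busy-addresses' output in Example 2.10.
SAMPLE_LISTING = """\
Name: my-busy-addresses
Type: hash:ip
Header: family inet hashsize 1024 maxelem 24 netmask 28 timeout 100
Size in memory: 8300
References: 0
Members:
192.168.60.0 timeout 90
192.168.60.16 timeout 5
"""

FLAG_OPTIONS = {"counters", "comment"}  # header words that carry no value of their own


def _typed(value):
    return int(value) if value.isdigit() else value


def parse_header(text):
    """Turn 'family inet hashsize 1024 ...' into a dict; flag-only words map to True."""
    tokens, header, i = text.split(), {}, 0
    while i < len(tokens):
        if tokens[i] in FLAG_OPTIONS:
            header[tokens[i]] = True
            i += 1
        else:
            header[tokens[i]] = _typed(tokens[i + 1])
            i += 2
    return header


def parse_ipset_list(output):
    """Parse 'ipset list' output: one set, or several separated by blank lines."""
    sets, current, in_members = [], None, False
    for line in output.splitlines():
        if not line.strip():                       # a blank line ends one set's listing
            current, in_members = None, False
        elif line.startswith("Members:"):
            in_members = True
        elif in_members:                           # 'entry [timeout N] [packets N bytes N] ...'
            parts = line.split()
            current["members"].append(dict(zip(parts[1::2], map(_typed, parts[2::2])), entry=parts[0]))
        else:                                      # 'Key: value' lines; 'Name:' opens a new set
            key, _, value = line.partition(": ")
            if key == "Name":
                current = {"members": []}
                sets.append(current)
            current[key] = parse_header(value) if key == "Header" else _typed(value)
    return sets


def expiring_within(listing, seconds):
    """Entries whose remaining timeout is at most `seconds`, i.e. temporary entries about to lapse."""
    return [m["entry"] for m in listing["members"] if isinstance(m.get("timeout"), int) and m["timeout"] <= seconds]
```

Member comments that contain spaces are not handled by the simple word pairing used here.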
See the ipset(8) manual page for more examples.