Joszef Kadlecsik | b9a4938 | 2004-12-01 09:11:33 +0000

This module matches IP sets which can be defined by ipset(8).
.TP
.BR "--set " "setname flag[,flag...]"
where flags are
.BR "src"
and/or
.BR "dst"
and there can be no more than six of them. Hence the command
.nf
iptables -A FORWARD -m set --set test src,dst
.fi
will match packets for which (depending on the type of the set) the source
address or port number of the packet can be found in the specified set. If
there is a binding belonging to the matched set element or there is a default
binding for the given set, then the rule will match the packet only if
additionally (depending on the type of the set) the destination address or
port number of the packet can be found in the set according to the binding.
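
The matching rule described above, modelled in Python as an added example (not code from iptables or ipset) so that a ruleset reviewer can see which packets a `src,dst` rule accepts once bindings are involved. The `IPSet` class, the set names other than `test`, and the addresses are constructed; that an element binding takes precedence over a default binding, and that the walk stops when the flags run out, are assumptions of this model.

```python
from dataclasses import dataclass, field
from typing import Optional

MAX_FLAGS = 6  # "there can be no more than six of them"

@dataclass
class IPSet:
    members: set
    bindings: dict = field(default_factory=dict)  # element -> bound set name
    default_binding: Optional[str] = None         # used when the element has none

def parse_flags(spec):
    """Validate a 'flag[,flag...]' list: only src/dst, one to six entries."""
    flags = spec.split(",")
    if not 1 <= len(flags) <= MAX_FLAGS or any(f not in ("src", "dst") for f in flags):
        raise ValueError(f"bad flag list: {spec!r}")
    return flags

def set_match(sets, name, spec, packet):
    """Return True if packet ({'src': ..., 'dst': ...}) matches --set name spec."""
    flags = parse_flags(spec)
    current = sets[name]
    for i, flag in enumerate(flags):
        value = packet[flag]
        if value not in current.members:
            return False  # lookup failed at this level: no match
        # Assumption: element binding first, then the set's default binding.
        bound = current.bindings.get(value, current.default_binding)
        if bound is None or i == len(flags) - 1:
            return True   # nothing further to follow, or no flag left to test
        current = sets[bound]  # the next flag is tested against the bound set
    return True

# Constructed sample data (documentation address ranges).
SETS = {
    "test": IPSet(members={"192.0.2.10", "192.0.2.20"},
                  bindings={"192.0.2.10": "servers"}),
    "guests": IPSet(members={"203.0.113.7"}, default_binding="servers"),
    "servers": IPSet(members={"198.51.100.5"}),
}

if __name__ == "__main__":
    for src, dst in [("192.0.2.10", "198.51.100.5"), ("192.0.2.10", "198.51.100.9"),
                     ("192.0.2.20", "198.51.100.9"), ("192.0.2.99", "198.51.100.5")]:
        verdict = set_match(SETS, "test", "src,dst", {"src": src, "dst": dst})
        print(f"{src} -> {dst}: {'match' if verdict else 'no match'}")
```

In this model a source element without any binding matches regardless of the destination, so under these assumptions a `src,dst` rule restricts the destination only for elements that have a binding or belong to a set with a default binding.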