| Joszef Kadlecsik | b9a4938 | 2004-12-01 09:11:33 +0000 | [diff] [blame] | 1 | This modules macthes IP sets which can be defined by ipset(8). |
| 2 | .TP |
| Jan Engelhardt | fea74bf | 2009-01-12 04:53:18 +0100 | [diff] [blame] | 3 | [\fB!\fP] \fB\-\-set\fP \fIsetname\fP \fIflag\fP[\fB,\fP\fIflag\fP]... |
| Joszef Kadlecsik | b9a4938 | 2004-12-01 09:11:33 +0000 | [diff] [blame] | 4 | where flags are |
| 5 | .BR "src" |
| 6 | and/or |
| 7 | .BR "dst" |
| 8 | and there can be no more than six of them. Hence the command |
| 9 | .nf |
| Jan Engelhardt | fea74bf | 2009-01-12 04:53:18 +0100 | [diff] [blame] | 10 | iptables \-A FORWARD \-m set \-\-set test src,dst |
| Joszef Kadlecsik | b9a4938 | 2004-12-01 09:11:33 +0000 | [diff] [blame] | 11 | .fi |
| 12 | will match packets, for which (depending on the type of the set) the source |
| 13 | address or port number of the packet can be found in the specified set. If |
| 14 | there is a binding belonging to the mached set element or there is a default |
| 15 | binding for the given set, then the rule will match the packet only if |
| 16 | additionally (depending on the type of the set) the destination address or |
| 17 | port number of the packet can be found in the set according to the binding. |