| Patrick McHardy | cdff308 | 2009-08-24 14:18:27 +0200 | [diff] [blame] | 1 | This module matches IP sets which can be defined by ipset(8). |
| Joszef Kadlecsik | b9a4938 | 2004-12-01 09:11:33 +0000 | [diff] [blame] | 2 | .TP |
| Jozsef Kadlecsik | 2d28001 | 2009-06-11 12:27:09 +0200 | [diff] [blame] | 3 | [\fB!\fP] \fB\-\-match\-set\fP \fIsetname\fP \fIflag\fP[\fB,\fP\fIflag\fP]... |
| 4 | where flags are the comma separated list of |
| Joszef Kadlecsik | b9a4938 | 2004-12-01 09:11:33 +0000 | [diff] [blame] | 5 | .BR "src" |
| 6 | and/or |
| 7 | .BR "dst" |
| Jozsef Kadlecsik | 2d28001 | 2009-06-11 12:27:09 +0200 | [diff] [blame] | 8 | specifications and there can be no more than six of them. Hence the command |
| 9 | .IP |
| 10 | iptables \-A FORWARD \-m set \-\-match\-set test src,dst |
| 11 | .IP |
| 12 | will match packets, for which (if the set type is ipportmap) the source |
| 13 | address and destination port pair can be found in the specified set. If |
| 14 | the set type of the specified set is single dimension (for example ipmap), |
| 15 | then the command will match packets for which the source address can be |
| 16 | found in the specified set. |
| Jozsef Kadlecsik | d637ead | 2012-09-21 20:42:15 +0200 | [diff] [blame] | 17 | .TP |
| Jozsef Kadlecsik | 34844da | 2013-05-01 00:56:35 +0200 | [diff] [blame] | 18 | \fB\-\-return\-nomatch\fP |
| 19 | If the \fB\-\-return\-nomatch\fP option is specified and the set type |
| Jozsef Kadlecsik | d637ead | 2012-09-21 20:42:15 +0200 | [diff] [blame] | 20 | supports the \fBnomatch\fP flag, then the matching is reversed: a match |
| 21 | with an element flagged with \fBnomatch\fP returns \fBtrue\fP, while a |
| 22 | match with a plain element returns \fBfalse\fP. |
| Jozsef Kadlecsik | 34844da | 2013-05-01 00:56:35 +0200 | [diff] [blame] | 23 | .TP |
| 24 | \fB!\fP \fB\-\-update\-counters\fP |
| 25 | If the \fB\-\-update\-counters\fP flag is negated, then the packet and |
| 26 | byte counters of the matching element in the set won't be updated. Default |
| 27 | the packet and byte counters are updated. |
| 28 | .TP |
| 29 | \fB!\fP \fB\-\-update\-subcounters\fP |
| 30 | If the \fB\-\-update\-subcounters\fP flag is negated, then the packet and |
| 31 | byte counters of the matching element in the member set of a list type of |
| 32 | set won't be updated. Default the packet and byte counters are updated. |
| 33 | .TP |
| 34 | [\fB!\fP] \fB\-\-packets\-eq\fP \fIvalue\fP |
| 35 | If the packet is matched an element in the set, match only if the |
| 36 | packet counter of the element matches the given value too. |
| 37 | .TP |
| 38 | \fB\-\-packets\-lt\fP \fIvalue\fP |
| 39 | If the packet is matched an element in the set, match only if the |
| 40 | packet counter of the element is less than the given value as well. |
| 41 | .TP |
| 42 | \fB\-\-packets\-gt\fP \fIvalue\fP |
| 43 | If the packet is matched an element in the set, match only if the |
| 44 | packet counter of the element is greater than the given value as well. |
| 45 | .TP |
| Mart Frauenlob | a0e224b | 2014-01-04 16:57:46 +0100 | [diff] [blame] | 46 | [\fB!\fP] \fB\-\-bytes\-eq\fP \fIvalue\fP |
| Jozsef Kadlecsik | 34844da | 2013-05-01 00:56:35 +0200 | [diff] [blame] | 47 | If the packet is matched an element in the set, match only if the |
| 48 | byte counter of the element matches the given value too. |
| 49 | .TP |
| 50 | \fB\-\-bytes\-lt\fP \fIvalue\fP |
| 51 | If the packet is matched an element in the set, match only if the |
| 52 | byte counter of the element is less than the given value as well. |
| 53 | .TP |
| 54 | \fB\-\-bytes\-gt\fP \fIvalue\fP |
| 55 | If the packet is matched an element in the set, match only if the |
| 56 | byte counter of the element is greater than the given value as well. |
| 57 | .PP |
| 58 | The packet and byte counters related options and flags are ignored |
| 59 | when the set was defined without counter support. |
| Jozsef Kadlecsik | 2d28001 | 2009-06-11 12:27:09 +0200 | [diff] [blame] | 60 | .PP |
| Jan Engelhardt | c6775d6 | 2010-07-23 21:23:05 +0200 | [diff] [blame] | 61 | The option \fB\-\-match\-set\fP can be replaced by \fB\-\-set\fP if that does |
| Jozsef Kadlecsik | 2d28001 | 2009-06-11 12:27:09 +0200 | [diff] [blame] | 62 | not clash with an option of other extensions. |
| Jan Engelhardt | cd46b14 | 2010-01-19 18:47:43 +0100 | [diff] [blame] | 63 | .PP |
| Jan Engelhardt | 085b233 | 2011-08-20 18:26:34 +0200 | [diff] [blame] | 64 | Use of -m set requires that ipset kernel support is provided, which, for |
| 65 | standard kernels, is the case since Linux 2.6.39. |