| Patrick McHardy | cdff308 | 2009-08-24 14:18:27 +0200 | [diff] [blame] | 1 | This module matches IP sets which can be defined by ipset(8). |
| Joszef Kadlecsik | b9a4938 | 2004-12-01 09:11:33 +0000 | [diff] [blame] | 2 | .TP |
| Jozsef Kadlecsik | 2d28001 | 2009-06-11 12:27:09 +0200 | [diff] [blame] | 3 | [\fB!\fP] \fB\-\-match\-set\fP \fIsetname\fP \fIflag\fP[\fB,\fP\fIflag\fP]... |
| 4 | where flags are the comma separated list of |
| Joszef Kadlecsik | b9a4938 | 2004-12-01 09:11:33 +0000 | [diff] [blame] | 5 | .BR "src" |
| 6 | and/or |
| 7 | .BR "dst" |
| Jozsef Kadlecsik | 2d28001 | 2009-06-11 12:27:09 +0200 | [diff] [blame] | 8 | specifications and there can be no more than six of them. Hence the command |
| 9 | .IP |
| 10 | iptables \-A FORWARD \-m set \-\-match\-set test src,dst |
| 11 | .IP |
| 12 | will match packets, for which (if the set type is ipportmap) the source |
| 13 | address and destination port pair can be found in the specified set. If |
| 14 | the set type of the specified set is single dimension (for example ipmap), |
| 15 | then the command will match packets for which the source address can be |
| 16 | found in the specified set. |
| 17 | .PP |
| Jan Engelhardt | c6775d6 | 2010-07-23 21:23:05 +0200 | [diff] [blame] | 18 | The option \fB\-\-match\-set\fP can be replaced by \fB\-\-set\fP if that does |
| Jozsef Kadlecsik | 2d28001 | 2009-06-11 12:27:09 +0200 | [diff] [blame] | 19 | not clash with an option of other extensions. |
| Jan Engelhardt | cd46b14 | 2010-01-19 18:47:43 +0100 | [diff] [blame] | 20 | .PP |
| 21 | Use of -m set requires that ipset kernel support is provided. As standard |
| 22 | kernels do not ship this currently, the ipset or Xtables-addons package needs |
| 23 | to be installed. |