This module matches IP sets which can be defined by ipset(8).

.TP

[\fB!\fP] \fB\-\-match\-set\fP \fIsetname\fP \fIflag\fP[\fB,\fP\fIflag\fP]...

where flags are the comma separated list of

.BR "src"

and/or

.BR "dst" 

specifications and there can be no more than six of them. Hence the command

.IP

 iptables \-A FORWARD \-m set \-\-match\-set test src,dst

.IP

will match packets, for which (if the set type is ipportmap) the source

address and destination port pair can be found in the specified set. If

the set type of the specified set is single dimension (for example ipmap),

then the command will match packets for which the source address can be

found in the specified set. 

.TP

\fB\-\-return\-nomatch\fP

If the \fB\-\-return\-nomatch\fP option is specified and the set type

supports the \fBnomatch\fP flag, then the matching is reversed: a match

with an element flagged with \fBnomatch\fP returns \fBtrue\fP, while a

match with a plain element returns \fBfalse\fP.

.TP

\fB!\fP \fB\-\-update\-counters\fP

If the \fB\-\-update\-counters\fP flag is negated, then the packet and

byte counters of the matching element in the set won't be updated. Default

the packet and byte counters are updated.

.TP

\fB!\fP \fB\-\-update\-subcounters\fP

If the \fB\-\-update\-subcounters\fP flag is negated, then the packet and

byte counters of the matching element in the member set of a list type of

set won't be updated. Default the packet and byte counters are updated.

.TP

[\fB!\fP] \fB\-\-packets\-eq\fP \fIvalue\fP

If the packet is matched an element in the set, match only if the

packet counter of the element matches the given value too.

.TP

\fB\-\-packets\-lt\fP \fIvalue\fP

If the packet is matched an element in the set, match only if the

packet counter of the element is less than the given value as well.

.TP

\fB\-\-packets\-gt\fP \fIvalue\fP

If the packet is matched an element in the set, match only if the

packet counter of the element is greater than the given value as well.

.TP

[\fB!\fP] \fB\-\-bytes\-eq\fP \fIvalue\fP

If the packet is matched an element in the set, match only if the

byte counter of the element matches the given value too.

.TP

\fB\-\-bytes\-lt\fP \fIvalue\fP

If the packet is matched an element in the set, match only if the

byte counter of the element is less than the given value as well.

.TP

\fB\-\-bytes\-gt\fP \fIvalue\fP

If the packet is matched an element in the set, match only if the

byte counter of the element is greater than the given value as well.

.PP

The packet and byte counters related options and flags are ignored

when the set was defined without counter support.

.PP

The option \fB\-\-match\-set\fP can be replaced by \fB\-\-set\fP if that does 

not clash with an option of other extensions.

.PP

Use of -m set requires that ipset kernel support is provided, which, for

standard kernels, is the case since Linux 2.6.39.