This module matches IP sets which can be defined by ipset(8).
.TP
[\fB!\fP] \fB\-\-match\-set\fP \fIsetname\fP \fIflag\fP[\fB,\fP\fIflag\fP]...
where flags are the comma-separated list of
.BR "src"
and/or
.BR "dst"
specifications and there can be no more than six of them. Hence the command
.IP
iptables \-A FORWARD \-m set \-\-match\-set test src,dst
.IP
will match packets for which (if the set type is ipportmap) the source
address and destination port pair can be found in the specified set. If
the set type of the specified set is single dimension (for example ipmap),
then the command will match packets for which the source address can be
found in the specified set.
.TP
\fB\-\-return\-nomatch\fP
If the \fB\-\-return\-nomatch\fP option is specified and the set type
supports the \fBnomatch\fP flag, then the matching is reversed: a match
with an element flagged with \fBnomatch\fP returns \fBtrue\fP, while a
match with a plain element returns \fBfalse\fP.
.TP
\fB!\fP \fB\-\-update\-counters\fP
If the \fB\-\-update\-counters\fP flag is negated, then the packet and
byte counters of the matching element in the set won't be updated. By
default, the packet and byte counters are updated.
.TP
\fB!\fP \fB\-\-update\-subcounters\fP
If the \fB\-\-update\-subcounters\fP flag is negated, then the packet and
byte counters of the matching element in the member set of a list type of
set won't be updated. By default, the packet and byte counters are updated.
.TP
[\fB!\fP] \fB\-\-packets\-eq\fP \fIvalue\fP
If the packet matches an element in the set, match only if the
packet counter of the element matches the given value too.
.TP
\fB\-\-packets\-lt\fP \fIvalue\fP
If the packet matches an element in the set, match only if the
packet counter of the element is less than the given value as well.
.TP
\fB\-\-packets\-gt\fP \fIvalue\fP
If the packet matches an element in the set, match only if the
packet counter of the element is greater than the given value as well.
.TP
[\fB!\fP] \fB\-\-bytes\-eq\fP \fIvalue\fP
If the packet matches an element in the set, match only if the
byte counter of the element matches the given value too.
.TP
\fB\-\-bytes\-lt\fP \fIvalue\fP
If the packet matches an element in the set, match only if the
byte counter of the element is less than the given value as well.
.TP
\fB\-\-bytes\-gt\fP \fIvalue\fP
If the packet matches an element in the set, match only if the
byte counter of the element is greater than the given value as well.
.PP
The packet and byte counters related options and flags are ignored
when the set was defined without counter support.
.PP
The option \fB\-\-match\-set\fP can be replaced by \fB\-\-set\fP if that does
not clash with an option of other extensions.
.PP
Use of \-m set requires that ipset kernel support is provided, which, for
standard kernels, is the case since Linux 2.6.39.
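.PP
A simplified model of the \fB\-\-return\-nomatch\fP reversal described above, set beside a plain match and a \fB!\fP\-negated match. This is an added illustration, not code from iptables or from this manual page. It assumes a hash:net\-style set in which the most specific containing network decides the lookup and \fBnomatch\fP entries act as exceptions, as ipset(8) describes; the function names and set contents are constructed.

```python
import ipaddress

# Constructed sample set: (network, nomatch flag). Models a hash:net-style set
# holding 10.0.0.0/8 as a plain element and 10.1.0.0/16 flagged nomatch.
SAMPLE_SET = [("10.0.0.0/8", False), ("10.1.0.0/16", True)]


def lookup(elements, addr):
    """Return the nomatch flag of the most specific element containing addr,
    or None when no element contains it (assumed lookup order, per ipset(8))."""
    ip = ipaddress.ip_address(addr)
    hits = [(ipaddress.ip_network(net), nomatch) for net, nomatch in elements
            if ip in ipaddress.ip_network(net)]
    if not hits:
        return None
    return max(hits, key=lambda h: h[0].prefixlen)[1]


def match_set(elements, addr, return_nomatch=False, negate=False):
    """Model of: [!] --match-set <set> src [--return-nomatch], for one address."""
    nomatch = lookup(elements, addr)
    if nomatch is None:
        hit = False        # address is not covered by any element
    elif return_nomatch:
        hit = nomatch      # reversed: only nomatch-flagged elements match
    else:
        hit = not nomatch  # assumption from ipset(8): nomatch entry = not in set
    return hit != negate   # a leading "!" inverts the final result


def truth_table(elements, addrs):
    """Rows of (addr, plain, with --return-nomatch, with ! --match-set)."""
    return [(a,
             match_set(elements, a),
             match_set(elements, a, return_nomatch=True),
             match_set(elements, a, negate=True)) for a in addrs]


if __name__ == "__main__":
    for row in truth_table(SAMPLE_SET, ["10.2.3.4", "10.1.2.3", "192.0.2.1"]):
        print(row)
```

In this model an address outside every element (192.0.2.1) matches the negated rule but not the \fB\-\-return\-nomatch\fP rule, so the two are not interchangeable when writing exception rules.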