libxt_set.man 2.79 KB
Newer Older
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
This module matches IP sets which can be defined by ipset(8).
.TP
[\fB!\fP] \fB\-\-match\-set\fP \fIsetname\fP \fIflag\fP[\fB,\fP\fIflag\fP]...
where flags are the comma separated list of
.BR "src"
and/or
.BR "dst" 
specifications and there can be no more than six of them. Hence the command
.IP
 iptables \-A FORWARD \-m set \-\-match\-set test src,dst
.IP
will match packets, for which (if the set type is ipportmap) the source
address and destination port pair can be found in the specified set. If
the set type of the specified set is single dimension (for example ipmap),
then the command will match packets for which the source address can be
found in the specified set. 
.TP
\fB\-\-return\-nomatch\fP
If the \fB\-\-return\-nomatch\fP option is specified and the set type
supports the \fBnomatch\fP flag, then the matching is reversed: a match
with an element flagged with \fBnomatch\fP returns \fBtrue\fP, while a
match with a plain element returns \fBfalse\fP.
.TP
\fB!\fP \fB\-\-update\-counters\fP
If the \fB\-\-update\-counters\fP flag is negated, then the packet and
byte counters of the matching element in the set won't be updated. Default
the packet and byte counters are updated.
.TP
\fB!\fP \fB\-\-update\-subcounters\fP
If the \fB\-\-update\-subcounters\fP flag is negated, then the packet and
byte counters of the matching element in the member set of a list type of
set won't be updated. Default the packet and byte counters are updated.
.TP
[\fB!\fP] \fB\-\-packets\-eq\fP \fIvalue\fP
If the packet is matched an element in the set, match only if the
packet counter of the element matches the given value too.
.TP
\fB\-\-packets\-lt\fP \fIvalue\fP
If the packet is matched an element in the set, match only if the
packet counter of the element is less than the given value as well.
.TP
\fB\-\-packets\-gt\fP \fIvalue\fP
If the packet is matched an element in the set, match only if the
packet counter of the element is greater than the given value as well.
.TP
[\fB!\fP] \fB\-bytes\-eq\fP \fIvalue\fP
If the packet is matched an element in the set, match only if the
byte counter of the element matches the given value too.
.TP
\fB\-\-bytes\-lt\fP \fIvalue\fP
If the packet is matched an element in the set, match only if the
byte counter of the element is less than the given value as well.
.TP
\fB\-\-bytes\-gt\fP \fIvalue\fP
If the packet is matched an element in the set, match only if the
byte counter of the element is greater than the given value as well.
.PP
The packet and byte counters related options and flags are ignored
when the set was defined without counter support.
.PP
The option \fB\-\-match\-set\fP can be replaced by \fB\-\-set\fP if that does 
not clash with an option of other extensions.
.PP
Use of -m set requires that ipset kernel support is provided, which, for
standard kernels, is the case since Linux 2.6.39.