IP set home >
 Features >
 Download & Install >
 Tips & Examples >
 ipset(8) >
 iptables(8) >
 ChangeLog >

 

IP set features

Set types

IP sets support the following type of sets:

  • ipmap
    The ipmap set type uses a memory range, where each bit represents one IP address and can store up to 65535 (B-class network) entries. You can store same size network addresses in an ipset as well and an IP address will be in the set if the network address it belongs to can be found in the set.
  • macipmap
    The macipmap set type uses a memory range, where each 8 bytes represents one IP and a MAC addresses. A macipmap set type can store up to 65535 (B-class network) IP addresses with MAC.
  • portmap
    The portmap set type uses a memory range, where each bit represents one port. A portmap type of set can store up to 65535 ports.
  • iphash
    The iphash set type uses a hash to store IP addresses where clashing is resolved by double-hashing and, as a last resort, by dynamically growing the hash. Same size network addresses can be stored in an iphash as well.
  • nethash
    The nethash set type also uses a hash to store CIDR netblocks, which may be of different sizes. The same techique is used to avoid clashes as at the iphash set type.
  • iptree
    The iptree set type uses a tree to store IP addresses, optionally with timeout values.

Bindings

IP sets allows you to bind an entry in a set to another set, which forms a relationship between the set element and the set it is bound to. The sets may have a default binding, which is valid for every set element for which there is no binding defined at all.

The bindings have no special meaning at the set level. However, you can benefit from them when using the set match of iptables. The set match will follow the bindings and will return a true (matched) value only if the packet parameters match all bindings it found.

Let's see an example: 

# ipmap set storing the IP addresses of two machines
ipset -N servers ipmap --network 192.168.0.0/16
ipset -A servers 192.168.0.1
ipset -A servers 192.168.0.2
# portmap set storing the allowed ports for 192.168.0.2
ipset -N ports portmap --from 1 --to 1024
ipset -A ports 21
ipset -A ports 22
ipset -A ports 25
# Binding, which attaches ports to 192.168.0.2
ipset -B servers 192.168.0.2 -b ports

# iptables rule using the set match
...
iptables -A FORWARD -m set --set servers dst,dst -j ACCEPT
iptables -A FORWARD -j DROP
Now according to the iptables rules, sets and binding, the firewall will allow trough packets destined to any port on 192.168.0.1, while for 192.168.0.2 only the ports 21, 22 and 25 will be reachable.

set match and SET target of iptables

IP sets can be used via the set match and SET target in iptables rules. You can match the packets against sets by the set match and can add or delete entries from/to a set by the SET target. Both extensions follow bindings up to six levels. Please note, there is no need for an entry to be added to a set in order that there be a binding defined for it. In the arguments of the extensions, the tokens src and dst can be used to specify which IP address or port to use from the packet to match the given set.

All the documentation on this site is released under the GNU/GPL license terms.