Name

ipsets — Specifying the name of an ipset in Shorewall configuration files

Synopsis

+ipsetname

+ipsetname[flag,...]

+[ipsetname,...]

Description

Note: In the above syntax descriptions, the square brackets ("[]") are to be taken literally rather than as meta-characters.

In most places where a network address may be entered, an ipset may be substituted. Set names must be prefixed by the character "+", must start with a letter and may be composed of alphanumeric characters, "-" and "_".

Whether the set is matched against the packet source or destination is determined by the column in which the set name appears (SOURCE or DEST). For those set types that specify a tuple, two alternative syntaxes are available:

  • [number] - Indicates that 'src' or 'dst' should be repeated number times. Example: myset[2].

  • [flag,...] where flag is src or dst. Example: myset[src,dst].

In a SOURCE or SOURCE PORT(S) column, the following pairs are equivalent:

  • +myset[2] and +myset[src,src]

In a DEST or DEST PORT(S) column, the following pairs are equivalent:

  • +myset[2] and +myset[dst,dst]

Beginning with Shorewall 4.4.14, multiple source or destination matches may be specified by enclosing the set names within +[...]. The set names need not be prefixed with '+'. When such a list of sets is specified, matching packets must match all of the listed sets.

For information about set lists and exclusion, see shorewall-exclusion (5).

Beginning with Shorewall 4.5.16, you can increment one or more nfacct objects each time a packet matches an ipset. You do that by listing the objects separated by commas within parentheses.

Example:

+myset[src](myobject)

In that example, when the source address of a packet matches the myset ipset, the myobject nfacct counter will be incremented.

Beginning with Shorewall 4.6.0, an ipset name (and src/dst list, if any) can be immediately followed by a list of match options. Available options are:

nomatch

If the set type supports the nomatch flag, then the matching is reversed: a match with an element flagged with nomatch returns true, while a match with a plain element returns false. This option requires the 'Ipset Match nomatch' capability in your kernel and ip[6]tables.

no-update-counters

The packet and byte counters of the matching element in the set won't be updated. By default, the packet and byte counters are updated. This option and those that follow require the 'Ipset Match counters' capability in your kernel and ip[6]tables.

no-update-subcounters

The packet and byte counters of the matching element in the member set of a list type of set won't be updated. By default, the packet and byte counters are updated.

packets=value

If the packet matches an element in the set, match only if the packet counter of that element also equals the given value.

packets<value

If the packet matches an element in the set, match only if the packet counter of that element is also less than the given value.

packets>value

If the packet matches an element in the set, match only if the packet counter of that element is also greater than the given value.

packets!=value

If the packet matches an element in the set, match only if the packet counter of that element also differs from the given value.

bytes=value

If the packet matches an element in the set, match only if the byte counter of that element also equals the given value.

bytes<value

If the packet matches an element in the set, match only if the byte counter of that element is also less than the given value.

bytes>value

If the packet matches an element in the set, match only if the byte counter of that element is also greater than the given value.

bytes<>value

If the packet matches an element in the set, match only if the byte counter of that element also differs from the given value.

Examples

In the examples that follow, myset, myset1 and myset2 are ipsets and myObject is an NFacct object name.

+myset

+myset[src]

+myset[2]

+[myset1,myset2[dst]]

+myset[src](myObject)

+myset[src,nomatch,packets>100]

+myset[nomatch,no-update-counters](myObject)
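The following script is an added example and is not part of this man page or of the Shorewall code base. It parses the ipset reference syntax described above (the +name, [flag,...], [number], +[...] list and (nfacct,...) forms together with the match options), applies the column rule from the Description (a reference in a SOURCE column defaults to src, in a DEST column to dst, and [number] repeats that direction), and expands each reference into the arguments of the iptables set and nfacct matches documented in iptables-extensions(8). The function names parse_ipset_ref and to_iptables_args, and the rendering to -m set / -m nfacct arguments, are this example's own; the rendering illustrates the semantics and is not the output of Shorewall's compiler.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Direction used when the reference names none: the SOURCE column implies
# "src", the DEST column implies "dst" (shorewall-ipsets(5), Description).
COLUMN_DIRECTION = {"SOURCE": "src", "DEST": "dst"}

# Set names: a letter, then alphanumerics, "-" and "_".
SET_NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_-]*")
# Match options listed in the man page. Both "!=" and "<>" are accepted for the
# "does not match" form because the page spells the bytes variant "<>".
OPTION_RE = re.compile(
    r"nomatch|no-update-counters|no-update-subcounters|(?:packets|bytes)(?:!=|<>|=|<|>)\d+"
)


@dataclass
class SetMatch:
    name: str
    directions: List[str]                      # e.g. ["src", "src"] for +myset[2] in SOURCE
    options: List[str] = field(default_factory=list)


@dataclass
class IpsetRef:
    sets: List[SetMatch]                       # more than one entry only for the +[...] list form
    nfacct: List[str] = field(default_factory=list)


def _split_outside_brackets(text: str) -> List[str]:
    """Split on commas that are not inside [...], so +[a,b[dst]] yields ['a', 'b[dst]']."""
    parts, cur, depth = [], "", 0
    for ch in text:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
            if depth < 0:
                raise ValueError(f"unbalanced ']' in {text!r}")
        if ch == "," and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    if depth != 0:
        raise ValueError(f"unbalanced '[' in {text!r}")
    parts.append(cur)
    return parts


def _parse_set(spec: str, default_dir: str) -> SetMatch:
    """Parse 'name' or 'name[item,...]' where each item is src, dst, a count or a match option."""
    m = re.fullmatch(r"([^\[\]]+)(?:\[([^\[\]]*)\])?", spec)
    if not m or not SET_NAME_RE.fullmatch(m.group(1)):
        raise ValueError(f"bad set specification {spec!r}")
    name, inner = m.group(1), m.group(2)
    directions: List[str] = []
    options: List[str] = []
    for item in (inner.split(",") if inner else []):
        if item in ("src", "dst"):
            directions.append(item)
        elif item.isdigit():
            directions.extend([default_dir] * int(item))   # [number]: repeat the column's direction
        elif OPTION_RE.fullmatch(item):
            options.append(item)
        else:
            raise ValueError(f"unknown flag or option {item!r} in {spec!r}")
    return SetMatch(name, directions or [default_dir], options)


def parse_ipset_ref(ref: str, column: str) -> IpsetRef:
    """Parse one Shorewall ipset reference as it would appear in the given column (SOURCE or DEST)."""
    default_dir = COLUMN_DIRECTION[column]
    if not ref.startswith("+"):
        raise ValueError(f"ipset reference must start with '+': {ref!r}")
    body = ref[1:]
    nfacct: List[str] = []
    m = re.fullmatch(r"(.*)\(([^()]*)\)", body)       # trailing (object,...) names nfacct objects
    if m:
        body = m.group(1)
        nfacct = [o for o in m.group(2).split(",") if o]
    if body.startswith("[") and body.endswith("]"):
        specs = _split_outside_brackets(body[1:-1])     # +[set,set,...]: the packet must match ALL sets
    else:
        specs = [body]
    return IpsetRef([_parse_set(s, default_dir) for s in specs], nfacct)


def to_iptables_args(ref: IpsetRef) -> str:
    """Render the parsed reference as iptables 'set' / 'nfacct' match arguments (this example's own mapping).
    Several -m set matches in one rule are AND-ed, which is exactly the +[...] list semantics."""
    args: List[str] = []
    for s in ref.sets:
        args += ["-m", "set", "--match-set", s.name, ",".join(s.directions)]
        for opt in s.options:
            if opt == "nomatch":
                args.append("--return-nomatch")
            elif opt == "no-update-counters":
                args += ["!", "--update-counters"]
            elif opt == "no-update-subcounters":
                args += ["!", "--update-subcounters"]
            else:
                kind, op, value = re.fullmatch(r"(packets|bytes)(!=|<>|=|<|>)(\d+)", opt).groups()
                flag = {"=": "eq", "<": "lt", ">": "gt"}.get(op)
                args += [f"--{kind}-{flag}", value] if flag else ["!", f"--{kind}-eq", value]
    for obj in ref.nfacct:
        args += ["-m", "nfacct", "--nfacct-name", obj]
    return " ".join(args)


if __name__ == "__main__":
    # The man page's own examples, each parsed as if it stood in a SOURCE column.
    for example in ("+myset", "+myset[src]", "+myset[2]", "+[myset1,myset2[dst]]",
                    "+myset[src](myObject)", "+myset[src,nomatch,packets>100]",
                    "+myset[nomatch,no-update-counters](myObject)"):
        print(f"{example:48s} -> {to_iptables_args(parse_ipset_ref(example, 'SOURCE'))}")
```

The counter options (no-update-counters and the packets/bytes comparisons) are only meaningful for sets created with ipset's counters option; the parser accepts them regardless, since whether the kernel and ip[6]tables support them is a capability check Shorewall performs at compile time, not a syntax question.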

Files

/etc/shorewall/accounting

/etc/shorewall/blrules

/etc/shorewall/hosts -- Note: Multiple matches enclosed in +[...] may not be used in this file.

/etc/shorewall/maclist -- Note: Multiple matches enclosed in +[...] may not be used in this file.

/etc/shorewall/masq

/etc/shorewall/rules

/etc/shorewall/secmarks

/etc/shorewall/mangle

See Also

shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5), shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5), shorewall-params(5), shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)
