SHOREWALL-IPSETS(5) | Configuration Files | SHOREWALL-IPSETS(5) |
NAME
ipsets - Specifying the name of an ipset in Shorewall configuration files

SYNOPSIS
+ipsetname
+ipsetname[flag,...]
+[ipsetname,...]
DESCRIPTION
Note: In the above syntax descriptions, the square brackets ("[]") are to be taken literally rather than as meta-characters.

In most places where a network address may be entered, an ipset may be substituted. Set names must be prefixed by the character "+", must start with a letter and may be composed of alphanumeric characters, "-" and "_". Whether the set is matched against the packet source or destination is determined by the column in which the set name appears (SOURCE or DEST). For those set types that specify a tuple, two alternative syntaxes are available:

[number] - Indicates that 'src' or 'dst' should be repeated number times. Example: myset[2].

[flag,...] where flag is src or dst. Example: myset[src,dst].

In a SOURCE or SOURCE PORT(S) column, the following pairs are equivalent:
•+myset[2] and +myset[src,src]
In a DEST or DEST PORT(S) column, the following pairs are equivalent:
•+myset[2] and +myset[dst,dst]
Beginning with Shorewall 4.4.14, multiple source or destination matches may be
specified by enclosing the set names within +[...]. The set names need not be
prefixed with '+'. When such a list of sets is specified, matching packets
must match all of the listed sets.
For information about set lists and exclusion, see shorewall-exclusion(5) [1].
Beginning with Shorewall 4.5.16, you can increment one or more nfacct objects
each time a packet matches an ipset. You do that by listing the objects
separated by commas within parentheses.
Example:
+myset[src](myobject)
In that example, when the source address of a packet matches the myset
ipset, the myobject nfacct counter will be incremented.
Beginning with Shorewall 4.6.0, an ipset name (and src/dst list, if any) can be
immediately followed by a list of match options.
Available options are:
nomatch
If the set type supports the nomatch flag, then the matching is reversed: a match with an element flagged with nomatch returns true, while a match with a plain element returns false. This option requires the 'Ipset Match nomatch' capability in your kernel and ip[6]tables.
no-update-counters
The packet and byte counters of the matching element in the set won't be updated. By default, the packet and byte counters are updated. This option and those that follow require the 'Ipset Match counters' capability in your kernel and ip[6]tables.
no-update-subcounters
The packet and byte counters of the matching element in the member set of a list type of set won't be updated. By default, the packet and byte counters are updated.
packets= value
If the packet matches an element in the set, match only if the packet counter of the element also matches the given value.
packets< value
If the packet matches an element in the set, match only if the packet counter of the element is also less than the given value.
packets> value
If the packet matches an element in the set, match only if the packet counter of the element is also greater than the given value.
packets!= value
If the packet matches an element in the set, match only if the packet counter of the element also does not match the given value.
bytes= value
If the packet matches an element in the set, match only if the byte counter of the element also matches the given value.
bytes< value
If the packet matches an element in the set, match only if the byte counter of the element is also less than the given value.
bytes> value
If the packet matches an element in the set, match only if the byte counter of the element is also greater than the given value.
bytes<> value
If the packet matches an element in the set, match only if the byte counter of the element also does not match the given value.
EXAMPLES
In the examples that follow, myset, myset1 and myset2 are ipsets and myObject is an NFacct object name.
+myset
+myset[src]
+myset[2]
+[myset1,myset2[dst]]
+myset[src](myObject)
+myset[src,nomatch,packets>100]
+myset[nomatch,no-update-counters](myObject)
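The syntax described on this page, as an added worked example that is not part of the Shorewall man page or of Shorewall's own code: a small Python parser that normalises an ipset reference into its set names, src/dst tuple, match options and nfacct objects, expands [number] according to the column, and refuses +[...] lists in the two files that disallow them. The function and variable names are this example's own assumptions.

```python
import re

# Added example (not Shorewall's own code): a parser for the ipset reference
# syntax described in shorewall-ipsets(5); "column" is SOURCE or DEST.
NAME = r"[A-Za-z][A-Za-z0-9_-]*"
ONE_SET = re.compile(r"^(%s)(?:\[([^\]]*)\])?$" % NAME)
OPTION = re.compile(r"^(nomatch|no-update-counters|no-update-subcounters"
                    r"|(?:packets|bytes)(?:=|<|>|!=|<>)\d+)$")
NO_LISTS = {"hosts", "maclist"}   # files where +[...] lists are not allowed


def parse_set(spec, column):
    """Parse 'name' or 'name[flag,...]' without the leading '+'."""
    m = ONE_SET.match(spec)
    if not m:
        raise ValueError("bad ipset reference: %r" % spec)
    name, inner = m.group(1), m.group(2)
    default = "src" if column == "SOURCE" else "dst"
    dirs, options = [], []
    if inner is not None and inner.isdigit():    # '[number]' form
        dirs = [default] * int(inner)             # src,src or dst,dst
    elif inner is not None:                       # '[flag,...]' form
        for flag in inner.split(","):
            if flag in ("src", "dst"):
                dirs.append(flag)
            elif OPTION.match(flag):              # 4.6.0 match options
                options.append(flag)
            else:
                raise ValueError("unknown flag %r in %r" % (flag, spec))
    return {"name": name, "dirs": dirs or [default], "options": options}


def parse_ipset_ref(text, column, config_file="rules"):
    """Parse '+set', '+set[...]' or '+[set,...]', plus optional '(nfacct,...)'."""
    m = re.fullmatch(r"\+(\[.*\]|[^()]+)(?:\(([^()]*)\))?", text)
    if not m:
        raise ValueError("bad ipset reference: %r" % text)
    body, nfacct = m.group(1), m.group(2)
    if body.startswith("["):                      # 4.4.14 multi-set list
        if config_file in NO_LISTS:
            raise ValueError("+[...] lists are not allowed in " + config_file)
        items = re.findall(NAME + r"(?:\[[^\]]*\])?", body[1:-1])
        if ",".join(items) != body[1:-1]:
            raise ValueError("bad set list: %r" % text)
        sets = [parse_set(s, column) for s in items]
    else:
        sets = [parse_set(body, column)]
    return {"sets": sets, "nfacct": nfacct.split(",") if nfacct else []}
```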
FILES
/etc/shorewall/accounting
/etc/shorewall/blrules
/etc/shorewall/hosts -- Note: Multiple matches enclosed in +[...] may not be used in this file.
/etc/shorewall/maclist -- Note: Multiple matches enclosed in +[...] may not be used in this file.
/etc/shorewall/masq
/etc/shorewall/rules
/etc/shorewall/secmarks
/etc/shorewall/mangle

SEE ALSO
shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5), shorewall-params(5), shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)

NOTES
1. shorewall-exclusion
10/19/2014 | Configuration Files |