{"id":4383,"date":"2022-12-20T17:49:07","date_gmt":"2022-12-20T20:49:07","guid":{"rendered":"http:\/\/lode.uno\/linux-man\/index.php\/2022\/12\/20\/shorewallipsets-man5\/"},"modified":"2022-12-20T17:49:07","modified_gmt":"2022-12-20T20:49:07","slug":"shorewallipsets-man5","status":"publish","type":"post","link":"https:\/\/lode.uno\/linux-man\/2022\/12\/20\/shorewallipsets-man5\/","title":{"rendered":"SHOREWALL−IPSETS (man5)"},"content":{"rendered":"

SHOREWALL\u2212IPSETS<\/h1>\n

NAME<\/a>
SYNOPSIS<\/a>
DESCRIPTION<\/a>
EXAMPLES<\/a>
FILES<\/a>
SEE ALSO<\/a>
NOTES<\/a> <\/p>\n

\n

NAME <\/a> <\/h2>\n

ipsets \u2212 Specifying the name if an ipset in Shorewall configuration files<\/p>\n

SYNOPSIS <\/a> <\/h2>\n\n\n\n\n
<\/td>\n\n

+<\/b>ipsetname<\/i><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n
<\/td>\n\n

+<\/b>ipsetname<\/i>[<\/b>flag<\/i>,…]<\/b><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n
<\/td>\n\n

+[ipsetname,…]<\/b><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

DESCRIPTION <\/a> <\/h2>\n

Note: In the above syntax descriptions, the square brackets (“[]”) are to be taken literally rather than as meta\u2212characters.<\/p>\n

In most places where a network address may be entered, an ipset may be substituted. Set names must be prefixed by the character “+”, must start with a letter and may be composed of alphanumeric characters, “\u2212” and “_”.<\/p>\n

Whether the set is matched against the packet source or destination is determined by which column the set name appears (SOURCE or DEST). For those set types that specify a tuple, two alternative syntaxes are available:<\/p>\n

[number<\/i>] \u2212 Indicates that ‘src’ or
‘dst’ should be repeated number<\/i> times.
Example: myset[2].
[flag<\/i>,…] where
flag<\/i> is src<\/b> or
dst<\/b>. Example: myset[src,dst].<\/p>\n

In a SOURCE or SPORT column, the following pairs are equivalent:<\/p>\n

\u2022 +myset[2] and +myset[src,src]<\/p>\n

In a DEST or DPORT column, the following pairs are equivalent:<\/p>\n

\u2022 +myset[2] and +myset[dst,dst]<\/p>\n

Beginning with Shorewall 4.4.14, multiple source or destination matches may be specified by enclosing the set names within +[…]. The set names need not be prefixed with ‘+’. When such a list of sets is specified, matching packets must match all of the listed sets.<\/p>\n

For information about set lists and exclusion, see shorewall\u2212exclusion<\/font><\/b> [1]<\/font><\/small> (5).<\/font><\/p>\n

Beginning with Shorewall 4.5.16, you can increment one or more nfacct objects each time a packet matches an ipset. You do that by listing the objects separated by commas within parentheses.<\/font><\/p>\n

Example:<\/font><\/p>\n

+myset[src](myobject)<\/font><\/p>\n

In that example, when the source address of a packet matches the myset<\/b> ipset, the myobject<\/b> nfacct counter will be incremented.<\/font><\/p>\n

Beginning with Shorewall 4.6.0, an ipset name (and src\/dst list, if any) can be immediately be followed by a list of match options.<\/font><\/p>\n

Important<\/big><\/b>
These additional match options are not available in<\/font> shorewall\u2212tcfilters(5)<\/font><\/b> [2]<\/font><\/small> .<\/font><\/p>\n

Available options are:<\/font><\/p>\n

nomatch<\/font><\/p>\n

If the set type supports the nomatch flag, then the matching is reversed: a match with an element flagged with nomatch returns true, while a match with a plain element returns false. This option requires the ‘Ipset Match nomatch’ capability in your kernel and ip[6]tables.<\/font><\/p>\n

no\u2212update\u2212counters<\/font><\/p>\n

The packet and byte counters of the matching element in the set won’t be updated. By default, the packet and byte counters are updated. This option and those that follow require the ‘Ipset Match counters’ capability in your kernel and ip[6]tables.<\/font><\/p>\n

no\u2212update\u2212subcounters<\/font><\/p>\n

The packet and byte counters of the matching element in the member set of a list type of set won’t be updated. Default the packet and byte counters are updated.<\/font><\/p>\n

packets=value<\/i><\/font><\/p>\n

If the packet is matched an element in the set, match only if the packet counter of the element matches the given value<\/i> also.<\/font><\/p>\n

packets<value<\/i><\/font><\/p>\n

If the packet is matched an element in the set, match only if the packet counter of the element is less than the given value<\/i> as well.<\/font><\/p>\n

packets>value<\/i><\/font><\/p>\n

If the packet is matched an element in the set, match only if the packet counter of the element is greater than the given value<\/i> as well.<\/font><\/p>\n

packets!=value<\/i><\/font><\/p>\n

If the packet is matched an element in the set, match only if the packet counter of the element does not match the given value<\/i> also.<\/font><\/p>\n

bytes=value<\/i><\/font><\/p>\n

If the packet is matched an element in the set, match only if the byte counter of the element matches the given value<\/i> also.<\/font><\/p>\n

bytes<value<\/i><\/font><\/p>\n

If the packet is matched an element in the set, match only if the byte counter of the element is less than the given value<\/i> as well.<\/font><\/p>\n

bytes>value<\/i><\/font><\/p>\n

If the packet is matched an element in the set, match only if the byte counter of the element is greater than the given value<\/i> as well.<\/font><\/p>\n

bytes<>value<\/i><\/font><\/p>\n

If the packet is matched an element in the set, match only if the byte counter of the element does not match the given value<\/i> also.<\/font><\/p>\n

EXAMPLES <\/a> <\/h2>\n

In the examples that follow, myset, myset1 and myset2 are ipsets and myObject is an NFacct object name.<\/font><\/p>\n

+myset<\/font><\/p>\n

+myset[src]<\/font><\/p>\n

+myset[2]<\/font><\/p>\n

+[myset1,myset2[dst]]<\/font><\/p>\n

+myset[src](myObject)<\/font><\/p>\n

+myset[src,nomatch,packets>100]<\/font><\/p>\n

+myset[nomatch,no\u2212update\u2212counters](myObject)<\/font><\/p>\n

FILES <\/a> <\/h2>\n

\/etc\/shorewall\/accounting<\/font><\/p>\n

\/etc\/shorewall6\/accounting<\/font><\/p>\n

\/etc\/shorewall\/blrules<\/font><\/p>\n

\/etc\/shorewall6\/blrules<\/font><\/p>\n

\/etc\/shorewall\/hosts \u2212\u2212 Note:<\/b> Multiple matches enclosed in +[…] may not be used in this file.<\/font><\/p>\n

\/etc\/shorewall6\/hosts \u2212\u2212 Note:<\/b> Multiple matches enclosed in +[…] may not be used in this file.<\/font><\/p>\n

\/etc\/shorewall\/maclist \u2212\u2212 Note:<\/b> Multiple matches enclosed in +[…] may not be used in this file.<\/font><\/p>\n

\/etc\/shorewall6\/maclist \u2212\u2212 Note:<\/b> Multiple matches enclosed in +[…] may not be used in this file.<\/font><\/p>\n

\/etc\/shorewall\/rules<\/font><\/p>\n

\/etc\/shorewall6\/rules<\/font><\/p>\n

\/etc\/shorewall\/secmarks<\/font><\/p>\n

\/etc\/shorewall6\/secmarks<\/font><\/p>\n

\/etc\/shorewall\/mangle<\/font><\/p>\n

\/etc\/shorewall6\/mangle<\/font><\/p>\n

\/etc\/shorewall\/snat<\/font><\/p>\n

\/etc\/shorewall6\/snat<\/font><\/p>\n

SEE ALSO <\/a> <\/h2>\n

shorewall(8)<\/font><\/p>\n

NOTES <\/a> <\/h2>\n\n\n
<\/td>\n\n

1.<\/font><\/p>\n<\/td>\n

<\/td>\n\n

shorewall-exclusion<\/font><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

https:\/\/shorewall.org\/manpages\/shorewall-exclusion.html<\/font><\/p>\n\n\n
<\/td>\n\n

2.<\/font><\/p>\n<\/td>\n

<\/td>\n\n

shorewall-tcfilters(5)<\/font><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

https:\/\/shorewall.org\/manpages\/shorewall-tcfilters.html<\/font><\/p>\n

\n","protected":false},"excerpt":{"rendered":"

ipsets \u2212 Specifying the name if an ipset in Shorewall configuration files <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[959],"tags":[961,1291,1390],"class_list":["post-4383","post","type-post","status-publish","format-standard","hentry","category-5-formatos-de-ficheros","tag-961","tag-man5","tag-shorewall-ipsets"],"gutentor_comment":0,"_links":{"self":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts\/4383","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/comments?post=4383"}],"version-history":[{"count":0,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts\/4383\/revisions"}],"wp:attachment":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/media?parent=4383"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/categories?post=4383"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/tags?post=4383"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}