shorewall-ipsets(5)                Configuration Files                shorewall-ipsets(5)

NAME
       ipsets - Specifying the name of an ipset in Shorewall configuration
       files

SYNOPSIS
       +ipsetname

       +ipsetname[flag,...]

       +[ipsetname,...]

DESCRIPTION
       Note: In the above syntax descriptions, the square brackets ("[]")
       are to be taken literally rather than as meta-characters.

       In most places where a network address may be entered, an ipset may
       be substituted. Set names must be prefixed by the character "+", must
       start with a letter and may be composed of alphanumeric characters,
       "-" and "_".

       Whether the set is matched against the packet source or destination
       is determined by the column in which the set name appears (SOURCE or
       DEST). For those set types that specify a tuple, two alternative
       syntaxes are available:

       [number]
              Indicates that 'src' or 'dst' should be repeated number
              times. Example: myset[2].

       [flag,...]
              where flag is src or dst. Example: myset[src,dst].

       In a SOURCE or SPORT column, the following pairs are equivalent:

              +myset[2] and +myset[src,src]

       In a DEST or DPORT column, the following pairs are equivalent:

              +myset[2] and +myset[dst,dst]

       Beginning with Shorewall 4.4.14, multiple source or destination
       matches may be specified by enclosing the set names within +[...].
       The set names need not be prefixed with '+'. When such a list of
       sets is specified, matching packets must match all of the listed
       sets (the list is a logical AND, not an OR).

       For information about set lists and exclusion, see
       shorewall-exclusion(5).
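       The expansion rules above, re-implemented as an added shell example
       (not Shorewall's own code) so that an entry can be checked before it
       goes into a configuration file: the function takes the column name
       and the entry, applies the naming rule, the [number] repetition and
       the [src,dst,...] form exactly as described, and prints the set name
       followed by the flag list, or fails on a malformed entry. The column
       names it accepts, the rejection of [0] and the error messages are
       this example's own choices.

```shell
#!/bin/sh
# Added illustration of the ipset naming/tuple rules in shorewall-ipsets(5).
# Not Shorewall code: it re-implements, in plain shell, the expansion the
# manual page describes (a bare +set takes the column's direction once,
# [N] repeats that direction N times, [src,dst,...] is used verbatim).

# Direction implied by a column name: SOURCE/SPORT -> src, DEST/DPORT -> dst.
column_dir() {
    case "$1" in
        SOURCE|SPORT) echo src ;;
        DEST|DPORT)   echo dst ;;
        *) echo "column_dir: unknown column '$1'" >&2; return 1 ;;
    esac
}

# A set name must start with a letter and contain only letters, digits,
# '-' and '_' (the rule stated in the manual page).
valid_set_name() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z][A-Za-z0-9_-]*$'
}

# expand_ipset COLUMN ENTRY
# ENTRY is one ipset reference as written in a Shorewall column, e.g.
# "+myset", "+myset[2]" or "+myset[src,dst]". Prints "setname flag[,flag...]".
expand_ipset() {
    col=$1 entry=$2
    dir=$(column_dir "$col") || return 1

    case "$entry" in
        +*) entry=${entry#+} ;;
        *)  echo "expand_ipset: '$entry' is not prefixed with '+'" >&2; return 1 ;;
    esac

    case "$entry" in
        *\[*\])                     # name[...] form
            name=${entry%%\[*}
            flags=${entry#*\[}
            flags=${flags%\]}
            ;;
        *)                          # bare name: the column's direction, once
            name=$entry
            flags=$dir
            ;;
    esac

    valid_set_name "$name" || { echo "expand_ipset: bad set name '$name'" >&2; return 1; }

    case "$flags" in
        '')
            echo "expand_ipset: empty [] in '$2'" >&2; return 1 ;;
        *[!0-9]*)
            # Explicit [src,dst,...] list: every flag must be src or dst.
            for f in $(printf '%s' "$flags" | tr ',' ' '); do
                case "$f" in
                    src|dst) ;;
                    *) echo "expand_ipset: bad flag '$f' in '$2'" >&2; return 1 ;;
                esac
            done
            ;;
        *)
            # [number]: repeat the column's direction that many times.
            n=$flags
            [ "$n" -ge 1 ] || { echo "expand_ipset: count must be >= 1" >&2; return 1; }
            flags=$dir
            while [ "$n" -gt 1 ]; do flags="$flags,$dir"; n=$((n - 1)); done
            ;;
    esac

    echo "$name $flags"
}

# Demonstration: the equivalences stated in the manual page, per column.
for col in SOURCE DEST; do
    expand_ipset "$col" '+myset'
    expand_ipset "$col" '+myset[2]'
    expand_ipset "$col" '+myset[src,dst]'
done
```

       The [number] form only makes sense for set types whose entries are
       tuples (a hash:ip,port set needs two flags, for instance); the
       function does not know the set type, so it checks syntax, not
       arity.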
       Beginning with Shorewall 4.5.16, you can increment one or more
       nfacct objects each time a packet matches an ipset. You do that by
       listing the objects, separated by commas, within parentheses.

       Example:

              +myset[src](myobject)

       In that example, when the source address of a packet matches the
       myset ipset, the myobject nfacct counter will be incremented.

       Beginning with Shorewall 4.6.0, an ipset name (and src/dst list, if
       any) can be immediately followed by a list of match options. The
       options go in the same square-bracket list, after any src/dst
       flags, as in +myset[src,nomatch].

       These additional match options are not available in
       shorewall-tcfilters(5).

       Available options are:

       nomatch
              If the set type supports the nomatch flag, then the matching
              is reversed: a match with an element flagged with nomatch
              returns true, while a match with a plain element returns
              false. This option requires the 'Ipset Match nomatch'
              capability in your kernel and ip[6]tables.

       no-update-counters
              The packet and byte counters of the matching element in the
              set won't be updated. By default, the packet and byte
              counters are updated. This option and those that follow
              require the 'Ipset Match counters' capability in your kernel
              and ip[6]tables.

       no-update-subcounters
              The packet and byte counters of the matching element in the
              member set of a list type of set won't be updated. By
              default, the packet and byte counters are updated.

       packets=value
              If the packet matches an element in the set, match only if
              the packet counter of the element is also equal to the given
              value.

       packets<value
              If the packet matches an element in the set, match only if
              the packet counter of the element is also less than the
              given value.

       packets>value
              If the packet matches an element in the set, match only if
              the packet counter of the element is also greater than the
              given value.

       packets!=value
              If the packet matches an element in the set, match only if
              the packet counter of the element is also not equal to the
              given value.

       bytes=value
              If the packet matches an element in the set, match only if
              the byte counter of the element is also equal to the given
              value.

       bytes<value
              If the packet matches an element in the set, match only if
              the byte counter of the element is also less than the given
              value.

       bytes>value
              If the packet matches an element in the set, match only if
              the byte counter of the element is also greater than the
              given value.

       bytes!=value
              If the packet matches an element in the set, match only if
              the byte counter of the element is also not equal to the
              given value.

EXAMPLES
       In the examples that follow, myset, myset1 and myset2 are ipsets
       and myObject is an NFacct object name.

              +myset

              +myset[src]

              +myset[2]

              +[myset1,myset2[dst]]

              +myset[src](myObject)

              +myset[src,nomatch,packets>100]

              +myset[nomatch,no-update-counters](myObject)

FILES
       /etc/shorewall/accounting

       /etc/shorewall/blrules

       /etc/shorewall/hosts -- Note: Multiple matches enclosed in +[...]
       may not be used in this file.

       /etc/shorewall/maclist -- Note: Multiple matches enclosed in +[...]
       may not be used in this file.

       /etc/shorewall/masq

       /etc/shorewall/rules

       /etc/shorewall/secmarks

       /etc/shorewall/mangle

SEE ALSO
       shorewall(8), shorewall-accounting(5), shorewall-actions(5),
       shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
       shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
       shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
       shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
       shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
       shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
       shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
       shorewall-zones(5)
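       A fuller worked example, added here and not part of the original
       manual page or of Shorewall itself, that ties the match options and
       the nfacct syntax above to what the sets themselves must support:
       the function writes an ipset restore file that creates sets with
       the counters and nomatch features those options rely on, and a
       /etc/shorewall/rules fragment that references the sets with the
       forms documented above. The set names, addresses, zone names, the
       nfacct object name ssh_admins and the policy choices are
       illustrative assumptions; the create/add lines use standard
       ipset(8) restore syntax.

```shell
#!/bin/sh
# Added illustration for shorewall-ipsets(5), not Shorewall's own code:
# generate an ipset restore file plus a /etc/shorewall/rules fragment that
# exercise the ipset syntax documented in the manual page. Set names,
# addresses, zone names and the nfacct object name are assumptions made for
# this example; change them to fit your site.

# write_example DIR  -> creates DIR/ipsets.restore and DIR/rules
write_example() {
    dir=$1
    mkdir -p "$dir" || return 1

    # Sets, in "ipset restore" format. 'counters' is what the packets=/bytes=
    # family of options and no-update-counters act on; the 'nomatch' flag on
    # an entry (available on hash:net style sets) makes that entry an
    # exception that the plain match skips and the 'nomatch' option selects.
    cat > "$dir/ipsets.restore" <<'EOF'
create blocklist hash:net family inet counters
add blocklist 198.51.100.0/24
add blocklist 198.51.100.10 nomatch
create admins hash:ip family inet counters
add admins 192.0.2.10
add admins 192.0.2.11
create noisy hash:ip family inet counters
EOF

    # Rules fragment. Column order is ACTION SOURCE DEST PROTO DPORT; because
    # the sets appear in the SOURCE column, a bare set name is matched as 'src'.
    cat > "$dir/rules" <<'EOF'
#ACTION      SOURCE                                           DEST   PROTO  DPORT
# Everything in the blocklist is dropped; 198.51.100.10 carries the nomatch
# flag inside the set, so the plain match skips it.
DROP         net:+blocklist[src]                              $FW
# With the nomatch option the sense is reversed: only the exception entries
# match, so they can be logged and accepted explicitly.
ACCEPT:info  net:+blocklist[src,nomatch]                      $FW    tcp    22
# A +[...] list is an AND: the source must be in admins AND in noisy.
ACCEPT       net:+[admins,noisy[src]]                         $FW    tcp    22
# Count matching packets in the nfacct object "ssh_admins" (create it first
# with "nfacct add ssh_admins") without touching the set's own counters.
ACCEPT       net:+admins[src,no-update-counters](ssh_admins)  $FW    tcp    22
# Once an element of "noisy" has matched more than 100 packets, drop and log.
DROP:info    net:+noisy[src,packets>100]                      $FW
EOF
}
```

       Load the sets with ipset restore < ipsets.restore and create the
       nfacct object before shorewall start, then run shorewall check on
       the target host: the nomatch and counter options depend on the
       'Ipset Match nomatch' and 'Ipset Match counters' capabilities named
       above, which only the target kernel and ip[6]tables can confirm.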