This module matches IP sets which can be defined by ipset(8).
.TP
[\fB!\fP] \fB\-\-match\-set\fP \fIsetname\fP \fIflag\fP[\fB,\fP\fIflag\fP]...
where flags are the comma-separated list of
.BR "src"
and/or
.BR "dst"
specifications and there can be no more than six of them. Hence the command
.IP
 iptables \-A FORWARD \-m set \-\-match\-set test src,dst
.IP
will match packets for which (if the set type is ipportmap) the source
address and destination port pair can be found in the specified set. If
the set type of the specified set is single dimension (for example ipmap),
then the command will match packets for which the source address can be
found in the specified set.
.TP
\fB\-\-return\-nomatch\fP
If the \fB\-\-return\-nomatch\fP option is specified and the set type
supports the \fBnomatch\fP flag, then the matching is reversed: a match
with an element flagged with \fBnomatch\fP returns \fBtrue\fP, while a
match with a plain element returns \fBfalse\fP.
.TP
\fB!\fP \fB\-\-update\-counters\fP
If the \fB\-\-update\-counters\fP flag is negated, then the packet and
byte counters of the matching element in the set won't be updated. By
default, the packet and byte counters are updated.
.TP
\fB!\fP \fB\-\-update\-subcounters\fP
If the \fB\-\-update\-subcounters\fP flag is negated, then the packet and
byte counters of the matching element in the member set of a list type of
set won't be updated. By default, the packet and byte counters are updated.
.TP
[\fB!\fP] \fB\-\-packets\-eq\fP \fIvalue\fP
If the packet matches an element in the set, match only if the
packet counter of the element matches the given value too.
.TP
\fB\-\-packets\-lt\fP \fIvalue\fP
If the packet matches an element in the set, match only if the
packet counter of the element is less than the given value as well.
.TP
\fB\-\-packets\-gt\fP \fIvalue\fP
If the packet matches an element in the set, match only if the
packet counter of the element is greater than the given value as well.
.TP
[\fB!\fP] \fB\-\-bytes\-eq\fP \fIvalue\fP
If the packet matches an element in the set, match only if the
byte counter of the element matches the given value too.
.TP
\fB\-\-bytes\-lt\fP \fIvalue\fP
If the packet matches an element in the set, match only if the
byte counter of the element is less than the given value as well.
.TP
\fB\-\-bytes\-gt\fP \fIvalue\fP
If the packet matches an element in the set, match only if the
byte counter of the element is greater than the given value as well.
.PP
The options and flags related to the packet and byte counters are ignored
when the set was defined without counter support.
.PP
The option \fB\-\-match\-set\fP can be replaced by \fB\-\-set\fP if that does
not clash with an option of other extensions.
.PP
Use of \-m set requires that ipset kernel support is provided, which, for
standard kernels, is the case since Linux 2.6.39.
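The options above in use, as an added example that is not part of the original manual page or the iptables project: a shell script that checks a flag list against the src/dst, at-most-six rule before emitting a rule, then builds a counter-enabled set with a nomatch exception and three rules that use it. The set name scanners, the addresses (documentation ranges), the threshold 1000, the log prefixes and the helper names are constructed; the hash:net type with its counters and nomatch keywords comes from ipset(8).

```shell
#!/bin/sh
# Added example; set name, addresses, threshold and helper names are constructed.
# By default commands are only printed. Run with RUN= (empty) as root to apply.
RUN=${RUN-echo}

# Check a --match-set flag list: comma-separated src/dst, one to six entries
# (the lower bound of one is an assumption; the page states only the maximum).
valid_set_flags() {
    rest=$1 count=0
    while [ -n "$rest" ]; do
        case ${rest%%,*} in src|dst) count=$((count + 1)) ;; *) return 1 ;; esac
        case $rest in
            *,*) rest=${rest#*,}; [ -n "$rest" ] || return 1 ;;  # trailing comma
            *)   rest= ;;
        esac
    done
    [ "$count" -ge 1 ] && [ "$count" -le 6 ]
}

# set_rule CHAIN SETNAME FLAGS [more iptables arguments...]
set_rule() {
    chain=$1 name=$2 flags=$3; shift 3
    valid_set_flags "$flags" || { echo "bad flag list: $flags" >&2; return 1; }
    $RUN iptables -A "$chain" -m set --match-set "$name" "$flags" "$@"
}

build_policy() {
    # Without "counters" at creation, --packets-*/--bytes-* are ignored.
    $RUN ipset create scanners hash:net counters
    $RUN ipset add scanners 198.51.100.0/24
    # Exception inside the range, flagged nomatch.
    $RUN ipset add scanners 198.51.100.64/26 nomatch
    # Matches only the nomatch-flagged exception, not the plain element.
    set_rule INPUT scanners src --return-nomatch -j LOG --log-prefix "set-exempt: "
    # Read the element's packet counter without updating it.
    set_rule INPUT scanners src --packets-gt 1000 ! --update-counters \
        -j LOG --log-prefix "set-heavy: "
    # Plain match: counters are updated by default.
    set_rule INPUT scanners src -j DROP
}

build_policy
```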