2.8.9.5.3. IP Set Types

bitmap:ip
Stores an IPv4 host address, a network range, or IPv4 network addresses with the prefix length in CIDR notation if the netmask option is used when the set is created. It can optionally store a timeout value, a counter value, and a comment. It can store up to 65536 entries. The command to create a bitmap:ip set has the following format:
ipset create set-name bitmap:ip range start_ipaddr-end_ipaddr | ipaddr/prefix-length [netmask prefix-length] [timeout value] [counters] [comment]

Example 2.6. Create an IP Set for a Range of Addresses Using a Prefix Length

To create an IP set for a range of addresses using a prefix length, make use of the bitmap:ip set type as follows:
~]# ipset create my-range bitmap:ip range 192.168.33.0/28
Once the set is created, entries can be added as follows:
~]# ipset add my-range 192.168.33.1
Review the members of the list:
~]# ipset list my-range
Name: my-range
Type: bitmap:ip
Header: range 192.168.33.0-192.168.33.15 
Size in memory: 84
References: 0
Members:
192.168.33.1
To add a range of addresses:
~]# ipset add my-range 192.168.33.2-192.168.33.4
Review the members of the list:
~]# ipset list my-range
Name: my-range
Type: bitmap:ip
Header: range 192.168.33.0-192.168.33.15 
Size in memory: 84
References: 0
Members:
192.168.33.1
192.168.33.2
192.168.33.3
192.168.33.4

Example 2.7. Create an IP Set for a Range of Addresses Using a Netmask

To create an IP set for a range of addresses using a netmask, make use of the bitmap:ip set type as follows:
~]# ipset create my-big-range bitmap:ip range 192.168.124.0-192.168.126.0 netmask 24
Once the set is created, entries can be added as follows:
~]# ipset add my-big-range 192.168.124.0
If you add a single address, the netmask-sized block containing that address (here a /24 network) is added instead:
~]# ipset add my-big-range 192.168.125.150
~]# ipset list my-big-range
Name: my-big-range
Type: bitmap:ip
Header: range 192.168.124.0-192.168.126.255 netmask 24 
Size in memory: 84
References: 0
Members:
192.168.124.0
192.168.125.0
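As an added illustration that is not part of the Red Hat documentation, the following Python model reproduces how a bitmap:ip set computes the Header range and stores entries with and without a netmask, using the values from Examples 2.6 and 2.7. The function names are assumptions of this example, and the model uses the ipaddress module in place of the kernel's bitmap.

```python
import ipaddress

BITMAP_MAX_ENTRIES = 65536  # a bitmap:ip set cannot hold more entries than this


def bitmap_ip_create(range_spec, netmask=32):
    """Model 'ipset create NAME bitmap:ip range RANGE [netmask N]'.

    range_spec is 'a.b.c.d-e.f.g.h' or 'a.b.c.d/prefix'. netmask=32 models
    a set created without the netmask option (one entry per host). The
    returned descriptor's 'range' is what 'ipset list' prints as the Header.
    """
    if "/" in range_spec:
        net = ipaddress.ip_network(range_spec, strict=False)
        start, end = net.network_address, net.broadcast_address
    else:
        lo, hi = range_spec.split("-")
        start, end = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
    # The set holds whole /netmask blocks, so the range is widened to the
    # first and last address of the blocks it touches (a no-op for /32).
    start = ipaddress.ip_network(f"{start}/{netmask}", strict=False).network_address
    end = ipaddress.ip_network(f"{end}/{netmask}", strict=False).broadcast_address
    step = 2 ** (32 - netmask)  # addresses covered by one entry
    if (int(end) - int(start)) // step + 1 > BITMAP_MAX_ENTRIES:
        raise ValueError("range too large for bitmap:ip")
    return {"range": f"{start}-{end}", "start": start, "end": end,
            "netmask": netmask, "step": step, "members": set()}


def bitmap_ip_add(s, entry):
    """Model 'ipset add NAME ENTRY', where ENTRY is one address or 'lo-hi'.

    Returns the sorted member list as 'ipset list' would print it.
    """
    if "-" in entry:
        lo, hi = (ipaddress.ip_address(p) for p in entry.split("-"))
    else:
        lo = hi = ipaddress.ip_address(entry)
    if lo < s["start"] or hi > s["end"]:
        raise ValueError("element is outside the set's range")
    # Each stored element is the network address of the block holding it,
    # which is why adding 192.168.125.150 under netmask 24 lists 192.168.125.0.
    cur = int(ipaddress.ip_network(f"{lo}/{s['netmask']}", strict=False).network_address)
    while cur <= int(hi):
        s["members"].add(ipaddress.ip_address(cur))
        cur += s["step"]
    return [str(m) for m in sorted(s["members"])]
```

Running the model with the inputs from Example 2.7 yields the same Header and Members lines as the ipset list output shown above.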
bitmap:ip,mac
Stores an IPv4 address and a MAC address as a pair. It can store up to 65536 entries.
ipset create my-range bitmap:ip,mac range start_ipaddr-end_ipaddr | ipaddr/prefix-length [timeout value] [counters] [comment]

Example 2.8. Create an IP Set for a Range of IPv4 MAC Address Pairs

To create an IP set for a range of IPv4 MAC address pairs, make use of the bitmap:ip,mac set type as follows:
~]# ipset create my-range bitmap:ip,mac range 192.168.1.0/24
It is not necessary to specify a MAC address when creating the set.
Once the set is created, entries can be added as follows:
~]# ipset add my-range 192.168.1.1,12:34:56:78:9A:BC
bitmap:port
Stores a range of ports. It can store up to 65536 entries.
ipset create my-port-range bitmap:port range start_port-end_port [timeout value] [counters] [comment]
The set match and SET target netfilter kernel modules interpret the stored numbers as TCP or UDP port numbers. The protocol can optionally be specified together with the port; it only needs to be specified if a service name is used and that name does not exist as a TCP service.

Example 2.9. Create an IP Set for a Range of Ports

To create an IP set for a range of ports, make use of the bitmap:port set type as follows:
~]# ipset create my-permitted-port-range bitmap:port range 1024-49151
Once the set is created, entries can be added as follows:
~]# ipset add my-permitted-port-range 5060-5061
hash:ip
Stores a host or network address in the form of a hash. By default, an address specified without a network prefix length is a host address. The all-zero IP address cannot be stored.
ipset create my-addresses hash:ip [family { inet | inet6 }] [hashsize value] [maxelem value] [netmask prefix-length] [timeout value]
The inet family is the default; if family is omitted, addresses are interpreted as IPv4 addresses. The hashsize value is the initial hash size to use and defaults to 1024. The maxelem value is the maximum number of elements that can be stored in the set; it defaults to 65536.
When matching, netfilter searches for the most specific network prefix, that is, it tries to find the smallest block of addresses that matches.

Example 2.10. Create an IP Set for IP Addresses

To create an IP set for IP addresses, make use of the hash:ip set type as follows:
~]# ipset create my-addresses hash:ip
Once the set is created, entries can be added as follows:
~]# ipset add my-addresses 10.10.10.0
If additional options such as netmask and timeout are required, they must be specified when the set is created. For example:
~]# ipset create my-busy-addresses hash:ip maxelem 24 netmask 28 timeout 100
The maxelem option restricts the total number of elements in the set, thus conserving memory space.
The timeout option means that elements exist in the set only for the number of seconds specified. For example:
~]# ipset add my-busy-addresses 192.168.60.0 timeout 100
The following output shows the time counting down:
[root@rhel6 ~]# ipset add my-busy-addresses 192.168.60.0 timeout 100
[root@rhel6 ~]# ipset list my-busy-addresses
Name: my-busy-addresses
Type: hash:ip
Header: family inet hashsize 1024 maxelem 24 netmask 28 timeout 100 
Size in memory: 8300
References: 0
Members:
192.168.60.0 timeout 90
[root@rhel6 ~]# ipset list my-busy-addresses
Name: my-busy-addresses
Type: hash:ip
Header: family inet hashsize 1024 maxelem 24 netmask 28 timeout 100 
Size in memory: 8300
References: 0
Members:
192.168.60.0 timeout 83
The element will be removed from the set when the timeout period ends.
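As an added illustration that is not part of the original documentation, the following Python model shows how maxelem, netmask, and timeout interact in a hash:ip set such as my-busy-addresses. An explicit clock argument stands in for the kernel's clock so the countdown and the expiry can be traced without waiting; the class and method names are assumptions of this example.

```python
import ipaddress


class HashIpSet:
    """Model of 'ipset create NAME hash:ip [maxelem N] [netmask P] [timeout T]'."""

    def __init__(self, maxelem=65536, netmask=32, timeout=0):
        self.maxelem, self.netmask, self.timeout = maxelem, netmask, timeout
        self.members = {}  # stored address -> expiry time (None = never expires)

    def _key(self, ip):
        # With a netmask the set stores the network address of the block, so
        # 192.168.60.7 and 192.168.60.0 are the same element under netmask 28.
        net = ipaddress.ip_network(f"{ip}/{self.netmask}", strict=False)
        return str(net.network_address)

    def _expire(self, now):
        # Elements whose timeout has run out are dropped, as the kernel does.
        self.members = {k: v for k, v in self.members.items()
                        if v is None or v > now}

    def add(self, ip, now, timeout=None):
        """'ipset add NAME IP [timeout T]'; an explicit T overrides the set default."""
        self._expire(now)
        key = self._key(ip)
        if key == "0.0.0.0":
            raise ValueError("the all-zero address cannot be stored in hash:ip")
        if key not in self.members and len(self.members) >= self.maxelem:
            raise ValueError(f"set is full: maxelem {self.maxelem} reached")
        ttl = self.timeout if timeout is None else timeout
        self.members[key] = now + ttl if ttl else None
        return key

    def test(self, ip, now):
        """'ipset test NAME IP': True while the element is present and unexpired."""
        self._expire(now)
        return self._key(ip) in self.members

    def list_members(self, now):
        """The 'Members:' lines of 'ipset list', with the remaining timeouts."""
        self._expire(now)
        lines = []
        for key in sorted(self.members, key=ipaddress.ip_address):
            exp = self.members[key]
            lines.append(key if exp is None else f"{key} timeout {exp - now}")
        return lines
```

Listing the set at successive times reproduces the countdown shown above (timeout 90, then 83), and once the clock passes the expiry the element is gone.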
See the ipset(8) manual page for more examples.