.\" lh | 9ed821d | 2023-04-07 01:36:19 -0700
This module matches IP sets which can be defined by ipset(8).
.TP
[\fB!\fP] \fB\-\-set\fP \fIsetname\fP \fIflag\fP[\fB,\fP\fIflag\fP]...
where flags are
.BR "src"
and/or
.BR "dst"
and there can be no more than six of them. Hence the command
.nf
 iptables \-A FORWARD \-m set \-\-set test src,dst
.fi
will match packets for which (depending on the type of the set) the source
address or port number of the packet can be found in the specified set. If
there is a binding belonging to the matched set element or there is a default
binding for the given set, then the rule will match the packet only if
additionally (depending on the type of the set) the destination address or
port number of the packet can be found in the set according to the binding.
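
The following Python script is an added example, not part of this man page or of the iptables sources. It lints rule lines against the option syntax described above: an optional leading !, a set name, and a comma-separated list of at most six flags, each src or dst. The function name, the set name blocklist and every sample rule except the page's own command are assumptions made for illustration.

```python
import shlex

MAX_FLAGS = 6                  # the page: "there can be no more than six of them"
VALID_FLAGS = ("src", "dst")   # the only flags the page defines


def parse_set_matches(rule):
    """Return one dict per --set option found in an iptables rule line."""
    tokens = shlex.split(rule)
    found = []
    for i, tok in enumerate(tokens):
        if tok != "--set":
            continue
        entry = {"set": None, "flags": [], "problems": [],
                 "negated": i > 0 and tokens[i - 1] == "!"}
        args = tokens[i + 1:i + 3]
        # Both the set name and the flag list are mandatory; a following
        # option such as -j means one of them is missing.
        if len(args) < 2 or any(a.startswith("-") for a in args):
            entry["problems"].append("--set needs a set name and a flag list")
        else:
            entry["set"], entry["flags"] = args[0], args[1].split(",")
            bad = [f for f in entry["flags"] if f not in VALID_FLAGS]
            if bad:
                entry["problems"].append("unknown flag(s): %r" % bad)
            if len(entry["flags"]) > MAX_FLAGS:
                entry["problems"].append(
                    "%d flags, limit is %d" % (len(entry["flags"]), MAX_FLAGS))
        found.append(entry)
    return found


# Constructed sample rules; only the first is the command shown on the page.
SAMPLE_RULES = [
    "iptables -A FORWARD -m set --set test src,dst",
    "iptables -A INPUT -m set ! --set blocklist src -j DROP",
    "iptables -A FORWARD -m set --set test src,dest",
    "iptables -A FORWARD -m set --set test src,dst,src,dst,src,dst,src",
    "iptables -A FORWARD -m set --set test -j ACCEPT",
]

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        for match in parse_set_matches(rule):
            verdict = "; ".join(match["problems"]) or "ok"
            print("%s\n    -> %s" % (rule, verdict))
```
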