| 12345678910111213141516171819202122232425262728 |
- This module matches IP sets which can be defined by ipset(8).
- .TP
- [\fB!\fP] \fB\-\-match\-set\fP \fIsetname\fP \fIflag\fP[\fB,\fP\fIflag\fP]...
- where flags are the comma separated list of
- .BR "src"
- and/or
- .BR "dst"
- specifications and there can be no more than six of them. Hence the command
- .IP
- iptables \-A FORWARD \-m set \-\-match\-set test src,dst
- .IP
- will match packets, for which (if the set type is ipportmap) the source
- address and destination port pair can be found in the specified set. If
- the set type of the specified set is single dimension (for example ipmap),
- then the command will match packets for which the source address can be
- found in the specified set.
- .TP
- \fB\-\-return\-\-nomatch\fP
- If the \fB\-\-return\-\-nomatch\fP option is specified and the set type
- supports the \fBnomatch\fP flag, then the matching is reversed: a match
- with an element flagged with \fBnomatch\fP returns \fBtrue\fP, while a
- match with a plain element returns \fBfalse\fP.
- .PP
- The option \fB\-\-match\-set\fP can be replaced by \fB\-\-set\fP if that does
- not clash with an option of other extensions.
- .PP
- Use of -m set requires that ipset kernel support is provided, which, for
- standard kernels, is the case since Linux 2.6.39.
|
