libxt_set.man revision d637ead63658d741501974c381889b3857073308
This module matches IP sets which can be defined by ipset(8).
.TP
[\fB!\fP] \fB\-\-match\-set\fP \fIsetname\fP \fIflag\fP[\fB,\fP\fIflag\fP]...
where flags are the comma-separated list of
.BR "src"
and/or
.BR "dst"
specifications and there can be no more than six of them. Hence the command
.IP
 iptables \-A FORWARD \-m set \-\-match\-set test src,dst
.IP
will match packets for which (if the set type is ipportmap) the source
address and destination port pair can be found in the specified set. If
the set type of the specified set is single dimension (for example ipmap),
then the command will match packets for which the source address can be
found in the specified set.
.TP
\fB\-\-return\-nomatch\fP
If the \fB\-\-return\-nomatch\fP option is specified and the set type
supports the \fBnomatch\fP flag, then the matching is reversed: a match
with an element flagged with \fBnomatch\fP returns \fBtrue\fP, while a
match with a plain element returns \fBfalse\fP.
.PP
The option \fB\-\-match\-set\fP can be replaced by \fB\-\-set\fP if that does
not clash with an option of other extensions.
.PP
Use of \-m set requires that ipset kernel support is provided, which, for
standard kernels, is the case since Linux 2.6.39.
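.PP
The following is an added example, not part of the original manual page or the iptables sources. It shows a set with a plain element and a \fBnomatch\fP exception, matched once normally and once with \fB\-\-return\-nomatch\fP. The set name, the address ranges and the RUN dry-run variable are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not part of the iptables distribution.
# SET is a hypothetical set name; the 10.x ranges are constructed sample data.
# Every command goes through $RUN: RUN=echo previews the sequence,
# leaving RUN unset applies it (needs root and ipset kernel support).
SET="${SET:-internal_nets}"

nomatch_demo() {
    # hash:net is a set type that supports the nomatch flag.
    $RUN ipset create "$SET" hash:net || return 1
    # Plain element: the whole 10.0.0.0/8 range.
    $RUN ipset add "$SET" 10.0.0.0/8 || return 1
    # Exception carved out of that range, flagged nomatch.
    $RUN ipset add "$SET" 10.1.0.0/16 nomatch || return 1

    # Without --return-nomatch: true for sources in 10.0.0.0/8,
    # false for sources in the 10.1.0.0/16 exception.
    $RUN iptables -A FORWARD -m set --match-set "$SET" src -j ACCEPT || return 1

    # With --return-nomatch the result is reversed:
    # true for sources hitting the nomatch element (10.1.0.0/16),
    # false for sources hitting the plain element (rest of 10.0.0.0/8).
    $RUN iptables -A FORWARD -m set --match-set "$SET" src \
        --return-nomatch -j LOG --log-prefix "nomatch-range: " || return 1
}
```

Call nomatch_demo with RUN=echo to review the five commands before applying them as root with RUN unset.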