This module matches IP sets which can be defined by ipset(8).
.TP
[\fB!\fP] \fB\-\-match\-set\fP \fIsetname\fP \fIflag\fP[\fB,\fP\fIflag\fP]...
where flags are the comma separated list of
.BR "src"
and/or
.BR "dst"
specifications and there can be no more than six of them. Hence the command
.IP
 iptables \-A FORWARD \-m set \-\-match\-set test src,dst
.IP
will match packets for which (if the set type is ipportmap) the source
address and destination port pair can be found in the specified set. If
the set type of the specified set is single dimension (for example ipmap),
then the command will match packets for which the source address can be
found in the specified set.
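As an added example (not part of the iptables source or this man page), the following POSIX shell helper checks a flag list against the rule stated above (only \fBsrc\fP and \fBdst\fP entries, at least one and no more than six) and renders the resulting iptables command, so a rule can be reviewed before it is loaded on a firewall. The function names set_match_flags_ok and set_match_rule, and the chain and set names used in the demo call, are made up for this illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from iptables/ipset): validate the
# flag list of "-m set --match-set SETNAME FLAGS" and render the rule.

# set_match_flags_ok FLAGS
# Returns 0 if FLAGS is a comma separated list of "src"/"dst" entries with
# between one and six entries (the limit stated in the man page), else 1.
set_match_flags_ok() {
    flags=$1
    count=0
    # Reject an empty list and stray commas (leading, trailing or doubled).
    case "$flags" in
        ""|,*|*,|*,,*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=,
    for f in $flags; do
        case "$f" in
            src|dst) count=$((count + 1)) ;;
            *) IFS=$old_ifs; return 1 ;;   # anything but src/dst is invalid
        esac
    done
    IFS=$old_ifs
    [ "$count" -le 6 ]
}

# set_match_rule CHAIN SETNAME FLAGS ["!"]
# Prints the iptables command on stdout; the optional fourth argument "!"
# negates the match, as in "[!] --match-set" above.  Returns 1 (and prints
# nothing on stdout) when the flag list is invalid.
set_match_rule() {
    chain=$1; setname=$2; flags=$3; negate=${4:-}
    set_match_flags_ok "$flags" || { echo "bad flag list: $flags" >&2; return 1; }
    if [ "$negate" = "!" ]; then
        printf 'iptables -A %s -m set ! --match-set %s %s\n' "$chain" "$setname" "$flags"
    else
        printf 'iptables -A %s -m set --match-set %s %s\n' "$chain" "$setname" "$flags"
    fi
}

# Standalone demo: the rule from the man page text (set name "test").
set_match_rule FORWARD test src,dst
```

The helper only builds and checks the command line; it does not run it, so it can be used from a change-review step on a host without ipset installed. Duplicate flags such as src,dst,dst are accepted on purpose, since multi-dimension set types need them.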
.TP
\fB\-\-return\-nomatch\fP
If the \fB\-\-return\-nomatch\fP option is specified and the set type
supports the \fBnomatch\fP flag, then the matching is reversed: a match
with an element flagged with \fBnomatch\fP returns \fBtrue\fP, while a
match with a plain element returns \fBfalse\fP.
.TP
\fB!\fP \fB\-\-update\-counters\fP
If the \fB\-\-update\-counters\fP flag is negated, then the packet and
byte counters of the matching element in the set won't be updated. By
default the packet and byte counters are updated.
.TP
\fB!\fP \fB\-\-update\-subcounters\fP
If the \fB\-\-update\-subcounters\fP flag is negated, then the packet and
byte counters of the matching element in the member set of a list type of
set won't be updated. By default the packet and byte counters are updated.
.TP
[\fB!\fP] \fB\-\-packets\-eq\fP \fIvalue\fP
If the packet matches an element in the set, match only if the
packet counter of the element also equals the given value.
.TP
\fB\-\-packets\-lt\fP \fIvalue\fP
If the packet matches an element in the set, match only if the
packet counter of the element is also less than the given value.
.TP
\fB\-\-packets\-gt\fP \fIvalue\fP
If the packet matches an element in the set, match only if the
packet counter of the element is also greater than the given value.
.TP
[\fB!\fP] \fB\-\-bytes\-eq\fP \fIvalue\fP
If the packet matches an element in the set, match only if the
byte counter of the element also equals the given value.
.TP
\fB\-\-bytes\-lt\fP \fIvalue\fP
If the packet matches an element in the set, match only if the
byte counter of the element is also less than the given value.
.TP
\fB\-\-bytes\-gt\fP \fIvalue\fP
If the packet matches an element in the set, match only if the
byte counter of the element is also greater than the given value.
.PP
The packet and byte counter related options and flags are ignored
when the set was defined without counter support.
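To make the \fB\-\-return\-nomatch\fP and counter conditions concrete, here is an added example (not from this man page or the ipset/iptables code) that emulates the decision \fB\-m set\fP reaches for one packet against a constructed two-dimension set of (address, port) elements, each carrying a \fBnomatch\fP flag and a packet counter. It generalises the three packet-counter options above into one operator argument (\fBeq\fP, \fBne\fP for the negated \fB\-\-packets\-eq\fP, \fBlt\fP, \fBgt\fP); the byte counter options behave the same way against the byte counter and are not repeated. SAMPLE_SET, its line format and the function set_match_decide are constructed for this illustration only.

```shell
#!/bin/sh
# Added example (hypothetical emulation, not ipset/iptables code).
# Constructed sample set: one element per line, fields are
#   address  port  nomatch(0/1)  packet-counter
SAMPLE_SET='10.0.0.5 22 0 150
10.0.0.9 443 1 3
192.0.2.7 80 0 0'

# set_match_decide SRC DPORT RETURN_NOMATCH PKT_OP PKT_VALUE
#   RETURN_NOMATCH  1 if --return-nomatch was given, 0 otherwise
#   PKT_OP          "" (no counter condition), eq, ne (! --packets-eq), lt, gt
#   PKT_VALUE       the value given to the --packets-* option ("" if none)
# Exit status 0 = the rule matches the packet, 1 = it does not.
set_match_decide() {
    src=$1 dport=$2 return_nomatch=$3 pkt_op=$4 pkt_value=$5
    while read -r addr port nomatch packets; do
        # Look the (src, dport) pair up; other elements are irrelevant.
        [ "$addr" = "$src" ] && [ "$port" = "$dport" ] || continue
        # Without --return-nomatch a nomatch element is a hole in the set
        # (no match); with it the sense is reversed and only nomatch
        # elements produce a match, exactly as the man page states.
        if [ "$return_nomatch" = 1 ]; then
            [ "$nomatch" = 1 ] || return 1
        else
            [ "$nomatch" = 0 ] || return 1
        fi
        # Counter condition: only consulted once an element was found.
        case "$pkt_op" in
            "") ;;
            eq) [ "$packets" -eq "$pkt_value" ] || return 1 ;;
            ne) [ "$packets" -ne "$pkt_value" ] || return 1 ;;
            lt) [ "$packets" -lt "$pkt_value" ] || return 1 ;;
            gt) [ "$packets" -gt "$pkt_value" ] || return 1 ;;
            *)  echo "unknown counter operator: $pkt_op" >&2; return 2 ;;
        esac
        return 0
    done <<EOF
$SAMPLE_SET
EOF
    return 1   # no element for this (src, dport) pair: never a match
}

# Standalone demo: a packet from 10.0.0.5 to port 22 against "--packets-gt 100".
if set_match_decide 10.0.0.5 22 0 gt 100; then echo "match"; else echo "no match"; fi
```

Two points the emulation makes visible: a packet whose pair is absent from the set never matches, with or without \fB\-\-return\-nomatch\fP, and the counter condition is an additional requirement on top of the element lookup rather than a substitute for it. Counter updating (\fB\-\-update\-counters\fP) is a side effect on the element and is deliberately left out of the decision logic here.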
.PP
The option \fB\-\-match\-set\fP can be replaced by \fB\-\-set\fP if that does
not clash with an option of other extensions.
.PP
Use of \fB\-m set\fP requires that ipset kernel support is provided, which, for
standard kernels, is the case since Linux 2.6.39.