| This module adds and/or deletes entries from IP sets which can be defined |
| by ipset(8). |
| .TP |
| \fB\-\-add\-set\fP \fIsetname\fP \fIflag\fP[\fB,\fP\fIflag\fP...] |
| add the address(es)/port(s) of the packet to the set |
| .TP |
| \fB\-\-del\-set\fP \fIsetname\fP \fIflag\fP[\fB,\fP\fIflag\fP...] |
| delete the address(es)/port(s) of the packet from the set |
| .TP |
| \fB\-\-map\-set\fP \fIsetname\fP \fIflag\fP[\fB,\fP\fIflag\fP...] |
| [\-\-map\-mark] [\-\-map\-prio] [\-\-map\-queue] |
| map packet properties (firewall mark, tc priority, hardware queue) |
| .IP |
| where \fIflag\fP(s) are |
| .BR "src" |
| and/or |
| .BR "dst" |
| specifications and there can be no more than six of them. |
| .TP |
| \fB\-\-timeout\fP \fIvalue\fP |
| when adding an entry, the timeout value to use instead of the default |
| one from the set definition |
| .TP |
| \fB\-\-exist\fP |
| when adding an entry that already exists, reset its timeout value |
| to the specified one or to the default from the set definition |
| .TP |
| \fB\-\-map\-set\fP \fIset\-name\fP |
| the set \fIset\-name\fP should be created with the \-\-skbinfo option |
| .TP |
| \fB\-\-map\-mark\fP |
| map firewall mark to packet by lookup of value in the set |
| .TP |
| \fB\-\-map\-prio\fP |
| map traffic control priority to packet by lookup of value in the set |
| .TP |
| \fB\-\-map\-queue\fP |
| map hardware NIC queue to packet by lookup of value in the set |
| .IP |
| The |
| \fB\-\-map\-set\fP |
| option can be used from the mangle table only. The |
| \fB\-\-map\-prio\fP |
| and |
| \fB\-\-map\-queue\fP |
| flags can be used in the OUTPUT, FORWARD and POSTROUTING chains. |
| .PP |
| Use of \-j SET requires that ipset kernel support is provided, which, for |
| standard kernels, is the case since Linux 2.6.39. |
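Added example, not part of the original manual page or of the iptables project: a timed source blocklist built with \-\-add\-set, \-\-timeout and \-\-exist, plus a check of the flag list against the six-flag limit described above. The set name trap_src, trap port 23 and the 600 second timeout are constructed values, and valid_flags and trap_rules are hypothetical helper names.

```shell
#!/bin/sh
# Added example. The script only prints the commands; nothing is executed.

# valid_flags LIST: succeed if LIST is one to six comma-separated "src"/"dst"
# flags, the limit the text above gives for --add-set/--del-set/--map-set.
valid_flags() {
    [ -n "$1" ] || return 1
    case "$1" in *,|,*|*,,*) return 1 ;; esac
    n=0
    old_ifs=$IFS; IFS=,
    for f in $1; do
        case "$f" in
            src|dst) n=$((n + 1)) ;;
            *) IFS=$old_ifs; return 1 ;;
        esac
    done
    IFS=$old_ifs
    [ "$n" -ge 1 ] && [ "$n" -le 6 ]
}

# trap_rules SET FLAGS PORT TIMEOUT: print the ipset and iptables commands.
trap_rules() {
    valid_flags "$2" || { echo "bad flag list: $2" >&2; return 1; }
    # The set must be created with timeout support for --timeout to apply.
    echo "ipset create $1 hash:ip timeout $4"
    # Drop traffic whose source address is already in the set.
    echo "iptables -A INPUT -m set --match-set $1 $2 -j DROP"
    # SET does not terminate rule traversal: it records the source of a new
    # connection to the unused trap port. --exist resets the timeout of an
    # entry that is already present instead of leaving the old one running.
    # Caveat: SYN packets can carry a spoofed source, so a sender can get
    # someone else's address listed; keep the timeout short.
    echo "iptables -A INPUT -p tcp --dport $3 --syn -j SET --add-set $1 $2 --timeout $4 --exist"
}

# Constructed sample invocation.
trap_rules trap_src src 23 600
```

Review the printed commands, then run them as root on a host with ipset support.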