ipset

Create and manage IP address sets for firewall rules

TLDR

Create an empty IP set

$ ipset create [set_name] hash:ip

Add an IP address to a set

$ ipset add [set_name] [192.168.1.25]

Delete an IP address from a set

$ ipset del [set_name] [192.168.1.25]

Destroy an IP set

$ ipset destroy [set_name]

Save an IP set to file

$ ipset save [set_name] > [path/to/ip_set]

List all IP sets

$ ipset list

Test if an IP is in a set

$ ipset test [set_name] [192.168.1.25]

Restore IP sets from file

$ ipset restore < [path/to/ip_set]

ipset creates and manages IP sets, a framework for storing IP addresses, networks, ports, and combinations thereof. Sets can be referenced in iptables/nftables rules for efficient matching against large lists.Different set types support different entry formats: hash:ip for individual addresses, hash:net for CIDR ranges, hash:ip,port for address-port combinations. Sets use hash tables for O(1) lookup performance.

PARAMETERS

create NAME TYPE

Create a new IP set (types: hash:ip, hash:net, hash:ip,port, etc.)

add NAME ENTRY

Add entry to a set

del NAME ENTRY

Remove entry from a set

destroy NAME

Delete a set

list [NAME]

List set contents

save [NAME]

Output sets in restorable format

restore

Restore sets from saved output

test NAME ENTRY

Test if an entry is in a set

flush [NAME]

Clear all entries from a set

-exist

Ignore errors when adding already existing entries or deleting non-existing entries

-quiet

Suppress output

CAVEATS

Requires root privileges. Sets must be created before they can be referenced in firewall rules. Set contents are not persistent across reboots without explicit save/restore.

HISTORY

ipset was developed by Jozsef Kadlecsik to provide efficient set-based matching for the Linux firewall. It became part of the standard Linux networking toolkit and is widely used for implementing blocklists and allowlists.

ipset

Create and manage IP address sets for firewall rules

TLDR

SYNOPSIS

DESCRIPTION

PARAMETERS

CAVEATS

HISTORY

SEE ALSO