ipset
Manage sets of IP addresses/networks efficiently
TLDR
Create an empty IP set which will contain IP addresses
Destroy a specific IP set
Add an IP address to a specific set
Delete a specific IP address from a set
Save an IP set
SYNOPSIS
ipset [options] command [command-specific arguments]
Common Command Patterns:
ipset create SETNAME TYPE [CREATE_OPTIONS]
ipset add SETNAME MEMBER [ADD_OPTIONS]
ipset del SETNAME MEMBER [DEL_OPTIONS]
ipset list [SETNAME]
ipset flush [SETNAME]
ipset destroy [SETNAME]
ipset save [SETNAME] > FILE
ipset restore < FILE
PARAMETERS
-V, --version
Display the version information for the ipset utility.
-h, --help
Show the general help message or detailed help for a specific command.
-q, --quiet
Suppress verbose output messages, showing only critical errors or requested data.
-t, --test
Run the command in test mode (dry run) without making actual changes to IP sets.
-r, --resolve
Resolve hostnames to IP addresses when processing commands or displaying lists.
DESCRIPTION
ipset is a utility to administer IP sets, which are kernel-level data structures storing IP addresses, network addresses, MAC addresses, port numbers, and other elements. These sets can be referenced by iptables or nftables firewall rules, allowing for efficient matching against large collections of addresses or networks without adding numerous individual rules. This significantly simplifies firewall management, reduces rule processing overhead, and improves performance, especially for dynamic blacklists or whitelists, often used in conjunction with intrusion detection systems or automated blocking tools. It's an integral part of the Netfilter project, providing a powerful and flexible way to group network objects.
CAVEATS
IP sets live only in kernel memory, so by default they are lost on reboot. To persist sets across reboots, they must be explicitly saved (e.g., using ipset save) and then restored during system startup, before any firewall rules that reference them are loaded, since iptables refuses a rule that names a set which does not yet exist. While ipset manages the sets themselves, their actual application in firewall rules requires explicit integration with firewall tools like iptables or nftables; ipset does not enforce packet filtering rules directly.
IP SET TYPES
ipset supports various types of sets, each optimized for different kinds of elements and matching behaviors:
hash:ip: Stores individual IP addresses.
hash:net: Stores network addresses (CIDR blocks).
hash:port: Stores port numbers.
hash:ip,port: Stores combinations of IP addresses and port numbers.
hash:ip,net: Stores combinations of IP and network addresses.
list:set: Stores other IP set names, allowing for hierarchical set structures.
There are also bitmap types for small, contiguous ranges (e.g., bitmap:ip, bitmap:port), offering even higher performance for specific scenarios.
INTEGRATION WITH FIREWALL RULES
The primary use of ipset is to integrate with Linux firewall rules for efficient packet matching. In iptables, sets are matched using the -m set module and --match-set option. For example, to drop traffic from a set named 'blacklist': iptables -A INPUT -m set --match-set blacklist src -j DROP. With nftables, sets are integrated more directly using the @setname syntax. This allows firewall rules to efficiently check if a packet's source or destination IP (or other attributes) belongs to a defined set, significantly reducing the complexity and processing time for large blocklists or whitelists.
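As an added example (not part of this reference and not code from the ipset project), the script below ties the SYNOPSIS command patterns, the CAVEATS note on save/restore, and the iptables rule above together. It validates a plain list of IPv4 addresses and CIDR blocks, renders them in the line format that ipset save emits and ipset restore reads, and, only when APPLY_BLOCKLIST=1 is set and it runs as root, loads the result into a staging set and swaps it in with ipset swap (a real ipset command not shown on this page) so the DROP rule never matches against an empty or half-filled set; it then ensures the page's iptables rule is present using iptables -C. The set name blacklist, the _new staging suffix, the APPLY_BLOCKLIST variable and the sample entries are constructed for this example. By default it only prints the generated restore file and touches nothing in the kernel.

```shell
#!/bin/sh
# Added example, not code from the ipset project: build an `ipset restore`
# file for a hash:net blocklist from a plain CIDR list, then (only on
# explicit request, as root) load it through a staging set and `ipset swap`.
# "blacklist", the "_new" suffix, APPLY_BLOCKLIST and the entries are
# constructed placeholders.
set -eu

# Constructed sample input: one entry per line; comments and blanks allowed.
SAMPLE_CIDRS='# constructed blocklist, RFC 5737 documentation ranges
192.0.2.0/24
198.51.100.0/24

203.0.113.7
not-an-address
10.0.0.0/33
'

# Accept only IPv4 addresses or CIDR blocks; anything else is refused rather
# than handed to the kernel. Hostnames are deliberately not resolved here.
is_ipv4_cidr() {
    case "$1" in
        ""|*[!0-9./]*|*/*/*) return 1 ;;
    esac
    addr=${1%%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32          # bare address: /32
    [ -n "$prefix" ] && [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
}

# Render the restore file: the header mirrors what `ipset save` prints for a
# hash:net set, followed by one `add` line per accepted entry (stdin).
render_restore_file() {                        # $1 = set name
    set_name=$1
    case "$set_name" in
        ""|*[!A-Za-z0-9_-]*) echo "bad set name: $set_name" >&2; return 1 ;;
    esac
    printf 'create %s hash:net family inet hashsize 1024 maxelem 65536\n' "$set_name"
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                       # strip trailing comments
        line=$(printf '%s' "$line" | tr -d '[:space:]')
        [ -n "$line" ] || continue
        if is_ipv4_cidr "$line"; then
            printf 'add %s %s\n' "$set_name" "$line"
        else
            printf 'rejected entry: %s\n' "$line" >&2
        fi
    done
    return 0
}

# Number of members a rendered restore file would add.
member_count() { grep -c '^add ' "$1"; }

# Load into a staging set, then swap so the live set changes atomically.
# `ipset swap` requires both sets to exist and share a type, so the live set
# is created from the very same header line on first use.
apply_blocklist() {                            # $1 = set name, $2 = file
    set_name=$1; file=$2; staging="${set_name}_new"
    ipset destroy "$staging" 2>/dev/null || true
    sed -e "s/^create ${set_name} /create ${staging} /" \
        -e "s/^add ${set_name} /add ${staging} /" "$file" | ipset restore
    ipset list "$set_name" >/dev/null 2>&1 \
        || grep "^create ${set_name} " "$file" | ipset restore
    ipset swap "$staging" "$set_name"
    ipset destroy "$staging"
    # Ensure the matching rule from the text exists exactly once.
    iptables -C INPUT -m set --match-set "$set_name" src -j DROP 2>/dev/null \
        || iptables -I INPUT -m set --match-set "$set_name" src -j DROP
}

# Dry run by default: render and show the file; apply only when asked, as root.
OUT=$(mktemp)
printf '%s' "$SAMPLE_CIDRS" | render_restore_file blacklist > "$OUT"
cat "$OUT"
if [ "${APPLY_BLOCKLIST:-0}" = 1 ] && [ "$(id -u)" -eq 0 ]; then
    apply_blocklist blacklist "$OUT"
fi
```

Run it as-is to see the two rejected entries on stderr and the three accepted ones in ipset restore format; the same file can be kept under /etc and fed to ipset restore at boot before the firewall rules are loaded. The staging-plus-swap sequence is what makes periodic refreshes from an external feed safe: flushing and refilling the live set would leave a window in which the DROP rule matches nothing.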
HISTORY
ipset emerged as part of the Netfilter project, which provides the Linux kernel's firewall framework. Its development was driven by the need for a more efficient way to handle large collections of IP addresses or networks in firewall rules than directly listing them in iptables chains, which could lead to performance degradation. It has evolved alongside iptables and, more recently, nftables, providing a robust solution for managing dynamic sets of network elements.