What is ipset
IPset is a framework in the Linux kernel that is managed by the ipset utility. Depending on the set type, an IP set can store IP addresses, networks, (TCP/UDP) port numbers, MAC addresses, interface names, or combinations of these, in a way that gives lightning-fast matching of entries against the set.
What can ipset do
Store many IP addresses or port numbers and match them all at once from a single iptables rule;
Dynamically update iptables rules by IP address or port without a performance penalty;
Express a complex rule set based on IP addresses and ports with a single iptables rule, benefiting from IPset's speed.
What set types does ipset have
1) bitmap:ip
The bitmap:ip set type uses a memory range, where each bit represents one IP address and can store up to 65535 (B-class network) entries. You can store same size network addresses in this kind of sets as well and an IP address will be in the set if the network address it belongs to can be found in the set.
Meaning: IP addresses are stored as a bitmap in a memory range, where each bit represents one IP address; a set of this type can hold 65535 entries.
2) bitmap:ip,mac
The bitmap:ip,mac set type uses a memory range, where each 8 bytes represents one IP and a MAC addresses. A bitmap:ip,mac set type can store up to 65535 (B-class network) IP addresses with MAC addresses.
Meaning: IP and MAC address pairs are stored as a bitmap in a memory range, where each 8 bytes represent one IP address together with its MAC address.
3) bitmap:port
The bitmap:port set type uses a memory range, where each bit represents one TCP/UDP port. A bitmap:port type of set can store up to 65535 ports.
Meaning: ports are stored as a bitmap in a memory range, where each bit represents one TCP or UDP port.
4) hash:ip
The hash:ip set type uses a hash to store IP addresses where clashing is resolved by storing the clashing elements in an array and, as a last resort, by dynamically growing the hash. Same size network addresses can be stored in an hash:ip type of set as well.
Meaning: IP addresses are stored in a hash; clashes are resolved by keeping the clashing elements in an array and, as a last resort, by growing the hash dynamically. Network addresses of the same size can also be stored in a hash:ip set.
5) hash:net
The hash:net set type also uses a hash to store CIDR netblocks, which may be of different sizes. The same technique is used to avoid clashes as at the hash:ip set type.
Meaning: CIDR netblocks, which may be of different sizes, are stored in a hash; clashes are resolved with the same technique as in the hash:ip set type.
6) hash:ip,port
The hash:ip,port is similar to hash:ip but you can store IP address and protocol-port pairs in it. TCP, SCTP, UDP, UDPLITE, ICMP and ICMPv6 are supported with port numbers/ICMP(v6) types and other protocol numbers without port information.
Meaning: like hash:ip, but the hash stores IP address and port pairs rather than bare IP addresses.
7) hash:ip,port,ip
You can store IP address, port number, and IP address triples in an hash:ip,port,ip type of set.
Meaning: the set stores triples of IP address, port, and IP address.
8) hash:ip,port,net
You can store IP address, port number and network address triples in this kind of set.
Meaning: the set stores triples of IP address, port, and network.
9) hash:net,port
The set type supports to store network address and port number pairs.
Meaning: the set stores network and port pairs.
10) hash:net,iface
In this kind of set one can store network address and interface name pairs.
Meaning: the set stores network and interface-name pairs.
11) list:set
In a list:set kind of set you can store other sets; it is like an ordered union of different sets.
Meaning: a list:set set stores other sets; it behaves like an ordered union of those sets.