What are firewalld ipset options and entries and what do they achieve?

Reading this I feel confused. It does not explain what options do or what entries achieve.

It says that most attributes are mandatory for options but only lists 2 attributes. Are there more?

For entries, what are they? What goes in them? And what do options and entries achieve? Why is the value provided as 1.2.3.4 etc?

It lets you group a bunch of IPs/ports/MAC addresses together into a single set.

For example, let's say you wanted to blacklist a big group of IPs or MAC addresses. You can create an IPSET that contains them called “blacklist” and then just refer to “blacklist” in your firewall rule.

Things like IP addresses, MAC addresses, ports, etc. The full list of what you can place there can be found by running firewall-cmd --get-ipset-types.

That is an example IP address.


So it sounds like there is some validation between IP set type selected and the entry contents? Like, if I choose hash:ip, then I can only put an IP address into an entry?

Yes, it needs to know what the values in the entries field represent.

I am still confused.
I hoped to glean more information about IP sets from this manual but it does not say anything about entry format. So it is not clear how any kind of entry can be added or what will end up being written to the IP set XML file.

It says: --add-entry=entry but what can an entry be?

So, we covered some IP set types. It is somewhat clear what hash:ip or hash:mac do or how to enter them as part of commands. But what do other types do and what is their format?

hash:ip,mark
hash:ip,port,net
hash:net
hash:net,iface
hash:net,net
hash:net,port
hash:net,port,net

The format is laid out in more detail here.

Please note that there are some types listed there that are not supported by firewalld.

  • net - network
  • iface - interface
  • port - port
  • mac - mac address
  • ip - ip address
  • mark - packet mark (if you don’t know what this is, don’t worry about it. It isn’t something you are likely to use.)

For example, this is what a net,iface hash might look like:
10.10.0/24,eth0
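To tie the thread together (what a type is, why an entry must fit the type, what the options are, and what actually gets written to disk), here is an added example that is not part of the thread and not firewalld's own code. It mimics what firewall-cmd does when you run --new-ipset and --add-entry: it validates each entry against the comma-separated components of the chosen hash type, rejects entries that do not match the address family, and emits the XML that firewalld stores under /etc/firewalld/ipsets/<name>.xml. The supported type list and the option names (family, timeout, hashsize, maxelem) are firewalld's; the validators, the helper names and the sample addresses are constructed for this example, and the net component is expected in full 10.10.0.0/24 notation. It runs offline, with no firewalld installed.

```python
"""Added example: validate firewalld ipset entries against their set type and
render the ipset XML file. Not firewalld's code; helper names are invented."""
import ipaddress
import re
import xml.etree.ElementTree as ET

# Set types firewalld supports (see firewall-cmd --get-ipset-types). Each
# comma-separated component after "hash:" describes one part of an entry.
SUPPORTED_TYPES = {
    "hash:ip", "hash:ip,mark", "hash:ip,port", "hash:ip,port,ip",
    "hash:ip,port,net", "hash:mac", "hash:net", "hash:net,iface",
    "hash:net,net", "hash:net,port", "hash:net,port,net",
}
# Option names the ipset XML accepts, each stored as <option name=.. value=..>.
SUPPORTED_OPTIONS = {"family", "timeout", "hashsize", "maxelem"}

MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
IFACE_RE = re.compile(r"^[A-Za-z0-9_.-]{1,15}$")   # Linux interface names are <= 15 chars


def _port(value):
    """Accept '80', '1000-2000' or 'tcp:22'; ranges must be ascending."""
    if ":" in value:
        proto, value = value.split(":", 1)
        if proto not in ("tcp", "udp", "sctp", "dccp"):
            raise ValueError(f"unknown protocol {proto!r}")
    lo, _, hi = value.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not (0 < lo <= hi < 65536):
        raise ValueError(f"bad port or range {value!r}")
    return value


def _match(regex, what):
    """Build a checker that accepts only strings matching REGEX."""
    def check(value):
        if not regex.match(value):
            raise ValueError(f"{value!r} is not a valid {what}")
        return value
    return check


# One checker per component keyword; each returns the parsed value or raises.
CHECKERS = {
    "ip": ipaddress.ip_address,
    "net": lambda v: ipaddress.ip_network(v, strict=False),
    "port": _port,
    "mac": _match(MAC_RE, "MAC address"),
    "iface": _match(IFACE_RE, "interface name"),
    "mark": lambda v: int(v, 0),   # packet mark, e.g. 5 or 0x1f
}


def validate_entry(ipset_type, entry, family="inet"):
    """Check that ENTRY fits IPSET_TYPE and FAMILY; return it normalised."""
    if ipset_type not in SUPPORTED_TYPES:
        raise ValueError(f"unsupported ipset type {ipset_type!r}")
    components = ipset_type[len("hash:"):].split(",")
    parts = [p.strip() for p in entry.split(",")]
    if len(parts) != len(components):
        raise ValueError(f"{entry!r}: {ipset_type} needs {len(components)} comma-separated parts")
    wanted_version = 6 if family == "inet6" else 4
    for kind, value in zip(components, parts):
        parsed = CHECKERS[kind](value)          # raises ValueError on a mismatch
        if kind in ("ip", "net") and parsed.version != wanted_version:
            raise ValueError(f"{value!r} is not an {family} address")
    return ",".join(parts)


def build_ipset_xml(name, ipset_type, entries, options=None, description=None):
    """Return the XML firewalld keeps in /etc/firewalld/ipsets/NAME.xml."""
    options = dict(options or {})
    unknown = set(options) - SUPPORTED_OPTIONS
    if unknown:
        raise ValueError(f"unknown ipset option(s): {sorted(unknown)}")
    family = options.get("family", "inet")
    root = ET.Element("ipset", type=ipset_type)
    ET.SubElement(root, "short").text = name
    if description:
        ET.SubElement(root, "description").text = description
    for key, value in options.items():
        ET.SubElement(root, "option", name=key, value=str(value))
    for entry in entries:
        ET.SubElement(root, "entry").text = validate_entry(ipset_type, entry, family)
    ET.indent(root, space="  ")
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(root, encoding="unicode") + "\n"


def firewall_cmd_lines(name, ipset_type, entries, options=None):
    """The firewall-cmd calls that produce the same permanent configuration."""
    opts = "".join(f" --option={k}={v}" for k, v in (options or {}).items())
    lines = [f"firewall-cmd --permanent --new-ipset={name} --type={ipset_type}{opts}"]
    lines += [f"firewall-cmd --permanent --ipset={name} --add-entry={e}" for e in entries]
    # One rule refers to the whole set instead of repeating every address.
    lines.append(f"firewall-cmd --permanent --add-rich-rule='rule source ipset=\"{name}\" drop'")
    return lines


if __name__ == "__main__":
    # Constructed sample: a drop-list of two addresses, capped at 1024 entries.
    sample = ["1.2.3.4", "198.51.100.7"]
    print(build_ipset_xml("blacklist", "hash:ip", sample, {"maxelem": 1024}))
    print("\n".join(firewall_cmd_lines("blacklist", "hash:ip", sample, {"maxelem": 1024})))
```

The validation step is the answer to the earlier question about hash:ip: a set of type hash:ip rejects 10.0.0.0/8 (that needs hash:net), a hash:net,iface entry must carry exactly two parts such as 10.10.0.0/24,eth0, and an IPv6 address is refused unless the set was created with --option=family=inet6.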