{
    "content": [
        {
            "type": "text",
            "text": "# ipset(8) (man)\n\n**Summary:** ipset — administration tool for IP sets\n\n**Synopsis:** ipset [ OPTIONS ] COMMAND [ COMMAND-OPTIONS ]\nCOMMANDS  := { create | add | del | test | destroy | list | save | restore | flush | rename |\nswap | help | version | - }\nOPTIONS := { -exist | -output { plain | save | xml } | -quiet | -resolve | -sorted | -name  |\n\n## Flags\n\n| Flag | Long | Arg | Description |\n|------|------|-----|-------------|\n| -o | — | — | Select the output format to the list command. |\n| -q | — | — | Suppress any output to stdout and stderr. ipset will still exit with error if it can‐ not continue. |\n| -r | — | — | When listing sets, enforce name lookup. The program will try to display the IP entries resolved to host names which requ |\n| -s | — | — | Sorted output. When listing or saving sets, the entries are listed sorted. |\n| -n | — | — | List just the names of the existing sets, i.e. suppress listing of set headers and members. |\n| -t | — | — | List the set names and headers, i.e. suppress listing of set members. 
|\n| -f | -file | filename | Specify a filename to print into instead of stdout (list or save commands) or read from instead of stdin (restore command). |\n\n## See Also\n\n- iptables(8)\n- ip6tables(8)\n- iptables-extensions(8)\n\n## Section Outline\n\n- **NAME**\n- **SYNOPSIS**\n- **DESCRIPTION**\n- **OPTIONS**\n  - -o -output\n  - -q -quiet\n  - -r -resolve\n  - -s -sorted\n  - -n -name\n  - -t -terse\n  - -f -file\n- **INTRODUCTION**\n- **GENERIC CREATE AND ADD OPTIONS**\n  - timeout\n  - counters, packets, bytes\n  - comment\n  - skbinfo, skbmark, skbprio, skbqueue\n  - hashsize\n  - maxelem\n  - bucketsize\n  - family { inet | inet6 }\n  - nomatch\n  - forceadd\n  - wildcard\n- **SET TYPES**\n  - bitmap:ip\n  - bitmap:ip,mac\n  - bitmap:port\n  - hash:ip\n  - hash:mac\n  - hash:ip,mac\n  - hash:net\n  - hash:net,net\n  - hash:ip,port\n  - hash:net,port\n  - hash:ip,port,ip\n  - hash:ip,port,net\n  - hash:ip,mark\n  - hash:net,port,net\n  - hash:net,iface\n  - list:set\n- **GENERAL RESTRICTIONS**\n- **COMMENTS**\n- **DIAGNOSTICS**\n- **BUGS**\n- **SEE ALSO**\n- **AUTHORS**\n- **LAST REMARK**\n  - I stand on the shoulders of giants.\n\n## Full Content\n\n### NAME\n\nipset — administration tool for IP sets\n\n### SYNOPSIS\n\nipset [ OPTIONS ] COMMAND [ COMMAND-OPTIONS ]\n\nCOMMANDS := { create | add | del | test | destroy | list | save | restore | flush | rename |\nswap | help | version | - }\n\nOPTIONS := { -exist | -output { plain | save | xml } | -quiet | -resolve | -sorted | -name |\n-terse | -file }\n\nipset create SETNAME TYPENAME [ CREATE-OPTIONS ]\n\nipset add SETNAME ADD-ENTRY [ ADD-OPTIONS ]\n\nipset del SETNAME DEL-ENTRY [ DEL-OPTIONS ]\n\nipset test SETNAME TEST-ENTRY [ TEST-OPTIONS ]\n\nipset destroy [ SETNAME ]\n\nipset list [ SETNAME ]\n\nipset save [ SETNAME ]\n\nipset restore\n\nipset flush [ SETNAME ]\n\nipset rename SETNAME-FROM SETNAME-TO\n\nipset swap SETNAME-FROM SETNAME-TO\n\nipset help [ TYPENAME ]\n\nipset version\n\nipset -\n\n### DESCRIPTION\n\nipset is used to set up, maintain and inspect so called IP sets in the Linux kernel. Depending\non the type of the set, an IP set may store IP(v4/v6) addresses, (TCP/UDP) port numbers,\nIP and MAC address pairs, IP address and port number pairs, etc. See the set type definitions\nbelow.\n\nIptables matches and targets referring to sets create references, which protect the given\nsets in the kernel. A set cannot be destroyed while there is a single reference pointing to\nit.\n\n### OPTIONS\n\nThe options that are recognized by ipset can be divided into several different groups.\n\nCOMMANDS\nThese options specify the desired action to perform. Only one of them can be specified on\nthe command line unless otherwise specified below. For all the long versions of the command\nnames, you need to use only enough letters to ensure that ipset can differentiate it from all\nother commands. 
The ipset parser follows the order here when looking for the shortest match\nin the long command names.\n\nn, create SETNAME TYPENAME [ CREATE-OPTIONS ]\nCreate a set identified with setname and specified type. The type may require type\nspecific options. If the -exist option is specified, ipset ignores the error otherwise\nraised when the same set (setname and create parameters are identical) already exists.\n\nadd SETNAME ADD-ENTRY [ ADD-OPTIONS ]\nAdd a given entry to the set. If the -exist option is specified, ipset ignores the error\nraised when the entry has already been added to the set.\n\ndel SETNAME DEL-ENTRY [ DEL-OPTIONS ]\nDelete an entry from a set. If the -exist option is specified and the entry is not in\nthe set (maybe already expired), then the command is ignored.\n\ntest SETNAME TEST-ENTRY [ TEST-OPTIONS ]\nTest whether an entry is in a set or not. Exit status number is zero if the tested entry\nis in the set and nonzero if it is missing from the set.\n\nx, destroy [ SETNAME ]\nDestroy the specified set or all the sets if none is given.\n\nIf the set has reference(s), nothing is done and no set is destroyed.\n\nlist [ SETNAME ] [ OPTIONS ]\nList the header data and the entries for the specified set, or for all sets if none is\ngiven. The -resolve option can be used to force name lookups (which may be slow). When\nthe -sorted option is given, the entries are listed/saved sorted (which may be slow).\nThe option -output can be used to control the format of the listing: plain, save or\nxml. (The default is plain.) If the option -name is specified, just the names of the\nexisting sets are listed. If the option -terse is specified, just the set names and\nheaders are listed. The output is printed to stdout; the option -file can be used to\nspecify a filename instead of stdout.\n\nsave [ SETNAME ]\nSave the given set, or all sets if none is given, to stdout in a format that restore\ncan read. 
The option -file can be used to specify a filename instead of stdout.\n\nrestore\nRestore a saved session generated by save. The saved session can be fed from stdin or\nthe option -file can be used to specify a filename instead of stdin.\n\nPlease note, existing sets and elements are not erased by restore unless specified so\nin the restore file. All commands are allowed in restore mode except list, help, version,\ninteractive mode and restore itself.\n\nflush [ SETNAME ]\nFlush all entries from the specified set or flush all sets if none is given.\n\ne, rename SETNAME-FROM SETNAME-TO\nRename a set. The set identified by SETNAME-TO must not exist.\n\nw, swap SETNAME-FROM SETNAME-TO\nSwap the content of two sets, or in other words, exchange the names of two sets. The\nreferred sets must exist and only sets of compatible type can be swapped.\n\nhelp [ TYPENAME ]\nPrint help and set type specific help if TYPENAME is specified.\n\nversion\nPrint program version.\n\n-\nIf a dash is specified as the command, then ipset enters a simple interactive mode and the\ncommands are read from the standard input. The interactive mode can be finished by\nentering the pseudo-command quit.\n\nOTHER OPTIONS\nThe following additional options can be specified. The long option names cannot be\nabbreviated.\n\n-!, -exist\nIgnore errors when exactly the same set is to be created, an already added entry is\nadded or a missing entry is deleted.\n\n#### -o -output\n\nSelect the output format for the list command.\n\n#### -q -quiet\n\nSuppress any output to stdout and stderr. ipset will still exit with error if it\ncannot continue.\n\n#### -r -resolve\n\nWhen listing sets, enforce name lookup. The program will try to display the IP entries\nresolved to host names, which requires slow DNS lookups.\n\n#### -s -sorted\n\nSorted output. When listing or saving sets, the entries are listed sorted.\n\n#### -n -name\n\nList just the names of the existing sets, i.e. 
suppress listing of set headers and\nmembers.\n\n#### -t -terse\n\nList the set names and headers, i.e. suppress listing of set members.\n\n#### -f -file\n\nSpecify a filename to print into instead of stdout (list or save commands) or read\nfrom instead of stdin (restore command).\n\n### INTRODUCTION\n\nA set type comprises the storage method by which the data is stored and the data type(s)\nwhich are stored in the set. Therefore the TYPENAME parameter of the create command follows\nthe syntax\n\nTYPENAME := method:datatype[,datatype[,datatype]]\n\nwhere the current list of methods is bitmap, hash, and list and the possible data types\nare ip, net, mac, port and iface. The dimension of a set is equal to the number of data\ntypes in its type name.\n\nWhen adding, deleting or testing entries in a set, the same comma separated data syntax must\nbe used for the entry parameter of the commands, i.e.\n\nipset add foo ipaddr,portnum,ipaddr\n\nIf host names or service names with a dash in the name are used instead of IP addresses or\nservice numbers, then the host name or service name must be enclosed in square brackets.\nExample:\n\nipset add foo [test-hostname],[ftp-data]\n\nIn the case of host names the DNS resolver is called internally by ipset but if it returns\nmultiple IP addresses, only the first one is used.\n\nThe bitmap and list types use a fixed sized storage. The hash types use a hash to store the\nelements. In order to avoid clashes in the hash, a limited amount of chaining is used and, if\nthat is exhausted, the hash size is doubled when entries are added by the ipset command. 
When entries are added by the SET target of iptables/ip6tables, then the hash size is fixed\nand the set won't be doubled, even if the new entry cannot be added to the set.\n\n### GENERIC CREATE AND ADD OPTIONS\n\n#### timeout\n\nAll set types support the optional timeout parameter when creating a set and adding entries.\nThe value of the timeout parameter for the create command means the default timeout value (in\nseconds) for new entries. If a set is created with timeout support, then the same timeout\noption can be used to specify non-default timeout values when adding entries. A zero timeout\nvalue means the entry is added permanently to the set. The timeout value of already added\nelements can be changed by re-adding the element using the -exist option. The largest possible\ntimeout value is 2147483 (in seconds). Example:\n\nipset create test hash:ip timeout 300\n\nipset add test 192.168.0.1 timeout 60\n\nipset -exist add test 192.168.0.1 timeout 600\n\nWhen listing the set, the number of entries printed in the header might be larger than the\nlisted number of entries for sets with the timeout extension: the number of entries in the\nset is updated when elements are added to/deleted from the set and periodically when the\ngarbage collector evicts the timed out entries.\n\n#### counters, packets, bytes\n\nAll set types support the optional counters option when creating a set. If the option is\nspecified then the set is created with packet and byte counters per element support. The\npacket and byte counters are initialized to zero when the elements are (re-)added to the set,\nunless the packet and byte counter values are explicitly specified by the packets and bytes\noptions. An example when an element is added to a set with non-zero counter values:\n\nipset create foo hash:ip counters\n\nipset add foo 192.168.1.1 packets 42 bytes 1024\n\n#### comment\n\nAll set types support the optional comment extension. 
Enabling this extension on an ipset\nenables you to annotate an ipset entry with an arbitrary string. This string is completely\nignored by both the kernel and ipset itself and is purely for providing a convenient means to\ndocument the reason for an entry's existence. Comments must not contain any quotation marks\nand the usual escape character (\\) has no meaning. For example, the following shell command\nis illegal:\n\nipset add foo 1.1.1.1 comment \"this comment is \\\"bad\\\"\"\n\nIn the above, your shell will of course escape the quotation marks and ipset will see the\nquote marks in the argument for the comment, which will result in a parse error. If you are\nwriting your own system, you should avoid creating comments containing a quotation mark if\nyou do not want to break \"ipset save\" and \"ipset restore\"; nonetheless, the kernel will not\nstop you from doing so. The following is perfectly acceptable:\n\nipset create foo hash:ip comment\n\nipset add foo 192.168.1.1/24 comment \"allow access to SMB share on \\\\\\\\fileserv\\\\\"\n\nThe above would appear as: \"allow access to SMB share on \\\\fileserv\\\"\n\n#### skbinfo, skbmark, skbprio, skbqueue\n\nAll set types support the optional skbinfo extension. This extension allows you to store the\nmetainfo (firewall mark, tc class and hardware queue) with every entry and map it to packets\nby usage of the SET netfilter target with the --map-set option. skbmark option format: MARK or\nMARK/MASK, where MARK and MASK are 32bit hex numbers with 0x prefix. If only mark is specified,\nmask 0xffffffff is used. skbprio option has tc class format: MAJOR:MINOR, where major\nand minor numbers are hex without 0x prefix. skbqueue option is just a decimal number.\n\nipset create foo hash:ip skbinfo\n\nipset add foo 192.168.0.1 skbmark 0x1111/0xff00ffff skbprio 1:10 skbqueue 10\n\n#### hashsize\n\nThis parameter is valid for the create command of all hash type sets. 
It defines the initial\nhash size for the set, default is 1024. The hash size must be a power of two; the kernel\nautomatically rounds up non power of two hash sizes to the first correct value. Example:\n\nipset create test hash:ip hashsize 1536\n\n#### maxelem\n\nThis parameter is valid for the create command of all hash type sets. It defines the maximal\nnumber of elements which can be stored in the set, default 65536. Example:\n\nipset create test hash:ip maxelem 2048\n\n#### bucketsize\n\nThis parameter is valid for the create command of all hash type sets. It specifies the\nmaximal number of elements which can be stored in a hash bucket. Possible values are any even\nnumber between 2-14 and the default is 14. Setting the value lower forces ipset to create\nlarger hashes which consumes more memory but gives more speed at matching in the set.\nExample:\n\nipset create test hash:ip bucketsize 2\n\n#### family { inet | inet6 }\n\nThis parameter is valid for the create command of all hash type sets except for hash:mac. It\ndefines the protocol family of the IP addresses to be stored in the set. The default is inet,\ni.e. IPv4. For the inet family one can add or delete multiple entries by specifying a range\nor a network of IPv4 addresses in the IP address part of the entry:\n\nipaddr := { ip | fromaddr-toaddr | ip/cidr }\n\nnetaddr := { fromaddr-toaddr | ip/cidr }\n\nExample:\n\nipset create test hash:ip family inet6\n\n#### nomatch\n\nThe hash set types which can store net type of data (i.e. hash:*net*) support the optional\nnomatch option when adding entries. When matching elements in the set, entries marked as\nnomatch are skipped as if those were not added to the set, which makes it possible to build up\nsets with exceptions. See the example at hash type hash:net below.\n\nWhen elements are tested by ipset, the nomatch flags are taken into account. 
If one wants to\ntest the existence of an element marked with nomatch in a set, then the flag must be\nspecified too.\n\n#### forceadd\n\nAll hash set types support the optional forceadd parameter when creating a set. When sets\ncreated with this option become full, the next addition to the set may succeed and evict a\nrandom entry from the set.\n\nipset create foo hash:ip forceadd\n\n#### wildcard\n\nThis flag is valid when adding elements to a hash:net,iface set. If the flag is set, then\nprefix matching is used when comparing with this element. For example, an element containing\nthe interface name \"eth\" will match any name with that prefix.\n\n### SET TYPES\n\n#### bitmap:ip\n\nThe bitmap:ip set type uses a memory range to store either IPv4 host (default) or IPv4\nnetwork addresses. A bitmap:ip type of set can store up to 65536 entries.\n\nCREATE-OPTIONS := range fromip-toip|ip/cidr [ netmask cidr ] [ timeout value ] [ counters ] [\ncomment ] [ skbinfo ]\n\nADD-ENTRY := { ip | fromip-toip | ip/cidr }\n\nADD-OPTIONS := [ timeout value ] [ packets value ] [ bytes value ] [ comment string ] [\nskbmark value ] [ skbprio value ] [ skbqueue value ]\n\nDEL-ENTRY := { ip | fromip-toip | ip/cidr }\n\nTEST-ENTRY := ip\n\nMandatory create options:\n\nrange fromip-toip|ip/cidr\nCreate the set from the specified inclusive address range expressed in an IPv4 address\nrange or network. The size of the range (in entries) cannot exceed the limit of\nmaximum 65536 elements.\n\nOptional create options:\n\nnetmask cidr\nWhen the optional netmask parameter is specified, network addresses will be stored in the\nset instead of IP host addresses. The cidr prefix value must be between 1-32. 
An IP\naddress will be in the set if the network address, which results from masking the\naddress with the specified netmask, can be found in the set.\n\nThe bitmap:ip type supports adding or deleting multiple entries in one command.\n\nExamples:\n\nipset create foo bitmap:ip range 192.168.0.0/16\n\nipset add foo 192.168.1/24\n\nipset test foo 192.168.1.1\n\n#### bitmap:ip,mac\n\nThe bitmap:ip,mac set type uses a memory range to store IPv4 and MAC address pairs. A\nbitmap:ip,mac type of set can store up to 65536 entries.\n\nCREATE-OPTIONS := range fromip-toip|ip/cidr [ timeout value ] [ counters ] [ comment ] [\nskbinfo ]\n\nADD-ENTRY := ip[,macaddr]\n\nADD-OPTIONS := [ timeout value ] [ packets value ] [ bytes value ] [ comment string ] [\nskbmark value ] [ skbprio value ] [ skbqueue value ]\n\nDEL-ENTRY := ip[,macaddr]\n\nTEST-ENTRY := ip[,macaddr]\n\nMandatory options to use when creating a bitmap:ip,mac type of set:\n\nrange fromip-toip|ip/cidr\nCreate the set from the specified inclusive address range expressed in an IPv4 address\nrange or network. The size of the range cannot exceed the limit of maximum 65536\nentries.\n\nThe bitmap:ip,mac type is exceptional in the sense that the MAC part can be left out when\nadding/deleting/testing entries in the set. If we add an entry without the MAC address\nspecified, then the first time the entry is matched by the kernel, it will automatically fill\nout the missing MAC address with the MAC address from the packet. The source MAC address is\nused if the entry matched due to a src parameter of the set match, and the destination MAC\naddress is used if available and the entry matched due to a dst parameter. If the entry was\nspecified with a timeout value, the timer starts off when the IP and MAC address pair is\ncomplete.\n\nThe bitmap:ip,mac type of sets require two src/dst parameters of the set match and SET target\nnetfilter kernel modules. 
For matches on destination MAC addresses, see COMMENTS below.\n\nExamples:\n\nipset create foo bitmap:ip,mac range 192.168.0.0/16\n\nipset add foo 192.168.1.1,12:34:56:78:9A:BC\n\nipset test foo 192.168.1.1\n\n#### bitmap:port\n\nThe bitmap:port set type uses a memory range to store port numbers and such a set can store\nup to 65536 ports.\n\nCREATE-OPTIONS := range fromport-toport [ timeout value ] [ counters ] [ comment ] [ skbinfo\n]\n\nADD-ENTRY := { [proto:]port | [proto:]fromport-toport }\n\nADD-OPTIONS := [ timeout value ] [ packets value ] [ bytes value ] [ comment string ] [\nskbmark value ] [ skbprio value ] [ skbqueue value ]\n\nDEL-ENTRY := { [proto:]port | [proto:]fromport-toport }\n\nTEST-ENTRY := [proto:]port\n\nMandatory options to use when creating a bitmap:port type of set:\n\nrange [proto:]fromport-toport\nCreate the set from the specified inclusive port range.\n\nThe set match and SET target netfilter kernel modules interpret the stored numbers as TCP or\nUDP port numbers.\n\nproto only needs to be specified if a service name is used and that name does not exist as a\nTCP service. 
The protocol is never stored in the set, just the port number of the service.\n\nExamples:\n\nipset create foo bitmap:port range 0-1024\n\nipset add foo 80\n\nipset test foo 80\n\nipset del foo udp:[macon-udp]-[tn-tl-w2]\n\n#### hash:ip\n\nThe hash:ip set type uses a hash to store IP host addresses (default) or network addresses.\nA zero valued IP address cannot be stored in a hash:ip type of set.\n\nCREATE-OPTIONS := [ family { inet | inet6 } ] [ hashsize value ] [ maxelem value ] [\nbucketsize value ] [ netmask cidr ] [ timeout value ] [ counters ] [ comment ] [ skbinfo ]\n\nADD-ENTRY := ipaddr\n\nADD-OPTIONS := [ timeout value ] [ packets value ] [ bytes value ] [ comment string ] [\nskbmark value ] [ skbprio value ] [ skbqueue value ]\n\nDEL-ENTRY := ipaddr\n\nTEST-ENTRY := ipaddr\n\nOptional create options:\n\nnetmask cidr\nWhen the optional netmask parameter is specified, network addresses will be stored in the\nset instead of IP host addresses. The cidr prefix value must be between 1-32 for IPv4\nand between 1-128 for IPv6. An IP address will be in the set if the network address,\nwhich results from masking the address with the netmask, can be found in the set.\n\nExamples:\n\nipset create foo hash:ip netmask 30\n\nipset add foo 192.168.1.0/24\n\nipset test foo 192.168.1.2\n\n#### hash:mac\n\nThe hash:mac set type uses a hash to store MAC addresses. Zero valued MAC addresses cannot be\nstored in a hash:mac type of set. 
For matches on destination MAC addresses, see COMMENTS below.\n\nCREATE-OPTIONS := [ hashsize value ] [ maxelem value ] [ bucketsize value ] [ timeout value ]\n[ counters ] [ comment ] [ skbinfo ]\n\nADD-ENTRY := macaddr\n\nADD-OPTIONS := [ timeout value ] [ packets value ] [ bytes value ] [ comment string ] [\nskbmark value ] [ skbprio value ] [ skbqueue value ]\n\nDEL-ENTRY := macaddr\n\nTEST-ENTRY := macaddr\n\nExamples:\n\nipset create foo hash:mac\n\nipset add foo 01:02:03:04:05:06\n\nipset test foo 01:02:03:04:05:06\n\n#### hash:ip,mac\n\nThe hash:ip,mac set type uses a hash to store IP and MAC address pairs. Zero valued MAC\naddresses cannot be stored in a hash:ip,mac type of set. For matches on destination MAC\naddresses, see COMMENTS below.\n\nCREATE-OPTIONS := [ family { inet | inet6 } ] [ hashsize value ] [ maxelem value ] [\nbucketsize value ] [ timeout value ] [ counters ] [ comment ] [ skbinfo ]\n\nADD-ENTRY := ipaddr,macaddr\n\nADD-OPTIONS := [ timeout value ] [ packets value ] [ bytes value ] [ comment string ] [\nskbmark value ] [ skbprio value ] [ skbqueue value ]\n\nDEL-ENTRY := ipaddr,macaddr\n\nTEST-ENTRY := ipaddr,macaddr\n\nExamples:\n\nipset create foo hash:ip,mac\n\nipset add foo 1.1.1.1,01:02:03:04:05:06\n\nipset test foo 1.1.1.1,01:02:03:04:05:06\n\n#### hash:net\n\nThe hash:net set type uses a hash to store different sized IP network addresses. 
A network\naddress with zero prefix size cannot be stored in this type of set.\n\nCREATE-OPTIONS := [ family { inet | inet6 } ] [ hashsize value ] [ maxelem value ] [\nbucketsize value ] [ timeout value ] [ counters ] [ comment ] [ skbinfo ]\n\nADD-ENTRY := netaddr\n\nADD-OPTIONS := [ timeout value ] [ nomatch ] [ packets value ] [ bytes value ] [ comment\nstring ] [ skbmark value ] [ skbprio value ] [ skbqueue value ]\n\nDEL-ENTRY := netaddr\n\nTEST-ENTRY := netaddr\n\nwhere netaddr := ip[/cidr]\n\nWhen adding/deleting/testing entries, if the cidr prefix parameter is not specified, then the\nhost prefix value is assumed. When adding/deleting entries, the exact element is\nadded/deleted and overlapping elements are not checked by the kernel. When testing entries,\nif a host address is tested, then the kernel tries to match the host address in the networks\nadded to the set and reports the result accordingly.\n\nFrom the set netfilter match point of view the search for a match always starts from\nthe smallest size of netblock (most specific prefix) to the largest one (least specific\nprefix) added to the set. 
When adding/deleting IP addresses to the set by the SET netfilter\ntarget, it will be added/deleted by the most specific prefix which can be found in the\nset, or by the host prefix value if the set is empty.\n\nThe lookup time grows linearly with the number of the different prefix values added to the\nset.\n\nExample:\n\nipset create foo hash:net\n\nipset add foo 192.168.0.0/24\n\nipset add foo 10.1.0.0/16\n\nipset add foo 192.168.0/24\n\nipset add foo 192.168.0/30 nomatch\n\nWhen matching the elements in the set above, all IP addresses will match from the networks\n192.168.0.0/24, 10.1.0.0/16 and 192.168.0/24 except the ones from 192.168.0/30.\n\n#### hash:net,net\n\nThe hash:net,net set type uses a hash to store pairs of different sized IP network addresses.\nBear in mind that the first parameter has precedence over the second, so a nomatch entry\ncould potentially be ineffective if a more specific first parameter existed with a suitable\nsecond parameter. A network address with zero prefix size cannot be stored in this type\nof set.\n\nCREATE-OPTIONS := [ family { inet | inet6 } ] [ hashsize value ] [ maxelem value ] [\nbucketsize value ] [ timeout value ] [ counters ] [ comment ] [ skbinfo ]\n\nADD-ENTRY := netaddr,netaddr\n\nADD-OPTIONS := [ timeout value ] [ nomatch ] [ packets value ] [ bytes value ] [ comment\nstring ] [ skbmark value ] [ skbprio value ] [ skbqueue value ]\n\nDEL-ENTRY := netaddr,netaddr\n\nTEST-ENTRY := netaddr,netaddr\n\nwhere netaddr := ip[/cidr]\n\nWhen adding/deleting/testing entries, if the cidr prefix parameter is not specified, then the\nhost prefix value is assumed. When adding/deleting entries, the exact element is\nadded/deleted and overlapping elements are not checked by the kernel. 
When testing entries,\nif a host address is tested, then the kernel tries to match the host address in the  networks\nadded to the set and reports the result accordingly.\n\nFrom  the  set  netfilter  match point of view the searching for a match always  starts  from\nthe smallest  size  of netblock (most specific prefix) to the  largest  one  (least  specific\nprefix)  with  the first param having precedence.  When  adding/deleting IP addresses  to the\nset by the SET netfilter target, it  will  be  added/deleted  by  the  most  specific  prefix\nwhich can be found in the set, or by the host prefix value if the set is empty.\n\nThe  lookup  time  grows linearly with the number of the different prefix values added to the\nfirst parameter of the set. The number of secondary prefixes further increases  this  as  the\nlist of secondary prefixes is traversed per primary prefix.\n\nExample:\n\nipset create foo hash:net,net\n\nipset add foo 192.168.0.0/24,10.0.1.0/24\n\nipset add foo 10.1.0.0/16,10.255.0.0/24\n\nipset add foo 192.168.0/24,192.168.54.0-192.168.54.255\n\nipset add foo 192.168.0/30,192.168.64/30 nomatch\n\nWhen  matching  the  elements in the set above, all IP addresses will match from the networks\n192.168.0.0/24<->10.0.1.0/24, 10.1.0.0/16<->10.255.0.0/24 and  192.168.0/24<->192.168.54.0/24\nexcept the ones from 192.168.0/30<->192.168.64/30.\n\n#### hash:ip,port\n\nThe  hash:ip,port  set  type uses a hash to store IP address and port number pairs.  
The port\nnumber is interpreted together with a protocol (default TCP) and zero protocol number cannot\nbe used.\n\nCREATE-OPTIONS := [ family { inet | inet6 } ] [ hashsize value ] [ maxelem value ] [\nbucketsize value ] [ timeout value ] [ counters ] [ comment ] [ skbinfo ]\n\nADD-ENTRY := ipaddr,[proto:]port\n\nADD-OPTIONS := [ timeout value ] [ packets value ] [ bytes value ] [ comment string ] [\nskbmark value ] [ skbprio value ] [ skbqueue value ]\n\nDEL-ENTRY := ipaddr,[proto:]port\n\nTEST-ENTRY := ipaddr,[proto:]port\n\nThe [proto:]port part of the elements may be expressed in the following forms, where the\nrange variations are valid when adding or deleting entries:\n\nportname[-portname]\nTCP port or range of ports expressed in TCP portname identifiers from /etc/services\n\nportnumber[-portnumber]\nTCP port or range of ports expressed in TCP port numbers\n\ntcp|sctp|udp|udplite:portname|portnumber[-portname|portnumber]\nTCP, SCTP, UDP or UDPLITE port or port range expressed in port name(s) or port\nnumber(s)\n\nicmp:codename|type/code\nICMP codename or type/code. The supported ICMP codename identifiers can always be\nlisted by the help command.\n\nicmpv6:codename|type/code\nICMPv6 codename or type/code. The supported ICMPv6 codename identifiers can always be\nlisted by the help command.\n\nproto:0\nAll other protocols, as an identifier from /etc/protocols or number. The pseudo port\nnumber must be zero.\n\nThe hash:ip,port type of sets require two src/dst parameters of the set match and SET target\nkernel modules.\n\nExamples:\n\nipset create foo hash:ip,port\n\nipset add foo 192.168.1.0/24,80-82\n\nipset add foo 192.168.1.1,udp:53\n\nipset add foo 192.168.1.1,vrrp:0\n\nipset test foo 192.168.1.1,80\n\n#### hash:net,port\n\nThe hash:net,port set type uses a hash to store different sized IP network address and port\npairs. 
The port number is interpreted together with a protocol (default TCP) and zero protocol\nnumber cannot be used. A network address with zero prefix size is not accepted either.\n\nCREATE-OPTIONS := [ family { inet | inet6 } ] [ hashsize value ] [ maxelem value ] [\nbucketsize value ] [ timeout value ] [ counters ] [ comment ] [ skbinfo ]\n\nADD-ENTRY := netaddr,[proto:]port\n\nADD-OPTIONS := [ timeout value ] [ nomatch ] [ packets value ] [ bytes value ] [ comment\nstring ] [ skbmark value ] [ skbprio value ] [ skbqueue value ]\n\nDEL-ENTRY := netaddr,[proto:]port\n\nTEST-ENTRY := netaddr,[proto:]port\n\nwhere netaddr := ip[/cidr]\n\nFor the netaddr part of the elements see the description at the hash:net set type. For the\n[proto:]port part of the elements see the description at the hash:ip,port set type.\n\nWhen adding/deleting/testing entries, if the cidr prefix parameter is not specified, then the\nhost prefix value is assumed. When adding/deleting entries, the exact element is\nadded/deleted and overlapping elements are not checked by the kernel. When testing entries,\nif a host address is tested, then the kernel tries to match the host address in the networks\nadded to the set and reports the result accordingly.\n\nFrom the set netfilter match point of view the search for a match always starts from\nthe smallest size of netblock (most specific prefix) to the largest one (least specific\nprefix) added to the set. 
When adding/deleting IP addresses to the set by the SET netfilter\ntarget, it will be added/deleted by the most specific prefix which can be found in the\nset, or by the host prefix value if the set is empty.\n\nThe lookup time grows linearly with the number of the different prefix values added to the\nset.\n\nExamples:\n\nipset create foo hash:net,port\n\nipset add foo 192.168.0/24,25\n\nipset add foo 10.1.0.0/16,80\n\nipset test foo 192.168.0/24,25\n\n#### hash:ip,port,ip\n\nThe hash:ip,port,ip set type uses a hash to store IP address, port number and a second IP\naddress triples. The port number is interpreted together with a protocol (default TCP) and zero\nprotocol number cannot be used.\n\nCREATE-OPTIONS := [ family { inet | inet6 } ] [ hashsize value ] [ maxelem value ] [\nbucketsize value ] [ timeout value ] [ counters ] [ comment ] [ skbinfo ]\n\nADD-ENTRY := ipaddr,[proto:]port,ip\n\nADD-OPTIONS := [ timeout value ] [ packets value ] [ bytes value ] [ comment string ] [\nskbmark value ] [ skbprio value ] [ skbqueue value ]\n\nDEL-ENTRY := ipaddr,[proto:]port,ip\n\nTEST-ENTRY := ipaddr,[proto:]port,ip\n\nFor the first ipaddr and [proto:]port parts of the elements see the descriptions at the\nhash:ip,port set type.\n\nThe hash:ip,port,ip type of sets require three src/dst parameters of the set match and SET\ntarget kernel modules.\n\nExamples:\n\nipset create foo hash:ip,port,ip\n\nipset add foo 192.168.1.1,80,10.0.0.1\n\nipset test foo 192.168.1.1,udp:53,10.0.0.1\n\n#### hash:ip,port,net\n\nThe hash:ip,port,net set type uses a hash to store IP address, port number and IP network\naddress triples. The port number is interpreted together with a protocol (default TCP) and zero\nprotocol number cannot be used. 
Network address with zero prefix size cannot be stored ei‐\nther.\n\nCREATE-OPTIONS := [ family { inet | inet6 } ] [ hashsize value ] [ maxelem value ] [  bucket‐‐\nsize value ] [ timeout value ] [ counters ] [ comment ] [ skbinfo ]\n\nADD-ENTRY := ipaddr,[proto:]port,netaddr\n\nADD-OPTIONS  :=  [  timeout  value ]  [ nomatch ] [ packets value ] [ bytes value ] [ comment\nstring ] [ skbmark value ] [ skbprio value ] [ skbqueue value ]\n\nDEL-ENTRY := ipaddr,[proto:]port,netaddr\n\nTEST-ENTRY := ipaddr,[proto:]port,netaddr\n\nwhere netaddr := ip[/cidr]\n\nFor the  ipaddr  and  [proto:]port  parts  of  the  elements  see  the  descriptions  at  the\nhash:ip,port  set  type.  For  the  netaddr  part  of the elements see the description at the\nhash:net set type.\n\nFrom the set netfilter match point of view the searching for a  match  always   starts   from\nthe smallest  size  of netblock (most specific cidr) to the largest one (least specific cidr)\nadded to the set.  When  adding/deleting triples to the set by the SET netfilter  target,  it\nwill   be  added/deleted  by the most specific cidr which can be found in  the set, or by the\nhost cidr value if the set is empty.\n\nThe lookup time grows linearly with the number of the different cidr values added to the set.\n\nThe hash:ip,port,net type of sets require three src/dst parameters of the set match  and  SET\ntarget kernel modules.\n\nExamples:\n\nipset create foo hash:ip,port,net\n\nipset add foo 192.168.1,80,10.0.0/24\n\nipset add foo 192.168.2,25,10.1.0.0/16\n\nipset test foo 192.168.1,80.10.0.0/24\n\n#### hash:ip,mark\n\nThe hash:ip,mark set type uses a hash to store IP address and packet mark pairs.\n\nCREATE-OPTIONS := [ family { inet | inet6 } ] [ markmask value ] [ hashsize value ] [ maxelem\nvalue ] [ bucketsize value ] [ timeout value ] [ counters ] [ comment ] [ skbinfo ]\n\nADD-ENTRY := ipaddr,mark\n\nADD-OPTIONS := [ timeout value ] [ packets value ] [ bytes value ] [ comment string ] [  skb‐‐\nmark 
value ] [ skbprio value ] [ skbqueue value ]\n\nDEL-ENTRY := ipaddr,mark\n\nTEST-ENTRY := ipaddr,mark\n\nOptional create options:\n\nmarkmask value\nAllows you to set bits you are interested in the packet mark. This values is then used\nto perform bitwise AND operation for every mark added.  markmask can be any value  be‐\ntween 1 and 4294967295, by default all 32 bits are set.\n\nThe mark can be any value between 0 and 4294967295.\n\nThe  hash:ip,mark type of sets require two src/dst parameters of the set match and SET target\nkernel modules.\n\nExamples:\n\nipset create foo hash:ip,mark\n\nipset add foo 192.168.1.0/24,555\n\nipset add foo 192.168.1.1,0x63\n\nipset add foo 192.168.1.1,111236\n\n#### hash:net,port,net\n\nThe hash:net,port,net set type behaves similarly to hash:ip,port,net but accepts a cidr value\nfor  both the first and last parameter. Either subnet is permitted to be a /0 should you wish\nto match port between all destinations.\n\nCREATE-OPTIONS := [ family { inet | inet6 } ] [ hashsize value ] [ maxelem value ] [  bucket‐‐\nsize value ] [ timeout value ] [ counters ] [ comment ] [ skbinfo ]\n\nADD-ENTRY := netaddr,[proto:]port,netaddr\n\nADD-OPTIONS  :=  [  timeout  value ]  [ nomatch ] [ packets value ] [ bytes value ] [ comment\nstring ] [ skbmark value ] [ skbprio value ] [ skbqueue value ]\n\nDEL-ENTRY := netaddr,[proto:]port,netaddr\n\nTEST-ENTRY := netaddr,[proto:]port,netaddr\n\nwhere netaddr := ip[/cidr]\n\nFor the [proto:]port part of the elements see the description at the hash:ip,port  set  type.\nFor the netaddr part of the elements see the description at the hash:net set type.\n\nFrom  the  set  netfilter  match point of view the searching for a match always  starts  from\nthe smallest  size  of netblock (most specific cidr) to the largest one (least specific cidr)\nadded  to  the set.  
When  adding/deleting triples to the set by the SET netfilter target, it\nwill  be added/deleted by the most specific cidr which can be found in  the set,  or  by  the\nhost  cidr  value  if  the  set is empty. The first subnet has precedence when performing the\nmost-specific lookup, just as for hash:net,net\n\nThe lookup time grows linearly with the number of the different cidr values added to the  set\nand by the number of secondary cidr values per primary.\n\nThe  hash:net,port,net type of sets require three src/dst parameters of the set match and SET\ntarget kernel modules.\n\nExamples:\n\nipset create foo hash:net,port,net\n\nipset add foo 192.168.1.0/24,0,10.0.0/24\n\nipset add foo 192.168.2.0/24,25,10.1.0.0/16\n\nipset test foo 192.168.1.1,80,10.0.0.1\n\n#### hash:net,iface\n\nThe hash:net,iface set type uses a hash to store different sized IP network address  and  in‐\nterface name pairs.\n\nCREATE-OPTIONS  := [ family { inet | inet6 } ] [ hashsize value ] [ maxelem value ] [ bucket‐‐\nsize value ] [ timeout value ] [ counters ] [ comment ] [ skbinfo ]\n\nADD-ENTRY := netaddr,[physdev:]iface\n\nADD-OPTIONS := [ timeout value ]  [ nomatch ] [ packets value ] [ bytes  value  ]  [  comment\nstring ] [ skbmark value ] [ skbprio value ] [ skbqueue value ] [ wildcard ]\n\nDEL-ENTRY := netaddr,[physdev:]iface\n\nTEST-ENTRY := netaddr,[physdev:]iface\n\nwhere netaddr := ip[/cidr]\n\nFor the netaddr part of the elements see the description at the hash:net set type.\n\nWhen adding/deleting/testing entries, if the cidr prefix parameter is not specified, then the\nhost  prefix  value  is  assumed.  When  adding/deleting  entries,  the  exact   element   is\nadded/deleted  and overlapping elements are not checked by the kernel.  
When testing entries,\nif a host address is tested, then the kernel tries to match the host address in the  networks\nadded to the set and reports the result accordingly.\n\nFrom  the  set  netfilter match point of view the searching for a  match always  starts  from\nthe smallest  size  of netblock (most specific prefix) to the  largest  one  (least  specific\nprefix)  added to the set.  When  adding/deleting IP addresses  to the set by the SET netfil‐\nter target, it  will  be added/deleted by the most specific prefix which can be found in  the\nset, or by the host prefix value if the set is empty.\n\nThe second direction parameter of the set match and SET target modules corresponds to the in‐\ncoming/outgoing interface: src to the incoming one (similar to  the  -i  flag  of  iptables),\nwhile  dst  to  the  outgoing one (similar to the -o flag of iptables). When the interface is\nflagged with physdev:, the interface is interpreted as the incoming/outgoing bridge port.\n\nThe lookup time grows linearly with the number of the different prefix values  added  to  the\nset.\n\nThe  internal restriction of the hash:net,iface set type is that the same network prefix can‐\nnot be stored with more than 64 different interfaces in a single set.\n\nExamples:\n\nipset create foo hash:net,iface\n\nipset add foo 192.168.0/24,eth0\n\nipset add foo 10.1.0.0/16,eth1\n\nipset test foo 192.168.0/24,eth0\n\n#### list:set\n\nThe list:set type uses a simple list in which you can store set names.\n\nCREATE-OPTIONS := [ size value ] [ timeout value ] [ counters ] [ comment ] [ skbinfo ]\n\nADD-ENTRY := setname [ { before | after } setname ]\n\nADD-OPTIONS := [ timeout value ] [ packets value ] [ bytes value ] [ comment string ] [  skb‐‐\nmark value ] [ skbprio value ] [ skbqueue value ]\n\nDEL-ENTRY := setname [ { before | after } setname ]\n\nTEST-ENTRY := setname [ { before | after } setname ]\n\nOptional create options:\n\nsize value\nThe  size  of the list, the default is 8. 
The parameter is ignored since ipset version\n6.24.\n\nBy the ipset command you  can add, delete and test set names in a list:set type of set.\n\nBy the set match or SET target of netfilter you can test, add or delete entries in  the  sets\nadded  to  the  list:set type of set. The match will try to find a matching entry in the sets\nand the target will try to add an entry to the first set to which it can be added.  The  num‐\nber  of  direction options of the match and target are important: sets which require more pa‐\nrameters than specified are skipped, while sets with equal or less  parameters  are  checked,\nelements added/deleted. For example if a and b are list:set type of sets then in the command\n\niptables -m set --match-set a src,dst -j SET --add-set b src,dst\n\nthe  match  and target will skip any set in a and b which stores data triples, but will match\nall sets with single or double data storage in a set and stop matching at the first  success‐\nful set, and add src to the first single or src,dst to the first double data storage set in b\nto which the entry can be added. You can imagine a list:set type of set as an  ordered  union\nof the set elements.\n\nPlease  note:  by  the  ipset command you can add, delete and test the setnames in a list:set\ntype of set, and not the presence of a set's member (such as an IP address).\n\n### GENERAL RESTRICTIONS\n\nZero valued set entries cannot be used with hash methods. Zero protocol value with ports can‐\nnot be used.\n\n### COMMENTS\n\nIf  you  want  to store same size subnets from a given network (say /24 blocks from a /8 net‐\nwork), use the bitmap:ip set type.  If you want to store random same size networks (say  ran‐\ndom  /24  blocks),  use  the  hash:ip set type. 
If you have got random size of netblocks, use\nhash:net.\n\nMatching on destination MAC addresses using the dst parameter of the set match netfilter ker‐\nnel  modules  will only work if the destination MAC address is available in the packet at the\ngiven processing stage, that is, it only applies for incoming packets in the PREROUTING,  IN‐‐\nPUT  and  FORWARD  chains, against the MAC address as originally found in the received packet\n(typically, one of the MAC addresses of the local host). This is not the destination MAC  ad‐\ndress  a  destination IP address resolves to, after routing. If the MAC address is not avail‐\nable (e.g. in the OUTPUT chain), the packet will simply not match.\n\nBackward compatibility is maintained and old ipset syntax is still supported.\n\nThe iptree and iptreemap set types are removed: if you refer to them, they are  automatically\nreplaced by hash:ip type of sets.\n\n### DIAGNOSTICS\n\nVarious  error  messages are printed to standard error.  The exit code is 0 for correct func‐\ntioning.\n\n### BUGS\n\nBugs? No, just funny features. :-) OK, just kidding...\n\n### SEE ALSO\n\niptables(8), ip6tables(8) iptables-extensions(8)\n\n### AUTHORS\n\nJozsef Kadlecsik wrote ipset, which is based on ippool by Joakim Axelsson, Patrick Schaaf and\nMartin Josefsson.\nSven Wegener wrote the iptreemap type.\n\n### LAST REMARK\n\n#### I stand on the shoulders of giants.\n\nJozsef Kadlecsik                            Jun 25, 2015                                    IPSET(8)\n\n"
        }
    ],
    "structuredContent": {
        "command": "ipset",
        "section": "8",
        "mode": "man",
        "summary": "ipset — administration tool for IP sets",
        "synopsis": "ipset [ OPTIONS ] COMMAND [ COMMAND-OPTIONS ]\nCOMMANDS  := { create | add | del | test | destroy | list | save | restore | flush | rename |\nswap | help | version | - }\nOPTIONS := { -exist | -output { plain | save | xml } | -quiet | -resolve | -sorted | -name  |",
        "flags": [
            {
                "flag": "-o",
                "long": null,
                "arg": null,
                "description": "Select the output format to the list command."
            },
            {
                "flag": "-q",
                "long": null,
                "arg": null,
                "description": "Suppress any output to stdout and stderr. ipset will still exit with error if it can‐ not continue."
            },
            {
                "flag": "-r",
                "long": null,
                "arg": null,
                "description": "When listing sets, enforce name lookup. The program will try to display the IP entries resolved to host names which requires slow DNS lookups."
            },
            {
                "flag": "-s",
                "long": null,
                "arg": null,
                "description": "Sorted output. When listing or saving sets, the entries are listed sorted."
            },
            {
                "flag": "-n",
                "long": null,
                "arg": null,
                "description": "List just the names of the existing sets, i.e. suppress listing of set headers and members."
            },
            {
                "flag": "-t",
                "long": null,
                "arg": null,
                "description": "List the set names and headers, i.e. suppress listing of set members."
            },
            {
                "flag": "-f",
                "long": null,
                "arg": null,
                "description": "Specify a filename to print into instead of stdout (list or save commands) or read from instead of stdin (restore command)."
            }
        ],
        "examples": [],
        "see_also": [
            {
                "name": "iptables",
                "section": "8",
                "url": "https://www.chedong.com/phpMan.php/man/iptables/8/json"
            },
            {
                "name": "ip6tables",
                "section": "8",
                "url": "https://www.chedong.com/phpMan.php/man/ip6tables/8/json"
            },
            {
                "name": "iptables-extensions",
                "section": "8",
                "url": "https://www.chedong.com/phpMan.php/man/iptables-extensions/8/json"
            }
        ],
        "section_outline": [
            {
                "name": "NAME",
                "lines": 2,
                "subsections": []
            },
            {
                "name": "SYNOPSIS",
                "lines": 6,
                "subsections": [
                    {
                        "name": "-terse -file",
                        "lines": 14
                    },
                    {
                        "name": "ipset restore",
                        "lines": 8
                    },
                    {
                        "name": "ipset version",
                        "lines": 1
                    },
                    {
                        "name": "ipset -",
                        "lines": 1
                    }
                ]
            },
            {
                "name": "DESCRIPTION",
                "lines": 9,
                "subsections": []
            },
            {
                "name": "OPTIONS",
                "lines": 45,
                "subsections": [
                    {
                        "name": "restore",
                        "lines": 20
                    },
                    {
                        "name": "version",
                        "lines": 14
                    },
                    {
                        "name": "-o -output",
                        "lines": 2,
                        "flag": "-o"
                    },
                    {
                        "name": "-q -quiet",
                        "lines": 3,
                        "flag": "-q"
                    },
                    {
                        "name": "-r -resolve",
                        "lines": 3,
                        "flag": "-r"
                    },
                    {
                        "name": "-s -sorted",
                        "lines": 2,
                        "flag": "-s"
                    },
                    {
                        "name": "-n -name",
                        "lines": 3,
                        "flag": "-n"
                    },
                    {
                        "name": "-t -terse",
                        "lines": 2,
                        "flag": "-t"
                    },
                    {
                        "name": "-f -file",
                        "lines": 3,
                        "flag": "-f"
                    }
                ]
            },
            {
                "name": "INTRODUCTION",
                "lines": 30,
                "subsections": []
            },
            {
                "name": "GENERIC CREATE AND ADD OPTIONS",
                "lines": 1,
                "subsections": [
                    {
                        "name": "timeout",
                        "lines": 19
                    },
                    {
                        "name": "counters, packets, bytes",
                        "lines": 10
                    },
                    {
                        "name": "comment",
                        "lines": 21
                    },
                    {
                        "name": "skbinfo, skbmark, skbprio, skbqueue",
                        "lines": 11
                    },
                    {
                        "name": "hashsize",
                        "lines": 6
                    },
                    {
                        "name": "maxelem",
                        "lines": 5
                    },
                    {
                        "name": "bucketsize",
                        "lines": 8
                    },
                    {
                        "name": "family { inet | inet6 }",
                        "lines": 13
                    },
                    {
                        "name": "nomatch",
                        "lines": 9
                    },
                    {
                        "name": "forceadd",
                        "lines": 6
                    },
                    {
                        "name": "wildcard",
                        "lines": 4
                    }
                ]
            },
            {
                "name": "SET TYPES",
                "lines": 1,
                "subsections": [
                    {
                        "name": "bitmap:ip",
                        "lines": 40
                    },
                    {
                        "name": "bitmap:ip,mac",
                        "lines": 42
                    },
                    {
                        "name": "bitmap:port",
                        "lines": 36
                    },
                    {
                        "name": "hash:ip",
                        "lines": 30
                    },
                    {
                        "name": "hash:mac",
                        "lines": 25
                    },
                    {
                        "name": "hash:ip,mac",
                        "lines": 25
                    },
                    {
                        "name": "hash:net",
                        "lines": 47
                    },
                    {
                        "name": "hash:net,net",
                        "lines": 52
                    },
                    {
                        "name": "hash:ip,port",
                        "lines": 56
                    },
                    {
                        "name": "hash:net,port",
                        "lines": 46
                    },
                    {
                        "name": "hash:ip,port,ip",
                        "lines": 30
                    },
                    {
                        "name": "hash:ip,port,net",
                        "lines": 44
                    },
                    {
                        "name": "hash:ip,mark",
                        "lines": 36
                    },
                    {
                        "name": "hash:net,port,net",
                        "lines": 44
                    },
                    {
                        "name": "hash:net,iface",
                        "lines": 52
                    },
                    {
                        "name": "list:set",
                        "lines": 39
                    }
                ]
            },
            {
                "name": "GENERAL RESTRICTIONS",
                "lines": 3,
                "subsections": []
            },
            {
                "name": "COMMENTS",
                "lines": 18,
                "subsections": []
            },
            {
                "name": "DIAGNOSTICS",
                "lines": 3,
                "subsections": []
            },
            {
                "name": "BUGS",
                "lines": 2,
                "subsections": []
            },
            {
                "name": "SEE ALSO",
                "lines": 2,
                "subsections": []
            },
            {
                "name": "AUTHORS",
                "lines": 4,
                "subsections": []
            },
            {
                "name": "LAST REMARK",
                "lines": 1,
                "subsections": [
                    {
                        "name": "I stand on the shoulders of giants.",
                        "lines": 1
                    }
                ]
            }
        ]
    }
}