IPSETD-NG ipset driver manual

The IPSETD-NG ipset driver is part of the IPSET-NG package and runs only in the server component, IPSETD-NG. The driver is built on the libipset and libiptc libraries. It is the main driver of the system and the recommended one: the remaining drivers are less functional and put a greater load on the system. If your kernel supports ipset, use this driver.

Known issues in the original ipset software

  • When a combined (list:set) table is used, there is no way to check whether an IP address is present in the combined table, so an address cannot be added or removed directly through the combined table reference.
  • A table is created with 65536 elements by default. The maximum size, as far as I can tell, has to be determined empirically and depends on the system and the netfilter version.
  • If an IP address is added with a TIMEOUT to a table that was created without timeout support, the address is not added to the table.

AutoTable mode

AutoTable mode solves many of the problems that arise when many tables have to be merged. In practice, operation in this mode is best described as working with a table cluster.
In this mode the client checks IP addresses directly against a master table of type list:set, which in turn contains the remaining tables of types hash:ip, hash:net and bitmap:ip. A client request automatically queries all tables of the group up to the first match. The mode is enabled in the configuration file by setting the whitelist and/or blacklist parameters in the [drv-ipset] section to the name of the master table of the group.

When using this mode it is not recommended to:

  • use digits in table names: digits are appended automatically when the index of linked tables is built or updated
  • add tables manually after the program has started; if you must, tell the server to re-read the current state of the tables once they have been created.

The server can be told to re-read and update the linked tables in two ways:

send the SIGUSR2 signal to the IPSETD-NG server:

kill -SIGUSR2 `pidof ipsetd-ng`

or do it at any time from monitor mode: press [t] in the server console, or in the MONITOR-NG program open the Server menu and select Reload sub tables.

AutoTable mode supports the following features:

  • automatic selection of the table when adding or removing IP addresses. The client program only has to specify the 'base name' of the table the address should go into. Note: a table with that base name must already exist on the server and be a member of the master table of type list:set
  • when deleting an IP address, if the master table is specified, the address is removed from all linked tables
  • when adding an IP address, if the master table is specified, the address is added to the table addtmptable, which is created automatically at startup if it does not exist
  • an IP address is checked against all linked tables of the group up to the first match
  • when a table reaches its maximum size, a new table is created automatically and linked to the master list:set table of the group; the number in the new table's name is incremented and the parameters of the preceding table are applied to it
  • the timeout setting and the hash:* type name are checked for compatibility before an IP address or a table item is added to an ipset table
  • if a request adds an IP address to a table that does not exist, the table is created and added to the master table; table creation is subject to the access rules in the configuration file (section tblaccess and the checkaccess field of section server)
  • when a table is deleted, it is also removed from the master table and from the access rules in the tblaccess section of the configuration file
  • remote destroy or flush of the master tables is prohibited regardless of the access level permitted in the configuration
  • compatible with Internet Protocol version 4 and 6 for ipset/iptables operation
  • automatic netmask and network prefix detection
  • automatic IPv4 to IPv6 address conversion

A good example is cleaning the temporary table before the program exits; add the following parameters to the configuration file:


        // in section onstop:
        [onstop]

        // erase real table name 'addtmptable0'.
        flush = addtmptable0

        // or destroy real table name 'addtmptable0'.
        destroy = addtmptable0


With the following setting the temporary table can also be cleaned up at any time by an external command:


        // in section onreload:
        [onreload]

        // erase real table name 'addtmptable0'.
        flush = addtmptable0


To clear the temporary table by an external command, use the following command line:

kill -SIGHUP `pidof ipsetd-ng`

The temporary table can also be cleared from monitor mode by pressing [r], or from the MONITOR-NG program: open the Server menu and select Reload table.

Example layout of ipset tables in AutoTable mode (the member tables are shown nested under the master table for illustration):


    // Master table 'blacklist'
    $ ipset -L blacklist
           Name: blacklist
           Type: list:set
           Revision: 0
           Header: size 200
           Size in memory: 460
           References: 1
           Members:
                  // members of the master table 'blacklist'
                  blackhttp0
                  blackip40
                  blackip60
                  blacklog0
                  blacknet0
                  blackproxy0

                  // member table 'blackhttp0' (real name)
                  Name: blackhttp0
                  Type: hash:ip
                  Revision: 0
                  Header: family inet hashsize 4096 maxelem 4294967295
                  Size in memory: 89116
                  References: 1
                  Members:
                                // IP address entries
                                2.1.2.167
                                7.1.1.64

                  // member table 'blackip40' (real name)
                  Name: blackip40
                  Type: hash:ip
                  Revision: 0
                  Header: family inet hashsize 4096 maxelem 4294967295
                  Size in memory: 89116
                  References: 1
                  Members:
                                // IP address entries
                                3.1.4.21
                                8.1.8.46

                  // member table 'blacknet0' (real name)
                  Name: blacknet0
                  Type: hash:net
                  Revision: 0
                  Header: family inet hashsize 4096 maxelem 4294967295
                  Size in memory: 89116
                  References: 1
                  Members:
                                // network entries
                                7.1.7.0/24
                                8.1.7.0/24
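
To make the lookup and naming rules of AutoTable mode concrete, here is an added example in Python (not part of the IPSET-NG project): it parses `ipset -L` output for a group like the one above, walks the master list:set to the first member table containing an address, chooses the real table for a client-supplied base name, and derives the name of the next overflow table. The listing is constructed from the page's example; the parser only relies on the `Name:`, `Type:` and `Members:` lines of the `ipset -L` format. How IPSETD-NG itself splits a real name into base name and index is not documented on this page, so the split used here (trailing digits) is an assumption.

```python
import ipaddress
import re
from typing import Dict, Optional, Tuple

# Constructed sample in `ipset -L` format (one block per set, blank line between
# sets), built from the page's 'blacklist' example; the "timeout N" fields show
# that per-entry extras are ignored when matching.
SAMPLE_IPSET_LIST = """\
Name: blacklist
Type: list:set
Header: size 200
Members:
blackip40
blacknet0

Name: blackip40
Type: hash:ip
Header: family inet hashsize 4096 maxelem 4294967295 timeout 600
Members:
3.1.4.21 timeout 55
8.1.8.46 timeout 580

Name: blacknet0
Type: hash:net
Header: family inet hashsize 4096 maxelem 4294967295
Members:
7.1.7.0/24
8.1.7.0/24
"""

def parse_ipset_list(text: str) -> Dict[str, dict]:
    """Parse `ipset -L` output into {name: {"type": ..., "members": [...]}}.
    Only Name/Type/Members lines matter; Header, Revision, Size in memory and
    References are skipped."""
    sets: Dict[str, dict] = {}
    current: Optional[dict] = None
    in_members = False
    for line in text.splitlines():
        if not line.strip():                  # blank line closes the set block
            current, in_members = None, False
        elif line.startswith("Name: "):
            current = sets[line[6:].strip()] = {"type": "", "members": []}
            in_members = False
        elif current is None:
            continue
        elif in_members:
            current["members"].append(line.strip())
        elif line.startswith("Type: "):
            current["type"] = line[6:].strip()
        elif line.startswith("Members:"):
            in_members = True
    return sets

def entry_matches(s: dict, ip) -> bool:
    """Match one address against a leaf set (hash:ip, hash:net, bitmap:ip).
    ipaddress never matches across families, so an IPv6 query simply falls
    through an IPv4 table instead of raising."""
    for raw in s["members"]:
        entry = raw.split()[0]                # drop "timeout N" etc.
        if s["type"] == "hash:net":
            if ip in ipaddress.ip_network(entry, strict=False):
                return True
        elif ipaddress.ip_address(entry) == ip:
            return True
    return False

def find_match(group: str, sets: Dict[str, dict], addr: str) -> Optional[str]:
    """Walk the master list:set in listing order and return the name of the
    first member table containing addr, or None when no table matches."""
    ip = ipaddress.ip_address(addr)
    for name in sets[group]["members"]:
        member = sets.get(name)
        if member is None:
            continue                          # dangling reference counts as a miss
        if member["type"] == "list:set":      # nested group: recurse
            hit = find_match(name, sets, addr)
            if hit:
                return hit
        elif entry_matches(member, ip):
            return name
    return None

NAME_RE = re.compile(r"^(?P<base>.*?)(?P<idx>\d+)$")

def split_name(real_name: str) -> Tuple[str, Optional[int]]:
    """Assumed split of a real table name: trailing digits are the index."""
    m = NAME_RE.match(real_name)
    return (m.group("base"), int(m.group("idx"))) if m else (real_name, None)

def pick_table(group: str, sets: Dict[str, dict], base_name: str) -> Optional[str]:
    """Real table to add into for a client-supplied base name: the group member
    with that base and the highest index, or None if the base is not a member."""
    candidates = [(idx, name) for name in sets[group]["members"]
                  for base, idx in [split_name(name)]
                  if base == base_name and idx is not None]
    return max(candidates)[1] if candidates else None

def next_table_name(real_name: str) -> str:
    """Name of the overflow table created when real_name reaches maxelem."""
    base, idx = split_name(real_name)
    return f"{base}{0 if idx is None else idx + 1}"
```

`split_name("blackip40")` returns `("blackip", 40)`: with a digit-based split, a base name `blackip4` with index 0 is indistinguishable from base name `blackip` with index 40, which is exactly why the page advises against digits in table names.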


Example configuration file settings that enable AutoTable mode:


        // in section server:
        [server]
        checkaccess = yes

        // in section drv-ipset:
        [drv-ipset]

        // set the master table name for the whitelist and blacklist groups.
        whitelist = whitelist
        blacklist = blacklist

        // in section tblaccess:
        [tblaccess]

        // connection type allowed to modify tables:
        access = crypt

        // grant modify access to the table named 'blacklist'
        tbl = blacklist
        ...


Screenshot (not reproduced here): checking, adding and removing IP addresses in AutoTable mode.

ATTENTION: all tables included in the master table are used when checking, adding or deleting IP addresses.

Manually creating an ipset table structure compatible with AutoTable mode

For detailed instructions on using the ipset package, see the manual of the ipset administration tool.
If you want to create your own ipset table structure compatible with AutoTable mode, follow these rules:

  • Give each table name a numeric suffix; this makes the work of the IPSETD-NG indexer easier. For example:

        // create table 'myblacklist0' (base name 'myblacklist'), type hash:ip
        ipset -N myblacklist0 hash:ip maxelem 4294967295

        // create the master table 'mainblacklist', type list:set
        ipset -N mainblacklist list:set size 200

        // add table 'myblacklist0' to the master table 'mainblacklist'
        ipset -A mainblacklist myblacklist0

        // now 'myblacklist0' is a member of 'mainblacklist'; check:
        ipset -L mainblacklist
                Name: mainblacklist
                Type: list:set
                Revision: 0
                Header: size 200
                Size in memory: 460
                References: 1
                Members:
                        myblacklist0



        // in section server, enable access checking:
        [server]
        checkaccess = yes

        // add 'mainblacklist' to the ipsetd-ng configuration file
        [drv-ipset]
        blacklist = mainblacklist

        [tblaccess]
        access = crypt
        tbl = mainblacklist

        // restart ipsetd-ng via the SysV init script
        /etc/rc.d/init.d/ipsetd-ng.init

        // or restart ipsetd-ng manually
        ipsetd-ng -k ; sleep 5 ; ipsetd-ng -d


  • Check the result:

        // after ipsetd-ng has started, check the table structure
        ipset -L mainblacklist
                Name: mainblacklist
                Type: list:set
                Revision: 0
                Header: size 200
                Size in memory: 460
                References: 1
                Members:
                        myblacklist0
                        addtmptable0


Standalone Table mode

Standalone Table mode means that no master tables are defined in the configuration file: the whitelist and blacklist fields in the [drv-ipset] section must be commented out.
Apart from that, the driver behaves the same as in AutoTable mode.

Standalone mode supports the following features:

  • automatic creation of tables and of the corresponding iptables rules (match-set <TABLE NAME> src); the target is DROP for a black table and ACCEPT for a white table
  • remote create, destroy and flush are subject to the access rules in the configuration file, section tblaccess and the checkaccess field of section server
  • when a table is deleted, its iptables rules are removed as well
  • compatible with Internet Protocol version 4 and 6 for ipset/iptables operation

All iptables operations require the libiptc library, which must be installed.

Automatic netmask & network prefix features

If a network address is added without a netmask or network prefix to a table of type hash:net, network auto-sensing tries to choose the optimum mask for that address.
This applies to both the IPv4 and IPv6 families.

IPv4 to IPv6 address conversion

If an IPv4 address is added to a table whose family is IPv6, the address is automatically converted to IPv6.
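
The two conversions described in the previous two sections, as an added Python example (not the project's own code) built on the standard ipaddress module: auto-sensing a prefix for a network address given without one, and adapting an IPv4 address to an IPv6-family table. The page does not document the exact rule IPSETD-NG uses for the "optimum mask" or for the IPv4 to IPv6 conversion; the choices here (the shortest prefix on an octet or hextet boundary with all host bits zero, and the IPv4-mapped `::ffff:a.b.c.d` form) are assumptions, as is reading the family from the `family` field of the ipset Header line.

```python
import ipaddress
from typing import Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

def auto_prefix(addr: str) -> IPNetwork:
    """Assumed 'optimum mask': strip trailing zero octets (IPv4) or zero hextets
    (IPv6) and use the resulting boundary as the prefix length, e.g.
    10.1.0.0 -> /16, 10.1.2.0 -> /24, 10.1.2.3 -> /32, 2001:db8:: -> /32."""
    ip = ipaddress.ip_address(addr)
    step = 8 if ip.version == 4 else 16       # octet vs hextet granularity
    value, prefix, low_bits = int(ip), ip.max_prefixlen, (1 << (8 if ip.version == 4 else 16)) - 1
    while prefix > 0 and value & low_bits == 0:
        value >>= step
        prefix -= step
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=True)

def normalize_net_entry(entry: str) -> IPNetwork:
    """Entry for a hash:net table: keep an explicit prefix (strict=False, so
    '7.1.7.5/24' is stored as 7.1.7.0/24), otherwise auto-sense the mask."""
    if "/" in entry:
        return ipaddress.ip_network(entry, strict=False)
    return auto_prefix(entry)

def family_of_header(header: str) -> str:
    """Return 'inet' or 'inet6' from an ipset Header line such as
    'family inet hashsize 4096 maxelem 4294967295'; headers of bitmap:* and
    list:set tables carry no family field and are treated as IPv4."""
    fields = header.split()
    if "family" in fields:
        return fields[fields.index("family") + 1]
    return "inet"

def to_family(entry: str, family: str) -> IPAddress:
    """Adapt an address to the table family. An IPv4 address going into an
    IPv6 table becomes the IPv4-mapped address ::ffff:a.b.c.d (assumption);
    an IPv6 address going into an IPv4 table is accepted only if it is itself
    IPv4-mapped, otherwise ValueError is raised."""
    ip = ipaddress.ip_address(entry)
    if family == "inet6" and ip.version == 4:
        return ipaddress.IPv6Address(f"::ffff:{ip}")
    if family == "inet" and ip.version == 6:
        mapped = ip.ipv4_mapped
        if mapped is None:
            raise ValueError(f"{entry} cannot be stored in an IPv4 table")
        return mapped
    return ip
```

Comparing addresses as `ipaddress` objects rather than strings matters here: older Python versions print an IPv4-mapped address as `::ffff:301:415` while newer ones print `::ffff:3.1.4.21`, but both compare equal.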

Full example configuration file

Example configuration file settings for the ipset driver (ipsetd-ng.conf, ipsetcmd-ng.conf):


        # protocol configuration
        [protocol]

        # default create table value: ipv4,ipv6
        version=ipv4

        # in sections server enable check access:
        [server]
        checkaccess = yes

        [driver]
        # path to the dynamic driver directory
        # created automatically by make, default: '/usr/lib/ipsetng'
        path = /usr/lib/ipsetng

        # name of the driver to use, loaded from: /usr/lib/ipsetng/drv-<name>-ng.so
        name = ipset

        # WARNING: these iptables settings apply to all drivers.
        # The ipset driver uses the iptables engine directly.
        # enable iptables add/delete/flush etc. directly in the kernel
        iptenable = yes

        # chain of iptables
        iptchain = INPUT

        # table of iptables
        ipttable = filter

        # target of iptables
        iptrule =  DROP

        # method for adding to table: insert | append
        iptmethod = append


        # Ipset driver
        [drv-ipset]
        whitelist = whitelist
        blacklist = blacklist

        [tblaccess]
        access = crypt
        tbl = blacklist
        tbl = ...
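
As an added Python example (not the project's own code) covering both the Standalone Table mode rules above and this configuration file: a small parser for the ipsetd-ng.conf layout that keeps repeated keys such as `tbl` (a stock INI parser rejects them), detects Standalone mode from the commented-out master tables, derives the iptables rule the driver attaches for a table (DROP or ACCEPT by table colour, ip6tables for IPv6-family tables), and applies the access check. The configuration text is constructed from the page's example. The exact semantics of `checkaccess`, `access` and `tbl`, and reading the table colour from its name prefix, are assumptions made for this example.

```python
from typing import Dict, List, Optional

# Constructed ipsetd-ng.conf text following the page's layout. The master
# tables in [drv-ipset] are commented out (Standalone Table mode) and the
# repeated 'tbl' key in [tblaccess] is the case a stock INI parser rejects.
SAMPLE_CONF = """\
# protocol configuration
[protocol]
version=ipv4

[server]
checkaccess = yes

[driver]
name = ipset
iptenable = yes
iptchain = INPUT
ipttable = filter
iptrule = DROP
iptmethod = append

[drv-ipset]
# whitelist = whitelist
# blacklist = blacklist

[tblaccess]
access = crypt
tbl = blacklist
tbl = whitelist
"""

Conf = Dict[str, Dict[str, List[str]]]

def parse_conf(text: str) -> Conf:
    """Parse the section/key=value layout; every key maps to the list of its
    values so that repeated keys (tbl = ...) are kept in order."""
    conf: Conf = {}
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            conf.setdefault(section, {})      # keep empty sections visible
            continue
        if section is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        conf[section].setdefault(key, []).append(value)
    return conf

def get(conf: Conf, section: str, key: str, default: Optional[str] = None) -> Optional[str]:
    """Last value of a key, or default when the key or section is absent."""
    values = conf.get(section, {}).get(key)
    return values[-1] if values else default

def is_standalone(conf: Conf) -> bool:
    """Standalone Table mode: no master table named in [drv-ipset]."""
    return get(conf, "drv-ipset", "whitelist") is None and get(conf, "drv-ipset", "blacklist") is None

def table_target(conf: Conf, table: str) -> str:
    """Target per the page's Standalone rule: black tables DROP, white tables
    ACCEPT. Assumption: the colour is taken from the table name prefix; any
    other name falls back to the [driver] iptrule setting."""
    if table.startswith("white"):
        return "ACCEPT"
    if table.startswith("black"):
        return "DROP"
    return get(conf, "driver", "iptrule", "DROP")

def iptables_argv(conf: Conf, table: str, family: str = "inet", delete: bool = False) -> List[str]:
    """Command line for the rule '-m set --match-set <table> src' that Standalone
    mode attaches to the [driver] chain/table; ip6tables for IPv6-family tables."""
    binary = "ip6tables" if family == "inet6" else "iptables"
    if delete:
        op = "-D"
    else:
        op = "-I" if get(conf, "driver", "iptmethod", "append") == "insert" else "-A"
    return [binary, "-t", get(conf, "driver", "ipttable", "filter"), op,
            get(conf, "driver", "iptchain", "INPUT"),
            "-m", "set", "--match-set", table, "src", "-j", table_target(conf, table)]

def can_modify(conf: Conf, table: str, access_type: str) -> bool:
    """Remote create/destroy/flush check. Assumed semantics of the page's
    settings: with [server] checkaccess = yes, the request's connection type
    must be listed under [tblaccess] access and the table under [tblaccess] tbl;
    with checkaccess off, everything is allowed."""
    if get(conf, "server", "checkaccess", "no").lower() != "yes":
        return True
    rules = conf.get("tblaccess", {})
    return access_type in rules.get("access", []) and table in rules.get("tbl", [])
```

Keeping `checkaccess = yes` is the setting to verify after any edit: with it off, `can_modify` answers yes for every table and every connection type, which is the permissive case the page's `[tblaccess]` section exists to avoid.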


IPSET black/white list downloadable database

Download the latest version of the ipset database; the full version includes the following tables:

  • blacklist - Complete list of all blocked IP and network addresses, including the open proxy list and addresses blocked by log file analysis.
  • blackhttp - Part of blacklist: IP addresses blocked from HTTP traffic, including spam robot hosts.
  • blackip4 - Part of blacklist: blocked IPv4 addresses, including attack, hacker and spam robot hosts.
  • blackip6 - Part of blacklist: blocked IPv6 addresses, including attack, hacker and spam robot hosts.
  • blacklog - Part of blacklist: IP addresses blocked by log file analysis.
  • blacknet - Part of blacklist: blocked network addresses, spam robot networks.
  • blackproxy - Part of blacklist: blocked IP addresses from the open proxy list.

or use the IPSETCMD-NG command-line tool with the --update option for automatic updates of the blacklist database.

