语法：
ipset [ OPTIONS ] COMMAND [ COMMAND-OPTIONS ]
COMMANDS := { create | add | del | test | destroy | list | save | restore | flush | rename | swap | help | version | - }
OPTIONS := { -exist | -output { plain | save | xml } | -quiet | -resolve | -sorted | -name | -terse | -file filename }
ipset create SETNAME TYPENAME [ CREATE-OPTIONS ]
ipset add SETNAME ADD-ENTRY [ ADD-OPTIONS ]
ipset del SETNAME DEL-ENTRY [ DEL-OPTIONS ]
ipset test SETNAME TEST-ENTRY [ TEST-OPTIONS ]
ipset destroy [ SETNAME ]
ipset list [ SETNAME ]
ipset save [ SETNAME ]
ipset restore
ipset flush [ SETNAME ]
ipset rename SETNAME-FROM SETNAME-TO
ipset swap SETNAME-FROM SETNAME-TO
ipset help [ TYPENAME ]
ipset version

TYPENAME := method:datatype[,datatype[,datatype]]
当前使用的method方法是bitmap、hash, datatypes的list有 ip, net, mac, port and iface, botmap和list用于一个固定大小的storage,
The bitmap and list types use a fixed sized storage. The hash types use a hash to store the elements. In order to avoid clashes in the hash, a limited number of chaining, and if that is exhausted, the doubling of the hash size is performed when adding entries by the ipset command. When entries added by the SET target of iptables/ip6tables, then the hash size is fixed and the set won't be duplicated, even if the new entry cannot be added to the set.

一般的创建和添加操作：
timeout设置超时时间，如果设置为0，表示永久生效，超时时间可以通过 -exist来进行修改：

ipset create test hash:ip timeout 300
ipset add test 192.168.0.1 timeout 60

ipset -exist add test 192.168.0.1 timeout 600

counters, packets, bytes:
如果不指定packets和bytes的话，会在初始化的时候变为0，或者在创建set的时候指定value:
ipset create foo hash:ip counters

ipset add foo 192.168.1.1 packets 42 bytes 1024

comment(扩展)：
所有的set类型都支持comments，此模块是用来做注释，相当于git中的-m:

ipset create foo hash:ip comment
ipset add foo 192.168.1.1/24 comment "allow access to SMB share on \\fileserv\"

the above would appear as: "allow access to SMB share on \fileserv"

hashsize:
这个模块用于创建set时候的命令（适用于所有hash set），默认大小为1024，设置的时候必须是2的幂次方，不对话kernal会四舍五入：
ipset create test hash:ip hashsize 1536
maxelem：
这个模块用于 所有的hash type sets create动作，这个是用来指定存出来set中最大元素的数量，默认是65535：

           ipset create test hash:ip maxelem 2048

family(inet|inet6):
用于所有hash type sets(除了hash:mac)的create动作， It defines the protocol family of the IP addresses to be stored in the set ，对于inet家族，您可以通过在该条目的IP地址部分指定一个范围或一个IPv4地址网络来添加或删除多个条目。

•      ipaddr* := { *ip* | *fromaddr*-*toaddr* | *ip*/*cidr* }
  

•      netaddr* := { *fromaddr*-*toaddr* | *ip*/*cidr* }
  

Example:

ipset create test hash:ip family inet6

hash:ip：
set type用一个hash存储ip或者网络地址，zero value是不能被存储到hash:ip类型中的：
CREATE-OPTIONS := [ family { inet | inet6 } ] | [ hashsize value ] [ maxelem value ] [ netmask cidr ] [ timeout value ] [ counters ] [ comment ] [ skbinfo ]
ADD-ENTRY := ipaddr（要添加的ip地址）
ADD-OPTIONS := [ timeout value ] [ packets value ] [ bytes value ] [ comment string ] [ skbmark value ] [ skbprio value ] [ skbqueue value ]

DEL-ENTRY := ipaddr（要删除的ip地址）

TEST-ENTRY := ipaddr
netmask cidr:
当选定的netmask被指定的时候， network addresses将代替 IP host addresses存储在set中，cidr的值对于iPv4是1-32，ipv6是1-128， An IP address will be in the set if the network address, which is resulted by masking the address with the netmask, can be found in the set. Examples:

ipset create foo hash:ip netmask 30
ipset add foo 192.168.1.0/24

ipset test foo 192.168.1.2

nomatch：
The hash set types which can store net type of data (i.e. hash:net) support the optional nomatch option when adding entries. When matching elements in the set, entries marked as nomatch are skipped as if those were not added to the set, which makes possible to build up sets with exceptions. See the example at hash type hash:net below.

When elements are tested by ipset, the nomatch flags are taken into account. If one wants to test the existence of an element marked with nomatch in a set, then the flag must be specified too.
总结下来就是，这个通常与hash:net搭配使用，用来跳过 hash:net指定的ip netmask address.

hash:net：
** 这个是用一个hash存储不同大小的** IP network addresses，具有0前缀的的网络地址不能被存储到sets中：

CREATE-OPTIONS := [ family { inet | inet6 } ] | [ hashsize value ] [ maxelem value ] [ timeout value ] [ counters ] [ comment ] [ skbinfo ]
ADD-ENTRY := netaddr
ADD-OPTIONS := [ timeout value ] [ nomatch ] [ packets value ] [ bytes value ] [ comment string ] [ skbmark value ] [ skbprio value ] [ skbqueue value ]
DEL-ENTRY := netaddr
TEST-ENTRY := netaddr
where netaddr := ip[/cidr]

Example:

ipset create foo hash:net
ipset add foo 192.168.0.0/24
ipset add foo 10.1.0.0/16
ipset add foo 192.168.0/24

ipset add foo 192.168.0/30 nomatch

hash:net,net
** 这种set type是用一个hash存储成对的不同大小的ip network address,** Bear in mind(记住)第一个参数比第二个参数优先，加入有明确的第一和第二个参数，很可能 nomatch就不生效了，带0前缀的地址也是无法存储的。

CREATE-OPTIONS := [ family { inet | inet6 } ] | [ hashsize value ] [ maxelem value ] [ timeout value ] [ counters ] [ comment ] [ skbinfo ]
ADD-ENTRY := netaddr,netaddr
ADD-OPTIONS := [ timeout value ] [ nomatch ] [ packets value ] [ bytes value ] [ comment string ] [ skbmark value ] [ skbprio value ] [ skbqueue value ]
DEL-ENTRY := netaddr,netaddr
TEST-ENTRY := netaddr,netaddr
where netaddr := ip[/cidr]
Example:

ipset create foo hash:net,net
ipset add foo 192.168.0.0/24,10.0.1.0/24
ipset add foo 10.1.0.0/16,10.255.0.0/24
ipset add foo 192.168.0/24,192.168.54.0-192.168.54.255

ipset add foo 192.168.0/30,192.168.64/30 nomatch

hash:ip,port
** ** The hash:ip,port set type uses a hash to store IP address and port number pairs. The port number is interpreted together with a protocol (default TCP) and zero protocol number cannot be used.
Examples:

ipset create foo hash:ip,port
ipset add foo 192.168.1.0/24,80-82
ipset add foo 192.168.1.1,udp:53
ipset add foo 192.168.1.1,vrrp:0

ipset test foo 192.168.1.1,80

创建一个集合
ipset create vader hash:ip

这条命令创建了名为 vader 的集合，以 hash 方式存储，存储内容是 IP 地址。
添加 iptables 规则
iptables -I INPUT -m set --match-set vader src -j DROP

如果源地址(src)属于 vader 这个集合，就进行 DROP 操作。这条命令中，vader 是作为黑名单的，如果要把某个集合作为白名单，添加一个 ‘!’ 符号就可以。
iptables -I INPUT -m set ! --match-set vader src -j DROP

hash:net,port

The hash:net,port set type uses a hash to store different sized IP network address and port pairs. The port number is interpreted together with a protocol (default TCP) and zero protocol number cannot be used. Network address with zero prefix size is not accepted either.

Examples:

ipset create foo hash:net,port
ipset add foo 192.168.0/24,25
ipset add foo 10.1.0.0/16,80

ipset test foo 192.168.0/24,25

hash:ip,port,ip

The hash:ip,port,ip set type uses a hash to store IP address, port number and a second IP address triples. The port number is interpreted together with a protocol (default TCP) and zero protocol number cannot be used.

         Examples:

ipset create foo hash:ip,port,ip
ipset add foo 192.168.1.1,80,10.0.0.1

ipset test foo 192.168.1.1,udp:53,10.0.0.1

hash:ip,port,net

The hash:ip,port,net set type uses a hash to store IP address, port number and IP network address triples. The port number is interpreted together with a protocol (default TCP) and zero protocol number cannot be used. Network address with zero prefix size cannot be stored either.、

       Examples:

ipset create foo hash:ip,port,net
ipset add foo 192.168.1,80,10.0.0/24
ipset add foo 192.168.2,25,10.1.0.0/16

ipset test foo 192.168.1,80.10.0.0/24

hash:ip,mark

The hash:ip,mark set type uses a hash to store IP address and packet mark pairs.

Examples:

ipset create foo hash:ip,mark
ipset add foo 192.168.1.0/24,555
ipset add foo 192.168.1.1,0x63

ipset add foo 192.168.1.1,111236

hash:net,port,net

The hash:net,port,net set type behaves similarly to hash:ip,port,net but accepts a cidr value for both the first and last parameter. Either subnet is permitted to be a /0 should you wish to match port between all destinations.

Examples:

ipset create foo hash:net,port,net
ipset add foo 192.168.1.0/24,0,10.0.0/24
ipset add foo 192.168.2.0/24,25,10.1.0.0/16

ipset test foo 192.168.1.1,80,10.0.0.1

hash:net,iface

The hash:net,iface set type uses a hash to store different sized IP network address and interface name pairs.

Examples:

ipset create foo hash:net,iface
ipset add foo 192.168.0/24,eth0
ipset add foo 10.1.0.0/16,eth1

ipset test foo 192.168.0/24,eth0

list:set
** ** The list:set type uses a simple list in which you can store set names.

By the set match or SET target of netfilter you can test, add or delete entries in the sets added to the list:set type of set. The match will try to find a matching entry in the sets and the target will try to add an entry to the first set to which it can be added. The number of direction options of the match and target are important: sets which require more parameters than specified are skipped, while sets with equal or less parameters are checked, elements added/deleted. For example if a and b are list:set type of sets then in the command

iptables -m set --match-set a src,dst -j SET --add-set b src,dst

iptables想所有人开放9200端口：

[root@centos2 ~]# iptables -A INPUT -p tcp --dport 9200 -j ACCEPT
[root@centos2 ~]# iptables -A OUTPUT -p tcp --sport 9200 -j ACCEPT

添加 iptables 规则
iptables -I INPUT -m set --match-set vader src -j DROP

如果源地址(src)属于 vader 这个集合，就进行 DROP 操作。这条命令中，vader 是作为黑名单的，如果要把某个集合作为白名单，添加一个 ‘!’ 符号就可以。

iptables -I INPUT -m set ! --match-set yoda src -j DROP

创建一个新的ipset
ipset create openapi hash:net
1、查看已创建的ipset

2、ipset默认可以存储65536个element，使用maxelem指定数量

ipset create openapi hash:net maxelem 1000000
ipset list
3、加入一个黑名单ip
ipset add openapi 180.156.238.246
4、创建防火墙规则，与此同时，openapi这个ipset里的ip都无法访问22端口
iptables -I INPUT -m set --match-set openapi src -p tcp --destination-port 22 -j DROP
service iptables save
5、去除黑名单，与此同时，又可以访问了
ipset del openapi 180.156.238.246
6、将ipset规则保存到文件
ipset save openapi -f openapi.txt
7、删除ipset
ipset destroy openapi
8、导入ipset规则
ipset restore -f openapi.txt