ipset set listing wrapper script — Match and display ipset (netfilter.org) sets in various ways
Scope = security, networking, system administration -- linux - netfilter/ipset
ipset_list [
option
[
option_argument
]
...] [
set-name-glob
...]
ipset_list is a wrapper script for listing sets of the netfilter ipset program. It allows you to match and display sets, headers, and elements in various ways. The resulting representation of the query can be saved as shell script containing the set creation / population commands, or in ipset `save', or `xml' format.
It is written for the bash shell.
It includes an interactive wizard based mode, that utilizes a dialog program (dialog or whiptail are supported).
Optionally the output can be colorized.
A compspec (programmable completion specification) for bash completion is included.
Some variables are available inside the script configuration header, or the
configuration file (ipset_list.conf). As the configuration file
will be loaded after reading the configuration header, its settings take precedence. The
variables are all undefined by default. Thus being available for manipulation in the
environment at runtime. None of them is mandatory, unless you want to change default
values. For details see section Environment, or the
comments inside ipset_list[.conf].
Some options exclude or require each other. ipset_list will complain if that is the case. The output of ipset_list -h does display the valid combinations.
Example usage is given in the header of the script itself, or in the
Readme.md shipping with ipset_list.
All options are optional. Some require an argument, others do not. All options and their arguments must be separated by blank(s). If an option can be used more than once, it is mentioned explicitly.
When run without arguments, the names of all sets found, are displayed with the prefix `Name:'.
Show usage instructions.
Show version information.
Enter interactive mode. This wizard based way to select the options
utilizes a dialog program. Which can
either be dialog or whiptail. dialog is the
preferred and default, if the variable dialog_prog is not
defined. Only dialog versions greater or equal to 1.2 are supported.
Show all information (header and members) but with default
delim (whitespace).
Calculate the total amout of set members and also the sum of members matching a criteria given by another option.
Delimiter character used to separate member entries. By default ipset uses
newline as delimiter. ipset_list by
default uses a whitespace. Which can
be changed permanently by editing the variable delim in the
configuration header of ipset_list.
If this parameter is used when starting interactive mode, it will apply globally to all search queries performed. Unless you choose the Delim option from the menu, which will overwrite the global value just for that single query.
Show only the members of a single set.
Show the set(s) members.
Show the set names only. No prefix is shown, as when running ipset_list without arguments.
Try to resolve ip addresses in the output (slow!).
If this option is used when entering interactive mode, it will be pre-selected in the menu, as long the session lasts.
Print elements sorted (if supported by the set type).
If this option is used when entering interactive mode, it will be pre-selected in the menu, as long the session lasts.
Show set headers only.
Enable all counters (shortcut for -c -Cs -Ts -Tm).
Colorize the output.
Requires the cl program. It can be downloaded from here: http://sf.net/projects/colorize-shell/ or: https://github.com/AllKind/cl.
Configuration variables are available to adjust the color settings. Their
names are prefixed with col_*. The list of valid color names
can be retrieved by running cl --list.
The default is not to use colored output. That can be changed by setting
the colorize variable to `1'.
If this option is used when entering interactive mode, it will be pre-selected in the menu, as long the session lasts.
Count the amount of sets that matched the search criteria.
Match on members using a [ext]glob pattern.
Match on members using a regex pattern.
Show sets containing one or more [ext]glob matching headers.
This option can be used multiple times.
Show sets matching one or more integer valued header entries.
This option can be used multiple times.
When in interactive mode, generate the ipset_list command-line, as for use in 'normal' mode.
If this option is used when entering interactive mode, then the option will be pre-selected in the menu, as long the session lasts.
Save the result of the query as shell script containing the ipset set creation / population commands.
If `auto' is used as option argument, the file name is automatically generated. Otherwise it must be specified.
If `none' is used as option argument, the output is sent to stdout. This will suppress normal output.
The option argument can be omitted. In that case `auto' is assumed.
The arguments `auto' and `none' can be written in short form. Meaning only
the first character is mandatory. While `file' should
be a regular file name.
It is not valid to use `-Gp none' together with `-Gs
none', or `-Gx none'.
If this option is used when entering interactive mode, it will be preselected in the menu, as long the session lasts.
The directory the file(s) will be saved into can be modified using the
cachedir variable.
Save the result of the query in `ipset save` output format.
Everything else is equal to option -Gp. See the above description.
Save the result of the query as ipset xml output. The format is equal to the output of `ipset save -o xml`.
Everything else is equal to option -Gp. See the above description.
Match on integer valued entries of the `Header' header. i.e. timeout.
This option can be used multiple times.
Match on the set type.
Match on number of references. value=integer.
Match on size in memory. value=integer.
Match on revision number. value=integer.
Match on the member count. value=integer.
value = int | 0xhex[/0xhex] |
hex:[!|<|>|<=|>=]hex.
Match values of member options. i.e. timeout.
This option can be used multiple times.
Run `ipset test set element` to check if the element is in the set.
This option can be used multiple times.
Calculate the total memory usage of all matching sets.
Set timeout value (integer) in seconds for the shell builtin read. This affects
the listing of sets. The default value of the set_tmout variable,
which can be set in the configuration header of the script, is 30. This
command line option overrides it.
If this parameter is used when starting interactive mode, it will apply globally to all search queries performed. Unless you choose the Timeout option from the menu, which will overwrite the global value just for that single search.
To influence for how long the result is displayed in interactive mode,
before returning to the main screen, set the variable
iactive_tmout (default 9999999999 - that should be
sufficient time for you to stare at the result, aight?) to the desired
value.
Count the amount of traversed sets.
Suppress the display of member options.
Exclude one or more [ext]glob matching header entries.
This option can be used multiple times.
Exclude members matching a [ext]glob pattern.
Exclude members matching a regex pattern.
Exclude sets matching a [ext]glob pattern.
This option can be used multiple times.
Stop further option processing.
The following variables are available during runtime. They can also be defined
permanently in the configuration header of ipset_list, or the
configuration file (ipset_list.conf).
The full path to the configuration file. This variable is obviously only available in the configuration header, or the environment.
Ipset executable. The variable can be either: empty, the name of the binary, or the full path to the binary.
Directory to save the query results into. The variable can be either:
empty, in which case it defaults to
/var/cache/ipset_list, or a regular
path.
See description of the `-To' parameter.
Colorize the output. The variable can be either: empty (=0), `0' - disabled, or `1' - enabled.
The cl program. The variable can be either: empty, the name of the binary, or the full path to the binary. Also see description of the `-Co' parameter.
Default foreground color. Defaults to white.
Default background color. Defaults to black.
Color for headers. Defaults to cyan.
Color for members. Defaults to yellow.
Color for matching entries. Defaults to red.
Color for displaying of memsize. Defaults to green.
Color for counting of matching sets. Defaults to magenta.
Color for counting of traversed sets. Defaults to blue.
General highlighting color. Defaults to white.
The dialog program required for interactive mode. The variable can be either: empty, the name of the binary (dialog or whiptail), or the full path to the binary.
The tput program - optional for interactive mode. The variable can be either: empty, the name of the binary, or the full path to the binary.
Terminal window height for interactive mode. Best practice is to set it to 0 and let tput retrieve the value.
Terminal window with for interactive mode. Best practice is to set it to 0 and let tput retrieve the value.
List height for interactive mode. Best practice is to set it to 0 and let ipset_list calculate the value (=w_height - 10).