Module ipset
In: /modules/ipset/manifests/init.pp


Manage IP sets in the Linux kernel. Support in Red Hat Enterprise Linux has been introduced in the RHEL 6.2 kernel (run "modinfo ip_set" to check).

Once you have your IP sets in place, you‘ll want to manage iptables rules which make use of those IP sets.


ipset   iptables  

Classes and Modules

Class ipset::base
Class ipset::params


ipset( $ipset_add_options => '', $ipset_create_options => '', $from_file => 'false', $ipset_type => 'hash:ip', $ensure => 'undef' )

Define: ipset

Create and manage ipsets. You must pass one of $from_file, … TODO, unless you are passing "ensure => absent" to remove the ipset.


   Create and manage the ipset from the content of a file. Default: none
   The type of the ipset. Default: hash:ip
   The create options of the ipset. Default: empty
   The add options of the ipset elements. Default: empty

Sample Usage:

 file { '/path/to/my_blacklist.txt': content => "\n10.0.0.2\n" }
 ipset::test { 'my_blacklist':
     from_file => '/path/to/my_blacklist.txt',
iptables( $strictmatch => 'false', $chain, $flags => 'src', $target => 'DROP', $options => '', $table => 'filter', $ipset => 'name' )

Define: ipset::iptables

This shouldn‘t exist. There should be a way to have iptables silently ignore rules for non-existing IP sets… NOTE: No absent support! Just remove then restart iptables. Also make sure you never save iptables rules with IP set rules included, or restore will fail when the IP sets don‘t (yet) exist. That‘s the whole problem we try to solve here.


  The table to insert the rule into. Default: 'filter'
  The chain to indert the rule into. Mandatory.
  The IP set to match against. Default: $name
   Use it if you are creating more than one iptables rule for the same IP set.
  Comma separated list of 'src' and 'dst' specifications. Default: 'src'
  The options for the inserted rule. Default: empty
  You will often want to use this.
  The target used by inserted rule. Default: 'DROP'
  Strict match when checking for existing rules. Default: false
  Enable if you are sure your $options are set properly and you are having
  problems creating multiple rules for the same IP set.

Sample Usage:

 ipset::iptables { 'mylist':
     chain   => 'INPUT',
     options => '-p tcp',
     target  => 'REJECT',
 ipset::iptables { 'mylist-log':
     table   => 'raw',
     chain   => 'PREROUTING',
     ipset   => 'mylist',
     options => '-p tcp --dport 80',
     target  => 'LOG --log-prefix "MyList: "',