
sl0m0ZA/puppet-ipset

 
 


ipset

Table of Contents

  1. Overview
  2. Usage
  3. Reference
  4. Limitations
  5. Changelog
  6. Development
  7. Thanks

Overview

This module manages Linux IP sets.

  • Checks the current ipset state before making any changes to it.
  • Re-applies the ipset every time it drifts from the target state, not only when the config file changes.
  • Handles type changes.
  • Autostart support for RHEL 6 and RHEL 7 family (upstart, systemd).
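
To illustrate what state checking, drift and type changes mean in practice, here is an added example (not this module's own code) that parses constructed `ipset list` output and compares it with a target set and type. The function names norm, parse_ipset_list and drift are hypothetical, and only IPv4 entries are assumed.

```ruby
require 'set'

# Constructed sample of `ipset list foo` output; 9.9.9.9 is not in the target.
SAMPLE_LIST = <<~OUT
  Name: foo
  Type: hash:ip
  Revision: 4
  Header: family inet hashsize 1024 maxelem 65536
  Size in memory: 200
  References: 1
  Number of entries: 2
  Members:
  1.2.3.4
  9.9.9.9
OUT

# Normalise one entry: trim, and drop "/32" so host entries compare equal.
def norm(entry)
  entry.strip.sub(%r{/32\z}, '')
end

# Parse `ipset list <name>` output into the set type and its members.
def parse_ipset_list(text)
  type = nil
  members = Set.new
  in_members = false
  text.each_line do |line|
    line = line.strip
    next if line.empty?
    if in_members
      members << norm(line.split.first) # drop per-entry options (timeout ...)
    elsif line.start_with?('Type:')
      type = line.split(':', 2).last.strip
    elsif line == 'Members:'
      in_members = true
    end
  end
  { type: type, members: members }
end

# Compare live state with the target (Array or "\n"-separated String).
def drift(live_text, target_set, target_type)
  live = parse_ipset_list(live_text)
  list = target_set.is_a?(Array) ? target_set : target_set.split("\n")
  want = list.map { |e| norm(e) }.reject(&:empty?).to_set
  { type_changed: live[:type] != target_type, # a type change needs a rebuild
    missing: (want - live[:members]).sort,
    unexpected: (live[:members] - want).sort }
end
```

An empty `missing` and `unexpected` with `type_changed` false means the live set already matches the target and nothing needs to be applied.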

Usage

Array

IP sets can be filled from an array data structure, typically passed from Hiera.

ipset { 'foo':
  ensure => present,
  set    => ['1.2.3.4', '5.6.7.8'],
  type   => 'hash:ip',
}

String

You can also pass a pre-formatted string directly, using one entry per line (with \n as a separator). This pattern is practical when generating the IP set entries using a template.

ipset { 'foo':
  ensure => present,
  set    => "1.2.3.4\n5.6.7.8",
  type   => 'hash:ip',
}

Module file

IP set content can also be stored in a module file:

ipset { 'foo':
  ensure => present,
  set    => "puppet:///modules/${module_name}/foo.ipset",
}

Local file

Or it can be read from a plain text file stored on the local filesystem:

file { '/tmp/bar_set_content':
  ensure  => present,
  content => "1.2.3.0/24\n5.6.7.8/32"
}
-> ipset { 'bar':
  ensure => present,
  set    => 'file:///tmp/bar_set_content',
  type   => 'hash:net',
}

Reference

Limitations

  • Tested on Debian and RedHat-like Linux distributions
  • IPv6 sets have not been tested yet
  • Only hash ipsets are supported (this excludes bitmap and list:set)

Changelog

See CHANGELOG

Development

See development

Thanks

This module is a fork of pmuller/ipset, which was forked from mighq/ipset, which was based on thias/ipset.
