What is and how to create an IpSet? (Firewalld/Iptables)


An IPset is a set of IP or MAC addresses grouped together under a name.

You can use an IPset anywhere a source is accepted, by prefixing its name with ipset: (for example ipset:white-list).


Add source


To make the new setting effective in the runtime environment, reload firewalld.

List of IPv4 addresses

An IPset called white-list (stored as /etc/firewalld/ipsets/white-list.xml):

<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:net">
  <!-- one <entry> per IPv4 address or subnet, for example <entry>192.0.2.0/24</entry> -->
</ipset>

List of MAC addresses

An IPset holding MAC addresses:

<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:mac">
  <!-- one <entry> per MAC address, for example <entry>00:11:22:33:44:55</entry> -->
</ipset>


IpSet Type

The ipset type defines how the set is stored, i.e.:

  • its storage method (hash, …), which affects lookup time (linear or not)
  • and the syntax of its content (IP address or subnet), which affects its size

The ipset type therefore determines the memory size of the set.




A type name is a storage method followed by one or more data types (for example hash:net or hash:ip,port):

  • method is one of bitmap, hash, and list
  • data type is one of:
    • ip - one line, one IP address
    • net - one line, one subnet
    • mac - one line, one MAC address
    • port - one line, one port
    • iface - one line, one interface name

See the details in the ipset manual (netfilter). The types known to firewalld can be listed with:

firewall-cmd --get-ipset-types
hash:ip hash:ip,mark hash:ip,port hash:ip,port,ip hash:ip,port,net hash:mac hash:net hash:net,iface hash:net,net hash:net,port hash:net,port,net


IP addresses in an ipset must be either all IPv4 or all IPv6.

This is defined by the family setting of the ipset. It can be either:

  • inet (the default, IPv4)
  • or inet6 (IPv6).

<ipset type="hash:net">
  <option name="family" value="inet"/>
</ipset>


Creation by file

You can create an ipset at the command line or via the GUI, but also via configuration files located at:

  • /usr/lib/firewalld/ipsets/*.xml (built-in sets shipped by the distribution; overwritten on package updates)
  • /etc/firewalld/ipsets/yourIpSet.xml (your own sets; a file here overrides a built-in set of the same name)

Example from the Cloudflare howto:

  • to create the ipset named cloudflare-ipv4,
  • you would put the file in /etc/firewalld/ipsets/cloudflare-ipv4.xml
  • with the following content (and reload):

<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:net">
  <option name="family" value="inet"/>
  <!-- one <entry> per Cloudflare IPv4 range; the list is omitted here -->
</ipset>
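Writing these files by hand is error-prone: one mistyped line or an IPv6 range in an inet set makes firewalld refuse the whole file, and a permissive typo (192.0.2.0/2 instead of /24) silently whitelists far more than intended. The following added example (not code from the page or from the firewalld project) validates a plain address list with Python's standard ipaddress module, normalises and de-duplicates it, renders the ipset XML in the layout shown above, and reads a definition back to prove it is well-formed. The function names, the sample addresses (RFC 5737 documentation ranges, not Cloudflare's list) and the assumption that hash:mac sets carry no family option are this example's own.

```python
"""Build and validate a firewalld ipset XML file from a plain list of entries.

Added example, not code from the original page or from the firewalld project.
It assumes the firewalld ipset file layout shown on the page:
<ipset type="..."><option name="family" value="inet|inet6"/><entry>...</entry></ipset>
"""
import ipaddress
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Lower-case colon-separated MAC address, the form ipset's hash:mac expects.
MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def validate_entries(lines, set_type, family="inet"):
    """Return (accepted, rejected) for a list of raw text lines.

    accepted: normalised, de-duplicated entries in input order
    rejected: (line, reason) pairs that must never reach the firewall config
    """
    accepted, rejected, seen = [], [], set()
    want_v4 = family == "inet"
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):      # skip blank lines and comments
            continue
        try:
            if set_type == "hash:mac":
                norm = line.lower()
                if not MAC_RE.match(norm):
                    raise ValueError("not a MAC address")
            elif set_type == "hash:net":
                # strict=False turns 10.0.0.7/24 into the network 10.0.0.0/24
                net = ipaddress.ip_network(line, strict=False)
                if (net.version == 4) != want_v4:
                    raise ValueError("address family does not match %s" % family)
                norm = str(net)
            elif set_type == "hash:ip":
                ip = ipaddress.ip_address(line)
                if (ip.version == 4) != want_v4:
                    raise ValueError("address family does not match %s" % family)
                norm = str(ip)
            else:
                raise ValueError("unsupported ipset type %s" % set_type)
        except ValueError as exc:
            rejected.append((line, str(exc)))
            continue
        if norm not in seen:                      # drop duplicates, keep first occurrence
            seen.add(norm)
            accepted.append(norm)
    return accepted, rejected


def build_ipset_xml(set_type, entries, family="inet"):
    """Render the text firewalld expects in /etc/firewalld/ipsets/<name>.xml."""
    out = ['<?xml version="1.0" encoding="utf-8"?>',
           '<ipset type="%s">' % escape(set_type, {'"': "&quot;"})]
    if set_type != "hash:mac":   # assumption: MAC sets have no address family
        out.append('  <option name="family" value="%s"/>' % family)
    out.extend("  <entry>%s</entry>" % escape(e) for e in entries)
    out.append("</ipset>")
    return "\n".join(out) + "\n"


def parse_ipset_xml(text):
    """Read a definition back as (type, family or None, [entries]); fails if malformed."""
    root = ET.fromstring(text)
    family = None
    for opt in root.findall("option"):
        if opt.get("name") == "family":
            family = opt.get("value")
    return root.get("type"), family, [e.text for e in root.findall("entry")]


if __name__ == "__main__":
    # Constructed sample list: documentation ranges plus two lines that must be rejected.
    sample = ["192.0.2.0/24", "198.51.100.7", "2001:db8::/32", "not-an-ip", "192.0.2.0/24"]
    good, bad = validate_entries(sample, "hash:net", "inet")
    print(build_ipset_xml("hash:net", good), end="")
    for line, why in bad:
        print("rejected %r: %s" % (line, why))
```

The accepted list written by validate_entries is also exactly what --add-entries-from-file wants, one entry per line, so the same check can guard that path. Rejections are returned rather than raised so an operator sees every bad line in one pass instead of fixing them one reload at a time.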

List Ipset

firewall-cmd --permanent --get-ipsets

Test your ipset

ipset test ipsetName x.x.x.x

ipset test queries the set in the kernel, so a set created with --permanent can only be tested after firewalld has been reloaded.

Example with a Cloudflare subnet (replace the placeholder with an address from one of the Cloudflare ranges):

ipset test cloudflare-ipv4 <cloudflare-address>

Add IpSet

  • new for ipv4
firewall-cmd --permanent --new-ipset=ipSetName --type=hash:net
  • new for ipv6
firewall-cmd --permanent --new-ipset=ipSetName --type=hash:net --option=family=inet6

Delete IpSet

firewall-cmd --permanent --delete-ipset=ipSetName

Info IpSet

  • info: entries and options
firewall-cmd --permanent --info-ipset=ipSetName
# the options come first, so head is enough to see them for a big list
firewall-cmd --permanent --info-ipset=ipSetName | head
  • with ipset (-t prints the header only, including the memory size)
ipset -t list ipsetName
Name: nl
Type: hash:ip
Revision: 4
Header: family inet hashsize 32768 maxelem 65536
Size in memory: 1444728
References: 0
Number of entries: 65536
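Two things in that header deserve a second look: Number of entries equals maxelem, so the set is full and any further add fails, and References is 0, meaning no rule uses the set, so it currently filters nothing. The following added example (not code from the page or from the ipset/firewalld projects) parses this header format and turns both conditions into findings; the sample text is constructed to mirror the output above, and the set of bare header flags, the function names and the 90% warning threshold are this example's own assumptions.

```python
"""Parse the header printed by `ipset -t list <name>` and flag operational problems.

Added example, not from the page or the ipset/firewalld projects.  It assumes the
header layout shown on the page: "Header: family inet hashsize N maxelem N ...".
"""

# Constructed sample mirroring the page's own output.
SAMPLE = """Name: nl
Type: hash:ip
Revision: 4
Header: family inet hashsize 32768 maxelem 65536
Size in memory: 1444728
References: 0
Number of entries: 65536
"""

# Header keywords printed without a value (assumption about ipset's output format).
BARE_FLAGS = {"counters", "comment", "skbinfo", "forceadd"}


def parse_ipset_header(text):
    """Return a dict of the header fields with numeric values converted to int."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")   # split on the first colon only
        if sep:
            fields[key.strip()] = value.strip()
    header = {}
    tokens = fields.get("Header", "").split()
    i = 0
    while i < len(tokens):
        if tokens[i] in BARE_FLAGS:              # flag without a value
            header[tokens[i]] = True
            i += 1
        else:                                    # "keyword value" pair
            header[tokens[i]] = tokens[i + 1] if i + 1 < len(tokens) else None
            i += 2
    return {
        "name": fields.get("Name"),
        "type": fields.get("Type"),
        "family": header.get("family"),
        "hashsize": int(header.get("hashsize") or 0),
        "maxelem": int(header.get("maxelem") or 0),
        "entries": int(fields.get("Number of entries") or 0),
        "memory_bytes": int(fields.get("Size in memory") or 0),
        "references": int(fields.get("References") or 0),
    }


def check_set(summary, warn_ratio=0.9):
    """Return the findings an operator would act on, in order of severity."""
    findings = []
    maxelem, entries = summary["maxelem"], summary["entries"]
    if maxelem and entries >= maxelem:
        findings.append("full: %d of %d entries, further adds fail until maxelem is raised"
                        % (entries, maxelem))
    elif maxelem and entries >= warn_ratio * maxelem:
        findings.append("nearly full: %d of %d entries" % (entries, maxelem))
    if summary["references"] == 0:
        findings.append("References is 0: no rule uses this set, so it filters nothing")
    return findings


if __name__ == "__main__":
    summary = parse_ipset_header(SAMPLE)
    print("%s (%s, %s): %d/%d entries, %d bytes"
          % (summary["name"], summary["type"], summary["family"],
             summary["entries"], summary["maxelem"], summary["memory_bytes"]))
    for finding in check_set(summary):
        print("  !", finding)
```

In practice the text comes from subprocess.run(["ipset", "-t", "list", name]) on the host; feeding the function saved output, as here, lets the checks run in a monitoring job without root.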

Add Entry Ipset

  • add an entry manually
firewall-cmd --permanent --ipset=ipSetName --add-entry=<address-or-subnet>
  • add entries from a file (one entry per line)
# add
firewall-cmd --permanent --ipset=ipSetName --add-entries-from-file=iplist.txt

Remove Entry Ipset

  • remove an entry manually
firewall-cmd --permanent --ipset=ipSetName --remove-entry=<address-or-subnet>
  • remove entries from a file (one entry per line)
# remove
firewall-cmd --permanent --ipset=ipSetName --remove-entries-from-file=iplist.txt

Remove Ipset

firewall-cmd \
    --permanent \
    --ipset=ipSetName \

Discover More

Cheatsheet on the usage of Firewalld
Chrome Site Cant Be Reached
How to allow only the HTTP traffic from a subnet such as Cloudflare with Firewalld?

This article is a step by step that shows you how to configure the firewall Firewalld to allow the network packet traffic from a subnet such as Cloudflare
