(Doubt) I'm trying to understand how to use ipset in a practical way

Hello friends. I'm trying to understand how to use ipset in a practical, real-life way. Can you tell me when and how it can be used with OpenWrt?

It really depends on what you are trying to do... but here's some documentation:

3 Likes

In basic terms, it's a way to have one nft rule apply to multiple IP addresses where you can manipulate the IP addresses without having to modify the rule.

For example, it is used in OpenWrt by simple adblock in certain configurations so that you can block ads by ip address. One block rule, multiple addresses.

Was that a school assignment? :wink:

4 Likes

No, I'm just trying to understand it in a practical way, so I can use it

It's not clear to me if you have a specific goal in mind and are trying to understand if ipset is the way to implement it, or if you are trying to see how you can use ipset just because you can.

Picking those things apart...

  • if you have a goal for what you want to achieve, please share that. There are lots of people who can help advise accordingly. Consider this a 'problem in search of a solution'

  • if you're trying to figure out a way that can use this feature, you probably don't really need it. You may have a solution in search of a problem. In this case, there's really no reason to go any further, unless you are doing it in the spirit of learning new things (in that case, awesome! go for it).

5 Likes

I want to block all traffic from any host that probes my router for open ports.

I can add a new rule each time I detect a probe, or I can have a rule blocking all IPs from a set and add new addresses to the set.

4 Likes

My use cases:

  • I'm a member of a mesh-based tunnel network; when I receive the list of IP endpoints in a route statement, I run a script to add them to an ipset - the ipset is then referenced in a rule to open the firewall for just those IPs
  • I can load various block lists (e.g. firehol, ipdeny, etc.) into an ipset and make a firewall rule to block them
  • I can create my own bogon/malicious/blocked ipset (no need to install additional packages) and make a firewall rule for that as well
  • @eduperez noted a good use case - adding IPs from scanning/logs into an ipset for blocking

As previously noted, ipsets basically allow updating/editing of a list of IPs - without the need to edit the underlying firewall rule(s) during the process.

Hope this helps.

4 Likes
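As an added example that is not a script from anyone in this thread: the "block every host that probes me" idea from two posts above, done the ipset way. The drop rule references one set and never changes; a script harvests probe sources from the firewall log and only touches the set. It assumes an fw4-based OpenWrt (table `inet fw4`), a zone or rule with `option log '1'` whose kernel log prefix is `drop wan in: ` (put whatever prefix the router really uses into `LOG_PREFIX`), and a WAN interface called `wan`; the log lines, set name `probers` and chain name `probe_guard` are constructed placeholders.

```sh
#!/bin/sh
# Added example, not a script from this thread: harvest the source addresses
# of probes that fw4 logged and dropped, then feed them into one nft set that
# a single drop rule references, so the rule itself never changes.
#
# Assumptions (placeholders, adjust to the router):
#   - fw4 is the firewall, so the table is "inet fw4";
#   - a zone or rule has "option log '1'", producing kernel log lines with
#     the prefix "drop wan in: " (the real prefix goes into LOG_PREFIX);
#   - the WAN interface is named "wan".
LOG_PREFIX='drop wan in: '
SET_NAME='probers'

# Constructed sample of what "logread" prints for such drops: two probes from
# 198.51.100.7, one from 192.0.2.200, plus an unrelated dnsmasq line that
# must be ignored. Field lists are shortened with "..." for readability.
SAMPLE_LOG='Mon Jan  1 00:00:01 2024 kern.warn kernel: [  100.000000] drop wan in: IN=wan OUT= MAC=... SRC=198.51.100.7 DST=203.0.113.1 ... PROTO=TCP SPT=40000 DPT=22 ...
Mon Jan  1 00:00:02 2024 kern.warn kernel: [  101.000000] drop wan in: IN=wan OUT= MAC=... SRC=198.51.100.7 DST=203.0.113.1 ... PROTO=TCP SPT=40001 DPT=23 ...
Mon Jan  1 00:00:03 2024 kern.warn kernel: [  102.000000] drop wan in: IN=wan OUT= MAC=... SRC=192.0.2.200 DST=203.0.113.1 ... PROTO=TCP SPT=5555 DPT=8080 ...
Mon Jan  1 00:00:04 2024 daemon.info dnsmasq[1234]: started, version 2.89 cachesize 150'

# Read log lines on stdin, keep only the dropped-probe lines, print the
# unique SRC= addresses one per line.
probe_sources() {
    grep -F -- "$LOG_PREFIX" \
        | sed -n 's/.* SRC=\([0-9.]*\) .*/\1/p' \
        | LC_ALL=C sort -u
}

# Persistent definition for /etc/nftables.d/probers.nft: fw4 includes files
# there inside "table inet fw4", so the set and the extra chain survive
# "fw4 reload". The chain hooks input just ahead of fw4's own input chain.
persistent_definition() {
    cat <<EOF
set $SET_NAME {
    type ipv4_addr
    flags timeout
    timeout 1d
    comment "hosts seen probing the WAN (filled by probe_sources)"
}
chain probe_guard {
    type filter hook input priority filter - 10; policy accept;
    iifname "wan" ip saddr @$SET_NAME counter drop comment "drop probing hosts"
}
EOF
}

# Read addresses on stdin and emit an nft batch for "nft -f -", adding each
# one with an explicit timeout (default 1d) so entries age out on their own.
nft_block_batch() {
    timeout="${1:-1d}"
    while IFS= read -r addr; do
        [ -n "$addr" ] || continue
        printf 'add element inet fw4 %s { %s timeout %s }\n' "$SET_NAME" "$addr" "$timeout"
    done
}

# Offline demo on the constructed log; on a router the pipeline would be:
#   logread | probe_sources | nft_block_batch | nft -f -
printf '%s\n' "$SAMPLE_LOG" | probe_sources | nft_block_batch 2h
```

The element timeout is what keeps this from becoming a permanently growing list: a host that stops probing drops out of the set by itself. Since `fw4 reload` flushes the table and re-creates the set empty, the harvest pipeline is the kind of thing to run from cron rather than once.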

I want to block DNS-over-HTTP (DoH) from use on my network, and have all DNS handled by my own local DNS server.

  • I create a pair of sets, one each for IPv4 and IPv6, called doh_ipv4 and doh_ipv6, respectively. These will contain the IP addresses of known DoH hosts.
  • I create a firewall rule that blocks access to these IPs.
  • I have an update script that updates the sets every night, via a cron job.

The sets look like this, only differing in the '4' vs '6':

$ nft -t list set inet fw4 doh_ipv4
table inet fw4 {
        set doh_ipv4 {
                typeof ip daddr
                size 65535
                flags dynamic,timeout
                timeout 7d
                gc-interval 6h
                comment "DNS: Block list for IPv4 DoH hosts."
        }
}

The rules look like this:

$ nft list ruleset | grep DNS
... other rules deleted for clarity ...
                meta l4proto { tcp, udp } th dport 443 ip  daddr @doh_ipv4 counter update @doh_ipv4 { ip  daddr } reject with icmp port-unreachable comment "DNS: Block IPv4 DoH by selective IPv4 address."
                meta l4proto { tcp, udp } th dport 443 ip6 daddr @doh_ipv6 counter update @doh_ipv6 { ip6 daddr } reject with icmpv6 port-unreachable comment "DNS: Block IPv6 DoH..."

1 Like
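An added example of what the nightly update script for the two sets above could look like; it is not the poster's script. It assumes the `doh_ipv4` and `doh_ipv6` sets exist in `table inet fw4` exactly as listed, that the DoH hostnames sit one per line in `/etc/doh_hosts.txt` (a placeholder path), and that `nslookup` is BusyBox's, whose answer section starts at a `Name:` line followed by `Address:` lines. The sample addresses are constructed so the batch builder can be checked offline.

```sh
#!/bin/sh
# Added example, not the poster's update script: rebuild the doh_ipv4 and
# doh_ipv6 sets from a list of DoH resolver hostnames in one atomic nft
# transaction. Meant to run nightly from cron.
#
# Assumptions (placeholders, not from the post): the two sets exist in
# "table inet fw4" exactly as shown in the thread; hostnames live one per
# line in /etc/doh_hosts.txt; nslookup is BusyBox's, whose answer section
# starts at a "Name:" line followed by "Address: ..." lines.
HOSTS_FILE='/etc/doh_hosts.txt'

# Constructed stand-in for resolver answers, so the batch builder can be
# exercised offline: mixed families, one duplicate.
SAMPLE_ADDRS='203.0.113.10
203.0.113.11
2001:db8::10
203.0.113.10
2001:db8::11'

# Resolve one hostname to its A and AAAA records (needs network; not used in
# the offline demo). Lines before "Name:" describe the server, not the answer.
resolve_host() {
    nslookup "$1" 2>/dev/null | sed -n '/^Name:/,$ s/^Address:[[:space:]]*//p'
}

# Read addresses on stdin; emit an nft batch that flushes both sets and
# re-adds every address. "nft -f" applies the whole batch as one transaction,
# so the blocking rule never observes an empty set, and elements inherit the
# sets' own "timeout 7d", so no per-element timeout is needed.
doh_batch() {
    v4=''; v6=''
    while IFS= read -r a; do
        case "$a" in
            '')  ;;                                 # skip blank lines
            *:*) v6="${v6:+$v6, }$a" ;;             # a colon means IPv6
            *)   v4="${v4:+$v4, }$a" ;;
        esac
    done
    printf 'flush set inet fw4 doh_ipv4\nflush set inet fw4 doh_ipv6\n'
    if [ -n "$v4" ]; then printf 'add element inet fw4 doh_ipv4 { %s }\n' "$v4"; fi
    if [ -n "$v6" ]; then printf 'add element inet fw4 doh_ipv6 { %s }\n' "$v6"; fi
}

# Real run on the router: resolve every host, dedupe, apply atomically.
update_doh_sets() {
    while IFS= read -r host; do
        if [ -n "$host" ]; then resolve_host "$host"; fi
    done < "$HOSTS_FILE" | LC_ALL=C sort -u | doh_batch | nft -f -
}

# Offline demo on the constructed addresses: print the batch instead of applying it.
printf '%s\n' "$SAMPLE_ADDRS" | LC_ALL=C sort -u | doh_batch
```

Doing the flush and the re-add inside one `nft -f` batch is the point: separate `nft flush set` and `nft add element` invocations would leave a window in which the `reject` rule matches nothing. Resolving the hostnames through the local resolver the rule protects also means the lookups themselves are not subject to the block.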

Thank you all. I now understand.

3 Likes