#!/bin/bash

# -----------------------------------------------------------------
# ipset set listing wrapper script
#
# https://github.com/AllKind/ipset_list
# https://sourceforge.net/projects/ipset-list/
# -----------------------------------------------------------------

# Copyright (C) 2013-2014 AllKind (AllKind@fastest.cc)
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

# -----------------------------------------------------------------
# Compatible with ipset version 6+
# Tested with ipset versions:
# 6.16.1, 6.20.1, 6.22
# -----------------------------------------------------------------

# -----------------------------------------------------------------
# Features (in addition to the native ipset options):
# - Calculate sum of set members (and match on that count).
# - List only members of a specified set.
# - Choose a delimiter character for separating members.
# - Show only sets containing a specific (glob matching) header.
# - Arithmetic comparison on headers with an integer value.
# - Arithmetic comparison on flags of the headers 'Header' field.
# - Arithmetic comparison on member options with an integer value.
# - Match members using a globbing or regex pattern.
# - Suppress listing of (glob matching) sets.
# - Suppress listing of (glob matching) headers.
# - Suppress listing of members matching a glob or regex pattern.
# - Calculate the total size in memory of all matching sets.
# - Calculate the amount of matching, excluded and traversed sets.
# - Colorize the output.
# - Operate on a single, selected, or all sets.
# - Programmable completion is included to make usage easier and faster.
# -----------------------------------------------------------------

# -----------------------------------------------------------------
# Examples:
# $0                   - no args, just list set names
# $0 -c                - show all set names and their member sum
# $0 -t                - show all sets, but headers only
# $0 -c -t setA        - show headers and member sum of setA
# $0 -i setA           - show only members entries of setA
# $0 -c -m setA setB   - show members and sum of setA & setB
# $0 -a -c -d :        - show all sets members, sum and use `:' as entry delimiter
# $0 -a -c setA        - show all info of setA and its members sum
# $0 -c -m -d $'\n' setA - show members and sum of setA, delim with newline
# $0 -m -r -s setA     - show members of setA resolved and sorted
# $0 -Ts               - show all set names and total count of sets.
# $0 -Tm               - calculate total size in memory of all sets.
# $0 -Mc 0             - show sets with zero members
# $0 -Fi References:0  - show all sets with 0 references
# $0 -Hr 0             - shortcut for `-Fi References:0'
# $0 -Xs setA -Xs setB - show all set names, but exclude setA and setB.
# $0 -Xs "set[AB]"     - show all set names, but exclude setA and setB.
# $0 -Cs -Ht "hash:*"  - find sets of any hash type, count their amount.
# $0 -Ht "!(hash:ip)"  - show sets which are not of type hash:ip
# $0 -Ht "!(bitmap:*)" - show sets wich are not of any bitmap type
# $0 -i -Fr "^210\..*" setA - show only members of setA matching the regex "^210\..*"
# $0 -Mc \>=100 -Mc \<=150  - show sets with a member count greater or equal to 100
#+ and not greater than 150.
# $0 -a -c -Fh "Type:hash:ip" -Fr "^210\..*"
#+ - show all information of sets with type hash:ip,
#+ matching the regex "^210\..*", show match and members sum.
#
# $0 -m -Fg "!(210.*)" setA
#+ show members of setA excluding the elements matching the negated glob.
#
# $0 -Hr \>=1 -Hv 0 -Hs \>10000   - find sets with at least one reference,
#+ revision of 0 and size in memory greater than 10000
#
# $0 -Fh Type:hash:ip -Fh "Header:family inet *"
#+ - show all set names, which are of type hash:ip and header of ipv4.
#
# $0 -t -Xh "Revision:*" -Xh "References:*"
#+ - show all sets headers, but exclude Revision and References entries.
#
# $0 -t -Ht "!(@(bit|port)map):*" -Xh "!(Type):*"   - show all sets that are
#+ neither of type bitmap or portmap, suppress all but the type header.
#
# $0 -c -m -Xg "210.*" setA - show members of setA, but suppress listing of entries
#+ matching the glob pattern "210.*", show count of excluded and total members.
#
# $0 -t -Tm -Xh "@(Type|Re*|Header):*"
#+ show all sets headers, but suppress all but name and memsize entry,
#+ calculate the total memory size of all sets.
#
# $0 -t -Tm -Xh "!(Size*|Type):*" -Ts -Co
# + List all sets headers, but suppress all but name, type and memsize entry,
# + count amount of sets, calculate total memory usage, colorize the output.
#
# $0 -c -t -Cs -Ts -Xh "@(Size*|Re*|Header):*" -Ht "!(bitmap:*)"
#+ find all sets not of any bitmap type, count their members sum,
#+ display only the 'Type' header,
#+ count amount of matching and traversed sets.
#
# $0 -a -Xh "@(@(H|R|M)e*):*"  - show all info of all sets,
#+ but suppress Header, References, Revision and Member header entries.
#+ (headers existing as per ipset 6.x -> tested version).
#
# $0 -Co -c -Ts -Tm    - show all set names, count their members,
# + count total amount of sets, show total memory usage of all sets,
# + colorize the output
#
# $0 -m -r -To 0       - show members of all sets, try to resolve hosts,
# set the timeout to 0 (effectivly disabling it).
#
# $0 -m -Xo setA       - show members of setA,
# + but suppress displaying of the elements options.
#
# $0 -m -Oi packets:0
# + show members of all sets which have a packet count of 0.
#
# $0 -m -Oi "packets:>100" -Oi "bytes:>1024"
# + show members of all sets which have a
# + packet count greater than 100 and a byte count greater than 1024.
#
# $0 -m -Oi "skbmark:>0x123/0XFF" -Oi skbprio:\>=2:<=3 -Oi skbqueue:\!1
# + show members of all sets which have the following member options set:
# + skbmark greater than 0x123/0xFF, skbprio major greater or equal to 2
# + and minor lower or equal to 3, skbqueue not of value 1.
#
# $0 -n -Ca "foo*"
# + show only set names matching the glob "foo*" and enable all counters.
#
# $0 -Hi "markmask:>=0x0000beef" -Hi timeout:\!10000`
# + show only sets with the header 'Header' fields containing a markmask
# + greater or equal to 0x0000beef and a timeout which is not 10000.
# -----------------------------------------------------------------

# -----------------------------------------------------------------
# Modify here
# -----------------------------------------------------------------

# modify your PATH variable
# by default the path is only set if the PATH variable is not already set in the environment
# PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
: ${PATH:=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin}

# path to ipset.
# defaults to `/sbin/ipset' if unset.
#ipset="/sbin/ipset"
# find in path if not declared in parent environment
: ${ipset:=$(command -v ipset)}

# default delimiter character for set members (elements).
# defaults to whitespace if unset.
# use delim=$'\n' to use the ipset default newline as delimiter.
delim=" "

# default read timeout (for reading sets - esp. with the -r switch).
# the command line option -To overrides this.
TMOUT=30

# colorize the output (bool 0/1).
colorize=0

# path to cl (to colorize the output).
# http://sourceforge.net/projects/colorize-shell/ or
# https://github.com/AllKind/cl
# defaults to `/usr/local/bin/cl' if unset.
cl="/usr/local/bin/cl"

# define colors
# run `cl --list' to retrieve the valid color names
#
# default foreground color
# defaults to: white
col_fg="white"

# default background color
# defaults to: black
col_bg="black"

# color for headers
# defaults to: cyan
col_headers="cyan"

# color for members
# defaults to: yellow
col_members="yellow"

# color for matches
# defaults to: red
col_match="red"

# color for displaying of memsize
# defaults to: green
col_memsize="green"

# color for counting of matched sets
# defaults to: magenta
col_set_count="magenta"

# color for counting of traversed sets
# defaults to: blue
col_set_total="blue"

# general higlightning color
# defaults to: white
col_highlight="white"

# -----------------------------------------------------------------
# DO NOT MODIFY ANYTHING BEYOND THIS LINE!
# -----------------------------------------------------------------


# bash check
if [ -z "$BASH" ]; then
	printf "\`BASH' variable is not available. Not running bash?\n" >&2
	exit 1
fi

# shell settings
shopt -s extglob
set -f
set +o posix
set +u

# variables
export LC_ALL=C
readonly version=3.2.1
readonly me="${0//*\//}"
readonly oIFS="$IFS"
declare ips_version="" str_search="" str_xclude="" opt str_name str_val str_op
declare -i show_all=show_count=show_members=headers_only=names_only=isolate=calc_mem=count_sets=sets_total=0
declare -i match_on_header=glob_search=regex_search=member_count=match_count=do_count=opt_int_search=0
declare -i exclude_header=glob_xclude_element=glob_xclude_element=exclude_set=xclude_member_opts=0
declare -i in_header=found_set=found_member_opt=found_hxclude=found_sxclude=xclude_count=mem_total=mem_tmp=set_count=sets_sum=i=x=y=idx=0
declare -a arr_sets=() arr_par=() arr_hcache=() arr_mcache=() arr_hsearch=() arr_tmp=()
declare -a arr_hsearch_int=() arr_hsearch_xint=() arr_hxclude=() arr_sxclude=() arr_match_on_msum=() arr_opt_int_search=()

# -----------------------------------------------------------------
# functions
# -----------------------------------------------------------------

ex_miss_optarg() {
printf "%s of option \`%s' is missing\n" "$2" "$1" >&2
exit 2
}

ex_invalid_usage() {
printf "%s\n" "$*" >&2
exit 2
}

is_int() {
[[ $1 = +([[:digit:]]) ]]
}

is_digit_or_xigit() {
[[ $1 = @(+([[:digit:]])|0[xX]+([[:xdigit:]])) ]]
}

is_compare_str() {
	[[ $1 = ?(\!|<|>|<=|>=)@(+([[:digit:]])|0[x|X]+([[:xdigit:]])) ]]
}

is_compare_str_complex() {
	[[ $1 = ?(\!|<|>|<=|>=)@(+([[:digit:]])|0@(x|X)+([[:xdigit:]])?(/0@(x|X)+([[:xdigit:]]))|+([[:xdigit:]]):?(\!|<|>|<=|>=)+([[:xdigit:]])) ]]
}

add_search_to_member_cache() {
if ((show_members || show_all || isolate)); then
	arr_mcache[i++]="$REPLY"
fi
}

arith_elem_opt_search() {
local str_opt_val str_val2 str_op2 str_cg='?(\!|<|>|<=|>=)' str_xdig='0[xX]+([[:xdigit:]])'
found_member_opt=0
for y in ${!arr_opt_int_search[@]}; do
	str_val="${arr_opt_int_search[y]#*:}"
	if [[ $str_val = ${str_cg}@(+([[:digit:]])|$str_xdig) ]]; then # i.e. timeout or skbqueue
		str_op="${str_val//[![:punct:]]}"
		str_val="${str_val//[=\!\>\<]}"
	elif [[ $str_val  = ${str_cg}${str_xdig}/$str_xdig ]]; then # i.e. skbmark
		str_op="${str_val//[![:punct:]]}"
		str_op="${str_op//\/}"
		str_val="${str_val//[=\!\>\<]}"
	elif [[ $str_val  = ${str_cg}+([[:xdigit:]]):${str_cg}+([[:xdigit:]]) ]]; then # i.e. skbprio
		str_op="${str_val%:*}"
		str_op="${str_op%%+([[:xdigit:]])}"
		str_op2="${str_val#*:}"
		str_op2="${str_op2%%+([[:xdigit:]])}"
		str_val="${str_val##+([[:punct:]])}"
		str_val2="${str_val#*:}"
		str_val2="${str_val2//[[:punct:]]}"
	fi
	# compare operator defaults to `=='
	# if it's a '!' set it to '!='
	[[ ${str_op:===} = \! ]] && str_op='!='
	[[ ${str_op2:===} = \! ]] && str_op2='!='
	set -- $REPLY
	shift
	while (($# > 1)); do # cycle through options
		if [[ $1 = ${arr_opt_int_search[y]%%:*} ]]; then str_opt_val="$2"
			if [[ $str_val = @(+([[:digit:]])|$str_xdig) && $str_opt_val = @(+([[:digit:]])|$str_xdig) ]]; then # i.e. timeout or skbqueue
				if (( $str_opt_val $str_op $str_val )); then
					let found_member_opt+=1
				fi
				shift
			elif [[ $str_val = $str_xdig && $str_opt_val = ${str_xdig}/$str_xdig ]]; then # i.e. skbmark
				if (( $str_opt_val $str_op $(( ${str_val%/*} & ${str_val#*/} )) )); then # logicaly AND mark/mask
					let found_member_opt+=1
				fi
				shift
			elif [[ $str_val = ${str_xdig}/$str_xdig && $str_opt_val = ${str_xdig}/$str_xdig ]]; then # i.e. skbmark
				if (( $(( ${str_opt_val%/*} & ${str_opt_val#*/} )) $str_op $(( ${str_val%/*} & ${str_val#*/} )) )); then # logicaly AND mark/mask
					let found_member_opt+=1
				fi
				shift
			elif [[ $str_val = +([[:xdigit:]]):${str_cg}+([[:xdigit:]]) && $str_opt_val = +([[:xdigit:]]):+([[:xdigit:]]) ]]; then # i.e. skbprio
				if (( ${str_opt_val%:*} $str_op ${str_val%:*} && ${str_opt_val#*:} $str_op2 $str_val2 )); then
					let found_member_opt+=1
				fi
				shift
			fi
		fi
		shift
	done
done
if ((opt_int_search == found_member_opt)); then
	let match_count+=1
	add_search_to_member_cache
fi
}

xclude_elem_search() {
if ((glob_xclude_element)); then # exclude matching members
	if [[ $REPLY = $str_xclude ]]; then
		let xclude_count+=1
		return 0
	fi
elif ((regex_xclude_element)); then # exclude matching members
	if [[ $REPLY =~ $str_xclude ]]; then
		let xclude_count+=1
		return 0
	else
		if (($? == 2)); then
			printf "Invalid regex pattern \`%s'.\n" "$str_xclude" >&2
			exit 1
		fi
	fi
fi
return 1
}

# -----------------------------------------------------------------
# main
# -----------------------------------------------------------------

# validate value of colorize
if [[ ${colorize:=0} != [01] ]]; then
	ex_invalid_usage "value of variable \`colorize' \`$colorize' is not 0 or 1."
fi

# parse cmd-line options
while (($#)); do
	case "$1" in
		-\?|-h) printf "\n\tipset set listing wrapper script\n\n"
			printf '%s [option [opt-arg]] [set-name-glob] [...]\n\n' "$me"
			printf '%s %s\n' "$me" "{-?|-h} | -v"
			printf '%s %s\n\t%s\n\t%s\n' "$me"\
				"[-i|-r|-s|-Co|-Xo] [-d char] [-To value]"\
				"[-Fg|-Fr pattern] [-Xg|-Xr pattern]"\
				"[-Oi option-glob:[!|<|>|<=|>=]value] [...] -- set-name"
			printf '%s %s\n\t%s\n\t%s\n\t%s\n' "$me"\
				"[-n|-c|-Ca|-Co|-Cs|-Tm|-Ts|-Xs] [-To value]"\
				"[-Fh header-glob:value-glob] [...] [-Fg|-Fr pattern]"\
				"[-Hi glob:[!|<|>|<=|>=]value] [...]"\
				"[-Oi option-glob:[!|<|>|<=|>=]value] [...] -- [set-name-glob] [...]"
			printf '%s %s\n\t%s\n\t%s\n\t%s\n\t%s\n\t%s\n\t%s\n\t%s\n\t%s\n\t%s\n' "$me"\
				"[-t|-c|-Ca|-Co|-Cs|-Tm|-Ts]"\
				"[-Fh header-glob:value-glob] [...]"\
				"[-Fi header-glob:[!|<|>|<=|>=]value] [...]"\
				"[-Fg|-Fr pattern] [-Ht type-glob]"\
				"[-Hi glob:[!|<|>|<=|>=]value] [...]"\
				"[-Hr|-Hs|-Hv [!|<|>|<=|>=]value]"\
				"[-Mc [!|<|>|<=|>=]value] [...] [-To value]"\
				"[-Oi option-glob:[!|<|>|<=|>=]value] [...]"\
				"[-Xh header-glob:value-glob] [...]"\
				"[-Xs set-name-glob] [...] -- [set-name-glob] [...]"
			printf '%s %s\n\t%s\n\t%s\n\t%s\n\t%s\n\t%s\n\t%s\n\t%s\n\t%s\n\t%s\n' "$me"\
				"[-a|-c|-m|-r|-s|-Ca|-Co|-Cs|-Tm|-Ts|-Xo] [-d char]"\
				"[-Fh header-glob:value-glob] [...]"\
				"[-Fi header-glob:[!|<|>|<=|>=]value] [...]"\
				"[-Fg|-Fr pattern] [-Ht type-glob]"\
				"[-Hi glob:[!|<|>|<=|>=]value] [...]"\
				"[-Hr|-Hs|-Hv [!|<|>|<=|>=]value]"\
				"[-Mc [!|<|>|<=|>=]value] [...]"\
				"[-Oi option-glob:[!|<|>|<=|>=]value] [...]"\
				"[-To value] [-Xh header-glob:value-glob] [...]"\
				"[-Xg|-Xr pattern] [-Xs set-name-glob] [...] -- [set-name-glob] [...]"
			printf 'options:\n'
			printf '%-13s%s\n' '-a' 'show all information but with default delim (whitespace).'\
				'-c' 'calculate members and match sum.'\
				'-d delim' 'delimiter character for separating member entries.'\
				'-h|-?' 'show this help text.'\
				'-i' 'show only the members of a single set.'\
				'-m' 'show set members.'\
				'-n' "show set names only."\
				'-r' 'try to resolve ip addresses in the output (slow!).'\
				'-s' 'print elements sorted (if supported by the set type).'\
				'-t' 'show set headers only.'\
				'-v' 'version information.'\
				'-Ca' "shortcut for -c -Cs -Ts -Tm (enable all counters)."\
				'-Co' "colorize output (requires \`cl')."\
				'-Cs' 'count amount of matching sets.'\
				'-Fg pattern' 'match on members using a [ext]glob pattern.'\
				'-Fr pattern' 'match on members using a regex (=~ operator) pattern.'
			printf '%s\n\t%s\n' '-Fh header-glob:value-glob [...]'\
				'show sets containing one or more [ext]glob matching headers.'
			printf '%s\n\t%s\n' '-Fi header-glob:[!|<|>|<=|>=]value [...]'\
				'show sets matching one or more integer valued header entries.'
			printf '%s\n\t%s\n' '-Hi header-glob:[!|<|>|<=|>=]value [...]'\
				"match one or more integer valued headers \`Header' entries."
			printf '%-24s%s\n' '-Ht set-type-glob' 'match on set type.'\
				'-Hr [!|<|>|<=|>=]value' 'match on number of references (value=int).'\
				'-Hs [!|<|>|<=|>=]value' 'match on size in memory (value=int).'\
				'-Hv [!|<|>|<=|>=]value' 'match on revision number (value=int).'
			printf '%-30s%s\n' '-Mc [!|<|>|<=|>=]value [...]' 'match on member count (value=int).'
			printf '%s\n\t%s\n' '-Oi option-glob:[!|<|>|<=|>=]value [...]'\
				'match member options (value=int | 0xhex[/0xhex] | hex:[!|<|>|<=|>=]hex).'
			printf '%-13s%s\n' '-Tm' 'calculate total memory usage of all matching sets.'\
				'-To' 'set timeout value (int) for read (listing sets).'\
				'-Ts' 'count amount of traversed sets.'\
				'-Xo' 'suppress display of member options.'
			printf '%s\n\t%s\n' '-Xh header-glob:value-glob [...]'\
				'exclude one or more [ext]glob matching header entries.'
			printf '%-13s%s\n' '-Xg pattern' 'exclude members matching a [ext]glob pattern.'\
				'-Xr pattern' 'exclude members matching a regex pattern.'\
				'-Xs pattern' 'exclude sets matching a [ext]glob pattern.'
			printf '%-13s%s\n' '--' 'stop further option processing.'
			exit 0
		;;
		-a) show_all=1 # like `ipset list', but with $delim as delim
		;;
		-c) show_count=1 # show sum of member entries
		;;
		-i) isolate=1 # show only members of a single set
		;;
		-m) show_members=1 # show set members
		;;
		-n) names_only=1 # only list set names
		;;
		-t) headers_only=1 # show only set headers
		;;
		-s|-r) arr_par[i++]="$1" # ipset sort & resolve options are passed on
		;;
		-d) # delimiter char for separating member entries
			[[ $2 ]] || ex_miss_optarg $1 "delim character"
			if ((${#2} > 1)); then
				ex_invalid_usage "only one character is allowed as delim"
			fi
			delim="$2"
			shift
		;;
		-o) if [[ $2 != plain ]]; then
				ex_invalid_usage "only plain output is supported"
			fi
		;;
		-Ca) # shortcut for -c -Cs -Ts -Tm
			show_count=1 count_sets=1 calc_mem=1 sets_total=1
		;;
		-Cs) count_sets=1 # calculate total count of matching sets
		;;
		-Co) colorize=1 # colorize the output (requires cl)
		;;
		-Fg) glob_search=1 # find entry with globbing pattern
			[[ $2 ]] || ex_miss_optarg $1 "glob pattern"
			str_search="$2"
			shift
		;;
		-Fr) regex_search=1 # find entry with regex pattern
			[[ $2 ]] || ex_miss_optarg $1 "regex pattern"
			str_search="$2"
			shift
		;;
		-Oi) let opt_int_search+=1
			[[ $2 ]] || ex_miss_optarg $1 "pattern"
			if [[ $2 = *:* ]] && is_compare_str_complex "${2#*:}"; then
				arr_opt_int_search[y++]="$2"
				shift
			else
				ex_invalid_usage "invalid format of header descriptor. expecting: \`glob:[!|<|>|<=|>=]value'"
			fi
		;;
		-Fh) let match_on_header+=1 # show only sets, which contain a matching header entry
			[[ $2 ]] || ex_miss_optarg $1 "header pattern"
			if [[ $2 = *:* ]]; then
				arr_hsearch[x++]="$2"
				shift
			else
				ex_invalid_usage "invalid format of header descriptor. expecting: \`*:*'"
			fi
		;;
		-Fi) let match_on_header+=1 # show only sets, containing a matching (int compare) header entry
			[[ $2 ]] || ex_miss_optarg $1 "header pattern"
			if [[ $2 = *:* ]] && is_compare_str "${2#*:}"; then
				arr_hsearch_int[idx++]="$2"
				shift
			else
				ex_invalid_usage "invalid format of header descriptor. expecting: \`name:[!|<|>|<=|>=]value'"
			fi
		;;
		-Hi) let match_on_header+=1 # match on name + integer (digit & xdigit) inside of headers 'Header' flag
			[[ $2 ]] || ex_miss_optarg $1 "header pattern"
			if [[ $2 = *:?(\!|<|>|<=|>=)@(+([[:digit:]])|0[xX]+([[:xdigit:]])) ]]; then
				arr_hsearch_xint[${#arr_hsearch_xint[@]}]="$2"
				shift
			else
				ex_invalid_usage "invalid format of headers \'Header' flag descriptor. expecting: \`name:[!|<|>|<=|>=]value'"
			fi
		;;
		-Hr) let match_on_header+=1 # shortcut for -Fi References:...
			[[ $2 ]] || ex_miss_optarg $1 "header pattern"
			if is_compare_str "$2"; then
				arr_hsearch_int[idx++]="References:$2"
				shift
			else
				ex_invalid_usage "invalid format of references header descriptor. expecting: \`[!|<|>|<=|>=]value'"
			fi
		;;
		-Hs) let match_on_header+=1 # shortcut for -Fi "Size in Memory:..."
			[[ $2 ]] || ex_miss_optarg $1 "header pattern"
			if is_compare_str "$2"; then
				arr_hsearch_int[idx++]="Size in memory:$2"
				shift
			else
				ex_invalid_usage "invalid format of memsize header descriptor. expecting: \`[!|<|>|<=|>=]value'"
			fi
		;;
		-Ht) let match_on_header+=1 # shortcut for -Fh Type:x:y
			[[ $2 ]] || ex_miss_optarg $1 "header pattern"
			if [[ $2 = *:* ]]; then
				arr_hsearch[x++]="Type:$2"
				shift
			else
				ex_invalid_usage "invalid format of set type descriptor. expecting: \`*:*'."
			fi
		;;
		-Hv) let match_on_header+=1 # shortcut for -Fi Revision:...
			[[ $2 ]] || ex_miss_optarg $1 "header pattern"
			if is_compare_str "$2"; then
				arr_hsearch_int[idx++]="Revision:$2"
				shift
			else
				ex_invalid_usage "invalid format of revision header descriptor. expecting: \`[!|<|>|<=|>=]value'"
			fi
		;;
		-Mc) do_count=1 # match on the count of members
			[[ $2 ]] || ex_miss_optarg $1 "value pattern"
			if is_compare_str "$2"; then
				arr_match_on_msum[${#arr_match_on_msum[@]}]="$2"
				shift
			else
				ex_invalid_usage "invalid format of match on member count value. expecting: \`[!|<|>|<=|>=]value'"
			fi
		;;
		-To) # set the timeout for read (limited to integer)
			[[ $2 ]] || ex_miss_optarg $1 "value"
			TMOUT=$2
			shift
		;;
		-Tm) calc_mem=1 # caculate total memory usage of all matching sets
		;;
		-Ts) sets_total=1 # caculate sum of all traversed sets
		;;
		-Xh) exclude_header=1 # don't show certain headers
			[[ $2 ]] || ex_miss_optarg $1 "header pattern"
			if [[ $2 = *:* ]]; then
				arr_hxclude[${#arr_hxclude[@]}]="$2"
				shift
			else
				ex_invalid_usage "invalid format of header descriptor. expecting: \`*:*'"
			fi
		;;
		-Xg) glob_xclude_element=1 # suppress printing of matching members using a globbing pattern
			[[ $2 ]] || ex_miss_optarg $1 "glob pattern"
			str_xclude="$2"
			shift
		;;
		-Xr) regex_xclude_element=1 # suppress printing of matching members using a regex pattern
			[[ $2 ]] || ex_miss_optarg $1 "regex pattern"
			str_xclude="$2"
			shift
		;;
		-Xo) xclude_member_opts=1 # don't show elements options
		;;
		-Xs) exclude_set=1 # don't show certain sets
			[[ $2 ]] || ex_miss_optarg $1 "set name ([ext]glob pattern)"
			arr_sxclude[${#arr_sxclude[@]}]="$2"
			shift
		;;
		-\!|-f) ex_invalid_usage "unsupported option: \`$1'"
		;;
		-v) printf "%s version %s\n" "$me" "$version"
			exit 0
		;;
		--) break
		;;
		*) break
	esac
	shift
done
declare -i i=x=y=idx=0

# check for ipset program and version
[[ -x ${ipset:=/sbin/ipset} ]] || {
	printf "ipset binary \`%s' does not exist, or is not executable. check \`ipset' variable\n" "$ipset" >&2
	exit 1
}
ips_version="$("$ipset" version)"
ips_version="${ips_version#ipset v}"
ips_version="${ips_version%%.*}"
if ! is_int "$ips_version"; then
	printf "failed retrieving ipset version. expected digits, got: \`%s'\n" "$ips_version" >&2
	exit 1
fi
if ((ips_version < 6)); then
	printf "found version \`%s' - ipset versions from 6.x and upwards are supported\n" "$ips_version" >&2
	exit 1
fi

# validate TMOUT variable
if [[ $TMOUT ]] && ! is_int "$TMOUT"; then
	ex_invalid_usage "timeout value \`$TMOUT' is not an integer"
fi

# option logic
if ((names_only)); then
	if ((headers_only||show_members||show_all||isolate||\
		glob_xclude_element||regex_xclude_element||xclude_member_opts))
   	then
		ex_invalid_usage "option -n does not allow this combination of options"
	fi
fi
if ((headers_only)); then
	if ((show_members || show_all || isolate)); then
		ex_invalid_usage "options -t and -a|-i|-m are mutually exclusive"
	fi
fi
if ((headers_only)); then
	if ((xclude_member_opts||glob_xclude_element||regex_xclude_element)); then
		ex_invalid_usage "options -t and -Xg|-Xr|-Xo are mutually exclusive"
	fi
fi
if ((isolate)); then
	if ((show_count||show_all||calc_mem||count_sets||sets_total||exclude_set)); then
		ex_invalid_usage "options -i and -a|-c|-Ca|-Cs|-Tm|-Ts|-Xs are mutually exclusive"
	fi
	if ((match_on_header)); then
		ex_invalid_usage "option -i does not allow matching on header entries"
	fi
fi
if ((glob_search || regex_search)); then
	if ((glob_search && regex_search)); then
		ex_invalid_usage "options -Fg and -Fr are mutually exclusive"
	fi
fi
if ((exclude_header)); then
	if ! ((headers_only || show_all)); then
		ex_invalid_usage "option -Xh requires -a or -t"
	fi
fi
if ((glob_xclude_element || regex_xclude_element)); then
	if ! ((show_members || show_all || isolate)); then
		ex_invalid_usage "options -Xg|-Xr require any of -a|-i|-m"
	fi
fi
if ((colorize)); then
	if ! [[ -x ${cl:=/usr/local/bin/cl} ]]; then
		printf "\ncl program \`%s' does not exist, or is not executable.\ncheck \`cl' variable.\n\n" "$cl" >&2
		printf "If you do not have the program, you can download it from:\n"
		printf "%s\n" "http://sourceforge.net/projects/colorize-shell/" \
			"https://github.com/AllKind/cl" >&2
		printf "\n"
		exit 1
	fi
	# set color defaults if unset
	: ${col_fg:=white}
	: ${col_bg:=black}
	: ${col_headers:=cyan}
	: ${col_members:=yellow}
	: ${col_match:=red}
	: ${col_memsize:=green}
	: ${col_set_count:=magenta}
	: ${col_set_total:=blue}
	: ${col_highlight:=white}

	# check if color defines are valid
	for opt in col_fg col_bg col_headers col_members col_match col_memsize \
	   	col_set_count col_set_total col_highlight
	do
		("$cl" ${!opt}) || ex_invalid_usage "variable \`$opt' has an invalid color value: \`${!opt}'"
	done
	[[ -t 1 ]] || colorize=0 # output is not a terminal
fi

# sets to work on (no arg means all sets)
while IFS=$'\n' read -r; do
	arr_sets[idx++]="$REPLY"
done < <("$ipset" list -n)
if ! ((${#arr_sets[@]})); then
	printf "Cannot find any sets\n" >&2
	exit 1
fi
if [[ $1 ]]; then # there are remaining arg(s)
	for opt; do found_set=0 # check if the sets exist
		for idx in ${!arr_sets[@]}; do
			if [[ ${arr_sets[idx]} = $opt ]]; then found_set=1
				# match could be a glob, thus multiple matches possible
				# save to temp array
				arr_tmp[${#arr_tmp[@]}]="${arr_sets[idx]}"
				unset arr_sets[idx]
			fi
		done
		if ! ((found_set)); then
			ex_invalid_usage "\`$opt' is not a valid option nor an existing set name"
		fi
	done
	if ((isolate)); then
		if (($# != 1)); then
			ex_invalid_usage "option -i is only valid for a single set"
		fi
	fi
	arr_sets=("${arr_tmp[@]}") # reassign matched sets
	if ((isolate && ${#arr_sets[@]} > 1)); then
		ex_invalid_usage "option -i is only valid for a single set"
	fi
else
	if ((isolate)); then
		ex_invalid_usage "option -i is only valid for a single set"
	fi
fi

# read sets
for idx in "${!arr_sets[@]}"; do found_set=0 arr_hcache=() arr_mcache=()
	while read -r || {
		(($? > 128)) && \
			printf "timeout reached or signal received, while reading set \`%s'.\n" \
			"${arr_sets[idx]}" >&2 && continue 2;
   	}; do
		case "$REPLY" in
			"") : ;;
			Name:*) # header opened (set found)
				if ((in_header)); then
					printf "unexpected entry: \`%s' - header not closed?\n" "$REPLY" >&2
					exit 1
				fi
				let sets_sum+=1
				if ((exclude_set)); then # don't show certain sets
					for y in ${!arr_sxclude[@]}; do
						if [[ ${arr_sets[idx]} = ${arr_sxclude[y]} ]]; then let found_sxclude+=1
							continue 3 # don't unset, as user could list sets multiple times
						fi
					done
				fi
				in_header=1 found_set=1 found_header=0 member_count=0 match_count=0 xclude_count=0 mem_tmp=0 i=0 x=0
				if ! ((isolate)); then # if showing members only, continue without saving any header data
					if ((names_only)); then
						if ((colorize)); then
							arr_hcache[x++]="$("$cl" bold $col_headers)${REPLY#*:+([[:blank:]])}$("$cl" normal $col_fg $col_bg)"
						else
							arr_hcache[x++]="${REPLY#*:+([[:blank:]])}"
						fi
					elif ! ((headers_only||show_members||show_all||show_count||match_on_header||do_count||calc_mem||glob_search||regex_search||opt_int_search))
				   	then
						in_header=0
						if ((colorize)); then
							arr_hcache[x++]="$("$cl" bold $col_headers)${REPLY}$("$cl" normal $col_fg $col_bg)"
						else
							arr_hcache[x++]="$REPLY"
						fi
						break # nothing to show but the names
					else
						if ((colorize)); then
							arr_hcache[x++]=$'\n'"$("$cl" bold $col_headers)${REPLY}$("$cl" normal $col_fg $col_bg)"
						else
							arr_hcache[x++]=$'\n'"$REPLY"
						fi
					fi
				fi
			;;
			Members:*) # closes header (if not `ipset -t')
				if ! ((in_header)); then
					printf "unexpected entry: \`%s' - header not opened?\n" "$REPLY" >&2
					exit 1
				fi
				in_header=0 found_hxclude=0
				if ((match_on_header)); then
					if ((found_header != match_on_header)); then found_set=0
						break # set does not contain wanted header
					fi
				fi
				if ((exclude_header)); then # don't show certain headers
					for y in ${!arr_hxclude[@]}; do
						if [[ ${REPLY%%:*} = ${arr_hxclude[y]%%:*} && ${REPLY#*: } = ${arr_hxclude[y]#*:} ]]
						then found_hxclude=1
							break
						fi
					done
				fi
				if ((show_all && ! found_hxclude)); then
					if ((colorize)); then
						arr_hcache[x++]="$("$cl" bold $col_headers)${REPLY}$("$cl" normal $col_fg $col_bg)"
					else
						arr_hcache[x++]="$REPLY"
					fi
				fi
			;;
			*) # either in-header, or member entry
				if ! ((found_set)); then
					printf "no set opened by \`Name:'. unexpected entry \`%s'.\n" "$REPLY" >&2
					exit 1
				fi
				if ((in_header)); then # we should be in the header
					if ((match_on_header && found_header < match_on_header)); then # match on an header entry
						for y in ${!arr_hsearch[@]}; do # string compare
							if [[ ${REPLY%%:*} = ${arr_hsearch[y]%%:*} && ${REPLY#*: } = ${arr_hsearch[y]#*:} ]]
							then let found_header+=1
							fi
						done
						for y in ${!arr_hsearch_int[@]}; do # int compare
							if [[ ${REPLY%%:*} = ${arr_hsearch_int[y]%%:*} ]]; then # header name matches
								if ! is_int "${REPLY#*: }"; then
									printf "header value \`%s' is not an integer.\n" "${REPLY#*: }" >&2
									exit 1
								fi
								str_val="${arr_hsearch_int[y]#*:}"
								str_op="${str_val//[[:digit:]]}" # compare operator defaults to `=='
								[[ ${str_op:===} = \! ]] && str_op='!='
								if ((${REPLY#*: } $str_op ${str_val//[[:punct:]]})); then
									let found_header+=1
								fi
							fi
						done
						# search and arithmetic compare values of the headers 'Header' flag
						if ((${#arr_hsearch_xint[@]})) && [[ ${REPLY%%:*} = Header ]]; then
							set -- ${REPLY#*:}
							while (($#)); do
								if is_digit_or_xigit "$1"; then
									shift
									continue
								fi
								for y in ${!arr_hsearch_xint[@]}; do
									str_name="${arr_hsearch_xint[y]%%:*}"
									str_val="${arr_hsearch_xint[y]#*:}"
									if [[ $str_val = ??0[xX]+([[:xdigit:]]) ]]; then
										str_op="${str_val%0[xX]*}"
									elif [[ $str_val = ??+([[:digit:]]) ]]; then
										str_op="${str_val//[[:digit:]]}"
									fi
									str_val="${str_val#"${str_op}"}"
									[[ ${str_op:===} = \! ]] && str_op='!='
									if [[ $1 = $str_name ]]; then
										if is_digit_or_xigit "$2"; then
											if (($2 $str_op $str_val)); then
												let found_header+=1
												shift
												break
											fi
										fi
									fi
								done
								shift
							done
						fi
					fi
					if ((calc_mem)); then
						if [[ ${REPLY%%:*} = "Size in memory" ]]; then
							if ! is_int "${REPLY#*: }"; then
								printf "header value \`%s' is not an integer.\n" "${REPLY#*: }" >&2
								exit 1
							fi
							# save to temp, in case we throw away the set, if it doesn't match other criteria
							mem_tmp=${REPLY#*: }
						fi
					fi
					if ((headers_only || show_all)); then found_hxclude=0
						if ((exclude_header)); then # don't show certain headers
							for y in ${!arr_hxclude[@]}; do
								if [[ ${REPLY%%:*} = ${arr_hxclude[y]%%:*} && ${REPLY#*: } = ${arr_hxclude[y]#*:} ]]
								then found_hxclude=1
									break
								fi
							done
						fi
						if ! ((found_hxclude)); then
							arr_hcache[x++]="$REPLY"
						fi
					fi
				else # this should be a member entry
					if ((show_members || show_all || isolate || glob_search || regex_search || opt_int_search)); then
						if ((glob_search)); then # show sets with glob pattern matching members
							if ! xclude_elem_search; then
								if [[ $REPLY = $str_search ]]; then
									if ((opt_int_search)); then
										arith_elem_opt_search
									else
										let match_count+=1
										add_search_to_member_cache
									fi
								fi
							fi
						elif ((regex_search)); then # show sets with regex pattern matching members
							if ! xclude_elem_search; then
								if [[ $REPLY =~ $str_search ]]; then
									if ((opt_int_search)); then
										arith_elem_opt_search
									else
										let match_count+=1
										add_search_to_member_cache
									fi
								else
									if (($? == 2)); then
										printf "Invalid regex pattern \`%s'.\n" "$str_search" >&2
										exit 1
									fi
								fi
							fi
						elif ((opt_int_search)); then # show sets with matching member options
							if ! xclude_elem_search; then
								arith_elem_opt_search
							fi
						else
							if ((glob_xclude_element)); then # exclude matching members
								if ! [[ $REPLY = $str_xclude ]]; then
									add_search_to_member_cache
								else let xclude_count+=1
								fi
							elif ((regex_xclude_element)); then # exclude matching members
								if [[ $REPLY =~ $str_xclude ]]; then
									let xclude_count+=1
								else
									if (($? == 2)); then
										printf "Invalid regex pattern \`%s'.\n" "$str_xclude" >&2
										exit 1
									fi
									add_search_to_member_cache
								fi
							else
								arr_mcache[i++]="$REPLY"
							fi
						fi
					else # nothing to show or search for, do we need to count members?
						if ! ((show_count || do_count)); then
							break # nothing more to do for this set
						fi
					fi
					let member_count+=1
				fi
		esac
	done < <("$ipset" list "${arr_sets[idx]}" "${arr_par[@]}")
	if ((found_set)); then # print gathered information
		if ((glob_search || regex_search || opt_int_search)) && ((match_count == 0)); then
			continue # glob, regex or option-integer search didn't match
		fi
		if ((${#arr_match_on_msum[@]} > 0)); then # match on member sum (do_count=1)
			for i in ${!arr_match_on_msum[@]}; do
				str_op="${arr_match_on_msum[i]//[[:digit:]]}"
				[[ ${str_op:===} = \! ]] && str_op='!='
				if ! (($member_count $str_op ${arr_match_on_msum[i]//[[:punct:]]})); then
					continue 2 # does not match
				fi
			done
		fi
		let set_count+=1 # count amount of matching sets
		if ((calc_mem)); then
			let mem_total+=$mem_tmp
		fi
		if ((${#arr_hcache[@]})); then # print header
			if ((colorize)); then
				printf "$("$cl" $col_headers)%b$("$cl" normal $col_fg $col_bg)\n" "${arr_hcache[@]}"
			else
				printf "%s\n" "${arr_hcache[@]}"
			fi
		fi
		if ((${#arr_mcache[@]})); then # print members
			if ((xclude_member_opts)); then
				arr_mcache=( "${arr_mcache[@]%% *}" )
			fi
			IFS="${delim:= }"
			if ((colorize)); then
				printf "$("$cl" $col_members)%s$("$cl" normal $col_fg $col_bg)" "${arr_mcache[*]}"
			else
				printf "%s" "${arr_mcache[*]}"
			fi
			IFS="$oIFS"
			printf "\n"
		fi
		if ((show_count)); then # print counters
			if ((glob_search || regex_search || opt_int_search)); then
				if ((colorize)); then
					printf "$("$cl" $col_match)Match count$("$cl" normal $col_fg $col_bg):\
 $("$cl" bold $col_match)%d$("$cl" normal $col_fg $col_bg)\n" $match_count
				else
					printf "Match count: %d\n" $match_count
				fi
			fi
			if ((glob_xclude_element || regex_xclude_element)); then
				if ((colorize)); then
					printf "$("$cl" $col_match)Exclude count$("$cl" normal $col_fg $col_bg):\
 $("$cl" bold $col_match)%d$("$cl" normal $col_fg $col_bg)\n" $xclude_count
				else
					printf "Exclude count: %d\n" $xclude_count
				fi
			fi
			if ((colorize)); then
				printf "$("$cl" bold $col_highlight)Member count$("$cl" normal $col_fg $col_bg):\
 $("$cl" bold $col_members)%d$("$cl" normal $col_fg $col_bg)\n" $member_count
			else
				printf "Member count: %d\n" $member_count
			fi
		fi
	fi
done

# print global counters
if ((count_sets || calc_mem || sets_total || exclude_set)); then
	printf "\n"
	if ((count_sets)); then
		if ((colorize)); then
			printf "$("$cl" bold $col_highlight)Count$("$cl" normal $col_fg $col_bg) of all\
 $("$cl" bold $col_set_count)matched sets$("$cl" normal $col_fg $col_bg):\
 $("$cl" bold $col_set_count)%d$("$cl" normal $col_fg $col_bg)\n" $set_count
		else
			printf "Count of all matched sets: %d\n" $set_count
		fi
		if ((exclude_set)); then
			if ((colorize)); then
				printf "$("$cl" bold $col_highlight)Count$("$cl" normal $col_fg $col_bg) of all\
 $("$cl" bold $col_match)excluded sets$("$cl" normal $col_fg $col_bg):\
 $("$cl" bold $col_match)%d$("$cl" normal $col_fg $col_bg)\n" $found_sxclude
			else
				printf "Count of all excluded sets: %d\n" $found_sxclude
			fi
		fi
	fi
	if ((sets_total)); then
		if ((colorize)); then
			printf "$("$cl" bold $col_highlight)Count$("$cl" normal $col_fg $col_bg) of all\
 $("$cl" bold $col_set_total)traversed sets$("$cl" normal $col_fg $col_bg):\
 $("$cl" bold $col_set_total)%d$("$cl" normal $col_fg $col_bg)\n" $sets_sum
		else
			printf "Count of all traversed sets: %d\n" $sets_sum
		fi
	fi
	if ((calc_mem)); then
		if ((colorize)); then
			printf "$("$cl" bold $col_memsize)Total memory size$("$cl" normal $col_fg $col_bg)\
 of all matched sets: $("$cl" bold $col_memsize)%d$("$cl" normal $col_fg $col_bg)\n" $mem_total
		else
			printf "Total memory size of all matched sets: %d\n" $mem_total
		fi
	fi
fi
