More documentation changes regarding SAVE_IPSETS.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2014-09-28 17:10:45 -07:00
parent 3174454300
commit 2a463e06aa
2 changed files with 23 additions and 13 deletions

View File

@ -2470,7 +2470,7 @@ INLINE - - - ; -j REJECT
<varlistentry> <varlistentry>
<term><emphasis role="bold">SAVE_IPSETS=</emphasis>{<emphasis <term><emphasis role="bold">SAVE_IPSETS=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">Yes</emphasis>|<emphasis
role="bold">No|<replaceable>setlist</replaceable></emphasis>}</term> role="bold">No|ipv4|<replaceable>setlist</replaceable></emphasis>}</term>
<listitem> <listitem>
<para>Re-enabled in Shorewall 4.4.6. If SAVE_IPSETS=Yes, then the <para>Re-enabled in Shorewall 4.4.6. If SAVE_IPSETS=Yes, then the
@ -2482,7 +2482,8 @@ INLINE - - - ; -j REJECT
<para>Beginning with Shorewall 4.6.4, you can restrict the set of <para>Beginning with Shorewall 4.6.4, you can restrict the set of
ipsets saved by specifying a setlist (a comma-separated list of ipv4 ipsets saved by specifying a setlist (a comma-separated list of ipv4
ipset names).</para> ipset names). You may also restrict the saved sets to just the ipv4
ones by specifying <emphasis role="bold">ipv4</emphasis>.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>

View File

@ -154,6 +154,11 @@ ACCEPT net:+sshok $FW tcp 22</programlisting></para>
firewall is first stopped.</para> firewall is first stopped.</para>
</listitem> </listitem>
</orderedlist> </orderedlist>
<para>Beginning with Shorewall 4.6.4, you can save selective ipsets by
setting SAVE_IPSETS to a comma-separated list of ipset names. You can also
restrict the group of sets saved to ipv4 sets by setting
SAVE_IPSETS=ipv4.</para>
</section> </section>
<section> <section>
@ -161,17 +166,21 @@ ACCEPT net:+sshok $FW tcp 22</programlisting></para>
<para>Ipset support in Shorewall6 was added in Shorewall 4.4.21.</para> <para>Ipset support in Shorewall6 was added in Shorewall 4.4.21.</para>
<para>Unlike iptables, which has separate configurations for IPv4 and <para>Beginning with Shorewall 4.6.4, SAVE_IPSETS is available in <ulink
IPv6, ipset has a single configuration that handles both. This means the url="manpages6/shorewall6.conf.html">shorewall6-conf(5)</ulink>. When set
SAVE_IPSETS=Yes in shorewall.conf or shorewall6.conf won't work correctly to Yes, the ipv6 ipsets will be set. You can also save selective ipsets by
because . To work around this issue, Shorewall-init is now capable setting SAVE_IPSETS to a comma-separated list of ipset names. </para>
restoring ipset contents during 'start' and saving them during 'stop'. To
direct Shorewall-init to save/restore ipset contents, set the SAVE_IPSETS <para>Prior to Shorewall 4.6.4, SAVE_IPSETS=Yes in shorewall.conf won't
option in /etc/sysconfig/shorewall-init (/etc/default/shorewall-init on work correctly because it saves both IPv4 and IPv6 ipsets. To work around
Debian and derivatives). The value of the option is a file name where the this issue, Shorewall-init is capable restoring ipset contents during
contents of the ipsets will be save to and restored from. Shorewall-init 'start' and saving them during 'stop'. To direct Shorewall-init to
will create any necessary directories during the first 'save' operation. save/restore ipset contents, set the SAVE_IPSETS option in
If you configure Shorewall-init to save/restore ipsets, be sure to set /etc/sysconfig/shorewall-init (/etc/default/shorewall-init on Debian and
derivatives). The value of the option is a file name where the contents of
the ipsets will be save to and restored from. Shorewall-init will create
any necessary directories during the first 'save' operation. If you
configure Shorewall-init to save/restore ipsets, be sure to set
SAVE_IPSETS=No in shorewall.conf and shorewall6.conf.</para> SAVE_IPSETS=No in shorewall.conf and shorewall6.conf.</para>
</section> </section>
</article> </article>