Update ipset doc with Shorewall6 and Shorewall-init info.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-11-08 08:44:05 +01:00 · 2011-06-19 15:00:48 -07:00 · 2011-06-19 15:00:48 -07:00 · f7322a674d
commit f7322a674d
parent 2097d0f4a0
1 changed files with 19 additions and 0 deletions
--- a/docs/ipsets.xml
+++ b/docs/ipsets.xml
@ -155,4 +155,23 @@ ACCEPT       net:+sshok  $FW      tcp      22</programlisting></para>
      </listitem>
    </orderedlist>
  </section>
+
+  <section>
+    <title>Shorewall6 and Shorewall-init Support for Ipsets</title>
+
+    <para>Ipset support in Shorewall6 was added in Shorewall 4.4.21.</para>
+
+    <para>Unlike iptables, which has separate configurations for IPv4 and
+    IPv6, ipset has a single configuration that handles both. This means the
+    SAVE_IPSETS=Yes in shorewall.conf or shorewall6.conf won't work correctly
+    because . To work around this issue, Shorewall-init is now capable
+    restoring ipset contents during 'start' and saving them during 'stop'. To
+    direct Shorewall-init to save/restore ipset contents, set the SAVE_IPSETS
+    option in /etc/sysconfig/shorewall-init (/etc/default/shorewall-init on
+    Debian and derivatives). The value of the option is a file name where the
+    contents of the ipsets will be save to and restored from. Shorewall-init
+    will create any necessary directories during the first 'save' operation.
+    If you configure Shorewall-init to save/restore ipsets, be sure to set
+    SAVE_IPSETS=No in shorewall.conf and shorewall6.conf. </para>
+  </section>
 </article>