From fc0158617ac89492755a8d161ab043d57a46659b Mon Sep 17 00:00:00 2001
From: teastep <teastep@fbd18981-670d-0410-9b5c-8dc0c1a9a2bb>
Date: Wed, 24 Dec 2008 16:10:46 +0000
Subject: [PATCH] Show how to make a dynamic zone a sub-zone

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9165 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 docs/ipsets.xml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/docs/ipsets.xml b/docs/ipsets.xml
index 728ccd0f8..51b013356 100644
--- a/docs/ipsets.xml
+++ b/docs/ipsets.xml
@@ -271,18 +271,20 @@ ipset -B Blacklist 206.124.146.177 -b SMTP</command></programlisting>
 
     <para>The use of ipsets provides a much better way to define dynamic zones
     than is provided by the native Shorewall implementation. To define a
-    dynamic zone of hosts <emphasis role="bold">dyn</emphasis> that interface
+    dynamic zone of hosts <emphasis role="bold">dyn</emphasis> that is a
+    sub-zone of zone <emphasis role="bold">loc</emphasis> and that interfaces
     through interface eth3, use:</para>
 
     <para>/etc/shorewall/zones:</para>
 
     <programlisting>#ZONE         TYPE         OPTIONS            IN OPTIONS        OUT OPTIONS
-dyn           ipv4</programlisting>
+loc           ipv4
+dyn:loc       ipv4</programlisting>
 
     <para>/etc/shorewall/interfaces:</para>
 
     <programlisting>#ZONE         INTERFACE     OPTIONS
--             eth3          …</programlisting>
+loc           eth3          …</programlisting>
 
     <para>/etc/shorewall/hosts:</para>