diff --git a/docs/Shorewall-perl.xml b/docs/Shorewall-perl.xml index a3da321e7..4125931ac 100644 --- a/docs/Shorewall-perl.xml +++ b/docs/Shorewall-perl.xml @@ -361,23 +361,27 @@ insert_rule $filter_table->{OUTPUT}, 1, "-p udp --sport 1701 -j ACCEPT"; used in a Shorewall configuration file, the name must be preceded by a plus sign (+) as with the shell-based compiler. - Shorewall is now out of the ipset load/reload business with - the exception of ipsets used for dynamic zones. With scripts - generated by the Perl-based Compiler, the Netfilter rule set is - never cleared. That means that there is no opportunity for Shorewall - to load/reload your ipsets since that cannot be done while there are - any current rules using ipsets. + From Shorewall-perl 4.0.0 - Shorewall 4.4.5, Shorewall was out + of the ipset load/reload business with the exception of ipsets used + for dynamic zones: - So: +
+ With scripts generated by the Perl-based Compiler, the + Netfilter rule set is never cleared. That means that there is no + opportunity for Shorewall to load/reload your ipsets since that + cannot be done while there are any current rules using + ipsets. - - - Your ipsets must be loaded before Shorewall starts. You - are free to try to do that with the following code in - /etc/shorewall/init (it works for me; your mileage may - vary): + So: - if [ "$COMMAND" = start ]; then + + + Your ipsets must be loaded before Shorewall starts. You + are free to try to do that with the following code in + /etc/shorewall/init (it works for me; your mileage + may vary): + + if [ "$COMMAND" = start ]; then ipset -U :all: :all: ipset -U :all: :default: ipset -F 
@@ -385,37 +389,43 @@ insert_rule $filter_table->{OUTPUT}, 1, "-p udp --sport 1701 -j ACCEPT"; ipset -R < /etc/shorewall/ipsets fi - The file /etc/shorewall/ipsets will - normally be produced using the ipset -S - command. I have this in my - /etc/shorewall/stop file: + The file /etc/shorewall/ipsets will + normally be produced using the ipset -S + command. I have this in my + /etc/shorewall/stop file: - if ipset -S > /etc/shorewall/ipsets.tmp; then + if ipset -S > /etc/shorewall/ipsets.tmp; then mv -f /etc/shorewall/ipsets /etc/shorewall/ipsets.bak mv /etc/shorewall/ipsets.tmp /etc/shorewall/ipsets fi - The above extension scripts will work most of the time but - will fail in a shorewall stop - - shorewall start sequence if you use ipsets in - your routestopped file (see below). - + The above extension scripts will work most of the time + but will fail in a shorewall stop - + shorewall start sequence if you use ipsets + in your routestopped file (see below). + - - Your ipsets may not be reloaded until Shorewall is stopped - or cleared. - + + Your ipsets may not be reloaded until Shorewall is + stopped or cleared. + - - If you specify ipsets in your routestopped file then - Shorewall must be cleared in order to reload your ipsets. - - + + If you specify ipsets in your routestopped file then + Shorewall must be cleared in order to reload your + ipsets. + + - As a consequence, scripts generated by the Perl-based compiler - will ignore /etc/shorewall/ipsets and will - issue a warning if you set SAVE_IPSETS=Yes in - shorewall.conf. + As a consequence, scripts generated by the Perl-based + compiler will ignore /etc/shorewall/ipsets + and will issue a warning if you set SAVE_IPSETS=Yes in + shorewall.conf. +
+ + Beginning with Shorewall 4.4.6 (and 4.5.3), SAVE_IPSETS=Yes is + once again supported. See shorewall.conf(5).
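Review bot: in the first hunk (@@ -361,23 +361,27 @@) the new version range "From Shorewall-perl 4.0.0 - Shorewall 4.4.5, Shorewall was out of the ipset load/reload business" uses a bare hyphen between two product names, which reads as a dangling clause rather than a range; suggest "From Shorewall-perl 4.0.0 through Shorewall 4.4.5, Shorewall was out of ...". The re-indented paragraphs that follow in the same hunk ("Your ipsets must be loaded before Shorewall starts. You are free to try to do that with the following code in /etc/shorewall/init") keep the present tense, so a reader of a current release cannot tell that the whole block describes behaviour the patch itself says ended at 4.4.5; either move them to the past tense or open the block with one sentence stating that it documents the pre-4.4.6 behaviour.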
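Review bot: in the second hunk (@@ -385,37 +389,43 @@) the restore step `ipset -R < /etc/shorewall/ipsets` inside the `if [ "$COMMAND" = start ]` block runs after the `ipset -U` and `ipset -F` lines at the end of the first hunk, with no check that the file exists or that the restore succeeded, so a missing or partially written file leaves the sets flushed and every rule that references them matching nothing once Shorewall starts; suggest guarding it, for example `if [ -f /etc/shorewall/ipsets ] && ipset -R < /etc/shorewall/ipsets; then :; else echo "ipset restore failed" >&2; fi`, or at least testing the exit status instead of continuing silently. Separately, the paragraph "As a consequence, scripts generated by the Perl-based compiler will ignore /etc/shorewall/ipsets and will issue a warning if you set SAVE_IPSETS=Yes" stays in the present tense directly before the new "Beginning with Shorewall 4.4.6 (and 4.5.3), SAVE_IPSETS=Yes is once again supported" paragraph, so the two statements contradict each other for a current reader; rewording the older one as "ignored ... and issued a warning" would resolve that.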