From 219954769c40a42b9db28aece5cc3aa7492a0065 Mon Sep 17 00:00:00 2001
From: Tom Eastep <teastep@shorewall.net>
Date: Sun, 12 Sep 2010 07:40:01 -0700
Subject: [PATCH 1/2] Update ipsets document

---
 docs/ipsets.xml | 81 ++++++++++++++++++++++++-------------------------
 1 file changed, 39 insertions(+), 42 deletions(-)

diff --git a/docs/ipsets.xml b/docs/ipsets.xml
index 85ff1491a..e6cd49317 100644
--- a/docs/ipsets.xml
+++ b/docs/ipsets.xml
@@ -22,6 +22,8 @@
 
       <year>2008</year>
 
+      <year>2010</year>
+
       <holder>Thomas M. Eastep</holder>
     </copyright>
 
@@ -62,6 +64,11 @@
         contents of an ipset</ulink>. Again, you can then add or delete
         addresses to the ipset without restarting Shorewall.</para>
       </listitem>
+
+      <listitem>
+        <para>In most configuration files when an address list is accepted,
+        the list may include ipsets using the syntax described below.</para>
+      </listitem>
     </orderedlist>
 
     <para>See the ipsets site (URL above) for additional information about
@@ -94,6 +101,24 @@
     <para>To generate a negative match, prefix the "+" with "!" as in
     "!+Mirrors".</para>
 
+    <para>When an ipset name appears in the SOURCE column of a file, Shorewall
+    generates a 'src' match ("-m set --match-set
+    <replaceable>set-name</replaceable> <emphasis role="bold">src</emphasis>")
+    and when the name appears in the DEST column, a 'dst' match is generated
+    (-m set --match-set <replaceable>set-name</replaceable> <emphasis
+    role="bold">dst</emphasis>"). Some set types allow matching on more than
+    one address and require a comma-separated list of 'src' and/or 'dst'
+    flags. This list may be enclosed in square brackets ("[...]") following
+    the set name.</para>
+
+    <para>Example: +setlist[src,dst]</para>
+
+    <para>If the flags are homogenous, you may use an integer to represent the
+    number of entries. In other words, <emphasis role="bold">[2]</emphasis> is
+    equivalent to <emphasis role="bold">[src,src]</emphasis> in the SOURCE
+    column and is equivalent to <emphasis role="bold">[dst,dst]</emphasis> in
+    the DEST column.</para>
+
     <para>Example 1: Blacklist all hosts in an ipset named "blacklist"</para>
 
     <para><filename>/etc/shorewall/blacklist</filename><programlisting>#ADDRESS/SUBNET         PROTOCOL        PORT
@@ -103,50 +128,22 @@
 
     <para><filename>/etc/shorewall/rules</filename><programlisting>#ACTION      SOURCE      DEST     PROTO    DEST PORT(S)
 ACCEPT       net:+sshok  $FW      tcp      22</programlisting></para>
+  </section>
 
-    <para>Shorewall is not in the ipset load/reload business because the
-    Netfilter rule set is never cleared. That means that there is no
-    opportunity for Shorewall to load/reload your ipsets since that cannot be
-    done while there are any current rules using ipsets.</para>
+  <section>
+    <title>Saving/Restoring Ipsets</title>
 
-    <para>So:</para>
+    <para>The SAVE_IPSETS option in <ulink
+    url="manpages/shorewall.conf.html">shorewall.conf </ulink>(5) allows you
+    to have Shorewall automatically save your ipset contents during
+    <command>shorewall stop</command> and restore them during
+    <command>shorewall start</command>. SAVE_IPSETS is implicitly set to
+    <option>Yes</option> when the configuration includes one or more <ulink
+    url="Dynamic.html">dynamic zones</ulink>.</para>
 
-    <orderedlist numeration="upperroman">
-      <listitem>
-        <para>Your ipsets must be loaded before Shorewall starts. You are free
-        to try to do that with the following code in
-        <filename>/etc/shorewall/init (it works for me; your mileage may
-        vary)</filename>:</para>
-
-        <programlisting>if [ "$COMMAND" = start ]; then
-    ipset -F
-    ipset -X
-    ipset -R &lt; /etc/shorewall/ipsets
-fi</programlisting>
-
-        <para>The file <filename>/etc/shorewall/ipsets</filename> will
-        normally be produced using the <command>ipset -S</command>
-        command.</para>
-
-        <para>The above will work most of the time but will fail in a
-        <command>shorewall stop</command> - <command>shorewall start</command>
-        sequence if you use ipsets in your routestopped file (see
-        below).</para>
-      </listitem>
-
-      <listitem>
-        <para>Your ipsets may not be reloaded until Shorewall is stopped or
-        cleared.</para>
-      </listitem>
-
-      <listitem>
-        <para>If you specify ipsets in your routestopped file then Shorewall
-        must be cleared in order to reload your ipsets.</para>
-      </listitem>
-    </orderedlist>
-
-    <para>As a consequence, scripts generated by the Perl-based compiler will
-    ignore <filename>/etc/shorewall/ipsets</filename> and will issue a warning
-    if you set SAVE_IPSETS=Yes in <filename>shorewall.conf</filename></para>
+    <para>When SAVE_IPSETS=Yes, Shorewall disallows ipsets to be specified in
+    <ulink
+    url="manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>
+    (8). </para>
   </section>
 </article>

From b071d2608f6711fa576edd7f5d9e6115b11ff67c Mon Sep 17 00:00:00 2001
From: Tom Eastep <teastep@shorewall.net>
Date: Sun, 12 Sep 2010 07:43:36 -0700
Subject: [PATCH 2/2] Add version caution to two docs

---
 docs/blacklisting_support.xml | 7 +++++++
 docs/ipsets.xml               | 9 +++++++++
 2 files changed, 16 insertions(+)

diff --git a/docs/blacklisting_support.xml b/docs/blacklisting_support.xml
index ed8cd0242..c55e24d2b 100644
--- a/docs/blacklisting_support.xml
+++ b/docs/blacklisting_support.xml
@@ -34,6 +34,13 @@
     </legalnotice>
   </articleinfo>
 
+  <caution>
+    <para><emphasis role="bold">This article applies to Shorewall 4.4 and
+    later. If you are running a version of Shorewall earlier than Shorewall
+    4.3.5 then please see the documentation for that
+    release.</emphasis></para>
+  </caution>
+
   <section id="Intro">
     <title>Introduction</title>
 
diff --git a/docs/ipsets.xml b/docs/ipsets.xml
index e6cd49317..d0711c7e2 100644
--- a/docs/ipsets.xml
+++ b/docs/ipsets.xml
@@ -38,6 +38,13 @@
     </legalnotice>
   </articleinfo>
 
+  <caution>
+    <para><emphasis role="bold">This article applies to Shorewall 4.4 and
+    later. If you are running a version of Shorewall earlier than Shorewall
+    4.3.5 then please see the documentation for that
+    release.</emphasis></para>
+  </caution>
+
   <section id="Ipsets">
     <title>What are Ipsets?</title>
 
@@ -145,5 +152,7 @@ ACCEPT       net:+sshok  $FW      tcp      22</programlisting></para>
     <ulink
     url="manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>
     (8). </para>
+
+    <para>SAVE_IPSET support was added in Shorewall 4.4.6.</para>
   </section>
 </article>