From 864dba2e62c24467833d16cd7c901d561478b6e0 Mon Sep 17 00:00:00 2001
From: Tom Eastep <teastep@shorewall.net>
Date: Sat, 25 Apr 2015 21:14:55 -0700
Subject: [PATCH] Clarify the need to manually create and modify ipsets

Signed-off-by: Tom Eastep <teastep@shorewall.net>
---
 docs/ipsets.xml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/docs/ipsets.xml b/docs/ipsets.xml
index f2d1bff61..4640fc04f 100644
--- a/docs/ipsets.xml
+++ b/docs/ipsets.xml
@@ -24,6 +24,8 @@
 
       <year>2010</year>
 
+      <year>2015</year>
+
       <holder>Thomas M. Eastep</holder>
     </copyright>
 
@@ -170,6 +172,12 @@ ACCEPT       net:+sshok  $FW      tcp      22</programlisting></para>
     url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, then only
     ipv4 ipsets are saved. Both features require ipset version 5 or
     later.</para>
+
+    <para>Although Shorewall can save the definition of your ipsets and
+    restore them when Shorewall starts, in most cases you must use the ipset
+    utility to initially create and load your ipsets. The exception is that
+    Shorewall will automatically create an empty iphash ipset to back each
+    dynamic zone.</para>
   </section>
 
   <section>