Bring 4.4.6 Lenny->Squeeze in sync with the 4.5.3 version

Signed-off-by: Tom Eastep <teastep@shorewall.net>

docs/LennyToSqueeze.xml

@@ -354,7 +354,7 @@
           <term>SAVE_IPSETS</term>
 
           <listitem>
-            <para>Shorewall 4.4 will issue a warning if you set
+            <para>Shorewall 4.4.0-4.4.5 will issue a warning if you set
             SAVE_IPSETS=Yes in <filename>shorewall.conf</filename>:</para>
 
             <para><emphasis role="bold">WARNING SAVE_IPSETS=Yes is not
@@ -896,57 +896,32 @@ insert_rule $filter_table-&gt;{OUTPUT},     1, "-p udp --sport 1701 -j ACCEPT";
       Shorewall configuration file, the name must be preceded by a plus sign
       (+) as with the shell-based compiler.</para>
 
-      <para>Shorewall 4.4 is out of the ipset load/reload business with the
-      exception of ipsets used for dynamic zones. With scripts generated by
-      Shorwall 4.4, the Netfilter rule set is never cleared. That means that
-      there is no opportunity for Shorewall to load/reload your ipsets since
-      that cannot be done while there are any current rules using
-      ipsets.</para>
+      <para>Shorewall 4.4.6 re-introduced SAVE_IPSETS=Yes with slightly
+      different semantics:</para>
 
-      <para>So:</para>
-
-      <orderedlist numeration="upperroman">
+      <itemizedlist>
         <listitem>
-          <para>Your ipsets must be loaded before Shorewall starts. You are
-          free to try to do that with the following code in
-          <filename>/etc/shorewall/init (it works for me; your mileage may
-          vary)</filename>:</para>
-
-          <programlisting>if [ "$COMMAND" = start ]; then
-    ipset -U :all: :all:
-    ipset -U :all: :default:
-    ipset -F
-    ipset -X
-    ipset -R &lt; /etc/shorewall/ipsets
-fi</programlisting>
-
-          <para>The file <filename>/etc/shorewall/ipsets</filename> will
-          normally be produced using the <command>ipset -S</command> command.
-          I have this in my<filename> /etc/shorewall/stop</filename>
-          file:</para>
-
-          <programlisting>if ipset -S &gt; /etc/shorewall/ipsets.tmp; then
-    mv -f /etc/shorewall/ipsets /etc/shorewall/ipsets.bak
-    mv /etc/shorewall/ipsets.tmp /etc/shorewall/ipsets
-fi</programlisting>
-
-          <para>The above extension scripts will work most of the time but
-          will fail in a <command>shorewall stop</command> -
-          <command>shorewall start</command> sequence if you use ipsets in
-          your routestopped file (see <link
-          linkend="routestopped">below</link>).</para>
+          <para>The contents of the ipsets are saved during processing of the
+          <command>stop</command> command in addition to during processing of
+          the <command>save</command> command.</para>
         </listitem>
 
         <listitem>
-          <para>Your ipsets may not be reloaded until Shorewall is stopped or
-          cleared.</para>
+          <para>The contents of the ipsets are restored during processing of
+          the <command>start</command> command in addition to during
+          processing of the <command>restore</command> command. When
+          <command>restore</command> is being run when Shorewall is not in the
+          stopped state (such as when it is run to recover from a failed
+          <command>start</command>, <command>restart</command> or
+          <command>refresh</command>) ipsets are not restored.</para>
         </listitem>
 
         <listitem>
-          <para>If you specify ipsets in your routestopped file then Shorewall
-          must be cleared in order to reload your ipsets.</para>
+          <para>Specifying an ipset in <ulink
+          url="manpages/shorewall-routestopped.html">shorewall-routestopped
+          </ulink>(5) is prohibited when SAVE_IPSETS=Yes.</para>
         </listitem>
-      </orderedlist>
+      </itemizedlist>
     </section>
   </section>