add more ipset documentation

diff --git a/README.markdown b/README.markdown
index 7a5c4059547e4b52183d703340e655a95fcb347c..d347232173c4687f134d25c5891a816b5eed81a6 100644 (file)
--- a/README.markdown
+++ b/README.markdown
@@ -446,6 +446,8 @@ If Puppet is managing the iptables or iptables-persistent packages, and the prov
 
 * `ipsec_policy`: Sets the ipsec policy type. Valid values are 'none', 'ipsec'. Requires the `ipsec_policy` feature.
 
+* `ipset`: Matches IP sets. Value must be `ipset_name (src|dst|src,dst)` and can be negated by putting ! in front. Requires ipset kernel module.
+
 * `isfirstfrag`: If true, matches when the packet is the first fragment of a fragmented ipv6 packet. Cannot be negated. Supported by ipv6 only. Valid values are 'true', 'false'. Requires the `isfirstfrag` feature. 
 
 * `isfragment`: If 'true', matches when the packet is a tcp fragment of a fragmented packet. Supported by iptables only. Valid values are 'true', 'false'. Requires features `isfragment`.

diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb
index bf21005deb72a9cb549049789a6fb22ce8878b86..ce699da0ebb63db0f8eb8669df4663303c60b633 100644 (file)
--- a/lib/puppet/type/firewall.rb
+++ b/lib/puppet/type/firewall.rb
@@ -968,6 +968,7 @@ Puppet::Type.newtype(:firewall) do
   newproperty(:ipset, :required_features => :ipset) do
     desc <<-EOS
       Matches against the specified ipset list.
+      Requires ipset kernel module.
       The value is the name of the blacklist, followed by a space, and then
       'src' and/or 'dst' separated by a comma.
       For example: 'blacklist src,dst'