From: Alexey Lapitsky Date: Fri, 19 Sep 2014 19:39:22 +0000 (-0400) Subject: add more ipset documentation X-Git-Tag: 1.3.0~1^2~2^2 X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=e7f9a38624b0dae630351a595c071b04dec34904;p=puppet-modules%2Fpuppetlabs-firewall.git add more ipset documentation --- diff --git a/README.markdown b/README.markdown index 7a5c405..d347232 100644 --- a/README.markdown +++ b/README.markdown @@ -446,6 +446,8 @@ If Puppet is managing the iptables or iptables-persistent packages, and the prov * `ipsec_policy`: Sets the ipsec policy type. Valid values are 'none', 'ipsec'. Requires the `ipsec_policy` feature. +* `ipset`: Matches IP sets. Value must be `ipset_name (src|dst|src,dst)` and can be negated by putting ! in front. Requires ipset kernel module. + * `isfirstfrag`: If true, matches when the packet is the first fragment of a fragmented ipv6 packet. Cannot be negated. Supported by ipv6 only. Valid values are 'true', 'false'. Requires the `isfirstfrag` feature. * `isfragment`: If 'true', matches when the packet is a tcp fragment of a fragmented packet. Supported by iptables only. Valid values are 'true', 'false'. Requires features `isfragment`. diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb index bf21005..ce699da 100644 --- a/lib/puppet/type/firewall.rb +++ b/lib/puppet/type/firewall.rb @@ -968,6 +968,7 @@ Puppet::Type.newtype(:firewall) do newproperty(:ipset, :required_features => :ipset) do desc <<-EOS Matches against the specified ipset list. + Requires ipset kernel module. The value is the name of the blacklist, followed by a space, and then 'src' and/or 'dst' separated by a comma. For example: 'blacklist src,dst'
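Review bot: the new README bullet for `ipset` omits the feature requirement that every neighbouring entry states ("Requires the `ipsec_policy` feature", "Requires the `isfirstfrag` feature") even though the type declares `:required_features => :ipset`; "Requires ipset kernel module." alone does not tell a reader that a provider lacking the feature will reject the parameter. Suggest ending the line with "Requires the `ipset` feature and the ipset kernel module." so the README and the type stay in step, and consider spelling out that only `src`, `dst` or `src,dst` are accepted after the set name, which is what the type's own desc says.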
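Review bot: in the `firewall.rb` hunk the added "Requires ipset kernel module." line lands between "Matches against the specified ipset list." and "The value is the name of the blacklist, followed by a space...", so the requirement interrupts the explanation of the value format; move it after the `'blacklist src,dst'` example, where the other requirement (`:required_features => :ipset`) is already implied, so the desc reads as description, value format, then prerequisites. While touching this desc, "the name of the blacklist" should read "the name of the set", since `blacklist` is only the example set name and the README describes the value as `ipset_name (src|dst|src,dst)`.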