add more ipset documentation
vzctl committed Oct 19, 2014
1 parent e55d4ec commit e7f9a38
Showing 2 changed files with 3 additions and 0 deletions.
2 changes: 2 additions & 0 deletions README.markdown
Expand Up @@ -446,6 +446,8 @@ If Puppet is managing the iptables or iptables-persistent packages, and the prov

* `ipsec_policy`: Sets the ipsec policy type. Valid values are 'none', 'ipsec'. Requires the `ipsec_policy` feature.

* `ipset`: Matches IP sets. Value must be `ipset_name (src|dst|src,dst)` and can be negated by putting ! in front. Requires ipset kernel module.

* `isfirstfrag`: If true, matches when the packet is the first fragment of a fragmented ipv6 packet. Cannot be negated. Supported by ipv6 only. Valid values are 'true', 'false'. Requires the `isfirstfrag` feature.

* `isfragment`: If 'true', matches when the packet is a tcp fragment of a fragmented packet. Supported by iptables only. Valid values are 'true', 'false'. Requires features `isfragment`.
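
Review bot: The new `ipset` entry states its requirement as "Requires ipset kernel module", while the neighbouring entries (`ipsec_policy`, `isfirstfrag`, `isfragment`) name the provider feature, and the property in lib/puppet/type/firewall.rb is declared with `:required_features => :ipset`. Suggest naming the `ipset` feature here as well and keeping the kernel module as an additional prerequisite, so a reader can tell which is the provider gate and which is the host requirement. The negation marker should also be in backticks like the value format, and a short negated example would show exactly where the `!` goes relative to the set name.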
1 change: 1 addition & 0 deletions lib/puppet/type/firewall.rb
Expand Up @@ -968,6 +968,7 @@ def should_to_s(value)
newproperty(:ipset, :required_features => :ipset) do
desc <<-EOS
Matches against the specified ipset list.
Requires ipset kernel module.
The value is the name of the blacklist, followed by a space, and then
'src' and/or 'dst' separated by a comma.
For example: 'blacklist src,dst'
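
Review bot: The `desc` heredoc for `:ipset` is now out of step with the README entry added in the same commit: the README says the value can be negated by putting `!` in front, but the `desc` does not mention negation, so the generated type reference will omit it. The text also still calls the value "the name of the blacklist" although the first line says it matches "the specified ipset list"; "the name of the ipset" would avoid implying the property is only for deny lists. Minor wording: "Requires the ipset kernel module."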