path: root/README.md
author: Tim Meusel <tim@bastelfreak.de> 2019-09-30 14:51:12 +0200
committer: Tim Meusel <tim@bastelfreak.de> 2019-10-01 16:27:42 +0200
commit: d4b8909eab6194da389b121e46137da7618eb45c (patch)
tree: 8cfc5af5a35a1557af027d68eccbd9def263dbde /README.md
parent: 5d00a506f896fccb2485ebf3ea316f0156b80f8b (diff)
implement ipset support
Diffstat (limited to 'README.md')
-rw-r--r-- README.md | 18
1 file changed, 16 insertions, 2 deletions
diff --git a/README.md b/README.md
index 93edb62..01217bd 100644
--- a/README.md
+++ b/README.md
@@ -64,7 +64,8 @@ You can collect them like this:
Ferm::Rule <<| tag == 'allow_kafka_server2server' |>>
```
-You can also define rules in Hiera. Make sure to use `alias()` as interpolation function, because `hiera()` will always return a string.
+You can also define rules in Hiera. Make sure to use `alias()` as interpolation
+function, because `hiera()` will always return a string.
```yaml
---
@@ -94,6 +95,20 @@ defined hashes and hand them over to the class. The main class will create
rules for all of them. It also collects all exported resources that are tagged
with the FQDN of a box.
+It's also possible to match against [ipsets](http://ipset.netfilter.org/). This
+allows to easily match against a huge amount of IP addresses or network ranges.
+You can use this as follows:
+
+```puppet
+ferm::ipset { 'INPUT':
+ sets => {
+ 'office' => 'ACCPET',
+ 'internet' => 'DROP',
+ }
+}
+```
+
+please see the [references](#reference) section for more examples.
## Examples
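Review bot: the target `'ACCPET'` on the `'office'` line of the new `ferm::ipset` example is a typo for `ACCEPT`; anyone copying the snippet gets an invalid target, so change it to `'office' => 'ACCEPT',`. The new paragraph also leaves two things undocumented that a user of this example needs: whether `ferm::ipset` creates the `office` and `internet` sets or expects them to already exist on the host, and whether the order of the `sets` hash is preserved in the generated rules, since the example only does what the reader expects if the `office` ACCEPT is evaluated before the `internet` DROP. Minor wording: `This allows to easily match against` reads better as `This makes it easy to match against`, and `please see the [references](#reference) section` should start with a capital and say `reference` to match the heading it links to.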
@@ -131,7 +146,6 @@ The second rule will disable connection tracking for all other traffic coming in
This will prevent your conntrack table from overflowing, tracking only the relevant connections and allowing you to use a stateful ruleset.
-
## Reference
All parameters are documented within the classes. We generate markdown