From d4b8909eab6194da389b121e46137da7618eb45c Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Mon, 30 Sep 2019 14:51:12 +0200 Subject: implement ipset support --- README.md | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) (limited to 'README.md') diff --git a/README.md b/README.md index 93edb62..01217bd 100644 --- a/README.md +++ b/README.md @@ -64,7 +64,8 @@ You can collect them like this: Ferm::Rule <<| tag == 'allow_kafka_server2server' |>> ``` -You can also define rules in Hiera. Make sure to use `alias()` as interpolation function, because `hiera()` will always return a string. +You can also define rules in Hiera. Make sure to use `alias()` as interpolation +function, because `hiera()` will always return a string. ```yaml --- @@ -94,6 +95,20 @@ defined hashes and hand them over to the class. The main class will create rules for all of them. It also collects all exported resources that are tagged with the FQDN of a box. +It's also possible to match against [ipsets](http://ipset.netfilter.org/). This +allows to easily match against a huge amount of IP addresses or network ranges. +You can use this as follows: + +```puppet +ferm::ipset { 'INPUT': + sets => { + 'office' => 'ACCPET', + 'internet' => 'DROP', + } +} +``` + +please see the [references](#reference) section for more examples. ## Examples @@ -131,7 +146,6 @@ The second rule will disable connection tracking for all other traffic coming in This will prevent your conntrack table from overflowing, tracking only the relevant connections and allowing you to use a stateful ruleset. - ## Reference All parameters are documented within the classes. We generate markdown -- cgit v1.2.3
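Review bot: the first hunk only re-wraps the existing Hiera sentence across two lines and is unrelated to the ipset support the commit subject announces; it would be cleaner as its own whitespace-only commit so that `git blame` on that paragraph does not point at the ipset change.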
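Review bot: in the second hunk the `ferm::ipset` example misspells the target for the `office` set as `'ACCPET'`; it should be `'office' => 'ACCEPT',`, otherwise anyone pasting the example will get a ferm parse error instead of a working rule. The same hunk also leaves two documentation gaps: the sets are referenced only by name (`office`, `internet`) without saying whether the module creates and populates the ipsets or expects them to exist already, and the closing line `please see the [references](#reference) section for more examples.` starts lowercase and calls the section "references" while the heading added later in the file is `## Reference`; capitalise the sentence, match the heading text, and put a blank line before `## Examples`. Finally, `This allows to easily match against a huge amount of IP addresses` is ungrammatical; suggest `This makes it easy to match against a large number of IP addresses or network ranges.`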