From 8316a43805469a0223c6f3def2f204c6f04bcc80 Mon Sep 17 00:00:00 2001
From: Stefan Midjich
Date: Wed, 15 Nov 2017 10:57:00 +0100
Subject: [PATCH] demonstrate use of ipset

---
 docs/examples/iptables/iptables.j2 | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/docs/examples/iptables/iptables.j2 b/docs/examples/iptables/iptables.j2
index 6cf78f2..7f7cd68 100644
--- a/docs/examples/iptables/iptables.j2
+++ b/docs/examples/iptables/iptables.j2
@@ -31,6 +31,15 @@
 # iptables -t mangle -I internet -m tcp -p tcp --source 1.2.3.4 -j RETURN
 # iptables -t mangle -I internet -m udp -p udp --source 1.2.3.4 -j RETURN
+# You can also use ipset like this.
+# This matches a pre-defined ipset instead of specific addresses, ipset type hash:ip.
+#-A internet -m set --match-set {{ipset_whitelist_clients}} src -j RETURN
+#-A internet -m set --match-set {{ipset_auth_clients}} src -j RETURN
+
+# These are for mac-addresses, ipset type hash:mac.
+#-A internet -m set --match-set {{macset_whitelist_clients}} src -j RETURN
+#-A internet -m set --match-set {{macset_auth_clients}} src -j RETURN
+
 # For MGMT SSH traffic return out of internet chain so it's not marked
 -A internet -p tcp -d {{captiveportal_conf.webportal_ip}} --dport ssh -j RETURN
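Review bot: The four new `#-A internet -m set --match-set {{ipset_whitelist_clients}} ...` example lines are commented out for iptables-restore, but the `{{...}}` expressions inside them are still evaluated by the template engine, so a deployment that does not define `ipset_whitelist_clients`, `ipset_auth_clients`, `macset_whitelist_clients` or `macset_auth_clients` will presumably fail to render the whole rules file (depending on the renderer's undefined-variable setting), even though the user never asked for ipset. Since these are illustrative only, write them without Jinja delimiters, e.g. `#-A internet -m set --match-set <ipset_whitelist_clients> src -j RETURN`, or wrap the block in `{% raw %}`/`{% endraw %}`. The comment should also state that the named sets must exist before the rules are restored (a `--match-set` against a missing set makes the restore fail), and that a `hash:mac` allowlist is not an authentication control: MAC addresses on the local segment can be spoofed, so a note like `# Note: MAC-based matching identifies the adapter, not the user; treat it as a convenience, not as authentication.` would help readers. The existing examples two lines above use the full `iptables -t mangle -I internet ...` command form while the new ones use rule-file syntax; pick one for consistency.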