From 0f3eac4a0e8d43052d984e395ab9156efa4845a6 Mon Sep 17 00:00:00 2001
From: "W.C.A. Wijngaards"
Date: Tue, 18 Jun 2019 16:25:11 +0200
Subject: [PATCH] - Added documentation to the ipset files (for doxygen output).
---
 doc/Changelog | 1 +
 ipset/ipset.c | 7 +++++++
 ipset/ipset.h | 23 +++++++++++++++++++++++
 3 files changed, 31 insertions(+)
diff --git a/doc/Changelog b/doc/Changelog
index 62bc98f60..210223d0d 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -7,6 +7,7 @@ use unsigned type because of comparison, and assign null instead of compare with it. Remade lex and yacc output. - make depend + - Added documentation to the ipset files (for doxygen output). 17 June 2019: Wouter - Master contains version 1.9.3 in development.
diff --git a/ipset/ipset.c b/ipset/ipset.c
index 49484361d..85b2edea9 100755
--- a/ipset/ipset.c
+++ b/ipset/ipset.c
@@ -1,3 +1,10 @@
+/**
+ * \file
+ * This file implements the ipset module. It can handle packets by putting
+ * the A and AAAA addresses that are configured in unbound.conf as type
+ * ipset (local-zone statements) into a firewall rule IPSet. For firewall
+ * blacklist and whitelist usage.
+ */
 #include "config.h"
 #include "ipset/ipset.h"
 #include "util/regional.h"
diff --git a/ipset/ipset.h b/ipset/ipset.h
index 19a12e038..f60a8be8c 100755
--- a/ipset/ipset.h
+++ b/ipset/ipset.h
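Review bot: The `\file` comment added to ipset/ipset.c says the module stores "the A and AAAA addresses that are configured in unbound.conf as type ipset", but what is configured is the zone, not the addresses. The header comment added by this same patch says it is the addresses "of the names looked up" that are added to the set. That difference matters to anyone writing DROP or ACCEPT rules against the set, because by that description membership follows DNS answer data for the listed zones rather than static configuration. I would reword the sentence to something like `* It adds the A and AAAA addresses from answers for names in zones configured` / `* as local-zone type ipset in unbound.conf to a firewall rule IPSet.` The same wording opens the comment in the ipset/ipset.h hunk and should change with it.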
@@ -6,6 +6,29 @@
 */
 #ifndef IPSET_H
 #define IPSET_H
+/** \file
+ *
+ * This file implements the ipset module. It can handle packets by putting
+ * the A and AAAA addresses that are configured in unbound.conf as type
+ * ipset (local-zone statements) into a firewall rule IPSet. For firewall
+ * blacklist and whitelist usage.
+ *
+ * To use the IPset module, install the libmnl-dev (or libmnl-devel) package
+ * and configure with --enable-ipset. And compile. Then enable the ipset
+ * module in unbound.conf with module-config: "ipset validator iterator"
+ * then create it with ipset -N blacklist iphash and then add
+ * local-zone: "example.com." ipset
+ * statements for the zones where you want the addresses of the names
+ * looked up added to the set.
+ *
+ * Set the name of the set with
+ * ipset:
+ * name-v4: "blacklist"
+ * name-v6: "blacklist6"
+ * in unbound.conf. The set can be used in this way:
+ * iptables -A INPUT -m set --set blacklist src -j DROP
+ * ip6tables -A INPUT -m set --set blacklist6 src -j DROP
+ */
 #include "util/module.h"