git.ipfire.org Git - thirdparty/nftables.git/commitdiff
doc: Document limitations of ipsec expression with xfrm_interface
author Phil Sutter <phil@nwl.cc>
Thu, 23 Jun 2022 15:49:20 +0000 (17:49 +0200)
committer Florian Westphal <fw@strlen.de>
Thu, 28 Jul 2022 07:45:11 +0000 (09:45 +0200)
Point at a possible solution to match IPsec info of locally generated
traffic routed to an xfrm-type interface.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
doc/primary-expression.txt

index f97778b9762b5c469cf91a72fe4065a0a0d8bcae..4d6b0878b2529e93489834d346eef31b6e04db2d 100644 (file)
@@ -428,6 +428,10 @@ Destination address of the tunnel|
 ipv4_addr/ipv6_addr
 |=================================
 
+*Note:* When using xfrm_interface, this expression is not useable in output
+hook as the plain packet does not traverse it with IPsec info attached - use a
+chain in postrouting hook instead.
+
 NUMGEN EXPRESSION
 ~~~~~~~~~~~~~~~~~
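
Review bot: In the added note, "it" in "does not traverse it with IPsec info attached" is ambiguous (the output hook or the xfrm interface), and the note drops the scope the commit message states, namely locally generated traffic routed to an xfrm-type interface. Suggest something like "For locally generated traffic routed to an xfrm_interface, this expression is not usable in the output hook, as the plain packet traverses that hook without IPsec info attached; use a chain in the postrouting hook instead." Minor style points in the same lines: "useable" is more commonly spelled "usable", and "in output hook" / "in postrouting hook" read better with an article.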