From: Phil Sutter <phil@nwl.cc>
Date: Thu, 23 Jun 2022 15:49:20 +0000 (+0200)
Subject: doc: Document limitations of ipsec expression with xfrm_interface
X-Git-Tag: v1.0.5~13
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=446e76dbde713327358f17a8af6ce86b8541c836;p=thirdparty%2Fnftables.git

doc: Document limitations of ipsec expression with xfrm_interface

Point at a possible solution to match IPsec info of locally generated
traffic routed to an xfrm-type interface.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
---

diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt
index f97778b9..4d6b0878 100644
--- a/doc/primary-expression.txt
+++ b/doc/primary-expression.txt
@@ -428,6 +428,10 @@ Destination address of the tunnel|
 ipv4_addr/ipv6_addr
 |=================================
 
+*Note:* When using xfrm_interface, this expression is not useable in output
+hook as the plain packet does not traverse it with IPsec info attached - use a
+chain in postrouting hook instead.
+
 NUMGEN EXPRESSION
 ~~~~~~~~~~~~~~~~~