docs: fix incorrect info about routed networks

In a recent expansion of the documentation on network forward modes, I
incorrectly stated that incoming sessions to guests on routed networks
were blocked. This is true for guests on NATed networks, but not
routed. This patch corrects that error, and adds a pointer to the
nwfilter page for those who do want to restrict incoming sessions to
hosts on routed networks.

diff --git a/docs/formatnetwork.html.in b/docs/formatnetwork.html.in
index e06392b867eec75bc9f79bede7402a5b8f31fd7a..02302fafa053f2405e009884ac54246bbddb2fd1 100644 (file)
--- a/docs/formatnetwork.html.in
+++ b/docs/formatnetwork.html.in
@@ -134,12 +134,12 @@
             attribute is set, firewall rules will restrict forwarding
             to the named device only. This presumes that the local LAN
             router has suitable routing table entries to return
-            traffic to this host. Firewall rules are also installed
-            that prevent incoming sessions from the physical network
-            to the guests, but outgoing sessions are unrestricted (as
-            are sessions from the host to the guests, and between
-            guests on the same network.)<span class="since">Since
-            0.4.2</span>
+            traffic to this host. All incoming and outgoing sessions
+            to guest on these networks are unrestricted. (To restrict
+            incoming traffic to a guest on a routed network, you can
+            configure <a href="formatnwfilter.html">nwfilter rules</a>
+            on the guest's interfaces.)
+            <span class="since">Since 0.4.2</span>
           </dd>
 
           <dt><code>bridge</code></dt>