doc: Document implicit dependency creation for icmp/icmpv6

As suggested at NFWS, the implicit nfproto dependencies generated by
icmp/icmpv6 header field matches should be documented along with how to
achieve matching on unusual packets.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/doc/payload-expression.txt b/doc/payload-expression.txt
index 2a89b922c01ae7426c53db1f72022fd18e9dcacf..a2284ce8c3d921f2be0d88ed43a83df4edac1cfd 100644 (file)
--- a/doc/payload-expression.txt
+++ b/doc/payload-expression.txt
@@ -119,6 +119,11 @@ ICMP HEADER EXPRESSION
 [verse]
 *icmp* ['ICMP' 'header' 'field']
 
+This expression refers to ICMP header fields. When using it in *inet*,
+*bridge* or *netdev* families, it will cause an implicit dependency on IPv4 to
+be created. To match on unusual cases like ICMP over IPv6, one has to add an
+explicit *meta nftproto ipv6* match to the rule.
+
 .ICMP header expression
 [options="header"]
 |==================
@@ -199,6 +204,11 @@ ICMPV6 HEADER EXPRESSION
 [verse]
 *icmpv6* ['ICMPv6' 'header' 'field']
 
+This expression refers to ICMPv6 header fields. When using it in *inet*,
+*bridge* or *netdev* families, it will cause an implicit dependency on IPv6 to
+be created. To match on unusual cases like ICMPv6 over IPv4, one has to add an
+explicit *meta nftproto ipv4* match to the rule.
+
 .ICMPv6 header expression
 [options="header"]
 |==================