From: Phil Sutter <phil@nwl.cc>
Date: Tue, 15 May 2018 15:34:30 +0000 (+0200)
Subject: nft.8: Document limitation of reject statement in bridge family
X-Git-Tag: v0.9.0~52
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fc9566ff0adaceafae5687a3e719aa9a436915d5;p=thirdparty%2Fnftables.git

nft.8: Document limitation of reject statement in bridge family

Bridge family allows reject statement in prerouting and input chains
only. Users can't know without looking at kernel code.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
---

diff --git a/doc/nft.xml b/doc/nft.xml
index 05193e67..cd6c012f 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -4873,6 +4873,10 @@ ip6 filter output log flags all
 				The common default reject value is
 				<command>port-unreachable</command>.
 			</para>
+			<para>
+				Note that in bridge family, reject statement is only allowed in base chains which
+				hook into <literal>input</literal> or <literal>prerouting</literal>.
+			</para>
 		</refsect2>
 		<refsect2>
 			<title>Counter statement</title>