From fc9566ff0adaceafae5687a3e719aa9a436915d5 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Tue, 15 May 2018 17:34:30 +0200
Subject: nft.8: Document limitation of reject statement in bridge family

Bridge family allows reject statement in prerouting and input chains
only. Users can't know without looking at kernel code.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
 doc/nft.xml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/doc/nft.xml b/doc/nft.xml
index 05193e67..cd6c012f 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -4873,6 +4873,10 @@ ip6 filter output log flags all
 				The common default reject value is
 				<command>port-unreachable</command>.
 			</para>
+			<para>
+				Note that in bridge family, reject statement is only allowed in base chains which
+				hook into <literal>input</literal> or <literal>prerouting</literal>.
+			</para>
 		</refsect2>
 		<refsect2>
 			<title>Counter statement</title>
-- 
cgit v1.2.3