diff options
| author | Florian Westphal <fw@strlen.de> | 2020-06-22 10:24:57 +0200 |
|---|---|---|
| committer | Florian Westphal <fw@strlen.de> | 2020-06-25 20:53:40 +0200 |
| commit | fb1486439b6d62cad104b83ecd04ec1a54fc9cae (patch) | |
| tree | b7107d64f233ae3829e5a1d8e8244c4850a152fb /doc/statements.txt | |
| parent | f16fbe76f62dcb9f7395d1837ad2d056463ba55f (diff) | |
doc: revisit meta/rt primary expressions and ct statement
Clarify meta/rt ipsec examples and document that 'ct helper set'
needs to be used *after* conntrack lookup.
Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'doc/statements.txt')
| -rw-r--r-- | doc/statements.txt | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/doc/statements.txt b/doc/statements.txt index 607aee13..9155f286 100644 --- a/doc/statements.txt +++ b/doc/statements.txt @@ -218,6 +218,11 @@ has to be assigned before a conntrack lookup takes place, i.e. this has to be done in prerouting and possibly output (if locally generated packets need to be placed in a distinct zone), with a hook priority of -300. +Unlike iptables, where the helper assignment happens in the raw table, +the helper needs to be assigned after a conntrack entry has been +found, i.e. it will not work when used with hook priorities equal or before +-200. + .Conntrack statement types [options="header"] |================== |