From fb1486439b6d62cad104b83ecd04ec1a54fc9cae Mon Sep 17 00:00:00 2001 From: Florian Westphal Date: Mon, 22 Jun 2020 10:24:57 +0200 Subject: doc: revisit meta/rt primary expressions and ct statement Clarify meta/rt ipsec examples and document that 'ct helper set' needs to be used *after* conntrack lookup. Signed-off-by: Florian Westphal --- doc/statements.txt | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'doc/statements.txt') diff --git a/doc/statements.txt b/doc/statements.txt index 607aee13..9155f286 100644 --- a/doc/statements.txt +++ b/doc/statements.txt @@ -218,6 +218,11 @@ has to be assigned before a conntrack lookup takes place, i.e. this has to be done in prerouting and possibly output (if locally generated packets need to be placed in a distinct zone), with a hook priority of -300. +Unlike iptables, where the helper assignment happens in the raw table, +the helper needs to be assigned after a conntrack entry has been +found, i.e. it will not work when used with hook priorities equal or before +-200. + .Conntrack statement types [options="header"] |================== -- cgit v1.2.3
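Review bot: In the added paragraph, the phrase "hook priorities equal or before -200" mixes a numeric comparison with an ordering word, and it sits directly below context that requires the zone to be set "with a hook priority of -300", so the two rules are easy to confuse. Suggest wording such as "it will not work in chains with a hook priority of -200 or lower". The paragraph also says only "the helper" and never names the statement, while the commit message says the change is about 'ct helper set'. Naming the statement in the first added sentence would make clear that the "before conntrack lookup" rule above applies to zones and this "after conntrack lookup" rule applies to helper assignment. It would also help to state why -200 is the boundary, since the added text gives the number without saying it corresponds to the point where the conntrack entry is found.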