Bridge family allows reject statement in prerouting and input chains only. Users can't know without looking at kernel code. Signed-off-by: Phil Sutter <phil@xxxxxx> --- doc/nft.xml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/doc/nft.xml b/doc/nft.xml index 05193e67ed6dc..cd6c012ff1b6d 100644 --- a/doc/nft.xml +++ b/doc/nft.xml @@ -4873,6 +4873,10 @@ ip6 filter output log flags all The common default reject value is <command>port-unreachable</command>. </para> + <para> + Note that in bridge family, reject statement is only allowed in base chains which + hook into <literal>input</literal> or <literal>prerouting</literal>. + </para> </refsect2> <refsect2> <title>Counter statement</title> -- 2.17.0
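Review bot: the added <para> in the reject statement section says reject is "only allowed in base chains which hook into input or prerouting", which can be read as forbidding reject in regular (non-base) chains altogether, while the commit message speaks only of "prerouting and input chains". Please state explicitly whether a regular chain that is jumped to from a bridge prerouting or input base chain may contain a reject statement. Since the motivation is that users cannot learn this without reading kernel code, it would also help to say what happens when the statement is used in any other bridge chain. Minor wording: "in the bridge family, the reject statement is only allowed ..." reads better with the articles.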