diff --git a/manpages/shorewall-notrack.xml b/manpages/shorewall-notrack.xml
index 49edcff23..af1821173 100644
--- a/manpages/shorewall-notrack.xml
+++ b/manpages/shorewall-notrack.xml
@@ -56,13 +56,40 @@
- DEST ‒ [address-list]
+ DEST ‒
+ [interface|address-list]
- where address-list is a
+ where interface is the name of a
+ network interface and address-list is a
comma-separated list of addresses (may contain exclusion - see
shorewall-exclusion
- (5)).
+ (5)). If an interface is given:
+
+
+
+ It must be up and configured with an IPv4 address when
+ Shorewall is started or restarted.
+
+
+
+ All routes out of the interface must be configured when
+ Shorewall is started or restarted.
+
+
+
+ Default routes out of the interface will result in a
+ warning message and will be ignored.
+
+
+
+ These restrictions are because Netfilter doesn't support
+ NOTRACK rules that specify a destination interface (these rules are
+ applied before packets are routed and hence the destination
+ interface is unknown). Shorewall uses the routes out of the
+ interface to replace the interface with an address list
+ corresponding to the networks routed out of the named
+ interface.
diff --git a/manpages6/shorewall6-notrack.xml b/manpages6/shorewall6-notrack.xml
index 91e6a2f2f..8cdc24aa8 100644
--- a/manpages6/shorewall6-notrack.xml
+++ b/manpages6/shorewall6-notrack.xml
@@ -48,13 +48,31 @@
- DEST ‒ [address-list]
+ DEST ‒
+ [interface|address-list]
where address-list is a
comma-separated list of addresses (may contain exclusion - see
shorewall6-exclusion
- (5)).
+ (5)). If an interface is given:
+
+
+
+ It must be up and configured with an IPv6 address when
+ Shorewall is started or restarted.
+
+
+
+ All routes out of the interface must be configured when
+ Shorewall is started or restarted.
+
+
+
+ Default routes out of the interface will result in a
+ warning message and will be ignored.
+
+