From 051452cdcfa4ba30142aad2ce39578867346626a Mon Sep 17 00:00:00 2001 From: Sameer Vohra Date: Wed, 24 Jun 2020 11:18:50 -0500 Subject: [PATCH 1/2] Update firewall README.md Document `CNI-ADMIN` chain usage as well as `iptablesAdminChainName` Signed-off-by: Sameer Vohra --- plugins/meta/firewall/README.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/plugins/meta/firewall/README.md b/plugins/meta/firewall/README.md index f73a4121..1d3f3b1a 100644 --- a/plugins/meta/firewall/README.md +++ b/plugins/meta/firewall/README.md @@ -133,3 +133,17 @@ of the container as shown: - `-s 10.88.0.2 -m conntrack --ctstate RELATED,ESTABLISHED -j CNI-FORWARD` - `-d 10.88.0.2 -j CNI-FORWARD` +A new chain, CNI-ADMIN is added to the CNI-FORWARD chain. CNI-ADMIN is intended as a user-controlled chain that all traffic passes through prior to the rules managed by the `firewall` plugin. + +`CNI-FORWARD` chain: +- `-j CNI-ADMIN` + +The chain name `CNI-ADMIN` can be overridden by specifying `iptablesAdminChainName` in + +``` + { + "type": "firewall", + "backend": "iptables", + "iptablesAdminChainName": "SOME-OTHER-CHAIN-NAME", + } +``` From 021462563bd542a4aed8c8f2dee161fd6360bcfd Mon Sep 17 00:00:00 2001 From: Sameer Vohra Date: Fri, 3 Jul 2020 09:57:32 -0500 Subject: [PATCH 2/2] Update firewall README.md CNI-ADMIN Signed-off-by: Sameer Vohra --- plugins/meta/firewall/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/plugins/meta/firewall/README.md b/plugins/meta/firewall/README.md index 1d3f3b1a..a45bbbdb 100644 --- a/plugins/meta/firewall/README.md +++ b/plugins/meta/firewall/README.md 
@@ -133,12 +133,12 @@ of the container as shown: - `-s 10.88.0.2 -m conntrack --ctstate RELATED,ESTABLISHED -j CNI-FORWARD` - `-d 10.88.0.2 -j CNI-FORWARD` -A new chain, CNI-ADMIN is added to the CNI-FORWARD chain. CNI-ADMIN is intended as a user-controlled chain that all traffic passes through prior to the rules managed by the `firewall` plugin. +The `CNI-FORWARD` chain first sends all traffic to `CNI-ADMIN` chain, which is intended as an user-controlled chain for custom rules that run prior to rules managed by the `firewall` plugin. The `firewall` plugin does not add, delete or modify rules in the `CNI-ADMIN` chain. `CNI-FORWARD` chain: - `-j CNI-ADMIN` -The chain name `CNI-ADMIN` can be overridden by specifying `iptablesAdminChainName` in +The chain name `CNI-ADMIN` can be overridden by specifying `iptablesAdminChainName` in the plugin configuration ``` {
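Review bot: In the first patch (1/2) the sentence introducing the configuration example is cut off: "The chain name `CNI-ADMIN` can be overridden by specifying `iptablesAdminChainName` in" ends at "in" with no object, and the JSON example that follows is not valid JSON because of the trailing comma after `"iptablesAdminChainName": "SOME-OTHER-CHAIN-NAME",`. Finish the sentence (for example "in the plugin configuration:") and drop the trailing comma so the snippet can be pasted into a conflist as-is. The first added paragraph also needs a comma and code formatting for consistency with the rest of the README: "A new chain, `CNI-ADMIN`, is added to the `CNI-FORWARD` chain."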
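Review bot: In the second patch (2/2) the reworded paragraph has a grammar slip ("an user-controlled chain" should be "a user-controlled chain") and the sentence "can be overridden by specifying `iptablesAdminChainName` in the plugin configuration" should end with a colon since it introduces the code block. More importantly for readers, the `-j CNI-ADMIN` rule being first in `CNI-FORWARD` means any terminating verdict (ACCEPT, DROP, REJECT) reached in `CNI-ADMIN` ends traversal before the plugin's own per-container rules are evaluated, so the administrator's rules effectively take precedence over the plugin's policy; stating that consequence explicitly, alongside the new sentence that the plugin does not add, delete or modify rules in `CNI-ADMIN`, would help operators reason about what their custom rules can bypass. It would also be worth saying whether the plugin creates the `CNI-ADMIN` chain itself or expects the administrator to create it, since the text only says the plugin leaves its rules untouched.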