Diffstat (limited to 'docs/configuration/firewall/index.rst')
-rw-r--r-- | docs/configuration/firewall/index.rst | 30 |
1 files changed, 25 insertions, 5 deletions
diff --git a/docs/configuration/firewall/index.rst b/docs/configuration/firewall/index.rst index 5081ce2f..a36877b7 100644 --- a/docs/configuration/firewall/index.rst +++ b/docs/configuration/firewall/index.rst @@ -325,15 +325,25 @@ There are a lot of matching criteria against which the package can be tested. .. cfgcmd:: set firewall name <name> rule <1-999999> source geoip country-code <country> +.. cfgcmd:: set firewall name <name> rule <1-999999> source geoip inverse-match .. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source geoip country-code <country> +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source geoip + inverse-match .. cfgcmd:: set firewall name <name> rule <1-999999> destination geoip country-code <country> +.. cfgcmd:: set firewall name <name> rule <1-999999> destination geoip + inverse-match .. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination geoip country-code <country> +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination geoip + inverse-match -Match IP addresses based on its geolocation. More info: `geoip matching -<https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching>`_ +Match IP addresses based on its geolocation. +More info: `geoip matching +<https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching>`_. + +Use inverse-match to match anything except the given country-codes. Data is provided by DB-IP.com under CC-BY-4.0 license. Attribution required, permits redistribution so we can include a database in images(~3MB 
@@ -459,6 +469,16 @@ geoip) to keep database and rules updated. Match hop-limit parameter, where 'eq' stands for 'equal'; 'gt' stands for 'greater than', and 'lt' stands for 'less than'. + +.. cfgcmd:: set firewall name <name> rule <1-999999> recent count <1-255> +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> recent count <1-255> +.. cfgcmd:: set firewall name <name> rule <1-999999> recent time <second | + minute | hour> +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> recent time <second | + minute | hour> + + Match when 'count' amount of connections are seen within 'time'. These + matching criteria can be used to block brute-force attempts. *********************************** Applying a Rule-Set to an Interface @@ -531,10 +551,10 @@ Applying a Rule-Set to a Zone Before you are able to apply a rule-set to a zone you have to create the zones first. -It helps to think of the syntax as: (see below). The 'rule-set' should be +It helps to think of the syntax as: (see below). The 'rule-set' should be written from the perspective of: *Source Zone*-to->*Destination Zone* -.. cfgcmd:: set zone-policy zone <Destination Zone> from <Source Zone> +.. cfgcmd:: set zone-policy zone <Destination Zone> from <Source Zone> firewall name <rule-set> .. cfgcmd:: set zone-policy zone <name> from <name> firewall name @@ -829,4 +849,4 @@ Update geoip database .. opcmd:: update geoip - Command used to update GeoIP database and firewall sets.
\ No newline at end of file + Command used to update GeoIP database and firewall sets. |
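Review bot: in the geoip hunk the four new ``inverse-match`` directives are wrapped inconsistently: the first one (``set firewall name <name> rule <1-999999> source geoip inverse-match``) stays on a single line while the other three break before ``inverse-match`` onto an indented continuation line; wrap all four the same way so the rendered cfgcmd entries look alike. The added sentence "Use inverse-match to match anything except the given country-codes." should also state whether ``inverse-match`` requires at least one ``country-code`` to be configured on the same rule, since the directive itself takes no operand. Minor wording on the reflowed line: "Match IP addresses based on its geolocation." should read "their geolocation".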
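Review bot: in the ``recent`` hunk the description "Match when 'count' amount of connections are seen within 'time'" is ambiguous, because ``recent time`` takes a unit (``second | minute | hour``) rather than a duration; say explicitly what the window is (for example "within one <time> unit") and whether the count is kept per source address, and reword "'count' amount of connections" to "'count' connections". Also check that the description lines, which are indented one space under the new cfgcmd directives, render as the directives' description and not as part of the last directive's signature, matching how the hop-limit description just above is laid out. Since the text presents ``recent`` as a brute-force control, a one-line note that the rule's ``action`` (e.g. drop) still has to be set would make the intended usage clear to readers.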
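Review bot: the zone-policy hunk only strips trailing whitespace from the "It helps to think of the syntax as" line and the ``set zone-policy zone <Destination Zone> from <Source Zone>`` directive; harmless, but unrelated to the geoip and recent documentation this commit adds, so it would be cleaner as a separate whitespace cleanup or at least mentioned in the commit message.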