fix(meshpassthrough): added limitation (#2123)

* fix(meshpassthrough): added limitation

Signed-off-by: Lukasz Dziedziak <[email protected]>

* Update app/_src/policies/meshpassthrough.md

Co-authored-by: Krzysztof Słonka <[email protected]>
Signed-off-by: Lukasz Dziedziak <[email protected]>

---------

Signed-off-by: Lukasz Dziedziak <[email protected]>
Co-authored-by: Krzysztof Słonka <[email protected]>

app/_src/policies/meshpassthrough.md

@@ -94,6 +94,7 @@ If you rely on tags in the top-level `targetRef` you might consider securing the
 * It is currently not possible to route passthrough traffic through the [zone egress](/docs/{{ page.release }}/production/cp-deployment/zoneegress/#zone-egress). However, this feature will be implemented in the future.
 * Wildcard domains with L7 protocol and all ports is not supported.
 * {% if_version gte:2.9.x %}Builtin gateway is not supported.{% endif_version %}{% if_version lte:2.8.x %}Gateways are currently not supported.{% endif_version %}
+* Envoy prioritizes matches in the following order: [first by Port, second by Address IP, and third by SNI](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener_components.proto#envoy-v3-api-msg-config-listener-v3-filterchainmatch). For example, if you have an HTTP domain match configured for a specific port (e.g., 80) and a CIDR match also configured for port 80, a request to this domain may match the CIDR configuration if the domain's address falls within the CIDR range. However, if the domain's address does not match the CIDR, the request might fail to match entirely due to the absence of an appropriate matcher for that IP. This behavior is a limitation and could potentially be addressed in the future with the adoption of the [Matcher API](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/advanced/matching/matching_api).
 
 ## Examples