INSTALL.userspace: Explain how and why to use iptables to drop packets.

author Ben Pfaff <blp@nicira.com>

Mon, 16 Jul 2012 22:13:22 +0000 (15:13 -0700)

committer Ben Pfaff <blp@nicira.com>

Wed, 18 Jul 2012 16:04:14 +0000 (09:04 -0700)
author Ben Pfaff <blp@nicira.com>
Mon, 16 Jul 2012 22:13:22 +0000 (15:13 -0700)
committer Ben Pfaff <blp@nicira.com>
Wed, 18 Jul 2012 16:04:14 +0000 (09:04 -0700)
diff --git a/INSTALL.userspace b/INSTALL.userspace

index 6e6fcd49a78ab2d6d11af7635e54d39decb38c0f..10511b1653912bd1539c9db40c9433f04dd7e7e2 100644 (file)
--- a/INSTALL.userspace
+++ b/INSTALL.userspace
@@ -47,6 +47,19 @@ ovs-vswitchd will create a TAP device as the bridge's local interface,
  named the same as the bridge, as well as for each configured internal
  interface.
  
+Firewall Rules
+--------------
+
+On Linux, when a physical interface is in use by the userspace
+datapath, packets received on the interface still also pass into the
+kernel TCP/IP stack.  This can cause surprising and incorrect
+behavior.  You can use "iptables" to avoid this behavior, by using it
+to drop received packets.  For example, to drop packets received on
+eth0:
+
+    iptables -A INPUT -i eth0 -j DROP
+    iptables -A FORWARD -i eth0 -j DROP
+
  Bug Reporting
  -------------
author	Ben Pfaff <blp@nicira.com>
	Mon, 16 Jul 2012 22:13:22 +0000 (15:13 -0700)
committer	Ben Pfaff <blp@nicira.com>
	Wed, 18 Jul 2012 16:04:14 +0000 (09:04 -0700)