INSTALL.userspace: Explain how and why to use iptables to drop packets.

author Ben Pfaff <blp@nicira.com>

Mon, 16 Jul 2012 22:13:22 +0000 (15:13 -0700)

committer Ben Pfaff <blp@nicira.com>

Wed, 18 Jul 2012 16:04:14 +0000 (09:04 -0700)
author Ben Pfaff <blp@nicira.com>
Mon, 16 Jul 2012 22:13:22 +0000 (15:13 -0700)
committer Ben Pfaff <blp@nicira.com>
Wed, 18 Jul 2012 16:04:14 +0000 (09:04 -0700)
diff --git a/INSTALL.userspace b/INSTALL.userspace

index 6e6fcd49a78ab2d6d11af7635e54d39decb38c0f..10511b1653912bd1539c9db40c9433f04dd7e7e2 100644 (file)
--- a/INSTALL.userspace
+++ b/INSTALL.userspace
@@ -47,6 +47,19 @@ ovs-vswitchd will create a TAP device as the bridge's local interface,
  named the same as the bridge, as well as for each configured internal
  interface.
  
  named the same as the bridge, as well as for each configured internal
  interface.
  
+Firewall Rules
+--------------
+
+On Linux, when a physical interface is in use by the userspace
+datapath, packets received on the interface still also pass into the
+kernel TCP/IP stack.  This can cause surprising and incorrect
+behavior.  You can use "iptables" to avoid this behavior, by using it
+to drop received packets.  For example, to drop packets received on
+eth0:
+
+    iptables -A INPUT -i eth0 -j DROP
+    iptables -A FORWARD -i eth0 -j DROP
+
  Bug Reporting
  -------------
  
  Bug Reporting
  -------------
author	Ben Pfaff <blp@nicira.com>
	Mon, 16 Jul 2012 22:13:22 +0000 (15:13 -0700)
committer	Ben Pfaff <blp@nicira.com>
	Wed, 18 Jul 2012 16:04:14 +0000 (09:04 -0700)