diff options
author | Ben Pfaff <blp@nicira.com> | 2012-07-16 15:13:22 -0700 |
---|---|---|
committer | Ben Pfaff <blp@nicira.com> | 2012-07-18 09:04:14 -0700 |
commit | f4ef95344b607537f95d865fa4526688557802b4 (patch) | |
tree | 6df149a1fb7a80025aed4e96d4bca975c51affa5 /INSTALL.userspace | |
parent | 95a1c4cab26da46f5d27a1591b9196c303a46286 (diff) |
INSTALL.userspace: Explain how and why to use iptables to drop packets.
Reported-by: Ed Maste <emaste@freebsd.org>
Signed-off-by: Ben Pfaff <blp@nicira.com>
Diffstat (limited to 'INSTALL.userspace')
-rw-r--r-- | INSTALL.userspace | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/INSTALL.userspace b/INSTALL.userspace index 6e6fcd49..10511b16 100644 --- a/INSTALL.userspace +++ b/INSTALL.userspace @@ -47,6 +47,19 @@ ovs-vswitchd will create a TAP device as the bridge's local interface, named the same as the bridge, as well as for each configured internal interface. +Firewall Rules +-------------- + +On Linux, when a physical interface is in use by the userspace +datapath, packets received on the interface still also pass into the +kernel TCP/IP stack. This can cause surprising and incorrect +behavior. You can use "iptables" to avoid this behavior, by using it +to drop received packets. For example, to drop packets received on +eth0: + + iptables -A INPUT -i eth0 -j DROP + iptables -A FORWARD -i eth0 -j DROP + Bug Reporting ------------- |