author Ben Pfaff <blp@nicira.com> 2012-07-16 15:13:22 -0700
committer Ben Pfaff <blp@nicira.com> 2012-07-18 09:04:14 -0700
commit f4ef95344b607537f95d865fa4526688557802b4
tree 6df149a1fb7a80025aed4e96d4bca975c51affa5 /INSTALL.userspace
parent 95a1c4cab26da46f5d27a1591b9196c303a46286
INSTALL.userspace: Explain how and why to use iptables to drop packets.

Reported-by: Ed Maste <emaste@freebsd.org>
Signed-off-by: Ben Pfaff <blp@nicira.com>
Diffstat (limited to 'INSTALL.userspace')
-rw-r--r-- INSTALL.userspace 13
1 files changed, 13 insertions, 0 deletions
diff --git a/INSTALL.userspace b/INSTALL.userspace
index 6e6fcd49..10511b16 100644
--- a/INSTALL.userspace
+++ b/INSTALL.userspace
@@ -47,6 +47,19 @@ ovs-vswitchd will create a TAP device as the bridge's local interface,
named the same as the bridge, as well as for each configured internal
interface.
+Firewall Rules
+--------------
+
+On Linux, when a physical interface is in use by the userspace
+datapath, packets received on the interface still also pass into the
+kernel TCP/IP stack. This can cause surprising and incorrect
+behavior. You can use "iptables" to avoid this behavior, by using it
+to drop received packets. For example, to drop packets received on
+eth0:
+
+ iptables -A INPUT -i eth0 -j DROP
+ iptables -A FORWARD -i eth0 -j DROP
+
Bug Reporting
-------------
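
Review bot: the example ending at "iptables -A FORWARD -i eth0 -j DROP" covers IPv4 only, so IPv6 packets received on eth0 would still pass into the kernel stack; consider adding the equivalent ip6tables rules or stating that the example is IPv4-only. Separately, "-A" appends to the end of the chain, so on a host that already has ACCEPT rules in INPUT or FORWARD the new DROP rules may never be reached; a sentence noting that rule order matters, or using "-I" to insert at the top, would make the example work as described. The phrase "surprising and incorrect behavior" would also be easier to act on if it named one concrete symptom.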