INSTALL.userspace: Explain how and why to use iptables to drop packets.

author Ben Pfaff <blp@nicira.com>

Mon, 16 Jul 2012 22:13:22 +0000 (15:13 -0700)

committer Ben Pfaff <blp@nicira.com>

Wed, 18 Jul 2012 16:04:14 +0000 (09:04 -0700)
author Ben Pfaff <blp@nicira.com>
Mon, 16 Jul 2012 22:13:22 +0000 (15:13 -0700)
committer Ben Pfaff <blp@nicira.com>
Wed, 18 Jul 2012 16:04:14 +0000 (09:04 -0700)
diff --git a/INSTALL.userspace b/INSTALL.userspace

index 6e6fcd4..10511b1 100644 (file)
--- a/INSTALL.userspace
+++ b/INSTALL.userspace
@@ -47,6 +47,19 @@ ovs-vswitchd will create a TAP device as the bridge's local interface,
  named the same as the bridge, as well as for each configured internal
  interface.
  
  named the same as the bridge, as well as for each configured internal
  interface.
  
+Firewall Rules
+--------------
+
+On Linux, when a physical interface is in use by the userspace
+datapath, packets received on the interface still also pass into the
+kernel TCP/IP stack.  This can cause surprising and incorrect
+behavior.  You can use "iptables" to avoid this behavior, by using it
+to drop received packets.  For example, to drop packets received on
+eth0:
+
+    iptables -A INPUT -i eth0 -j DROP
+    iptables -A FORWARD -i eth0 -j DROP
+
  Bug Reporting
  -------------
  
  Bug Reporting
  -------------
author	Ben Pfaff <blp@nicira.com>
	Mon, 16 Jul 2012 22:13:22 +0000 (15:13 -0700)
committer	Ben Pfaff <blp@nicira.com>
	Wed, 18 Jul 2012 16:04:14 +0000 (09:04 -0700)