[ovs-dev] [PATCH] INSTALL.userspace: Explain how and why to use iptables to drop packets.

Ben Pfaff blp at nicira.com
Wed Jul 18 16:04:35 UTC 2012


Thanks, I applied this to master.

On Tue, Jul 17, 2012 at 11:38:45PM -0700, Justin Pettit wrote:
> Looks reasonable to me.
> 
> --Justin
> 
> 
> On Jul 16, 2012, at 3:13 PM, Ben Pfaff wrote:
> 
> > Reported-by: Ed Maste <emaste at freebsd.org>
> > Signed-off-by: Ben Pfaff <blp at nicira.com>
> > ---
> > INSTALL.userspace |   13 +++++++++++++
> > 1 files changed, 13 insertions(+), 0 deletions(-)
> > 
> > diff --git a/INSTALL.userspace b/INSTALL.userspace
> > index 6e6fcd4..10511b1 100644
> > --- a/INSTALL.userspace
> > +++ b/INSTALL.userspace
> > @@ -47,6 +47,19 @@ ovs-vswitchd will create a TAP device as the bridge's local interface,
> > named the same as the bridge, as well as for each configured internal
> > interface.
> > 
> > +Firewall Rules
> > +--------------
> > +
> > +On Linux, when a physical interface is in use by the userspace
> > +datapath, packets received on the interface still also pass into the
> > +kernel TCP/IP stack.  This can cause surprising and incorrect
> > +behavior.  You can use "iptables" to avoid this behavior, by using it
> > +to drop received packets.  For example, to drop packets received on
> > +eth0:
> > +
> > +    iptables -A INPUT -i eth0 -j DROP
> > +    iptables -A FORWARD -i eth0 -j DROP
> > +
> > Bug Reporting
> > -------------
> > 
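Review bot: the two DROP rules added in this hunk also discard any traffic the host itself needs to receive on eth0 (management SSH, DHCP, NTP), since "iptables -A INPUT -i eth0 -j DROP" matches every inbound packet on that interface; the new "Firewall Rules" section should say that the host must be reachable over some other interface before these rules are applied, and that "-A" appends after any existing ACCEPT rules, so an earlier accept in the INPUT or FORWARD chain would still let packets through (insert with "-I" if the drop must take precedence). The text also only covers IPv4; an equivalent pair of ip6tables rules is needed for IPv6 packets, which otherwise still pass into the kernel stack exactly as described in the first paragraph of the section.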
> > -- 
> > 1.7.2.5
> > 
> 