From c6bbc394dd7613792e0d4fd603bd52fc2ab27d7f Mon Sep 17 00:00:00 2001 From: YAMAMOTO Takashi Date: Mon, 5 May 2014 09:11:07 +0900 Subject: [PATCH] FAQ: Mention packet filter incompatibility Co-authored-by: Ben Pfaff Signed-off-by: Ben Pfaff Acked-by: Pritesh Kothari Signed-off-by: YAMAMOTO Takashi --- FAQ | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/FAQ b/FAQ index fc21af459..d3632f9c4 100644 --- a/FAQ +++ b/FAQ 
@@ -676,6 +676,36 @@ A: On Linux kernels before 3.11, the OVS GRE module and Linux GRE module can then reload the OVS module following the directions in INSTALL, which will ensure that dependencies are satisfied. +Q: Open vSwitch does not seem to obey my packet filter rules. + +A: It depends on mechanisms and configurations you want to use. + + You cannot usefully use typical packet filters, like iptables, on + physical Ethernet ports that you add to an Open vSwitch bridge. + This is because Open vSwitch captures packets from the interface at + a layer lower below where typical packet-filter implementations + install their hooks. (This actually applies to any interface of + type "system" that you might add to an Open vSwitch bridge.) + + You can usefully use typical packet filters on Open vSwitch + internal ports as they are mostly ordinary interfaces from the point + of view of packet filters. + + For example, suppose you create a bridge br0 and add Ethernet port + eth0 to it. Then you can usefully add iptables rules to affect the + internal interface br0, but not the physical interface eth0. (br0 + is also where you would add an IP address, as discussed elsewhere + in the FAQ.) + + For simple filtering rules, it might be possible to achieve similar + results by installing appropriate OpenFlow flows instead. + + If the use of a particular packet filter setup is essential, Open + vSwitch might not be the best choice for you. On Linux, you might + want to consider using the Linux Bridge. (This is the only choice if + you want to use ebtables rules.) On NetBSD, you might want to + consider using the bridge(4) with BRIDGE_IPF option. + Quality of Service (QoS) ------------------------ -- 2.20.1
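Review bot: the sentence "Open vSwitch captures packets from the interface at a layer lower below where typical packet-filter implementations install their hooks" doubles up "lower" and "below"; suggest "at a layer below where typical packet-filter implementations install their hooks". In the same answer, "It depends on mechanisms and configurations you want to use" reads better as "It depends on the mechanisms and configurations you want to use". Finally, "(br0 is also where you would add an IP address, as discussed elsewhere in the FAQ.)" would be more useful if it named the specific question it refers to, so readers who are relying on host packet-filter rules for physical ports can find the related guidance directly rather than searching the file; since the whole point of the entry is that rules on a "system" port such as eth0 are silently bypassed, making the cross-reference precise matters more here than usual.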