FAQ: Mention conntrack capability for packet filtering.

The existing explanation didn't tell user the conntrack capability and user may be unaware of the stateful feature of OVS. Signed-off-by: Han Zhou <[email protected]> Signed-off-by: Ben Pfaff <[email protected]>
eyoung-father · Oct 31, 2016 · 0b1545b · 0b1545b
1 parent 0612d73
commit 0b1545b
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/FAQ.rst b/FAQ.rst
@@ -886,7 +886,9 @@ Q: Open vSwitch does not seem to obey my packet filter rules.
     would add an IP address, as discussed elsewhere in the FAQ.)
 
     For simple filtering rules, it might be possible to achieve similar results
-    by installing appropriate OpenFlow flows instead.
+    by installing appropriate OpenFlow flows instead.  The OVS conntrack
+    feature (see the "ct" action in ovs-ofctl(8)) can implement a stateful
+    firewall.
 
     If the use of a particular packet filter setup is essential, Open vSwitch
     might not be the best choice for you.  On Linux, you might want to consider