diff --git a/roles/firewalld/templates/firewalld.conf.j2 b/roles/firewalld/templates/firewalld.conf.j2
index 2cbf0f3d5ab9bf0770e79105bb0edc7b5f065883..f8caf11c8a862960136a5163db6e57897bc97fc2 100644
--- a/roles/firewalld/templates/firewalld.conf.j2
+++ b/roles/firewalld/templates/firewalld.conf.j2
@@ -30,6 +30,8 @@ Lockdown=no
 # packet would be sent via the same interface that the packet arrived on, the
 # packet will match and be accepted, otherwise dropped.
 # The rp_filter for IPv4 is controlled using sysctl.
+# Note: This feature has a performance impact. See man page FIREWALLD.CONF(5)
+# for details.
 # Default: yes
 IPv6_rpfilter=yes
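Review bot: The note added above `IPv6_rpfilter=yes` gives a reason to turn the option off but does not say what is lost by doing so. Per the comment just before it, the check drops packets whose reply would not leave via the arrival interface, so `no` removes that IPv6 reverse-path (anti-spoofing) test. I would add a line after "for details." such as `# Disabling it removes the IPv6 reverse-path check; keep "yes" unless measured load requires otherwise.` The template fixes the value at `yes`, so as far as this hunk shows, the comment is the only place a later editor would see the trade-off.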