RE: [Xen-devel] iptables rules added by default

> In a default install of xen-3.0-testing, I just noticed that
> it automatically adds in some iptables rules when a domain is
> created. This is with the default of vif-bridge.
>
> In my case I don't use iptables on this server, so these
> iptables rules are completely unnecessary and can't do
> anything useful for performance.
>
> Does anyone have any comments on how much difference having
> iptables loaded makes for throughput, and if this is
> something we should be worrying about?

Connection tracking certainly isn't great for performance, but I doubt the current rules need that. I believe we added them because they were necessary to make DHCP in the guest work with the default RH and SuSE firewall settings. I don't believe the IP anti-spoof stuff is enabled by default.

Perhaps it should be configurable whether any iptables rules are added at all. If you mv the iptables binary out the way things should still work.

Ian

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel