WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-devel

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: [Xen-devel] iptables rules added by default

from [Ian Pratt] [Permanent Link][Original]
To: "James Harper" <james.harper@xxxxxxxxxxxxxxxx>, <Xen-devel@xxxxxxxxxxxxxxxxxxx>
Subject: RE: [Xen-devel] iptables rules added by default
From: "Ian Pratt" <m+Ian.Pratt@xxxxxxxxxxxx>
Date: Thu, 5 Jan 2006 12:55:18 -0000
Cc: Ewan Mellor <ewan@xxxxxxxxxxxxx>
Delivery-date: Thu, 05 Jan 2006 13:00:57 +0000
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
Thread-index: AcYRvNew77xnMRQSTSit49rDbt5YBAAOeoVA
Thread-topic: [Xen-devel] iptables rules added by default 
> In a default install of xen-3.0-testing, I just noticed that 
> it automatically adds in some iptables rules when a domain is 
> created. This is with the default of vif-bridge.
> 
> In my case I don't use iptables on this server, so these 
> iptables rules are completely unnecessary and can't do 
> anything useful for performance.
> 
> Does anyone have any comments on how much difference having 
> iptables loaded makes for throughput, and if this is 
> something we should be worrying about?

Connection tracking certainly isn't great for performance, but I doubt
the current rules need that.

I believe we added them because they were necessary to make DHCP in the
guest work with the default RH and SuSE firewall settings. I don't
believe the IP anti-spoof stuff is enabled by default.

Perhaps it should be configurable whether any iptables rules are added
at all. If you mv the iptables binary out the way things should still
work.

Ian

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Xen-devel] xen 3 dom0 eats memory - ME TOO, Patrick Scharrenberg
Next by Date:  Re: [Xen-devel] [PATCH] Fix leak in blkback initialization, Vincent Hanquez
Previous by Thread:  [Xen-devel] iptables rules added by default, James Harper
Next by Thread:  [Xen-devel] vif's disappear after dom1 reboot, Wensheng Wang
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy