This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


RE: [Xen-devel] iptables rules added by default

To: "James Harper" <james.harper@xxxxxxxxxxxxxxxx>, <Xen-devel@xxxxxxxxxxxxxxxxxxx>
Subject: RE: [Xen-devel] iptables rules added by default
From: "Ian Pratt" <m+Ian.Pratt@xxxxxxxxxxxx>
Date: Thu, 5 Jan 2006 12:55:18 -0000
Cc: Ewan Mellor <ewan@xxxxxxxxxxxxx>
Delivery-date: Thu, 05 Jan 2006 13:00:57 +0000
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
Thread-index: AcYRvNew77xnMRQSTSit49rDbt5YBAAOeoVA
Thread-topic: [Xen-devel] iptables rules added by default
> In a default install of xen-3.0-testing, I just noticed that 
> it automatically adds in some iptables rules when a domain is 
> created. This is with the default of vif-bridge.
> In my case I don't use iptables on this server, so these 
> iptables rules are completely unnecessary and can't do 
> anything useful for performance.
> Does anyone have any comments on how much difference having 
> iptables loaded makes for throughput, and if this is 
> something we should be worrying about?

Connection tracking certainly isn't great for performance, but I doubt
the current rules need that.

I believe we added them because they were necessary to make DHCP in the
guest work with the default RH and SuSE firewall settings. I don't
believe the IP anti-spoof stuff is enabled by default.

Perhaps it should be configurable whether any iptables rules are added
at all. If you mv the iptables binary out of the way, things should still
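The suggestion above, that adding per-vif iptables rules should be something the operator can switch off, can be sketched as a small hook. The script below is an added example written for this archive page; it is not Xen's vif-bridge script and does not claim to reproduce it. It assumes a toggle variable named VIF_IPTABLES (a name chosen here), accept rules of the physdev form that let bridged traffic for one vif pass a dom0 FORWARD chain whose policy is DROP (the case in which a distro firewall would otherwise block the guest's DHCP), and an optional anti-spoof restriction that is only applied when an IP is given. It prints the iptables commands instead of running them, so it can be reviewed without root and piped to sh on a real dom0.

```shell
#!/bin/sh
# Added example, not the Xen project's vif-bridge script.
# Assumed knobs: VIF_IPTABLES (yes/no, default yes) decides whether any
# rules are emitted at all; an optional 4th argument enables an
# anti-spoof source-address restriction for that vif.

# vif_rules OP VIF BRIDGE [IP]
#   OP     "online" (domain created) or "offline" (domain destroyed)
#   VIF    dom0 name of the guest's interface, e.g. vif1.0
#   BRIDGE bridge the vif is attached to (kept for the caller's logging)
#   IP     optional guest address; when set, only frames from that
#          address are accepted on the inbound rule (anti-spoof)
# Prints the iptables commands the hook would run, one per line.
vif_rules() {
    op="$1"; vif="$2"; bridge="$3"; ip="${4:-}"

    # Operator opted out: emit nothing, so the firewall is left untouched.
    case "${VIF_IPTABLES:-yes}" in
        no|0|off) return 0 ;;
    esac

    case "$op" in
        online)  act="-I" ;;   # insert at head so a DROP policy cannot win
        offline) act="-D" ;;   # delete the same rules when the domain goes
        *) echo "vif_rules: unknown op '$op' for $vif on $bridge" >&2
           return 1 ;;
    esac

    # Frames bridged in from the vif: optionally pin them to the guest's IP.
    if [ -n "$ip" ]; then
        echo "iptables $act FORWARD -m physdev --physdev-in $vif -s $ip -j ACCEPT"
    else
        echo "iptables $act FORWARD -m physdev --physdev-in $vif -j ACCEPT"
    fi
    # Frames bridged out to the vif (DHCP offers, replies to the guest).
    echo "iptables $act FORWARD -m physdev --physdev-out $vif -j ACCEPT"
}

# Usage on a dom0 (constructed names):
#   VIF_IPTABLES=yes; vif_rules online vif1.0 xenbr0 | sh
#   VIF_IPTABLES=no;  vif_rules online vif1.0 xenbr0   # prints nothing
```

Because the rules are inserted rather than appended, they take effect ahead of a distro-supplied REJECT or DROP tail; the offline path deletes exactly the rules the online path created, so nothing is left behind when a domain is destroyed.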
